The goal of such documentation is to prevent similar intrusions from occurring again. By recording what happened in a file such as a database, information is stored in a place where future members of the SIRT who may not have been involved with the original incident can review it.

Record-Keeping

Record-keeping is the process of recording all of the events associated with a security incident. Such documentation has many goals. SIRT members who encounter events similar to the ones already encountered will benefit enormously from the notes. An organization's legal representatives can also use the information in court.

Reevaluating Policies

Any recommendations of changes in security policies or procedures that arise as a result of security incidents should be included in the follow-up database. An organization's security policy may specify that details about security incidents are for internal use only and not for public consumption.

After the Attack: Computer Forensics

Computer forensics is the set of activities associated with trying to find out who hacked into a system or who gained unauthorized access, usually with the ultimate goal of gaining enough legally admissible evidence to prosecute the person.

Tracing Attacks

One of the first tasks undertaken when initiating a forensics investigation is the identification of the person or persons who initiated the attack. Identification can be difficult for a number of reasons. First, the offender may intentionally falsify the IP address listed as the source of the attack. Second, the hacker may have gained control of someone else's computer and used it to launch an attack.

Forensics Toolkits

Many incident handlers keep a forensics toolkit of hardware and software (sometimes called a jump kit) ready in order to respond to alerts. Such a kit might include a laptop computer, a cell phone; backup CD-ROMs or other
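The record-keeping and policy-follow-up material above describes what an incident record must hold (who did what, when, and which policy changes were recommended) and notes that the record may later serve as evidence. The following is an added example, not code from the textbook, showing one way a SIRT could keep such a record so that later readers can both review it and check that no entry was altered after the fact: each entry is timestamped, attributed to a handler, and chained to the previous entry by a SHA-256 digest. The incident identifier, handler names and event text are constructed sample values; the hash-chain design is an illustration of tamper evidence, not a requirement the text states.

```python
import copy
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # digest used as the "previous" link of the first entry


class IncidentLog:
    """Append-only record of the events associated with one security incident.

    Every entry carries the digest of the entry before it, so a later edit to any
    entry (or deletion of one) breaks the chain and is detected by verify().
    """

    def __init__(self, incident_id):
        self.incident_id = incident_id
        self.entries = []

    def record(self, handler, kind, event, timestamp=None):
        """Append one event. kind is e.g. 'observation', 'action', 'recommendation'."""
        ts = timestamp or datetime.now(timezone.utc).isoformat()
        prev = self.entries[-1]["digest"] if self.entries else GENESIS
        body = {
            "incident": self.incident_id,
            "seq": len(self.entries),
            "timestamp": ts,
            "handler": handler,
            "kind": kind,
            "event": event,
            "prev": prev,
        }
        body["digest"] = self._digest(body)
        self.entries.append(body)
        return body["digest"]

    @staticmethod
    def _digest(body):
        # Canonical JSON (sorted keys) so the digest is reproducible by a reviewer.
        fields = {k: v for k, v in body.items() if k != "digest"}
        return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()

    def verify(self):
        """Return True if every entry's digest and chain link are intact."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry["seq"] != i or entry["prev"] != prev:
                return False
            if self._digest(entry) != entry["digest"]:
                return False
            prev = entry["digest"]
        return True

    def recommendations(self):
        """Policy changes proposed during the incident, for the follow-up database."""
        return [e["event"] for e in self.entries if e["kind"] == "recommendation"]


def build_sample_log():
    # Constructed sample incident; timestamps fixed so the record is reproducible.
    log = IncidentLog("INC-EXAMPLE-001")
    log.record("handler-a", "observation",
               "IDS alert: repeated failed logins to host db-01 from external address",
               timestamp="2024-03-01T09:15:00+00:00")
    log.record("handler-a", "action",
               "Isolated db-01 from the network; disk image taken for forensics",
               timestamp="2024-03-01T09:40:00+00:00")
    log.record("handler-b", "recommendation",
               "Require MFA for all remote database administration accounts",
               timestamp="2024-03-02T14:00:00+00:00")
    return log


def tampered_copy_verifies():
    """Show that altering an entry after the fact is detected (returns False)."""
    altered = copy.deepcopy(build_sample_log())
    altered.entries[1]["event"] = "No action was taken"  # silent rewrite of history
    return altered.verify()


if __name__ == "__main__":
    log = build_sample_log()
    print("intact record verifies:", log.verify())
    print("tampered record verifies:", tampered_copy_verifies())
    print("policy recommendations:", log.recommendations())
```

The chain only proves that entries were not changed after they were written; it does not by itself establish who wrote them, so in practice the exported record would also be signed or stored on write-once media as part of the evidence-handling procedure.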