corpus delecti

skip (@skip), Trusted Member, Joined: 20 years ago, Posts: 57

> You can't just do a live response, you have to plan ahead for it.

True dat! However, I have a great job because so few people plan ahead.

I could see that. Folks wait until their first break-in before putting in the controls that will be necessary for this first-response forensic analysis of a compromised system.

Keeping a good image of a critical system, or different intrusion detection systems, or contingency planning and procedures.

If you really want the ability to clearly determine, "Was there an incident?" then you need the rest of the supporting stuff.
If you don't have it then there are too many what-ifs and other unanswered (or no 100% true good answer) questions.

skip
keydet89 (@keydet89), Famed Member, Joined: 21 years ago, Posts: 3568

> I could see that. Folks wait until their first break-in before putting in the
> controls that will be necessary for this first-response forensic analysis of a
> compromised system.

Fortunately for my job security, that isn't the case most times. Because most of the folks that call me have not put any effort at all into information/computer/network security, the "first break-in" really doesn't change anything. In the cases where they do take some of the suggestions in my final report and make the effort to improve security, the issues are often that (a) it's a drain on the bottom line without any immediately identifiable benefit, and (b) they implement a point solution rather than assessing overall risk.

> If you really want the ability to clearly determine, "Was there an
> incident?" then you need the rest of the supporting stuff.

Very, very true. Many times I get asked the questions, "What was running on the system?" or "Was the intruder accessing specific files?" More often than not, in such cases, I'm called in days (or weeks) after the incident was discovered and triaged by others, and the system was shut down or rebooted.

H
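The two posts above make the same point from both sides: once a system has been shut down or rebooted, "what was running?" and "who was connected?" can no longer be answered, so the collection has to be planned and scripted before the first break-in. The following POSIX shell script is an added example written for this page; it is not code from either poster. It captures volatile state in roughly order-of-volatility (time and identity, processes, sockets, logged-in users) and then hashes every artifact into a manifest so that later analysis can prove the collection was not altered. The output directory name is an assumption; in a real deployment the script and its output would live on removable media or a network share, never on the evidence system's own disk, and the tool binaries would be trusted copies rather than whatever the compromised host provides.

```shell
#!/bin/sh
# Minimal live-response collector (added example, not from the original thread).
# Usage: collect_volatile /path/to/outdir ; verify_manifest /path/to/outdir
# Assumption: outdir is on trusted media, not the suspect system's disk.

collect_volatile() {
    outdir="$1"
    mkdir -p "$outdir" || return 1

    # 1. Time and identity first, so clock skew can be reconciled against other logs.
    { date -u +"%Y-%m-%dT%H:%M:%SZ"; uname -a; uname -n; } > "$outdir/00_system.txt" 2>&1 || true

    # 2. Running processes: the "what was running?" question a reboot erases.
    ps -ef > "$outdir/01_processes.txt" 2>/dev/null \
        || ps aux > "$outdir/01_processes.txt" 2>/dev/null \
        || echo "ps unavailable" > "$outdir/01_processes.txt"

    # 3. Network state: listeners and established sockets, with owning PIDs where the tool allows.
    if command -v ss >/dev/null 2>&1; then
        ss -tunap > "$outdir/02_network.txt" 2>&1 || true
    elif command -v netstat >/dev/null 2>&1; then
        netstat -an > "$outdir/02_network.txt" 2>&1 || true
    else
        echo "no socket tool available" > "$outdir/02_network.txt"
    fi

    # 4. Logged-in users now, plus recent logins if the host keeps wtmp.
    { who 2>/dev/null || true; echo "---"; last -n 20 2>/dev/null || true; } > "$outdir/03_users.txt" 2>&1

    # 5. Hash every artifact so the collection can be verified later.
    write_manifest "$outdir"
}

# Write a SHA-256 line for each collected file (sha256sum on Linux, shasum on macOS/BSD).
write_manifest() {
    outdir="$1"
    : > "$outdir/MANIFEST"
    for f in "$outdir"/*.txt; do
        [ -f "$f" ] || continue
        if command -v sha256sum >/dev/null 2>&1; then
            sha256sum "$f" >> "$outdir/MANIFEST"
        else
            shasum -a 256 "$f" >> "$outdir/MANIFEST"
        fi
    done
}

# Re-check the manifest; exit status 0 means nothing changed since collection.
verify_manifest() {
    outdir="$1"
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum -c "$outdir/MANIFEST" >/dev/null 2>&1
    else
        shasum -a 256 -c "$outdir/MANIFEST" >/dev/null 2>&1
    fi
}
```

The ordering matters more than the exact commands: sockets and process lists change by the second, user sessions by the minute, and the manifest is what turns a pile of text files into something you can defend when asked, weeks later, whether anything was touched.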