July 2008: Steps for Recovering from a System Compromise/Intrusion

1. Before you get started

It is important to notify management of the organization about the intrusion in order to facilitate internal coordination of your recovery effort. Before you get started in your recovery, your organization needs to decide if pursuing a legal investigation is an option. You may wish to simply secure your systems or take the case to law enforcement for investigation.

If you are interested in determining the identity of or pursuing action against the intruder, we suggest that you consult legal counsel to see what laws, if any, have been violated. Based on that, you could then choose what legal avenues to pursue.

In addition to notifying management and legal counsel at your site, you may also need to notify others within your organization who may be directly affected by your recovery process (e.g., other administrators or users). The importance of documenting every step you take in recovery cannot be overstated. Recovering from a system compromise can be a hectic and time-consuming process, and hasty decisions are often made. Documenting each step will help prevent hasty decisions and give you a record of everything you did to recover, which you can reference in the future and which may also be useful if there is a legal investigation.

2. Regain control

To regain control, you will need to disconnect all compromised machines from your network. After that, you may wish to operate in single user mode or as the local administrator to ensure that you have complete control of the machine; however, by rebooting or changing to single user/local administrator mode, you may lose some useful information, because all processes executing at the time of discovery will be killed.

Operating in single user mode will prevent users, intruders, and intruder processes from accessing or changing state on the compromised machine while you are going through the recovery process. If you do not disconnect the compromised machine from the network, you run the risk that the intruder may be connected to your machine and may be undoing your steps as you try to recover the machine.

Before analyzing the intrusion, create a backup of your system. This will provide a "snapshot" of the file system at the time the compromise was first discovered. You may need to refer back to this backup in the future.

With your system disconnected from the network, you can now thoroughly review log files and configuration files for signs of intrusion, intruder modifications, and configuration weaknesses. Data on compromised systems is often modified by intruders. We encourage you to verify the integrity of web pages, archives, files in users' home directories, and any other data files on your system. Also, intruders will commonly install custom-made tools for continued monitoring of or access to a compromised system. The common classes of files left behind by intruders are network sniffers, Trojan horse programs, backdoors, vulnerability exploits, etc.
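As an added illustration of the integrity check described above (this is not part of the WOUGNET summary or the CERT document), the following POSIX shell functions record a hash manifest of a file tree taken from a known-good snapshot and later report files that were modified, removed, or newly added. The use of sha256sum (with a shasum fallback) and the assumption that paths contain no spaces are mine, not the page's.

```shell
#!/bin/sh
# Added example, not from the WOUGNET or CERT text. Builds a hash manifest of a
# file tree from a known-good snapshot and later compares the live tree to it.
# Assumptions: sha256sum (or shasum) is available and paths contain no spaces.
command -v sha256sum >/dev/null 2>&1 || sha256sum() { shasum -a 256 "$@"; }

# make_manifest DIR OUT: write "hash  ./relative/path" for every regular file.
# A while loop is used instead of find -exec so the shasum fallback works too.
make_manifest() {
    ( cd "$1" && find . -type f | while IFS= read -r f; do sha256sum "$f"; done ) > "$2"
}

# verify_tree DIR MANIFEST: print MODIFIED/MISSING/NEW findings, one per line.
# Returns 0 when the tree still matches the manifest, 1 otherwise.
verify_tree() {
    dir=$1; manifest=$2
    current=$(mktemp)
    make_manifest "$dir" "$current"
    rc=0
    # Every baseline entry must still exist with the same hash.
    while read -r hash path; do
        cur=$(awk -v p="$path" '$2 == p { print $1 }' "$current")
        if [ -z "$cur" ]; then
            echo "MISSING $path"; rc=1
        elif [ "$cur" != "$hash" ]; then
            echo "MODIFIED $path"; rc=1
        fi
    done < "$manifest"
    # Files absent from the baseline deserve a look: dropped tools hide here.
    new=$(awk 'FNR == 1 { f++ } f == 1 { seen[$2] = 1; next } !($2 in seen) { print "NEW", $2 }' \
          "$manifest" "$current")
    if [ -n "$new" ]; then
        echo "$new"; rc=1
    fi
    rm -f "$current"
    return $rc
}
```

Take the manifest from the pre-intrusion backup or installation media, keep it off the compromised host, and compare against the live tree while the machine is still disconnected.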

We encourage you to check all of your systems, not just those that you know to be compromised. In your check include any systems associated with the compromised system through shared network-based services or through any method of trust.

3. Recover from the intrusion

Keep in mind that if a machine is compromised, anything on that system could have been modified, including the kernel, binaries, datafiles, running processes, and memory. In general, the only way to trust that a machine is free from backdoors and intruder modifications is to reinstall the operating system from the distribution media and install all of the security patches before connecting back to the network.

Secondly, disable unnecessary services. Configure your system to offer only the services that the system is intended to offer and no others. In general, the most conservative policy is to start by disabling everything and only enabling services as they are needed.

Thirdly, install all vendor security patches. Ensure that the full set of security patches for each of your systems is applied. This is a major step in defending your systems from attack and its importance cannot be overstated.

When restoring data from a backup, ensure that the backup itself was taken from an uncompromised machine. Keep in mind that restoring from a backup could re-introduce the vulnerability that allowed the intruder to gain unauthorized access. After all security holes or configuration problems have been patched or corrected, we suggest that you change the passwords of ALL accounts on the affected system(s).

After completing the data system recovery and addressing all the security concerns, you can then reconnect the machine to the network.

- -
Summarized by the WOUGNET Techsupport team. The complete document is available from CERT (cert.org).
