Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


Incident response (was Re: whois ) (fwd)

  • From: multics
  • Date: Tue Oct 24 12:24:40 2000

If I'm researching an intrusion incident the things that are important
to me are:

1)  The organization I'm contacting can at least confirm that they have
records that are useful in tracking down the hacker.

2)  There is someone there who can look at their records since if I'm
tracking down a hacker, it has often been the case that the source I've
tracked things to has also been hacked.

3)  The organization contacted takes the incident seriously and will at
least make sure they preserve any evidence/logs/records/etc that may be
of use in further tracking of the culprit.

4)  I can get enough information, even if it's a yes or no, to determine
if it's worth filing a police report.

Forwarded message:

> On Tue, 24 Oct 2000 Valdis.Kletnieks@vt.edu wrote:
> 
> :Umm... would you be satisfied with a "We've referred it to the appropriate
> :people" response?
> :
> :At least here, and probably many other universities, we're stuck not being
> :able to say much more than that due to student confidentiality rules...
> :Yes, we take action.  No, we usually can't say what we did.
> 
> A general incident response capability would be useful, but unfortunately
> this requires more cooperation than most companies are willing to give. 
> 
> Would it be worthwhile to include security incident handling policies
> and procedures in peering agreements? i.e., a peering agreement also
> includes a testable disaster recovery plan, and a security incident
> response plan. 
> 
> It is fairly obvious by now that a peering agreement is more than simply 
> an agreement on a router configuration. 
> 
> I'm wondering if anyone would consider something like this a little more
> robust than the centralized CIRTs and industry associations, as it would
> be relative to local policy, and the participants have a direct existing
> relationship with each other. This, as opposed to dependence on a neutral
> co-ordinating centre which may be dealing with other problems. 
> 
> 
> --
> batz
> Reluctant Ninja
> Defective Technologies
> 
> 
> 


-- 
Richard Shetron  multics@ruserved.com multics@acm.rpi.edu  NO UCE
What is the Meaning of Life?      There is no meaning,
It's just a consequence of complex carbon based chemistry; don't worry about it
The Super 76, "Free Aspirin and Tender Sympathy", Las Vegas Strip.




