Sunday, October 17, 2004

Be prepared

If you share your network with anyone (anyone!) with administrative
access to any (that's ANY!) system, then you need to take a few
precautions to help recover from a network compromise. The following
are steps that we've learned in the open lab:
  • Know the MAC address for the default gateway (have it written down)
  • Know the hostname(s) and IP address(es) for your servers, especially your DNS and directory servers
  • If you're done with a dangerous tool, delete it and the source code
  • Scan your systems, inside and out, before and after active analysis
  • Log and record as much as possible, no matter how silly it seems

Some of those are forensic measures, but the first two are valuable bits of information if you're suddenly trying to figure out why the Google page reads "All your lookups are belong to us!"
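Writing the gateway MAC and nameserver addresses down only pays off if you actually compare them against what the host currently believes. The script below is an added example, not code from the post: it parses the output of `ip -4 neigh show` and `/etc/resolv.conf` (so it assumes a Linux box with iproute2) and reports anything that has drifted from the recorded baseline. The baseline values and the sample neighbour table and resolv.conf are constructed for the example; the sample shows the two things you would most want to catch after an odd-looking search page, a gateway whose MAC no longer matches and an unknown nameserver.

```python
"""Compare the recorded gateway MAC and DNS servers against the live tables.

Added example for the 'know your gateway MAC and DNS servers' advice; the
baseline and the sample command output below are constructed, not captured.
"""
import re
import subprocess

# What you wrote down on a known-good day (constructed sample values).
BASELINE = {
    "gateway_ip": "192.168.1.1",
    "gateway_mac": "00:11:22:33:44:55",
    "dns_servers": {"192.168.1.10", "192.168.1.11"},
}

# Constructed sample of `ip -4 neigh show`: the gateway answers from a new MAC.
SAMPLE_NEIGH = """\
192.168.1.1 dev eth0 lladdr de:ad:be:ef:00:01 REACHABLE
192.168.1.20 dev eth0 lladdr 00:aa:bb:cc:dd:ee STALE
"""

# Constructed sample of /etc/resolv.conf: one recorded server replaced by a stranger.
SAMPLE_RESOLV = """\
# constructed sample
search lab.example
nameserver 192.168.1.10
nameserver 10.66.66.66
"""


def parse_neigh(text):
    """Map IPv4 address -> lowercase MAC from `ip -4 neigh show` lines.

    Entries without an lladdr (e.g. FAILED or INCOMPLETE) are skipped.
    """
    table = {}
    for line in text.splitlines():
        m = re.match(r"(\S+)\s+dev\s+\S+\s+lladdr\s+([0-9a-fA-F:]{17})", line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def parse_resolv(text):
    """Return the set of nameserver addresses from resolv.conf text."""
    servers = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.add(parts[1])
    return servers


def compare(baseline, neigh_text, resolv_text):
    """Return human-readable findings; an empty list means nothing has moved."""
    findings = []
    neigh = parse_neigh(neigh_text)
    gw_mac = neigh.get(baseline["gateway_ip"])
    if gw_mac is None:
        findings.append(f"no neighbour entry for gateway {baseline['gateway_ip']}")
    elif gw_mac != baseline["gateway_mac"].lower():
        findings.append(
            f"gateway MAC changed: recorded {baseline['gateway_mac']}, now {gw_mac}"
        )
    dns = parse_resolv(resolv_text)
    for unexpected in sorted(dns - baseline["dns_servers"]):
        findings.append(f"unexpected nameserver {unexpected}")
    for missing in sorted(baseline["dns_servers"] - dns):
        findings.append(f"recorded nameserver {missing} no longer configured")
    return findings


def live_inputs():
    """Read the real tables; fall back to the constructed samples if `ip` is missing."""
    try:
        neigh = subprocess.run(
            ["ip", "-4", "neigh", "show"], capture_output=True, text=True, check=True
        ).stdout
        with open("/etc/resolv.conf") as fh:
            resolv = fh.read()
        return neigh, resolv
    except (OSError, subprocess.CalledProcessError):
        return SAMPLE_NEIGH, SAMPLE_RESOLV


if __name__ == "__main__":
    results = compare(BASELINE, *live_inputs())
    for line in results or ["gateway MAC and nameservers match the baseline"]:
        print(line)
```

Run it from cron or by hand when something looks wrong; a changed gateway MAC points at the ARP layer, a foreign nameserver at DHCP or the resolver configuration, which tells you where to start looking before you touch anything else.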
