The topic for this class is a review from ITS 4350, which some of you were in two years ago. For the sake of brevity, let's assume we are talking about security incidents.
That week's lesson began with a horror story about a student testing a worm program. The lesson asked you to read through it and think about some questions. Who was responsible for the outbreak? What should have been done to prevent it?
This is an example of what Albert Einstein, Hans Ørsted, Ernst Mach, and others called a Gedankenexperiment. (Nouns in German are capitalized, even when mixed with English. It means mind/thought experiment.) This is the way such an experiment (one that could get way out of hand) should be done, because the consequences of carrying it out in the real world are unacceptable. You could argue that the student in this case carried out his thought experiment first, then found that the real-world results were not what he expected. That is the danger in doing thought experiments: you may not know enough yet to predict the actual results.
That text made a case for gathering information while you are investigating a problem, getting everything you can, then analyzing it to make a plan for containment, eradication, and recovery. The analysis and planning stage is where the Gedankenexperimenting (which is a painful combination of Latin, German, and English) takes place.
Containment methods vary depending on what is happening.
Eradication requires repair of the damage done, and removal of the various viruses, worms, altered files, and other kinds of mess left by the attacker. The text reminds us that a particularly nasty attacker may decide to leave behind software that will cause more damage after the initial attack has ended. If, on the other hand, the attacker intends to return, there is more likely to be a new back door to the system, created by the attacker to make it easy to re-enter the new favorite data source. Finding new accounts with elevated rights should make your admins wonder what else has been changed about the system.
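The last sentence above is a detection point worth making concrete: during eradication, compare the account state you captured at the start of the investigation against the current state and flag anything that looks like a newly planted back door. The script below is an added example written for these notes, not code from the class text. It assumes Unix-style /etc/passwd and /etc/group formats, assumes that the site treats the groups in PRIVILEGED_GROUPS as elevated, and uses constructed sample snapshots rather than data from any real host.

```python
"""Compare a baseline account snapshot with the current one and report the
changes an admin should question: new accounts, accounts that now have UID 0,
and new members of privileged groups.

Added example for these notes; the snapshot contents below are constructed
samples in /etc/passwd and /etc/group format, not data from a real system.
"""

# Assumption: these are the groups this site treats as granting elevated rights.
PRIVILEGED_GROUPS = {"wheel", "sudo", "adm"}


def parse_passwd(text):
    """Return {username: uid} from passwd-format lines (name:x:uid:gid:gecos:home:shell)."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7 or not fields[2].isdigit():
            continue  # malformed line: skip rather than guess
        users[fields[0]] = int(fields[2])
    return users


def parse_group(text):
    """Return {groupname: set(members)} from group-format lines (name:x:gid:m1,m2)."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue
        groups[fields[0]] = {m for m in fields[3].split(",") if m}
    return groups


def diff_accounts(base_passwd, base_group, cur_passwd, cur_group):
    """Return a dict of findings from comparing the baseline snapshot to the current one."""
    base_users, cur_users = parse_passwd(base_passwd), parse_passwd(cur_passwd)
    base_groups, cur_groups = parse_group(base_group), parse_group(cur_group)
    findings = {
        "new_accounts": sorted(set(cur_users) - set(base_users)),
        "removed_accounts": sorted(set(base_users) - set(cur_users)),
        # Any account whose UID is now 0 is root-equivalent, whether it is new or was altered.
        "new_uid0": sorted(u for u, uid in cur_users.items()
                           if uid == 0 and base_users.get(u) != 0),
        "new_privileged_members": [],
    }
    for group in PRIVILEGED_GROUPS:
        added = cur_groups.get(group, set()) - base_groups.get(group, set())
        findings["new_privileged_members"].extend((group, m) for m in sorted(added))
    findings["new_privileged_members"].sort()
    return findings


# Constructed sample snapshots: baseline taken at the start of the investigation,
# current taken during eradication.
BASELINE_PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
"""
BASELINE_GROUP = """root:x:0:
wheel:x:10:alice
users:x:100:alice,bob
"""
CURRENT_PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
svc_backup:x:1002:1002:backup helper:/var/backup:/bin/bash
backup2:x:0:0:second backup:/root:/bin/bash
"""
CURRENT_GROUP = """root:x:0:
wheel:x:10:alice,bob
users:x:100:alice,bob
"""


def run_example():
    """Run the comparison on the constructed snapshots and return the findings."""
    return diff_accounts(BASELINE_PASSWD, BASELINE_GROUP, CURRENT_PASSWD, CURRENT_GROUP)


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

In this sample the comparison reports two new accounts, one of them root-equivalent (UID 0), and one user newly added to wheel. None of those is proof of compromise on its own, but each is exactly the sort of change that should make an admin ask what else was altered, and the baseline is only useful if it was captured before cleanup began.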
Recovery, as usual, means restoring the state the system was in before the incident. However, in the case of an attack, the system should be better than before by being guarded against that specific attack. Recovery may mean restoration of data, reinstallation of operating systems and programs, and may also include changing any compromised attack surfaces.
Some texts discuss security incidents in terms of several categories:
For a DoS attack:
For a Malware attack:
For Unauthorized access:
For Inappropriate use:
It would be ideal to have a history on what worked in defense of various attacks we and others have experienced. This sort of thing does exist, but remember that the bad guys read that stuff, too. Have a plan, but be ready to modify it. Dr. Deming said to continue to plan, to do, to check, and to act. Those who ask the difference between the do and act portions are ignoring what we are supposed to learn when we check on what we did. This relates to some wisdom that may have originated with Helmuth Karl Bernhard Graf von Moltke (portrait on the right), who observed that no plan of battle ever survives first contact with the enemy. Remain flexible. Learn from what happens, and plan what to do next.
We should make plans, and store those plans in ways that they can be accessed regardless of the disaster, regardless of the services that may be out at the time of the disaster. If we cannot access the plans, we cannot rely on them, and we can only function from our memories of them and from our best judgement. We will have to do that anyway, but take advantage of your history.