[Dataloss] You've Been Breached: Now What?

From: security curmudgeon (jericho@attrition.org)
Date: Tue Dec 21 2010 - 01:23:51 CST


---------- Forwarded message ----------
From: InfoSec News <alerts@infosecnews.org>

http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=228800744

By Adam Ely
InformationWeek
December 18, 2010

No one likes to think about database breaches, but the fact is, they
happen. Rather than cross your fingers and hope for the best, create an
incident response plan ahead of time. Without a plan, you may destroy
critical evidence that could be used to prosecute the offender. You might
also overlook just how the incident occurred, leaving you exposed to
future breaches.

Log analysis is an essential component of an incident response plan.
You'll want to review logs from the compromised machine or machines and
from other sources, including network devices and access control systems.

A number of log types--transaction, server access, application server, and
OS--can all provide valuable information to retrace what occurred. If your
database administrator has enabled transaction logs--and it's a big
if--start there because they're a rich source of information.

Your first goal is to understand what data has been extracted, which will
help you gauge the current risk to the company. Then examine what else the
attacker may have tried to do. As you review logs, look for queries that
would match the data known to be exported. If you don't have any evidence
to match against, gather up the database administrator, application
developer, and anyone else who knows normal application and database
activity. Get a conference room, display the logs on a projector, and have
them help you look for anomalies such as unusual queries that applications
or administrators wouldn't normally make.
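The triage the article describes (pull the compromised host's query log, agree a baseline of what the application and DBAs normally issue, then hunt for queries that touch the data known to have left and for anything outside that baseline) is easy to sketch in code. The script below is an added example, not part of the InformationWeek article or the Dataloss list; the log line format, the table and column names, the "exfiltrated columns" set, the business-hours window and the sample log lines are all constructed for illustration, so the parsing regex will need adapting to your own DBMS's audit or general log. It splits the log at a suspected incident start, builds a baseline of normalised query shapes from the earlier window, and reports each later query with the reasons it stood out.

```python
"""Triage a database query log after a suspected breach.

Added example (not from the InformationWeek article or the Dataloss list).
Log format, table/column names and the sample lines below are constructed
for illustration; adapt LINE_RE to your own DBMS's audit/general log.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample log: "<ISO timestamp> user=<db user> src=<ip> query=<sql>"
SAMPLE_LOG = """\
2010-12-17T09:12:01 user=app_svc src=10.0.1.20 query=SELECT id,name FROM customers WHERE id=1042
2010-12-17T09:12:03 user=app_svc src=10.0.1.20 query=SELECT id,name FROM customers WHERE id=1043
2010-12-17T09:15:44 user=app_svc src=10.0.1.21 query=UPDATE orders SET status='shipped' WHERE id=5518
2010-12-17T14:02:10 user=dba_jane src=10.0.5.7 query=SELECT count(*) FROM orders
2010-12-18T02:41:07 user=app_svc src=10.0.1.20 query=SELECT name,card_number,cvv FROM customers
2010-12-18T02:41:09 user=app_svc src=10.0.1.20 query=SELECT * FROM information_schema.tables
2010-12-18T02:43:30 user=app_svc src=10.0.1.20 query=SELECT name,card_number,cvv FROM customers WHERE id>5000
2010-12-18T02:50:12 user=app_svc src=10.0.1.20 query=DELETE FROM audit_log WHERE ts<'2010-12-18'
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) query=(?P<sql>.*)$")

# Columns matching the data known to have been exported (constructed values).
EXFILTRATED_COLUMNS = {"card_number", "cvv"}
# Hours during which the application normally runs (constructed baseline).
BUSINESS_HOURS = range(7, 20)


def parse(log_text):
    """Yield one dict per well-formed line; lines the regex rejects are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            yield rec


def shape(sql):
    """Reduce a query to its 'shape' so parameter values do not fragment the
    baseline: lowercase, quoted strings -> S, numbers -> N, whitespace collapsed."""
    s = sql.lower()
    s = re.sub(r"'[^']*'", "S", s)
    s = re.sub(r"\b\d+\b", "N", s)
    return re.sub(r"\s+", " ", s).strip()


def build_baseline(records):
    """Query shapes the application/DBA team agrees are normal (pre-incident window)."""
    return Counter(shape(r["sql"]) for r in records)


def triage(records, baseline):
    """Return (record, reasons) for every record that trips at least one check."""
    findings = []
    for r in records:
        reasons = []
        sql_l = r["sql"].lower()
        if shape(r["sql"]) not in baseline:
            reasons.append("query shape not in baseline")
        if any(col in sql_l for col in EXFILTRATED_COLUMNS):
            reasons.append("touches exfiltrated columns")
        if re.match(r"select\b", sql_l) and " where " not in sql_l and "count(" not in sql_l:
            reasons.append("bulk read without WHERE")
        if "information_schema" in sql_l:
            reasons.append("schema enumeration")
        if re.match(r"(delete|truncate)\b", sql_l) and "audit" in sql_l:
            reasons.append("tampering with audit trail")
        if r["ts"].hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if reasons:
            findings.append((r, reasons))
    return findings


def run(log_text=SAMPLE_LOG, incident_start="2010-12-18T00:00:00"):
    """Baseline on records before the suspected incident start, triage the rest."""
    cutoff = datetime.fromisoformat(incident_start)
    recs = list(parse(log_text))
    baseline = build_baseline(r for r in recs if r["ts"] < cutoff)
    return triage([r for r in recs if r["ts"] >= cutoff], baseline)


if __name__ == "__main__":
    for rec, why in run():
        print(rec["ts"], rec["user"], rec["src"], "|", rec["sql"])
        print("   ->", "; ".join(why))
```

The baseline window is the part that needs the people the article mentions in the room: shapes collected before the incident are only "normal" if the DBA and application developer confirm them, and a long-running intrusion can have polluted the pre-incident window too. Each flagged query carries all the reasons it tripped, so the reviewers can rank the ones that both fall outside the baseline and touch the exported columns ahead of, say, an off-hours maintenance job.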

[...]
_______________________________________________
Dataloss Mailing List (dataloss@datalossdb.org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
