Damage Control and Assessment
System security administrators must assess the damage caused by an intruder after an attack. Selecting the damage control technique, or set of techniques, to implement will depend largely upon the computing environment under attack and the goals of the administrator. Damage control techniques are those actions that are taken while an intruder is logged into a system. This chapter discusses the following six possible actions: inform the authorities, back up system data, remove the intruder, contain and monitor the intruder, lock stolen user accounts, and require additional authentication. While damage control concerns the response to an attack in progress, damage assessment concerns the post-intrusion response. The first step in the recovery and restoration process is the examination of audit trails, or log files. The chapter also discusses six security techniques: patch security holes, lock stolen user accounts, change account passwords, employ shadow password files, back up information, and reduce network services.