ABSTRACT

Are you ready with the necessary tools to stop an intruder? Do you have a policy against normal users running hacker-type tools inside your environment? Does the policy allow for administrators to access similar tools to identify vulnerabilities and track incidents? After you stop an intruder, can you capture the necessary evidence to track any damage that may have been done? Is there an incident response plan in place that would have clearly instructed you on who to call and what to do to protect the evidence of an intrusion? Does your organization plan to prosecute for damages? Does a process exist to ensure that the evidence does not get damaged or tampered with and that a proper chain of custody is in place so the evidence retains its forensic quality and will hold up in court?
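The last question, on keeping evidence untampered with a documented chain of custody, is one place where a concrete mechanism helps. The following is an added example and not code from the paper: it fingerprints a collected item with SHA-256 at collection time and keeps a hash-chained custody log (each event commits to the previous one) whose head is stored separately, e.g. in the case file, so later modification of the evidence or of the log entries is detected on verification. The evidence bytes, item identifier, analyst names and timestamps are constructed sample values.

```python
import hashlib
import hmac
import json

# Constructed sample evidence; stands in for a disk image, packet capture or exported log.
EVIDENCE = b"Jan  1 00:00:01 host sshd[1234]: Accepted password for root from 203.0.113.5\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _event_hash(event: dict) -> str:
    # Canonical JSON (sorted keys) so an event always hashes the same way.
    return sha256_hex(json.dumps(event, sort_keys=True).encode())


def collect(evidence: bytes, item_id: str, collector: str, when: str) -> dict:
    """Start a custody record: fingerprint the evidence and log who collected it."""
    first = {"action": "collected", "by": collector, "at": when, "prev": None}
    return {
        "item_id": item_id,
        "sha256": sha256_hex(evidence),
        "size": len(evidence),
        "events": [first],
        "head": _event_hash(first),  # copy this value to a separately stored case file
    }


def add_event(record: dict, action: str, by: str, when: str) -> dict:
    """Append a custody event (transfer, analysis, storage) chained to the previous one."""
    event = {"action": action, "by": by, "at": when, "prev": record["head"]}
    record["events"].append(event)
    record["head"] = _event_hash(event)
    return record


def verify_evidence(record: dict, evidence: bytes) -> bool:
    """Does the evidence still match the fingerprint taken at collection?"""
    return hmac.compare_digest(record["sha256"], sha256_hex(evidence))


def verify_chain(record: dict, trusted_head: str) -> bool:
    """Recompute the event chain and compare with the head kept out of band.

    Any edited, inserted or deleted event changes the recomputed head.
    """
    prev = None
    for event in record["events"]:
        if event["prev"] != prev:
            return False
        prev = _event_hash(event)
    return prev == trusted_head


if __name__ == "__main__":
    rec = collect(EVIDENCE, "CASE-001/ITEM-1", "analyst A", "2024-01-01T01:00:00Z")
    add_event(rec, "transferred", "analyst B", "2024-01-01T02:00:00Z")
    head_on_file = rec["head"]
    print("evidence intact:", verify_evidence(rec, EVIDENCE))
    print("custody chain intact:", verify_chain(rec, head_on_file))
    rec["events"][1]["by"] = "someone else"  # simulate a tampered log entry
    print("custody chain intact after edit:", verify_chain(rec, head_on_file))
```

The chain head only protects the log if it is kept somewhere the log's custodian cannot silently rewrite; in practice that is a signed case file or a write-once record, which this example models simply by passing the head in as a separate argument.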