ABSTRACT
Do you have the necessary tools in place to stop an intruder? Do you have a policy against normal users running hacker-type tools inside your environment? Does that policy allow administrators to use similar tools to identify vulnerabilities and track incidents? After you stop an intruder, can you capture the evidence needed to determine what damage was done? Is there an incident response plan in place that clearly tells you whom to call and what to do to protect the evidence of an intrusion? Does your organization plan to prosecute for damages? Does a process exist to ensure that the evidence is not damaged or tampered with and that a proper chain of custody is maintained, so that the evidence retains its forensic quality and will hold up in court?