IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Communications Remarks
____________________________________________________________________ .........................................
Before restoring operations after an attack, all passwords on the IT systems
concerned should be changed. This also includes IT systems which were not
directly affected by manipulation, but from which the attacker may already
have obtained information about users and/or passwords.
It should be assumed that once the "secure" condition has been restored, the
adversary will attempt a further attack. For this reason the IT systems,
especially the network connections, should be monitored using the appropriate
monitoring tools (see also S 5.71 Intrusion detection and intrusion response
systems).
Documentation
All actions performed while dealing with a security problem should be
documented in as much detail as possible so as to
- retain the details of what happened,
- make it possible to retrace the problems which occurred,
- be able to rectify any problems/faults which could result from hasty
implementation of countermeasures,
- be able to resolve problems already known more quickly should they occur
again,
- be able to eliminate the security weaknesses and draw up preventive
measures and
- collect evidence if a prosecution is to be brought.
Such documentation includes not only a description of the actions carried out
including the times at which they were taken, but also the log files of the
affected IT systems.
Reaction to deliberate action
Where a security incident was triggered by an adversary, a decision must be
made as to whether to stand back and watch the attack or whether
countermeasures should be implemented as soon as possible. Naturally an
attempt can be made to catch the adversary "red-handed" but this runs the risk
that in the meantime he will destroy, tamper with or read data.
Regrettably, investigation of security problems indicates that these are often
caused by staff from within the organisation. This can be the result of an
oversight, inappropriate working procedures or technical problems, but it
could also be a case of failure to observe security measures or even deliberate
action.
Wherever security problems are caused internally, the trigger must be
investigated. Often the problems turn out to stem from inappropriate or
incomprehensible procedures. It is then necessary to amend the procedures
accordingly or else to supplement them with additional measures, e.g. of a
technical nature.
If the security problems are the result of deliberate action or negligence,
appropriate disciplinary measures should be taken.
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000
Change passwords
Monitoring of the
affected IT systems
Dealing with insiders