Microsoft Windows XP Home Edition - Zenk - Security - Repository
Microsoft Windows XP Home Edition - Zenk - Security - Repository
Microsoft Windows XP Home Edition - Zenk - Security - Repository
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
Responding to an Attack<br />
<strong>Microsoft</strong> <strong>Windows</strong> <strong>XP</strong> <strong>Home</strong> <strong>Edition</strong><br />
<strong>Security</strong> Implementation<br />
Version 1.4b Option 1<br />
Based on the information that you have gathered from your firewall log and you<br />
have determined that you have been attacked, there are a couple of options that<br />
you have in responding to the attack. You will want to notify your Internet<br />
Service Provider (ISP). Provide them with all the details of the attack as you<br />
know them (who, what, where, when, and how). If you don't want to contact your<br />
ISP then you can contact Dshield.org<br />
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46<br />
15 (http://www.dshield.org). Dshield.org is<br />
an organization that tracks reports of intrusions. You need to submit them all the<br />
information that you have concerning this attack. You will also need to send<br />
them your log showing that the attack occurred. They will analyze the reports<br />
that you submit and depending on the results that may contact the user's<br />
(attackers) ISP. If none of these seem like options you can go to the NIPC web<br />
site (www.nipc.gov/incident/incident.htm) 16 . NIPC (National Infrastructure<br />
Protection Center) is a division of the FBI. This site provides you with information<br />
on how to handle the attack. They have documents covering how to protect<br />
evidence, and how to help Federal, State, and Local Law Enforcement Agencies<br />
investigate the incident.<br />
There are some general recommendations that you should follow. The first is to<br />
respond quickly. The longer you wait to report an incident the more difficult it can<br />
become to trace the attack. You should not stop any system processes or<br />
tamper with files. You may inadvertently destroy evidence on how the attack<br />
happened or who initiated the attack. You should use your telephone for all<br />
communications. If you have been attacked there is a chance that your e-mail<br />
has been compromised. By using e-mail you could have all your e-mails logged<br />
by the attacker or spread the attack to other computers and users. You will want<br />
to make copies of all the files that an intruder may have altered or left. This will<br />
help investigators determine how, when, and who initiated the attack. You<br />
should never contact the attacker yourself. You do not want to let them know<br />
that you know who they are. You could place yourself and your family in danger<br />
by contacting the intruder.<br />
© SANS Institute 2003, Author retains full rights<br />
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46<br />
15 Dshield.org, Euclidian Consulting, http://www.dshield.org<br />
16 National Infrastructure Protection Center, Division of FBI, http://www.nipc.gov/incident/incident.htm<br />
Page 22 of 53<br />
© SANS Institute 2003, As part of the Information <strong>Security</strong> Reading Room. Author retains full rights.