Analyst Journal; work and IT @ 27 Feb 2010 06:27 pm by ayoi
Greetings guys..
I’ve spent the past two weeks getting the draft forensic readiness policy completed for submission to our client in Indonesia. To be honest, this time around I need to assist our sister company there in designing an SOC for that particular client. In terms of security policy, the bulk of the task was done by my colleague there. She’s very good at integrating the client’s security policies into ours. I’m really impressed with her work though.
So what the heck is Forensic Readiness Policy?
The main objectives of this policy are to maximize the usefulness of incident data and minimize the cost of forensics during incident response. Very clear eh?
Well, the elements of forensic readiness are usually:
- How logging is done
- What activities/items are being logged
- Intrusion Detection Systems (network and host based)
- Forensic acquisition
- Evidence handling
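The last two items are where "maximize the usefulness of incident data" turns into something concrete: an acquired image is only useful as evidence if you can show it has not changed since acquisition, and who has handled it in between. The script below is an added example, not part of the original post or the policy it describes. It does the integrity bookkeeping around an acquisition (hash the source while copying, confirm the copy matches, then append a chain-of-custody entry every time the image changes hands, re-hashing it each time) so that a later verification can point at the exact hand-off where integrity was lost. The examiner names, case id and the "evidence" bytes are constructed sample data; the copy loop stands in for a proper imager (dd/dcfldd behind a write blocker), which this script does not replace.

```python
import datetime
import hashlib
import json
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB reads: large images are streamed, never loaded whole


def sha256_file(path):
    """SHA-256 of a file, computed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire(source, dest, examiner, case_id):
    """Copy evidence from `source` to `dest`, hashing the source as it is read and
    the copy after it is written. Returns the acquisition record, or raises if the
    two hashes differ: a truncated or corrupted copy must never become evidence."""
    src_hash = hashlib.sha256()
    with open(source, "rb") as fin, open(dest, "wb") as fout:
        for block in iter(lambda: fin.read(CHUNK), b""):
            src_hash.update(block)
            fout.write(block)
        fout.flush()
        os.fsync(fout.fileno())  # make sure the copy is really on disk before hashing it
    copy_hash = sha256_file(dest)
    if copy_hash != src_hash.hexdigest():
        raise RuntimeError("acquisition failed: copy hash does not match source")
    return {
        "case_id": case_id,          # constructed identifier, not a real case
        "examiner": examiner,
        "source": os.path.abspath(source),
        "image": os.path.abspath(dest),
        "size": os.path.getsize(dest),
        "sha256": copy_hash,
        "acquired_at": datetime.datetime.now(datetime.timezone.utc).isoformat(),
    }


def record_custody(ledger_path, record, actor, action, note=""):
    """Append one chain-of-custody entry as a JSON line. Each entry carries the
    image hash re-computed at that moment, so the first entry whose hash differs
    from the acquisition hash shows exactly when integrity was lost."""
    entry = {
        "when": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "actor": actor,
        "action": action,
        "image": record["image"],
        "sha256_now": sha256_file(record["image"]),
        "note": note,
    }
    with open(ledger_path, "a") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


def verify_chain(ledger_path, record):
    """Return (ok, first_bad_entry). ok is True only if every ledger entry hashed
    the image to the acquisition hash and the image still hashes to it now."""
    expected = record["sha256"]
    with open(ledger_path) as f:
        for line in f:
            entry = json.loads(line)
            if entry["sha256_now"] != expected:
                return False, entry
    if sha256_file(record["image"]) != expected:
        return False, None
    return True, None


def demo():
    """Constructed scenario: a fake dump is acquired and handled twice cleanly,
    then silently modified; the hand-off after the change is caught."""
    work = tempfile.mkdtemp()
    source = os.path.join(work, "evidence.bin")
    image = os.path.join(work, "evidence.img")
    ledger = os.path.join(work, "custody.jsonl")
    with open(source, "wb") as f:
        f.write(b"constructed sample evidence " * 1000)  # constructed, not real data

    rec = acquire(source, image, examiner="analyst01", case_id="CASE-0001")
    record_custody(ledger, rec, "analyst01", "acquired")
    record_custody(ledger, rec, "analyst02", "received for analysis")
    ok_before, _ = verify_chain(ledger, rec)

    with open(image, "ab") as f:  # someone "touches" the image outside procedure
        f.write(b"\x00")
    record_custody(ledger, rec, "analyst02", "returned to evidence locker")
    ok_after, first_bad = verify_chain(ledger, rec)
    bad_actor = first_bad["actor"] if first_bad else None
    return ok_before, ok_after, bad_actor, rec["sha256"] == sha256_file(source)


if __name__ == "__main__":
    print(demo())
```

In practice the ledger would be kept somewhere the evidence handlers cannot edit (or signed per entry); the point of the example is that a bare hash at acquisition time is not enough, you need the hash re-checked at every hand-off to say who had the image when it changed.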
So before this post becomes a mini howto, better for me to stop there. Nowadays more and more organizations are aware of the importance of preserving or maintaining proper records, especially of their network traffic (based on my limited encounters lah). There was a time when a firewall or filtering via the boundary routers could be considered enough for network security. Now it seems that at least an Intrusion Detection System (IDS) is a must-have on the list of security devices for an organization (whether there are analysts, or at least people, monitoring the IDS output is another story). Also from my (limited) experience, most of our clients do have one or more log repositories. Again, whether these logs are reviewed or not is not a question for me to answer.
So what does it mean?
It means that nowadays the www is not the wild wild web it used to be, where you hit and then left the scene without much fuss over the trail. Bypassing a filtering device like a firewall is something cool, but now if you brag about how you managed to bypass a layer 3 and 4 filtering device, I guess people will just shrug and ignore you. Now there are mechanisms to detect your activities, whether on the network or on the attacked system itself. Hacking is not Harry Potter stuff and you do leave a trail. Sooner or later, the trail of your “hacking” activities will lead back to you.
With this kind of policy, and many other similar policies as well, organizations are perhaps well prepared to detect and respond to any security incident. Because for me, eventually you will be hacked or compromised. The important thing to remember is how you detect, respond to and recover from these attacks.
So bragging about your “hacking” activities in forums or blogs is, IMHO, a NO NO. It makes the task for the LEA easier, especially when you include your handle in the page that you “hacked”.
Anyway, somehow crime doesn’t pay
pergh…
so don’t be naughty laaa… just be good already…