Responding to Intrusions
February 1999 • Security Improvement Module
Klaus-Peter Kossakowski, Suresh Konda, William R. Wilson, Julia H. Allen, Christopher J. Alberts, Cory Cohen, Gary Ford, Barbara Fraser, Eric Hayes, John Kochmar
This 1999 report is one of a series of SEI publications that are intended to provide practical guidance to help organizations improve the security of their networked computer systems. This report is intended for system and network administrators, managers of information systems, and security personnel responsible for networked information resources.
Software Engineering Institute
These practices are intended primarily for system and network administrators, managers of information systems, and security personnel responsible for networked information resources. These practices are applicable to your organization if your networked systems infrastructure includes

• host systems providing services to multiple users (file servers, timesharing systems, database servers, Internet servers, etc.)
• local-area or wide-area networks
• direct connections, gateways, or modem access to and from external networks, such as the Internet

We recommend that you read all of the practices in this module before taking any action. To successfully implement the practices, it is important that you understand the overall context and the relationships among them. For instance, once you have read the practices in the Handle category, it is easier to understand the practices in the Prepare category (see the Summary of recommended practices table). If you are dealing with an intrusion, you may want to skip the first two preparatory practices and move immediately to Practice 3, Analyze all information necessary to characterize an intrusion. Once you have completed your response and recovery process, we recommend that you review and implement the preparatory practices.