Preparing to Detect Signs of Intrusion
June 1998 • Security Improvement Module
John Kochmar, Julia H. Allen, Christopher J. Alberts, Cory Cohen, Gary Ford, Barbara Fraser, Suresh Konda, Klaus-Peter Kossakowski, Derek Simmel
The practices contained in this 1998 report identify advance preparations you must make to enable you to obtain evidence of an intrusion or an intrusion attempt.
Software Engineering Institute
It is essential that those responsible for your organization's information systems and networks be adequately prepared to detect evidence of breaches in security when they occur. Without advance preparation, it will be difficult, if not impossible, to determine if an intruder has been present and the extent of the damage caused by the intrusion. Thorough preparation will permit you to detect an intrusion or an intrusion attempt during or soon after it occurs. Preparation involves consideration of your security policy and supporting procedures, your critical business information, your systems, your networks, your user community (internal and external), and the tools to be employed in detecting intrusions.
A general security goal is to prevent intrusions. Even if you have sophisticated prevention measures in place, your strategy for detecting intrusions must include preparation. This module is a companion to Detecting Signs of Intrusion.
The practices contained in this module identify advance preparations you must make to enable you to obtain evidence of an intrusion or an intrusion attempt. They are designed to help you prepare by configuring your data, systems, networks, workstations, tools, and user environments to capture the necessary information for detecting signs of intrusion.