Capturing the Lessons You've Learned
Once you believe that a system has been restored to a safe state, you may not be completely off the hook - there may still be holes and even traps lurking in the system. You'll need to have the system monitored for items that may have been missed during the cleanup stage.
You'll find a security log to be a valuable asset while vulnerabilities are being removed. Keep logs of procedure that have been used to make the system secure again. This information should include command procedures (e.g., shell scripts) that can be run on a periodic basis to recheck the security. Keep logs of important system events. Reference these events to determine the extent of the damage of a given incident.
After an incident, you'll need to write a report describing the incident, method of discovery, correction procedure, monitoring procedure, and a summary of lesson learned. This exercise will provide you with a clear understanding of the problem.
Elizabeth M. Ferrarini is a free-lance writer based in Arlington, Massachusetts.
This article was first published on CrossNodes, an internet.com site.