Last Updated: 2008-09-29 02:43:56 UTC
by Lorna Hutcheson (Version: 1)
In light of the upcoming month of Incident Handling, I thought it would be good to start with Step 0 and that is Detection. Before you ever begin your incident handling process, you have to know you are compromised. Sometimes its readily apparent and sometimes it isn't. However, there are some indicators that are often ignored or not thought of having "malicious" possibilities. These reports can be big clues and often go unchecked. Here are some of these ideas, in no particular order, yet are good indicators that something may be amiss.
- Your logging server hasn't logged any events or you haven't received alerts in the last 12 hours
- Your FTP server/user hard drives etc. are suddenly out of disk space or maybe logs increase in size more than your normal variation
- Your competition's products looks just like yours, but have a prettier color scheme
- Your customers start receiving spam on email addresses they used only to sign up for your service
- You get machine acts "funny" report from users (i.e. windows closing by themselves, browser homepage changed, etc.)
- Someone needs help connecting to the company's wireless access point, you don't have a wireless access point
- Complaints that software (payment processing software, web browser, etc) keeps crashing
- Complaints from user(s) that passwords/logins aren't working
- Computer systems running unusually slow
- Visitors to your website complain that they get redirected to another site or one that just doesn't "look" right
If you have other indicators that you have encountered in the past that have clued you in to a compromise, please let us know and we'll update the list.