Unexpected server reboot equal security incident?

View Poll Results: How often do you view your Event Viewer?

Voters: 43 (multiple choice poll)

  • Every week: 5 (11.63%)
  • Never: 7 (16.28%)
  • Only when stuff goes wrong!: 17 (39.53%)
  • What are you talking about?: 5 (11.63%)
  • Once a month: 3 (6.98%)
  • At Least Daily: 11 (25.58%)

  1. #1
    oldie ric-o
    Join Date
    Nov 2002
    Posts
    487

    Unexpected server reboot equal security incident?

    In practice do you consider an unplanned/unexpected server reboot a security incident?

    I know that in theory it does (security incident = unexpected event) but I want to know what does everyone PRACTICE?

    Further, what's the first step in your response process (security incident or not)? Contact the system administrator or the security office? If security office is not available is the system administrator allowed to act without security?

    I'm looking into the possibility of implementing this in my company and am looking for information regarding how others handle this 'event'.

    Thanks

  2. #2
    Super Moderator
    Know-it-All Master Beaver

    Join Date
    Jan 2003
    Posts
    3,914
    Hey Hey,

    I don't, personally, think that a reboot is enough to indicate a security incident. The concern may exist, but if I trust the safeguards in place, I'd first lean towards hardware issues... this comes into play especially with very new (relatively unused and therefore untested... may have conflicts with other parts of the server) and older software that may be on its way out.

    As far as handling, bring it back up (offline if you're suspicious) but check on the Event Log or /var/log/messages or whatever depending on the operating system... See if there's anything in there to explain the reboot. Also check if anyone was working around the error... I've seen lots of cases where people have tripped over a power bar or knocked a plug out and just put it back in real fast and snuck away because they don't want to accept blame.

    As far as procedures.... that company policy should already be in place.... A call list is the best way... As for the security office.... Physical security should already be accounted for.. Any server rooms should be alarmed so that security is notified if the reboot is caused physically while no one is around. As far as proceeding with or without security.... that again depends, if you have an outside party doing physical building security, do you really want them around your equipment? Are you authorized to access the room on your own (as the sys admin)? The biggest thing for unexplained lockups/reboots/etc is to have a call list in place... Security (should it be reported to them) should know to contact the on-call technical support (if there's currently one in the building)... otherwise a list of technicians/administrators should be created and an order in which to contact them if there is a problem.

    This is what I see around the office (for the most part) and what I've learned in class anyways... Some of the more experienced people will probably have a better answer.

    Peace,
    HT
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".
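
Added example, not part of the thread: one way to do the /var/log/messages check suggested in the post above is to ask, for every boot in the log, whether a clean-shutdown entry precedes it. The marker strings, the assumed year and the sample lines are constructed assumptions modelled on classic syslogd output and differ between distributions.

```python
from datetime import datetime

ASSUMED_YEAR = 2005  # assumption: classic syslog timestamps carry no year
# Assumed markers; adjust to what your init system and syslog daemon write.
SHUTDOWN_MARKERS = ("shutting down for system", "exiting on signal 15")
BOOT_MARKER = "kernel: Linux version"

# Constructed sample: one planned reboot, then one boot with no shutdown trail.
SAMPLE_LOG = """
Mar  3 02:00:01 web01 shutdown[2301]: shutting down for system reboot
Mar  3 02:00:04 web01 syslogd: exiting on signal 15
Mar  3 02:01:30 web01 kernel: Linux version 2.6.9 (constructed sample)
Mar  3 02:01:31 web01 syslogd 1.4.1: restart.
Mar  5 14:22:40 web01 crond[1900]: (root) CMD (run-parts /etc/cron.hourly)
Mar  5 14:37:55 web01 kernel: Linux version 2.6.9 (constructed sample)
Mar  5 14:37:56 web01 syslogd 1.4.1: restart.
"""

def parse_ts(line):
    """Parse the 15-character syslog timestamp at the start of a line."""
    return datetime.strptime(f"{ASSUMED_YEAR} {line[:15]}", "%Y %b %d %H:%M:%S")

def classify_boots(lines):
    """Return one record per boot: clean, unclean, or unknown (no prior log)."""
    boots, clean_seen, prev_line = [], False, None
    for line in lines:
        if not line.strip():
            continue
        if BOOT_MARKER in line:
            if prev_line is None:
                verdict, gap = "unknown", None  # log starts at this boot
            else:
                verdict = "clean" if clean_seen else "unclean"
                # Silence before the boot bounds when the host went down.
                gap = int((parse_ts(line) - parse_ts(prev_line)).total_seconds())
            boots.append({"boot": line[:15], "verdict": verdict,
                          "silent_seconds": gap, "last_entry": prev_line})
            clean_seen = False  # each boot needs its own shutdown evidence
        elif any(marker in line for marker in SHUTDOWN_MARKERS):
            clean_seen = True
        prev_line = line
    return boots

if __name__ == "__main__":
    for record in classify_boots(SAMPLE_LOG.splitlines()):
        print(record["boot"], record["verdict"], record["silent_seconds"])
```

An "unclean" verdict only says the log holds no orderly shutdown before that boot; the last entry and the silent interval are where the investigation starts. On Windows the comparable signal is System log event ID 6008, which records that the previous shutdown was unexpected.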

  3. #3
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    Continuity and reliability are also part of your security. So yes, I consider it a security incident. I for one would definitely like to know why this server unexpectedly rebooted. It could mean anything though. From a DoS to a plain old hardware failure. But it threatens the reliability and continuity and it should be fixed a.s.a.p.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  4. #4
    Senior Member
    Join Date
    Jul 2002
    Posts
    339
    It is an (IT) incident for sure, but not necessarily security incident. As SirDice said, it could be just plain old hardware failure. Or, an OS/application problem.

    Generally speaking, an incident is any event that is not part of the standard operation of a service and that causes an interruption (or reduction) in the service quality. Standard operation is defined within the Service Level Agreement (SLA) to users.

    Some companies implement incident management for handling incidents. Users would call a help desk/service desk "agent" who records the incident. The agent is then the 1st level support, and has a checklist procedure and access to some monitoring tools. If s/he can't determine the root cause, s/he can escalate the incident (and turn it into a problem) to the appropriate 2nd level support, like the system administrator. When the problem has been solved, the agent will notify the user and close the incident.

    Peace always,
    <jdenny>
    Always listen to experts. They'll tell you what can't be done and why. Then go and do it. -- Robert Heinlein
    I'm basically a very lazy person who likes to get credit for things other people actually do. -- Linus Torvalds


  5. #5
    Senior Member
    Join Date
    Dec 2004
    Posts
    137
    Hi. I voted no. Mainly because after an unplanned reboot, a security problem does not first come to mind. I will usually think hardware problem and chase that.

    But maybe I should change my thinking. In my neck of the woods, with the NOS's we use, server reboots don't happen too often.

  6. #6
    Super Moderator: GMT Zone nihil
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,192
    Continuity and reliability are also part of your security. So yes, I consider it a security incident. I for one would definitely like to know why this server unexpectedly rebooted. It could mean anything though. From a DoS to a plain old hardware failure. But it threatens the reliability and continuity and it should be fixed a.s.a.p.
    I am with SirDice on this one.

    "Security" includes the integrity of your data and applications. Re-booting in mid-flight could corrupt both? That potential would also have to be addressed as part of your remedial procedures.

    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  7. #7
    AO French Antique News Whore
    Join Date
    Aug 2001
    Posts
    2,126
    I would say yes also. An unexpected reboot can have bad consequences (downtime if your server is a public one like eCommerce) and it should be treated as critical.
    -Simon "SDK"

  8. #8
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403

    Re: Unexpected server reboot equal security incident?

    Originally posted here by ric-o
    Further, what's the first step in your response process (security incident or not)? Contact the system administrator or the security office? If security office is not available is the system administrator allowed to act without security?

    I'm looking into the possibility of implementing this in my company and am looking for information regarding how others handle this 'event'.
    If you want to impress your boss, try and implement ITIL.


    Now I've got a question in return (I already know the answer):
    Do you consider backups to be part of your security?
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  9. #9
    Senior Member
    Join Date
    Mar 2004
    Location
    Colorado
    Posts
    421
    I think IT security is a component of the total information assurance umbrella not the other way around.

    An inconsistent database due to random reboot can but does not have to be a direct security incident per se.

    A single random reboot or shutdown is cause for alarm and investigation but not a total DEFCON 5 freakout.

    Having an implemented incident response plan is always a great idea. Regardless of severity, it's a good idea to report up the chain of command any incident to ensure proper communication and documentation.

  10. #10
    Senior Member
    Join Date
    Mar 2004
    Posts
    510
    The original Security (CIA) Triad was confidentiality, integrity and availability. If the server is not available it is an incident.

    Since 9/11 security has changed as discussed in many articles including this one

    What's happened to availability?

    http://www.nwfusion.com/columnists/2...schwartau.html

    where he discusses the new triad that has emerged

    A new security triad, CPP, redefines the three main areas of security: Cyber (computer, network and information security), Physical (the wires, silicon, glass and structures) and People (employees, consultants, suppliers, partners and anyone in contact with your company).
    "You got a mouth like an outboard motor..all the time putt putt putt" - Foghorn Leghorn
