March 15th, 2005, 05:09 PM
Re: Re: Unexpected server reboot equal security incident?
Ah, good one. Yes, I do... however, implementation could vary. I personally consider backup policy definition a decision by the business (along with any regulations, etc.), with security providing input. The security office is then the 'custodian' of backups but may not actually DO the backups... that could be the IT operations function.
Originally posted here by SirDice
Do you consider backups to be part of your security?
Some good comments, everyone. You are reminding me of the best practice in security management that says an unexpected reboot is an EVENT but not necessarily a security incident. That is to be determined upon initial assessment of the situation... and may actually change from being considered/classified as a security incident to a non-incident later in the investigation.
I personally consider availability as a security matter - to me that's a no-brainer, as it's part of what you're taught in security training and one of the triad (as noted by whatthe). But I do not feel that security is the actual implementer nor maintainer of the systems responsible for that. That's another no-brainer. Just because security is responsible for availability doesn't mean they manage the networks, manage the backup systems, manage the systems... of course they don't... they coordinate with those responsible parties and also implement/maintain policies governing them. I digress a bit here.
Great comments...keep 'em coming.
March 15th, 2005, 05:09 PM
While I appreciate the writer's intent, I think he left out some important considerations.
Originally posted here by whatthe
The original Security (CIA) Triad was confidentiality, integrity and availability. If the server is not available it is an incident.
Since 9/11, security has changed, as discussed in many articles including this one, "What's happened to availability?", where he discusses the new triad that has emerged.
Those of us that fight daily with CFOs to get funding for process and policy run into companies' revenue and budgetary hurdles that must be addressed. So once again there is the "perfect" world and the "current" world, and the reality of creating solutions to problems with limited resources.
Sure, some orgs get it right and allocate resources in a way that provides the necessary tools to do the job, but many do not, and the reality is they are not just going to pull the plugs due to a poor security profile.
This column is VERY typical of current writing on infosec issues.
A lot of feel-good theory without much substance in regard to specific recommendations for solving specific problems.
Thanks for the link!!!
March 15th, 2005, 06:04 PM
Most people summed up the important points. I'll still throw in my 2 bits...
First, you need to define what an incident is. Second, you need to define the scope of your incidents. This pretty much is where events come in. Event 1 and Event 2 mean that an incident level 4 has occurred. Incident level 4 may translate to a hardware issue. The key here is not to have too many or too few incident levels. Seven would be the max. This makes trending and reporting much easier for you.
So, I voted "it depends." A reboot is an event. A defined incident is the culmination of events.
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
March 16th, 2005, 02:25 AM
Hi. I just felt I should add this, as it's related to the topic of the thread.
I pretty much follow the same or similar approach as the majority of other posters, but if I see network gear such as a managed switch or router freeze/crash/reboot out of the blue (especially if it happens twice in a row on the same device), alarm bells start to ring in my head until I have ruled out a security incident, and then I start to treat it as an event and chase hardware networking troubleshooting steps.
It might be common sense for some of the more experienced, but perhaps not for others. Just thought I should add it.
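The triage rule the last two posters describe (a single unexpected reboot is an event; a repeat on the same device is treated as a suspected incident until investigation rules a security cause out) can be expressed as a small script. This is an added example, not code from anyone in this thread; the syslog-style lines, host names and "cold start, reason=" format are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a syslog-like format (hosts and events are made up).
SAMPLE_LOG = """\
2005-03-15T17:09:00 core-sw1 system: cold start, reason=unknown
2005-03-15T17:10:30 core-sw1 system: cold start, reason=unknown
2005-03-15T17:20:00 edge-rtr2 system: cold start, reason=unknown
2005-03-15T18:00:00 core-sw1 system: interface Gi0/1 up
2005-03-15T22:15:00 edge-rtr2 system: cold start, reason=unknown
2005-03-15T23:00:00 edge-rtr2 system: cold start, reason=scheduled
"""

# Assumed line format: "<ISO timestamp> <host> system: cold start, reason=<word>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) system: cold start, reason=(?P<reason>\S+)$"
)

# Reboots with a planned cause are not "unexpected" and never count toward escalation.
EXPECTED_REASONS = {"scheduled", "maintenance"}


def parse_reboots(log_text):
    """Return (timestamp, host, reason) for every reboot line in the log."""
    reboots = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            reboots.append((datetime.fromisoformat(m["ts"]), m["host"], m["reason"]))
    return reboots


def classify(log_text, window=timedelta(hours=1)):
    """Map each host to 'event' or 'suspected incident'.

    One unexpected reboot is an event. Two unexpected reboots on the same
    device within `window` escalate it to a suspected incident, which stays
    open until an investigation rules a security cause out.
    """
    by_host = defaultdict(list)
    for ts, host, reason in parse_reboots(log_text):
        if reason not in EXPECTED_REASONS:
            by_host[host].append(ts)
    verdict = {}
    for host, times in by_host.items():
        times.sort()
        repeated = any(b - a <= window for a, b in zip(times, times[1:]))
        verdict[host] = "suspected incident" if repeated else "event"
    return verdict


if __name__ == "__main__":
    for host, status in sorted(classify(SAMPLE_LOG).items()):
        print(f"{host}: {status}")
```

core-sw1 rebooted twice within ninety seconds and is escalated; edge-rtr2's two unexpected reboots are hours apart and its scheduled reboot is ignored, so it stays an event.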