Unexpected server reboot equal security incident? - Page 2

View Poll Results: How often do you view your Event Viewer?

  • Every week: 5 (11.63%)
  • Never: 7 (16.28%)
  • Only when stuff goes wrong!: 17 (39.53%)
  • What are you talking about?: 5 (11.63%)
  • Once a month: 3 (6.98%)
  • At least daily: 11 (25.58%)

Voters: 43. Multiple choice poll.

Thread: Unexpected server reboot equal security incident?

  1. #11
    oldie ric-o's Avatar
    Join Date
    Nov 2002
    Posts
    487

    Re: Re: Unexpected server reboot equal security incident?

    Originally posted here by SirDice
    Do you consider backups to be part of your security?
    Ah, good one. Yes I do...however, implementation could vary. I personally consider backup policy definition a decision by the business (along with any regulations, etc.) with security providing input. The security office is then the 'custodian' of backups but may not actually DO the backups...that could be the IT operations function.

    Some good comments everyone. You are reminding me of the best practice in security management that says an unexpected reboot is an EVENT but not necessarily a security incident. That is to be determined upon initial assessment of the situation...and may actually change from being considered/classified as a security incident to a non-incident later in the investigation.

    I personally consider availability a security matter - to me that's a no-brainer, as it's part of what you're taught in security training and one of the triad (as noted by whatthe). But I do not feel that security is the actual implementer or maintainer of the systems responsible for that. That's another no-brainer. Just because security is responsible for availability doesn't mean they manage the networks, manage the backup systems, manage the systems....of course they don't...they coordinate with those responsible parties and also implement/maintain policies governing them. I digress a bit here.

    Great comments...keep 'em coming.

  2. #12
    Senior Member
    Join Date
    Mar 2004
    Location
    Colorado
    Posts
    421
    Originally posted here by whatthe
    The original Security (CIA) Triad was confidentiality, integrity and availability. If the server is not available it is an incident.

    Since 9/11 security has changed as discussed in many articles including this one

    What's happened to availability?

    http://www.nwfusion.com/columnists/2...schwartau.html

    where he discusses the new triad that has emerged
    While I appreciate the writer's intent, I think he left out some important considerations.
    Those of us that fight daily with CFOs to get funding for process and policy run into companies' revenue and budgetary hurdles that must be addressed. So once again there is the "perfect" world and the "current" world and the reality of creating solutions to problems with limited resources.
    Sure, some orgs get it right and allocate resources in a way that provides the necessary tools to do the job, but many do not, and the reality is they are not just going to pull the plugs due to a poor security profile.

    This column is VERY typical of current writing on infosec issues.
    A lot of feel-good theory without much substance in regard to specific recommendations for solving specific problems.

    Thanks for the link!!!

  3. #13
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    Most people summed up the important points. I'll still throw in my 2 bits...

    First, you need to define what an incident is. Second, you need to define the scope of your incidents. This pretty much is where events come in. Event 1 and Event 2 mean that an incident level 4 has occurred. Incident level 4 may translate to a hardware issue. The key here is not to have too many or too few incident levels. Seven would be the max. This makes trending and reporting much easier for you.

    So, I voted, it depends. A reboot is an event. A defined incident is the culmination of events.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  4. #14
    Senior Member
    Join Date
    Dec 2004
    Posts
    137
    Hi. I just felt I should add this; it's related to the topic of the thread.

    I pretty much follow the same or similar approach as the majority of other posters, but if I see network gear such as a managed switch or router freeze/crash/reboot out of the blue (especially if it happens twice in a row on the same device), alarm bells start to ring in my head until I have ruled out a security incident, and then I start to treat it as an event and chase hardware networking troubleshooting steps.

    It might be common sense for some of the more experienced, but perhaps not for others. Just thought I should add it.

    :-)
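As an added example that is not from any poster in this thread, the "a reboot is an event, an incident is the culmination of events" rule from post #13 and the "twice in a row on the same device" alarm from post #14 expressed as a small correlation script over constructed reboot log lines. The log format, the level names EVENT and INCIDENT_CANDIDATE, the one-hour window and the repeat threshold of two are all assumptions; the thread gives no fixed scheme.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the thread): timestamp, device, kind, detail.
SAMPLE_LOG = """\
2005-01-10T02:14:00 sw-core-1 unexpected reboot: previous shutdown was unexpected
2005-01-10T02:31:00 sw-core-1 unexpected reboot: previous shutdown was unexpected
2005-01-10T03:00:00 fs-01 scheduled reboot: patch window
2005-01-11T09:12:00 rtr-edge-2 unexpected reboot: watchdog reset
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (unexpected|scheduled) reboot: (.*)$")

def parse_events(log_text):
    """Parse each line into (timestamp, device, kind, detail); skip unparseable lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def classify(events, window=timedelta(hours=1), repeat_threshold=2):
    """Return {device: level}. Scheduled reboots are ignored, a single
    unexpected reboot is an EVENT, and repeat_threshold or more unexpected
    reboots of the same device inside `window` escalate to INCIDENT_CANDIDATE
    (assumed level names) for a human to rule a security incident in or out."""
    by_device = defaultdict(list)
    for ts, device, kind, _ in events:
        if kind == "unexpected":
            by_device[device].append(ts)
    result = {}
    for device, stamps in by_device.items():
        stamps.sort()
        level = "EVENT"
        for i in range(len(stamps)):
            # count unexpected reboots within `window` after stamps[i]
            n = sum(1 for t in stamps[i:] if t - stamps[i] <= window)
            if n >= repeat_threshold:
                level = "INCIDENT_CANDIDATE"
                break
        result[device] = level
    return result

if __name__ == "__main__":
    for device, level in classify(parse_events(SAMPLE_LOG)).items():
        print(f"{device}: {level}")
```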
