Incident Response - For Users

From Security Wiki
Revision as of 21:20, 28 February 2012

Scope

This document applies to all individuals authorized to use SDSC's IT resources. The prescribed actions and processes described in this document apply to situations involving any SDSC Host (as defined in the SDSC Security Policy) as well as any of the IT resources provided by SDSC.

Background

Incident response does not only involve IT staff and security. Users, such as yourself, play a big part too, as they are often the first to realize something "odd". However, with respect to incident response, users also have the ability to do the most damage. By attempting to investigate incidents on their own, a user may inadvertently destroy evidence or warn the intruder of our knowledge of their presence.

The procedures described in this document are designed to provide an effective means of transferring the responsibility of handling an incident or potential incident from the user to security staff, with minimal loss of evidence and minimal risk of alerting an intruder. We encourage you to make use of this process whenever you suspect an incident, not only when you know one has occurred.

Identifying a Possible Security Incident

Incidents are not always easy to spot. Sometimes you will see clear-cut evidence of a security incident, such as a warning from your antivirus software, or a host obviously acting under the control of someone else. Other times, the clues may be more subtle:

  • Did you notice login activity on your account from hosts that you don't normally log in from?
  • Has your computer been unusually slow or unstable lately?
  • Do you end up at websites that do not correspond to the URL you entered?
  • Do you get warning notifications when you haven't before?
  • Have you observed any unexpected configuration changes?

These are just examples, and do not encompass all possible signs of an incident. Use these examples to give you an idea of what to be attentive for, and fine-tune your intuition. Generally speaking, should you find yourself using a computer and thinking "Huh, that's odd, this isn't right...", you are probably looking at a potential security incident.
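The first sign in the list above, logins to your account from hosts you don't normally use, is one a user can check for without touching anything else on the machine. The following added example (not part of this wiki page) parses constructed `last`-style login records and flags sessions whose source host is outside a baseline of usual hosts; the user names, hosts, dates and the baseline set are all assumptions made up for the example.

```python
from collections import namedtuple

LoginRecord = namedtuple("LoginRecord", "user tty host when")

# Constructed sample in the layout printed by `last` on Linux/BSD hosts;
# the user name, hosts and dates are made up for this example.
SAMPLE_LAST_OUTPUT = """\
jdoe     pts/0        10.1.2.34        Mon Feb 27 09:12   still logged in
jdoe     pts/1        10.1.2.34        Sun Feb 26 18:40 - 19:05  (00:25)
jdoe     pts/2        203.0.113.77     Sun Feb 26 03:14 - 03:20  (00:06)
jdoe     pts/0        laptop.example   Fri Feb 24 08:55 - 17:30  (08:35)
reboot   system boot  3.2.0-generic    Fri Feb 24 08:50 - 17:30  (08:40)

wtmp begins Wed Feb  1 00:00:00 2012
"""

# Hosts this user normally logs in from (an assumption for the example;
# in practice, build it from the logins you know were yours).
USUAL_HOSTS = {"10.1.2.34", "laptop.example"}


def parse_last(output):
    """Parse `last` output into LoginRecord tuples, skipping reboot
    entries, blank lines and the trailing 'wtmp begins' line."""
    records = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] in ("reboot", "wtmp"):
            continue
        user, tty, host = parts[0], parts[1], parts[2]
        when = " ".join(parts[3:7])  # e.g. "Mon Feb 27 09:12"
        records.append(LoginRecord(user, tty, host, when))
    return records


def unusual_logins(output, usual_hosts):
    """Return the login records whose source host is not in usual_hosts."""
    return [r for r in parse_last(output) if r.host not in usual_hosts]


if __name__ == "__main__":
    for r in unusual_logins(SAMPLE_LAST_OUTPUT, USUAL_HOSTS):
        print(f"unexpected login for {r.user} from {r.host} at {r.when}")
```

A flagged line is a reason to report through the procedure below, not to start investigating on your own.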


Incident Response Procedure for Users

Observe a Problem

Stop What You're Doing

Hands Off!!

Inform Security

Take Notes