Operating system or application vulnerability
A flaw in an application or in the operating system itself permits unauthorized access to data, elevation of privileges, or the remote execution of arbitrary code.
- Isolate the affected systems. This is the simplest technique for containing an unauthorized access incident—disconnect each affected system from the network. This prevents the affected systems from being further compromised. However, it can be challenging to identify all affected systems. Attackers often use one compromised system as the source of attacks against other internal systems. Handlers should examine other systems for signs of successful attacks and contain those components of the incident as well. If many systems need to be checked, automated methods could be used, such as performing port scans for backdoors.
- Disable the affected service. If an attacker is using a particular service to gain unauthorized access, containing the incident may include temporarily or permanently disabling the service. For example, if the attacker is exploiting an FTP vulnerability and the unauthorized access is limited to the FTP data files, the incident could be contained by temporarily disabling the FTP service. If the server is inadvertently running FTP, then FTP should be disabled permanently.
- Eliminate the attacker’s route into the environment. If possible, prevent the attacker from accessing nearby resources that might be the next targets while minimizing disruption of services to authorized users. Examples include temporarily blocking incoming connections to a particular network segment or disconnecting a remote access server.
- Disable user accounts that may have been used in the attack. The same accounts and passwords that were acquired from one system may work on other systems; therefore, the accounts may need to be disabled across the enterprise. Handlers should also look for new user accounts that may have been created by the attacker. Accounts should be disabled, rather than just changing passwords, until handlers determine what actions the attacker performed.
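Two of the containment steps above call for checking many hosts quickly: the first (look for backdoors on other systems) and the last (look for accounts the attacker created). The script below is an added example, not part of the guide, showing a host-side version of both checks: it compares a snapshot of listening TCP sockets and of the account database against a known-good baseline and reports the differences a handler would triage. It assumes Linux `ss -tlnpH` output and `/etc/passwd` as the snapshot formats; the baseline sets, the `ss` lines and the passwd entries are all constructed for the example (the 31337 listener and the `support`/`sysadm` accounts are the planted findings).

```python
"""Containment triage helper: compare host snapshots against known-good baselines.

Added example; not text or code from the incident-handling guide above.
Assumptions (all constructed for this example):
  * the listener snapshot is Linux `ss -tlnpH` output (one socket per line,
    columns: State Recv-Q Send-Q Local:Port Peer:Port Process)
  * the account snapshot is the contents of /etc/passwd
  * BASELINE_LISTENERS / BASELINE_ACCOUNTS come from a known-good build record
"""
import re
from dataclasses import dataclass

# Known-good listening TCP ports for this host role (constructed baseline).
BASELINE_LISTENERS = {22, 80, 443}
# Accounts expected on the host (constructed baseline).
BASELINE_ACCOUNTS = {"root", "daemon", "www-data", "sshd", "alice"}

# Constructed `ss -tlnpH` sample: port 31337 is not in the baseline.
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 *:80 *:* users:(("nginx",pid=901,fd=6))
LISTEN 0 511 *:443 *:* users:(("nginx",pid=901,fd=7))
LISTEN 0 5 0.0.0.0:31337 0.0.0.0:* users:(("nc",pid=4242,fd=3))
LISTEN 0 128 [::1]:631 [::]:* users:(("cupsd",pid=650,fd=4))
"""

# Constructed /etc/passwd sample: two accounts absent from the baseline,
# one of them a second UID-0 account.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
support:x:1001:1001::/home/support:/bin/bash
sysadm:x:0:0::/root:/bin/bash
"""

_PROC_RE = re.compile(r'users:\(\("([^"]+)",pid=(\d+)')


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    process: str
    pid: int

    @property
    def loopback_only(self) -> bool:
        # Loopback-bound listeners are unreachable from the network, but still
        # worth a look because a local backdoor may be proxied through them.
        return self.addr.startswith("127.") or self.addr == "[::1]"


@dataclass(frozen=True)
class Account:
    name: str
    uid: int
    shell: str


def parse_listeners(ss_output: str) -> list:
    """Parse header-less `ss -tlnp` lines into Listener records."""
    result = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        addr, port = fields[3].rsplit(":", 1)
        m = _PROC_RE.search(line)
        process, pid = (m.group(1), int(m.group(2))) if m else ("?", 0)
        result.append(Listener(addr, int(port), process, pid))
    return result


def unexpected_listeners(listeners, baseline):
    """Listeners whose port is not in the known-good set, in snapshot order."""
    return [l for l in listeners if l.port not in baseline]


def parse_passwd(text: str) -> list:
    """Parse /etc/passwd lines into Account records (name, uid, shell)."""
    result = []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) != 7:
            continue
        result.append(Account(parts[0], int(parts[2]), parts[6]))
    return result


def new_accounts(accounts, baseline):
    """Accounts present on the host but absent from the baseline."""
    return [a for a in accounts if a.name not in baseline]


def uid0_aliases(accounts):
    """Names of UID-0 accounts other than root: a reason to disable the
    account outright rather than merely reset its password."""
    return [a.name for a in accounts if a.uid == 0 and a.name != "root"]


if __name__ == "__main__":
    for l in unexpected_listeners(parse_listeners(SAMPLE_SS), BASELINE_LISTENERS):
        scope = "loopback" if l.loopback_only else "network"
        print(f"unexpected listener {l.addr}:{l.port} ({scope}) pid={l.pid} {l.process}")
    accts = parse_passwd(SAMPLE_PASSWD)
    for a in new_accounts(accts, BASELINE_ACCOUNTS):
        print(f"account not in baseline: {a.name} uid={a.uid} shell={a.shell}")
    for name in uid0_aliases(accts):
        print(f"extra UID-0 account: {name}")
```

In practice the two snapshots would be collected from each host by the existing management channel and fed to this comparison centrally, which complements the network port scan the guide mentions: a host-side listener list also catches backdoors bound to loopback or filtered by a host firewall, which a remote scan would miss. Keeping the baseline per host role rather than per host keeps it maintainable across many systems.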