Information Security Best Practices: 205 Basic Rules


Section 19: Emergency Rules Against Attacks

Emergency procedures or countermeasures must be used when a network or computer is compromised. These emergency procedures may seem drastic, but can save downtime and prevent the destruction of information.

INFOSEC Best Practice #195

If you suspect your site is being probed, then turn on logging and run intrusion detection software.

If you suspect that your site is being probed, then make sure that security logging is turned on. The intrusion detection software must notify you via your beeper of any suspicious activity so that you can react quickly to the situation. Investing in an intrusion detection software package may give you the warning you need before too much damage is done by the hacker(s).
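The logging-and-alerting step in this rule, as an added example that is not from the book: a small Python detector run over constructed firewall-style log lines (the log format, the addresses and the five-port threshold are all assumptions) that flags a source address touching many distinct destination ports within a short window, the pattern a port sweep leaves in security logs once logging is on.

```python
# Added example (not from the book): a minimal probe detector run over
# constructed firewall-style log lines. It flags a source address that
# touches many distinct destination ports within a short window, which
# is the pattern a port sweep leaves in security logs once logging is on.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed "timestamp action src dst port" format.
SAMPLE_LOG = """\
2024-03-01T10:00:01 DENY 203.0.113.7 192.0.2.10 21
2024-03-01T10:00:02 DENY 203.0.113.7 192.0.2.10 22
2024-03-01T10:00:02 DENY 203.0.113.7 192.0.2.10 23
2024-03-01T10:00:03 DENY 203.0.113.7 192.0.2.10 25
2024-03-01T10:00:04 DENY 203.0.113.7 192.0.2.10 80
2024-03-01T10:00:05 DENY 203.0.113.7 192.0.2.10 110
2024-03-01T10:00:09 ALLOW 198.51.100.5 192.0.2.10 25
2024-03-01T10:02:15 ALLOW 198.51.100.5 192.0.2.10 25
2024-03-01T10:03:40 DENY 198.51.100.9 192.0.2.10 443
"""

def parse_line(line):
    """Split one log line into (timestamp, action, src, dst, port)."""
    ts, action, src, dst, port = line.split()
    return datetime.fromisoformat(ts), action, src, dst, int(port)

def find_probes(log_text, max_ports=5, window=timedelta(seconds=60)):
    """Return {src: sorted ports} for every source that hits more than
    max_ports distinct destination ports inside any window-long span."""
    events = defaultdict(list)            # src -> [(timestamp, port), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, _action, src, _dst, port = parse_line(line)
        events[src].append((ts, port))
    alerts = {}
    for src, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans at most `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            ports = {p for _, p in hits[start:end + 1]}
            if len(ports) > max_ports:
                alerts[src] = sorted(ports)
                break
    return alerts

if __name__ == "__main__":
    for src, ports in find_probes(SAMPLE_LOG).items():
        print(f"ALERT: {src} touched {len(ports)} ports {ports}")
```

Run against the sample, only 203.0.113.7 is reported; raising the threshold or widening the window tunes the detector to the site's normal traffic.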

INFOSEC Best Practice #196

If you are in the process of being spammed, stop your post-office process on the mail server.

If you are being attacked by mail bombs or being spammed, then the mail server disk may be filling up and the CPU may be overloaded. By stopping the post-office process on the mail server, you will stop the server from accepting any new mail via port 25. This gives you time to protect the computer against the suspected attack and, in the event of spamming, to clean up your hard disk by deleting the junk mail. Also, keep all user email on a separate disk partition so that a flood of incoming mail can fill only that partition and not the system disk.

INFOSEC Best Practice #197

If you suspect that you are having illegal telnet sessions, then shut the telnet service off.

A telnet session requires...