Along with developing a security policy and selecting appropriate security measures to implement that policy, a site needs to establish and test procedures for handling system, site, or network compromises. The procedure should address two areas:

Appropriate responses once a breach is suspected or confirmed. Site guidelines should help determine whether to increase site security (eliminating all possibility of further compromise), put proactive measures in place to apprehend the offender, or collect evidence to initiate a criminal or civil suit. Each decision has its own set of rules and guidelines.

Appropriate contacts and resources outside of the site that may be needed should such an event occur. For example, a company might want to become familiar with local, state, and federal authorities (as applicable), local phone carriers (security division), and the HP support groups.

This chapter describes how to recognize when an attack on the system is in progress or has taken place and what countermeasures can be taken.