Re: Odd situation, advice needed on penentration test results

On Wed, Mar 26, 2003 at 02:01:44PM -0800, Harlan Carvey wrote:
> Ido,
>
> I would agree that the system needs to be secured, but
That's where network packet logging and possibly IDS would be useful. I agree that capturing the IP source address is important.
>
> I'm not sure I completely understand your reasoning
Actually, that's what happens when you have two trains of thought in your head and only write half of each. I meant to say that you should be careful because the intruder may have set up a logic bomb that if the network interface  goes down then the system (or at least his files) get wiped. That's the reason why it may be better to simply unplug the system at the power source since then there should (theoretically) be no way for a logic bomb that triggers on network interface connectivity from wiping the system before you have a chance to capture the drive image. I was writing on two things and forgot to make sure I was complete on both of them. Sorry.

Ido

-- 
===========================================================================
                        | Ido Dubrawsky          E-mail: idubraws@cisco.com
     |          |       | Network Security Architect
    :|:        :|:      | VSEC Technical Marketing, SAFE Architecture Team
   :|||:      :|||:     | Cisco Systems, Inc.
.:|||||||:..:|||||||:.  | Silver Spring, MD. 20902
===========================================================================

top spam and e-mail risk at the gateway.
SurfControl E-mail Filter puts the brakes on spam & viruses
and gives you the reports to prove it. See exactly how much
junk never even makes it in the door. Free 30-day trial:
http://www.surfcontrol.com/go/zsfptl1