9.42. Filing an Incident Report

Problem

You want to report a security incident to appropriate authorities, such as a computer security incident response team (CSIRT).

Solution

In advance of any security incident, develop and document a security policy that includes reporting guidelines. Store CSIRT contact information offline, in advance.

When an incident occurs:

  1. Decide if the incident merits an incident report. Consider the impact of the incident.

  2. Gather detailed information about the incident. Organize it, so you can communicate effectively.

  3. Contact system administrators at other sites that were involved in the incident, either as attackers or victims.

  4. Submit incident reports to appropriate CSIRTs. Be sure to respond to any requests for additional information.

Discussion

If your system has been hacked [Recipe 9.41], or you have detected suspicious activity that might indicate an impending break-in, report the incident. A wide range of computer security incident response teams (CSIRTs) are available to help.

CSIRTs act as clearinghouses for security information. They collect and distribute news about ongoing security threats, analyze statistics gathered from incident reports, and coordinate defensive efforts. Collaboration with CSIRTs is an important part of being a responsible network citizen: any contribution, however small, to improving the security of the Internet will help you, too.

Develop a security policy, including procedures and contact information for applicable CSIRTs, before ...

Get Linux Security Cookbook now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.