Page 1194 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
are disabled or removed, that all up-to-date patches are installed, that
user accounts are modified from the defaults, and that any compromises
have been reversed.
In some cases, an attacker may have installed malicious
code on a system during an attack. This may not be apparent
without a detailed inspection of the system. The most secure
method of restoring a system after an incident is to completely
rebuild the system from scratch, using known-good installation
media or images and restoring only data that was verified or
backed up before the compromise. If investigators suspect that an
attacker may have modified code on the system, rebuilding the
system is usually the better option.
Remediation
In the remediation stage, personnel look at the incident and attempt to
identify what allowed it to occur, and then implement methods to
prevent it from happening again. This includes performing a root
cause analysis.
A root cause analysis examines the incident to determine what allowed
it to happen. For example, if attackers successfully accessed a database
through a website, personnel would examine all the elements of the
system to determine what allowed the attackers to succeed. If the root
cause analysis identifies a vulnerability that can be mitigated, this
stage will recommend a change.
It could be that the web server didn’t have up-to-date patches,
allowing the attackers to gain remote control of the server.
Remediation steps might include implementing a patch management
program. Perhaps the website application wasn’t using adequate input
validation techniques, allowing a successful Structured Query
Language (SQL) injection attack. Remediation would involve updating
the application to include input validation. Maybe the database is
located on the web server instead of in a backend database server.
Remediation might include moving the database to a server behind an
additional firewall.
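The SQL injection example in this passage, shown as code: an added illustration, not code from the study guide. It uses Python's built-in sqlite3 module with a constructed in-memory table. login_vulnerable builds the query by string concatenation (the root cause); login_fixed uses a parameterized query, and login_validated adds input validation in front of it as defense in depth. The table, accounts and the USERNAME_RE pattern are assumptions made for the example.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data for the example (not from the original page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """The 'before' state: user input is spliced into the SQL text, so an
    attacker can change the query's structure (for example by closing the
    string and starting a comment)."""
    sql = (
        f"SELECT username, role FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return conn.execute(sql).fetchall()


def login_fixed(conn, username, password):
    """Remediation: a parameterized query. The driver binds the values as
    data, so quotes or comment markers in the input never reach the parser."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# Assumed allow-list for usernames; tighten or loosen to the application's rules.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def login_validated(conn, username, password):
    """Input validation in front of the parameterized query: reject anything
    that cannot be a legitimate username before it reaches the database."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("rejected username")
    return login_fixed(conn, username, password)


if __name__ == "__main__":
    db = make_db()
    payload = "alice' --"  # closes the string, comments out the password check
    print("vulnerable:", login_vulnerable(db, payload, "wrong"))  # alice row leaks
    print("fixed:     ", login_fixed(db, payload, "wrong"))       # no match
    try:
        login_validated(db, payload, "wrong")
    except ValueError as exc:
        print("validated: ", exc)
```

Parameterized queries are the primary fix for this root cause; input validation on its own is weaker, because some legitimate inputs must contain quotes, so treat it as an additional layer rather than the remediation itself.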

