Topologies and IDS • Chapter 7 469
TEST DAY TIP
A false positive is an alert on activity that is not actually an attack. It is
costly because you spend time assembling the facts of the case and hunting
for a weakness in your system that is not there. A false negative is the
reverse: the IDS stays silent while an attack is actually taking place. Of
the four possible detection outcomes (true positive, true negative, false
positive, false negative), the false negative is the worst. It gives you the
feeling that everything is OK, all the while an attacker has compromised
your systems and is helping themselves to your sensitive and valuable
data.
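The four outcomes above only become visible when IDS verdicts are compared against an independent record of what actually happened; the alert log by itself can never show a false negative. The following added example (not code from the study guide) classifies a constructed set of connection records into the four states and computes the two rates an analyst cares about; the connection IDs and verdicts are made up for illustration.

```python
"""Classify IDS verdicts against ground truth into TP / TN / FP / FN.

Added example; the records below are constructed, not from a real sensor.
Each tuple is (connection_id, ids_alerted, actually_malicious).
"""
from collections import Counter

SAMPLE_EVENTS = [
    ("c1", True, True),    # true positive: alert on a real attack
    ("c2", False, False),  # true negative: silence on benign traffic
    ("c3", True, False),   # false positive: alert on benign traffic
    ("c4", False, True),   # false negative: silence during a real attack
    ("c5", True, True),
    ("c6", False, False),
    ("c7", False, False),
    ("c8", False, True),
]


def classify(alerted: bool, malicious: bool) -> str:
    """Map one (verdict, truth) pair to its outcome label."""
    if alerted and malicious:
        return "TP"
    if alerted and not malicious:
        return "FP"
    if not alerted and malicious:
        return "FN"
    return "TN"


def tally(events) -> Counter:
    """Count how many events fall into each of the four outcomes."""
    return Counter(classify(alerted, malicious) for _, alerted, malicious in events)


def rates(counts: Counter) -> dict:
    """Detection rate (share of real attacks caught) and false-positive rate
    (share of benign traffic that raised an alert). Guards against empty classes."""
    tp, fp, fn, tn = counts["TP"], counts["FP"], counts["FN"], counts["TN"]
    detection_rate = tp / (tp + fn) if tp + fn else 0.0
    false_positive_rate = fp / (fp + tn) if fp + tn else 0.0
    return {"detection_rate": detection_rate, "false_positive_rate": false_positive_rate}


def missed_attacks(events) -> list:
    """Connection IDs where the IDS stayed silent during an attack.
    Note this needs the ground-truth column: the IDS log alone cannot produce it."""
    return [cid for cid, alerted, malicious in events if classify(alerted, malicious) == "FN"]


if __name__ == "__main__":
    counts = tally(SAMPLE_EVENTS)
    print(dict(counts))
    print(rates(counts))
    print("missed attacks:", missed_attacks(SAMPLE_EVENTS))
```

In practice the ground-truth column comes from somewhere other than the IDS: host logs, a honeypot, a red-team exercise, or a later forensic review. Without such a source, the false negatives in the last column are exactly the attacks nobody ever hears about.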
Incident Response
The first decision after receiving notification of an attack is how to respond
to it. In some cases the administrator may want to allow the attack to continue
for a short period of time so that they can collect further data and other
evidence about the attack, its origin, and its methods. After terminating the
attack, or upon discovering evidence of it, they must take all available steps
to ensure that the chain of evidence (the chain of custody) is not broken: save
and export log and audit files before they are overwritten, close open ports
that have been exploited, and secure services that should not have been running
in the first place. In short, take every available step to ensure that the same
type of attack will not occur again some time in the future.
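Saving and exporting the logs is only half of preserving evidence; you also need to be able to show later that the copies were not altered. The following added example (not code from the study guide) copies log files into an evidence directory, records a SHA-256 hash, size, collector and UTC timestamp for each in a manifest, and re-verifies the copies on demand. The file names, the log lines and the collector name are constructed for illustration.

```python
"""Export log files into an evidence directory with a hash manifest.

Added example; file names, log contents and the collector name are constructed.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large logs do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def collect_evidence(sources, evidence_dir: str, collector: str) -> str:
    """Copy each source file into evidence_dir, hash it, and write manifest.json.
    Returns the manifest path."""
    os.makedirs(evidence_dir, exist_ok=True)
    entries = []
    for src in sources:
        dst = os.path.join(evidence_dir, os.path.basename(src))
        shutil.copy2(src, dst)  # copy2 preserves mtime, which matters for the timeline
        entries.append({
            "source": src,
            "stored_as": dst,
            "sha256": sha256_file(dst),
            "size": os.path.getsize(dst),
        })
    manifest = {
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "collected_by": collector,
        "files": entries,
    }
    manifest_path = os.path.join(evidence_dir, "manifest.json")
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest_path


def verify_evidence(manifest_path: str) -> list:
    """Re-hash every file in the manifest; return the paths of any that are
    missing or no longer match their recorded hash."""
    with open(manifest_path) as f:
        manifest = json.load(f)
    return [
        entry["stored_as"]
        for entry in manifest["files"]
        if not os.path.exists(entry["stored_as"])
        or sha256_file(entry["stored_as"]) != entry["sha256"]
    ]


def demo() -> tuple:
    """Create constructed logs, collect them, then tamper with one copy and re-verify.
    Returns (problems_before_tampering, basenames_flagged_after_tampering)."""
    work = tempfile.mkdtemp()
    constructed_logs = [
        ("auth.log", "Jan  1 03:14:07 host sshd[4242]: Failed password for root from 192.0.2.10\n"),
        ("ids.log", "Jan  1 03:14:09 host ids: constructed alert, src 192.0.2.10\n"),
    ]
    sources = []
    for name, text in constructed_logs:
        path = os.path.join(work, name)
        with open(path, "w") as f:
            f.write(text)
        sources.append(path)

    manifest = collect_evidence(sources, os.path.join(work, "evidence"), "analyst-on-call")
    clean = verify_evidence(manifest)

    # Simulate an accidental or malicious change to one of the stored copies.
    with open(os.path.join(work, "evidence", "auth.log"), "a") as f:
        f.write("tampered\n")
    flagged = verify_evidence(manifest)
    return clean, [os.path.basename(p) for p in flagged]


if __name__ == "__main__":
    print(demo())
```

The manifest itself should be stored somewhere the attacker (and the evidence directory) cannot reach, for example written to removable media or signed, since a hash list that lives beside the files it protects can be rewritten along with them.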
NOTE
For more detailed information about the practical and legal aspects of
incident response, see “Scene of the Cybercrime: Computer Forensics
Handbook” (ISBN: 1-928994-29-6), published by Syngress.
www.syngress.com