System compromises can be very difficult to detect. Most often, the data custodian notices something unusual about the data. It could be missing, altered, or moved; the time stamps could be different; or something else is just not right. The more you know about the normal operation of your system, the better prepared you will be to detect abnormal system behavior. Malicious Code When malicious code is mentioned, you probably think of viruses. Although a virus is a com- mon type of malicious code, it is only one type of several. In Chapter 4, “Communications Security and Countermeasures,” we discussed different types of malicious code. Detection of this type of a malicious code incident comes from either an end user reporting behavior caused by the malicious code or an automated alert reporting that scanned code containing a malicious component has been found. The most effective way to protect your system from malicious code is to implement code scanners and keep the signature database up-to-date. In addition, your security policy should address the introduction of outside code. Be specific as to what code you will allow end users to install. Denial of Service The final type of incident is a denial of service DoS. This type of incident is often the easiest to detect. A user or automated tool reports that one or more services or the entire machine is unavailable. Although they’re simple to detect, avoidance is a far better course of action. It is theoretically possible to dynamically alter firewall rules to reject DoS network traffic, but in recent years the sophistication and complexity of DoS attacks make them extremely difficult to defend against. Because there are so many variations of the DoS attack, implementing this strat- egy is a nontrivial task. Response Teams Many organizations now have a dedicated team responsible for investigating any computer security incidents that take place. These teams are commonly known as Computer Incident Response Teams CIRTs or Computer Security Incident Response Teams CSIRTs. When an incident occurs, the response team has four primary responsibilities: Determine the amount and scope of damage caused by the incident Determine whether any confidential information was compromised during the incident Implement any necessary recovery procedures to restore security and recover from inci- dent-related damages Supervise the implementation of any additional security measures necessary to improve security and prevent recurrence of the incident As part of these duties, the team should facilitate a postmortem review of the incident within a week of the occurrence to ensure that key players in the incident share their knowledge and develop best practices to assist in future incident response efforts.