- Incomplete analysis of a system failure may not reveal that the failure was due to malicious activity, thus leaving a back door opportunity for future disruption of services.
- Perform the following types of investigative activity :-
- Examine operating system accounting files in order to ascertain which system processes were running when the system failed.
- Examine any intrusion detection software to see if external parties were involved in the activity.
- Examine any error log files associated with the system failure for details of processes and users who were active on the system at the time of the failure.
- Combine the details from the three aforementioned sources to pin point user activity at the time of the failure.
- Where possible, ensure that system start up checks are run before users are allowed to log on, in order to ensure the integrity of the data.
- Ensure that all system failures are logged, whether they are deemed as being caused by an information security breach or not.
- Build up a database of system failures and subsequent recovery procedures in order to provide quick cross references for any future failures.