Reacting to a suspected attack

The best time to secure your system is before it is attacked. Period.

That being said, most system administrators (and, worse, their superiors) don't know to, or don't care to, spend the time to secure their workstations until it is too late. Then they get to spend even more time cleaning up from a security breach, and then spend the time to secure them anyway.

CERT/CC maintains a web site with a vast array of information, including documents such as these:

See also:
Dave Dittrich
Last modified: Wed Apr 3 10:38:26 PST 1996