Chapter 25 Assessing the Damage

Quantifying the dollar loss is hard.

Determining scope of damage:
compromised data (loss of integrity)
compromised systems: systems that share a common OS, services, network, or administrator with a known-compromised one are more likely to have been exploited by the same vulnerability.
compromised services, often external (ISP, messaging, credit card processing)
compromised privileges

Determining length of the incident

Determining the cause: repair it so it won't happen again.
Establish how the incident occurred, what the motive was, and why it was not deterred:
the vulnerability that was exploited
the safeguards that were bypassed
how detection was avoided

Determining the responsible party can be difficult.
The evidence often establishes what, how, when, and from where, but not who.
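Added worked example (not part of the chapter notes): a small scoping helper that takes the suspicious events an analyst has already pulled out of the logs and derives the items above: scope of damage (hosts, services, privileged accounts), incident length (first to last known event), the other systems that share an OS, service, or administrator with a compromised host and so deserve a look next, and the what/how/when/from-where facts. The events, hostnames, addresses, and inventory are constructed placeholders; note that known_facts() deliberately has no "who" entry, since a source address is not attribution.

```python
"""Damage-scoping helper over reconstructed incident events (added example).

Everything below is constructed sample data, not real logs or a real inventory.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Event:
    ts: datetime        # when the event happened (from the log timestamp)
    host: str           # system the event occurred on
    service: str        # service or program involved
    user: str           # account the action ran as
    src_ip: str         # where it came from (address or upstream host)
    action: str         # what was done
    privileged: bool = False  # True if elevated privilege was involved


# Constructed sample events: the suspicious entries an analyst pulled from logs.
SAMPLE_EVENTS = [
    Event(datetime(2024, 3, 1, 22, 14), "web01", "httpd", "www-data", "203.0.113.7", "webshell upload"),
    Event(datetime(2024, 3, 1, 22, 31), "web01", "sshd", "deploy", "203.0.113.7", "interactive login"),
    Event(datetime(2024, 3, 2, 1, 5), "db02", "postgres", "app", "web01", "bulk select on customers"),
    Event(datetime(2024, 3, 2, 1, 40), "db02", "sudo", "app", "web01", "sudo -i", privileged=True),
    Event(datetime(2024, 3, 2, 3, 12), "web01", "cron", "root", "203.0.113.7", "persistence job added", privileged=True),
]

# Constructed inventory: host -> (OS, services, administrator).
INVENTORY = {
    "web01": ("ubuntu-22.04", {"httpd", "sshd", "cron"}, "alice"),
    "web02": ("ubuntu-22.04", {"httpd", "sshd"}, "alice"),
    "db02": ("rhel-9", {"postgres", "sshd"}, "bob"),
    "mail01": ("rhel-9", {"postfix", "sshd"}, "carol"),
    "win-fs": ("windows-2019", {"smb"}, "dave"),
}


def scope(events):
    """Scope of damage: systems, services and privileged accounts touched."""
    return {
        "hosts": sorted({e.host for e in events}),
        "services": sorted({e.service for e in events}),
        "privileged_accounts": sorted({f"{e.user}@{e.host}" for e in events if e.privileged}),
    }


def incident_window(events):
    """Length of the incident: earliest to latest known malicious event."""
    stamps = sorted(e.ts for e in events)
    return stamps[0], stamps[-1], stamps[-1] - stamps[0]


def related_systems(compromised_hosts, inventory):
    """Hosts sharing an OS, a service, or an admin with a compromised host.

    These are the candidates most likely hit by the same vulnerability and
    should be checked before the scope is declared final.
    """
    related = {}
    for host, (os_name, services, admin) in inventory.items():
        if host in compromised_hosts:
            continue
        reasons = set()
        for c in compromised_hosts:
            c_os, c_services, c_admin = inventory[c]
            if os_name == c_os:
                reasons.add(f"same OS as {c}")
            if services & c_services:
                reasons.add(f"shares {','.join(sorted(services & c_services))} with {c}")
            if admin == c_admin:
                reasons.add(f"same admin as {c}")
        if reasons:
            related[host] = sorted(reasons)
    return related


def known_facts(events):
    """What, how, when and from where the logs support. No 'who' key on purpose:
    a source address or account name is evidence, not attribution."""
    start, end, length = incident_window(events)
    return {
        "what": sorted({e.action for e in events}),
        "how": sorted({f"{e.service} on {e.host}" for e in events}),
        "when": (start.isoformat(), end.isoformat(), str(length)),
        "from_where": sorted({e.src_ip for e in events}),
    }


if __name__ == "__main__":
    s = scope(SAMPLE_EVENTS)
    print("scope:", s)
    print("window:", incident_window(SAMPLE_EVENTS))
    print("check next:", related_systems(set(s["hosts"]), INVENTORY))
    print("facts:", known_facts(SAMPLE_EVENTS))
```

The related_systems() output is intentionally generous: a service such as sshd is shared by almost every host, so the list is a checklist of where to look, not a list of further compromises.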