securely investigate your security alerts

SANS posted about the possibility that attackers could subvert the administrative process, for example being able to inject website URLs into logs which an admin will then investigate and potentially have his box pwned.

I find such avenues of recon and exploitation to be quite viable, especially for non-professional admins (the blog author who blindly follows every referrer link for the ego boost). I also like this idea for profiling administrative practices. Are there admins following up on alerts or log entries?

For myself, I try to be careful with what I view from work when investigating alerts. The last thing I want is to see a scan from an IP, open it in a browser, and be inundated with porn popups. I’d definitely recommend investigating from a Linux VM. At my previous job, our wireless network was physically separated from the main network, and got to the Internet through a generic DSL connection. This is an excellent, non-tracable connection to poke around. Any tracing would lead back to my DSL provider, and pretty much stop dead there. Paranoid? Sure. But I’d rather keep such things in mind than be a security professional living in ignorance…