Re: [incidents] Re: backdoor

From: Jonas M Luster (jluster@d-fensive.com)
Date: Sun Jun 23 2002 - 22:40:46 PDT

    Quoting Daniel Wittenberg (daniel-wittenbergat_private):
    
    > I don't think you're exactly comparing the same things.  How about
    > someone broke into my house, planted bugs all over my house, possibly
    > set trap doors in the floor, and wired it to catch on fire when you
    > leave.  The biggest problem I see with a compromise, is that you don't
    
    To stay with your example is to come home, find the house bugged and
    booby-trapped, and based on that fact leveling it, just to build a
    similar house (in less time than it'd take to clean it, agreed).
    
    The neighbor's cat, which got sniped with a gun from the upper windows
    of your house, is not brought back, right? But without at least dusting
    for shoeprints, you'll never know HOW the bad guy got in. You'll build
    the same house again; the bad guy got lucky once in this neighborhood,
    they might come back. So, when you simply level and re-erect the
    house, you might make yourself an accessory to the neighbor's dog being
    sniped, too.
    
    I've seen quite a number of intrusions in my life. Most of the systems
    were reinstalled between four and six hours after detection - that is,
    after someone with sufficient clue took the 'live' snapshot, did the
    on-analysis and removed the media to do the deeper forensic work. A
    new hard disk in, reinstall, good. And by that time, one knows HOW the
    bad guy got in and what he did.
    
    The 'security through reinstallation' myth seems to have been coined by
    all those Certified Internet Snakeoil Sales People (CISSPs) and their
    likes to conceal the fact that all their fancy certs don't help them
    much when it comes to true forensic work.
    
    See, I believe that a networked system brings with itself
    responsibilities. Just like buying a car or a gun. It's a liability
    one should only accept if s/he knows how to resolve these problems in
    a manner that keeps neighbors and other participants in the
    'community', knows someone who's competent to do it, or can pay for
    someone to do it.
    
    > know what they did.  Also, with a lot of people it's a matter of time. 
    > If it takes me 3 days to follow your instructions below, vs. 1-2 hours
    > to rebuild the system from scratch, unless I have a lot of time to
    
    An initial 'live' assessment takes 3-4 hours, reinstalling a system
    from the latest backup between 1 and 3 hours, and applying the patches
    to prevent the intrusion from happening again, based on the knowledge
    gathered during the initial 3-4 hours, takes another 2 hours. So, I
    guess, it's fair to say that it _will_ indeed take longer to do proper
    forensics, but not 2 hours compared to 3 days but more like three
    hours compared to six.
    
    > systems compromised like this, but I've cleaned up plenty that have, and
    > it's usually not worth the time and effort to figure out what all the
    > little kiddies were doing.  I don't think there is any right answer to
    
    And if it's just to find out if they did it to other systems from
    yours, it's always worth the effort - at least in my book.
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
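The post above describes the sequence that makes the "three hours versus six" arithmetic work: someone takes a 'live' snapshot of the running box first, then pulls the disk for deeper forensics, and only then reinstalls. The script below is an added example, not code from the post or from the list: it shows what such a live snapshot can look like on a Unix host. It collects volatile data roughly in order of volatility (time, kernel, logins, processes, sockets, routes, mounts) into an evidence directory, logs which commands ran and which were absent on the host, and writes a SHA-256 manifest so the collection can be verified afterwards. The function names and the command list are this example's own choices. In practice it should be run with statically linked tools from read-only media, since a rootkit on the compromised host may have replaced `ps` or `netstat`; the disk-imaging step that follows (after the media is removed) is not part of this block.

```shell
#!/bin/sh
# Added example (not from the original thread): a minimal live-response
# snapshot of the kind the post describes taking before the disk is pulled.
# Collects volatile data roughly in order of volatility into an evidence
# directory, logs what ran and what was skipped, and writes a SHA-256
# manifest so the evidence can be verified later. Function names and the
# command list are this example's own choices, not anything from the post.

# Pick whichever SHA-256 tool the host has; fail if there is none.
pick_hasher() {
    if command -v sha256sum >/dev/null 2>&1; then
        echo "sha256sum"
    elif command -v shasum >/dev/null 2>&1; then
        echo "shasum -a 256"
    else
        return 1
    fi
}

# Hash every collected file into MANIFEST.sha256 inside the evidence dir.
write_manifest() {
    dir="$1"
    hasher=$(pick_hasher) || return 1
    (
        cd "$dir" || exit 1
        for f in *.txt collection.log; do
            if [ -f "$f" ]; then
                $hasher "$f"
            fi
        done
    ) > "$dir/MANIFEST.sha256"
}

# Re-check the manifest; returns non-zero if any file changed or is missing.
verify_manifest() {
    dir="$1"
    hasher=$(pick_hasher) || return 1
    ( cd "$dir" && $hasher -c MANIFEST.sha256 >/dev/null 2>&1 )
}

# Run the volatile-data commands. Each heredoc line is "name|command".
# A command that is not installed is logged as skipped rather than aborting
# the whole collection; a command that fails still leaves its output file
# (with the error text) so the collector's log stays honest.
collect_live_snapshot() {
    dir="$1"
    mkdir -p "$dir" || return 1
    : > "$dir/collection.log"
    while IFS='|' read -r name cmd; do
        if [ -z "$name" ]; then
            continue
        fi
        set -- $cmd
        if command -v "$1" >/dev/null 2>&1; then
            printf '%s: %s\n' "$name" "$cmd" >> "$dir/collection.log"
            $cmd > "$dir/$name.txt" 2>&1 || true
        else
            printf '%s: SKIPPED (%s not found)\n' "$name" "$1" >> "$dir/collection.log"
        fi
    done <<EOF
date|date -u
uname|uname -a
uptime|uptime
logins|who
processes|ps aux
sockets|ss -tulpan
netstat|netstat -tulpan
routes|netstat -rn
mounts|mount
EOF
    write_manifest "$dir"
}
```

Usage is `collect_live_snapshot /mnt/evidence/hostname-$(date -u +%Y%m%dT%H%M%SZ)` with the evidence directory on external media, followed later by `verify_manifest` on the same directory before anyone reads the files; a failed verification means the snapshot itself can no longer be trusted as a record of what the box looked like when found.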
    



    This archive was generated by hypermail 2b30 : Tue Jun 25 2002 - 09:12:57 PDT