Re: backdoor

From: Hugo van der Kooij (hvdkooijat_private)
Date: Mon Jun 24 2002 - 22:22:54 PDT

On Mon, 24 Jun 2002, Jonas M Luster wrote:

> Quoting Don Weber (Donat_private):
> 
> > a compromised machine CAN and is usually designed to compromise or be used
> > to compromise other machines. Leaving YOUR machine active and on the
> > Internet is allowing your system to attempt to compromise MY system. You
> > call that over-reacting professional; I call it being considerate. A house
> 
> To simply destroy all evidence is not considerate. It is a great
> disservice to all those machines that have been compromised through
> the compromised system. Such a machine usually carries enough
> information to determine the machines that have been attacked from the
> system and reveals an awful lot about the intruder.
> 
> That is why I stress the need to prohibit malicious activities at the
> router or switch level as soon as the incident is discovered, that is,
> doing the right things in access-lists and blocks to make sure the
> system will still function but can not be used against third parties
> anymore.

This all assumes you have the luxury of time, money and skills to dig into
the incident.

Your average customer does not have the luxury of time and is not willing
to spend the money on the required skills. They want an operational system
again, and without the backdoors, etc.

So while the concept is nice if you are in an academic environment, it is
infeasible in the real corporate world.

The most they want you to pay for is to put in another system as fast as you
can without the gaps that were open last time. (They probably will still
not care to stop ALL possible gaps.)

Hence the S.O.P. that will be used most of the time, as it is the most
cost-effective way in the short run.

If you are skilled enough and are allowed the time to go beyond that, then
there is no need for an S.O.P., as you will have to handle each case
individually.

Hugo.

-- 
All email sent to me is bound to the rules described on my homepage.
    hvdkooijat_private		http://hvdkooij.xs4all.nl/
	    Don't meddle in the affairs of sysadmins,
	    for they are subtle and quick to anger.

    
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com