> Sure, but what I'm trying to get at is the level of
> social pressure on sysadmins.

I tend to agree with what you said, but I'm not clear on the 'social pressure' issue. To me, if the manager now knows what to ask the admins, then that's professional pressure.

> > I teach a 2-day, hands-on incident response course for
> > NT/2K. I've had folks ask me during the course, "why
> > would someone want to break into my computer??"
>
> And, briefly, what do you tell them?

For the most part, b/c they can. The vast majority of infrastructures I've seen...as a consultant as well as a manager...are not capable of preventing or detecting incidents. When I was at Winstar, the data center got hit massively by 'tagged' FTP directories, sadmin/IIS, etc. In that particular case, it was due to incompetence. However, many kiddies and malicious crackers get in b/c they can. Some will use the machine they take over as a jumping off point for other attacks/DoS. Very few remain stealthy and quiet.

> It's a cultural thing. I think that it's something that
> has to seep into our body of common knowledge, as things
> to do with other technologies have seeped in.

Again, it used to be, w/ the Unix admins. Now that the GUI is used on so many systems to remove the admin from real administration, and 'protect him' from the inner workings of the system, we've seen the fallout.

> Nowadays, after quite some time, our cultural awareness
> of the hazards of radiation has improved. The same will
> happen WRT computer 'stuff'

<sigh> you'd think that in the year '02, there would be some awareness...

> From my perspective, it shouldn't have been down for two days,
> but my role was purely diagnostic and I had no control over
> the process of rebuilding the system.

Based on what you've said, I'd agree. After all, I saw kiddies scanning FTP servers for months (in a post-mortem log review), successfully logging in as Anonymous and running 'mkdir' and 'rmdir' commands. A simple review of this would have prevented system crashes, massive consumption of bandwidth, and having to clean up 6 GB - 10 GB of pirated software/movies/porn.

> I told the general manager that their admins had absolutely NO
> excuse for letting things get that far; the log entries
> were very clear. I think they got a rocket up them. 8)

I guess the question now is this...had the manager been tasking the admins with such activity (ie, log review, etc) all along, and the admins reporting 'all clear'? Or had the manager not (directly or indirectly) tasked the admins, nor provided training, etc? After all, isn't it the manager that determines what the admin does w/ his time? The manager can say that helpdesk activities and keeping machines up are more important than security.

> It could easily have been prevented by maintaining an up-to-date
> sshd. This was a well known exploit that even script kiddies could have

Such is the way of many 'hacks'. Some of my favorites are blank 'sa' passwords on SQL servers, blank or easily guessed NT passwords w/ port 139/445 open to the Internet, etc.
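The kind of log review the post says would have caught the anonymous 'mkdir'/'rmdir' activity, as an added example that is not part of the original message or the list: it parses a constructed per-command FTP log (the field layout and every sample line are assumed, not taken from any real server) and lists, per client address, the anonymous write commands the server accepted and the ones it refused.

```python
"""Flag anonymous FTP sessions that create/delete directories or upload.
Added example, not from the original thread. The log format is constructed:
    date time client_ip user command argument status
Real servers (wu-ftpd xferlog, proftpd ExtendedLog, IIS W3C) differ; adapt LINE_RE."""
from collections import defaultdict
import re

# Constructed sample log: two anonymous clients writing, one legitimate
# download, one refused write.
SAMPLE_LOG = """\
2002-02-19 03:14:07 203.0.113.5 anonymous USER anonymous 331
2002-02-19 03:14:08 203.0.113.5 anonymous PASS guest@ 230
2002-02-19 03:14:09 203.0.113.5 anonymous MKD /incoming/tagged 257
2002-02-19 03:14:10 203.0.113.5 anonymous RMD /incoming/tagged 250
2002-02-19 03:14:11 203.0.113.5 anonymous MKD /pub/.%20%20/ 257
2002-02-19 04:02:33 198.51.100.9 anonymous RETR /pub/README 226
2002-02-19 05:45:01 192.0.2.77 anonymous MKD /incoming/ 257
2002-02-19 05:45:02 192.0.2.77 anonymous STOR /incoming/movie.avi 226
2002-02-19 06:00:00 203.0.113.5 anonymous MKD /pub/x 550
"""

WRITE_COMMANDS = {"MKD", "RMD", "STOR", "DELE", "RNTO"}
LINE_RE = re.compile(r"^(\S+) (\S+) (?P<ip>\S+) (?P<user>\S+) "
                     r"(?P<cmd>[A-Z]+)(?: (?P<arg>.*?))? (?P<status>\d{3})$")

def parse_line(line):
    """Return the named fields of one log line, or None if it doesn't match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def anonymous_writes(log_text):
    """Return (accepted, refused): accepted maps client IP -> list of
    (command, argument) the server allowed (2xx); refused maps IP -> count
    of write attempts it rejected, so probing is visible even when it fails."""
    accepted, refused = defaultdict(list), defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["user"] != "anonymous" or rec["cmd"] not in WRITE_COMMANDS:
            continue
        if rec["status"].startswith("2"):
            accepted[rec["ip"]].append((rec["cmd"], rec["arg"]))
        else:
            refused[rec["ip"]] += 1
    return dict(accepted), dict(refused)

if __name__ == "__main__":
    accepted, refused = anonymous_writes(SAMPLE_LOG)
    for ip in sorted(set(accepted) | set(refused)):
        print(f"{ip}: {len(accepted.get(ip, []))} accepted writes, "
              f"{refused.get(ip, 0)} refused")
```

Run against a real server's log after adjusting LINE_RE; any client in the accepted list that is not a known upload partner is worth a look, and a client with only refused attempts is scanning for writable directories.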
This archive was generated by hypermail 2b30 : Wed Feb 20 2002 - 23:25:23 PST