sure.. well if the manager has no clue of what IT is (and that's mostly the case), he will not understand what a hack attack is, and he will not understand it after 100 security courses.. of course there are exceptions and I've met them personally. Their decisions also affect their IT staff, as when they have only one unix admin who only knows how to start and stop the admin GUI... Demystifying incidents is one of the tasks that consultants have to do (but are not doing, as they'd lose their jobs in the long term.. so exaggerating is a part of it :) Since unixes use GUIs there's not much time and money wasted on learning how the OS works.. you just do your job and don't care about the rest. In one way it's understandable as there is so much required from one admin.., but on the other hand we all know what not doing log reviews or proper system security checks means) but back to the price of hack attacks.. you can't exactly value hack attempts and attacks before they happen. You can only assess what the value may be and there are many ways of doing it: lost revenue; risk value; manhours lost/required;... it's a matter of choosing the best method for the actual case. If a company values its assets in required manhours I wouldn't waste time explaining to them how lost revenue valuation works..

sweth: please read any security risk assessment guide.. there you'll get this formula well explained..

Thomas: It wasn't my intention to exaggerate the risk value :) that surely was my mistake in calculation..

lubo

-----Original Message-----
From: H C [mailto:keydet89at_private]
Sent: Thursday, 21 February 2002 04:23
To: Steve Wray; Russell Fulton; Nistor, Lubomir
Cc: loganalysisat_private
Subject: RE: [logs] hack attempts && price

> Sure, but what I'm trying to get at is the level of
> social pressure on sysadmins.

I tend to agree with what you said, but I'm not clear on the 'social pressure' issue. To me, if the manager now knows what to ask the admins, then that's professional pressure.
> > I teach a 2-day, hands-on incident response course for
> > NT/2K. I've had folks ask me during the course, "why
> > would someone want to break into my computer??"
>
> And, briefly, what do you tell them?

For the most part, b/c they can. The vast majority of infrastructures I've seen...as a consultant as well as a manager...are not capable of preventing or detecting incidents. When I was at Winstar, the data center got hit massively by 'tagged' FTP directories, sadmin/IIS, etc. In that particular case, it was due to incompetence. However, many kiddies and malicious crackers get in b/c they can. Some will use the machine they take over as a jumping off point for other attacks/DoS. Very few remain stealthy and quiet.

> It's a cultural thing. I think that it's something that
> has to seep into our body of common knowledge, as things
> to do with other technologies have seeped in.

Again, it used to be, w/ the Unix admins. Now that the GUI is used on so many systems to remove the admin from real administration, and 'protect him' from the inner workings of the system, we've seen the fallout.

> Nowadays, after quite some time, our cultural awareness
> of the hazards of radiation has improved. The same will
> happen WRT computer 'stuff'

<sigh> you'd think that in the year '02, there would be some awareness...

> From my perspective, it shouldn't have been down for two days,
> but my role was purely diagnostic and I had no control over
> the process of rebuilding the system.

Based on what you've said, I'd agree. After all, I saw kiddies scanning FTP servers for months (in a post-mortem log review), successfully logging in as Anonymous and running 'mkdir' and 'rmdir' commands. A simple review of this would have prevented system crashes, massive consumption of bandwidth, and having to clean up 6 GB - 10 GB of pirated software/movies/porn.
> I told the general manager that their admins had absolutely NO
> excuse for letting things get that far; the log entries
> were very clear. I think they got a rocket up them. 8)

I guess the question now is this...had the manager been tasking the admins with such activity (ie, log review, etc) all along, and the admins reporting 'all clear'? Or had the manager not (directly or indirectly) tasked the admins, nor provided training, etc? After all, isn't it the manager that determines what the admin does w/ his time? The manager can say that helpdesk activities and keeping machines up are more important than security.

> It could easily have been prevented by maintaining an up-to-date
> sshd. This was a well known exploit that even script kiddies could have

Such is the way of many 'hacks'. Some of my favorites are blank 'sa' passwords on SQL servers, blank or easily guessed NT passwords w/ port 139/445 open to the Internet, etc.
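The anonymous-FTP 'mkdir'/'rmdir' activity described above is exactly what a routine log review catches. As an added example that is not part of the original thread, here is a small Python check that flags anonymous logins issuing directory- or file-changing commands; the log format (vsftpd-style), host names and addresses are constructed for illustration, not taken from the post.

```python
import re
from collections import defaultdict

# Constructed sample lines in a vsftpd-like format (invented for this
# example; the addresses and paths are not from the original post).
SAMPLE_LOG = """\
Thu Feb 21 04:01:02 2002 [pid 2001] [anonymous] OK LOGIN: Client "203.0.113.7"
Thu Feb 21 04:01:05 2002 [pid 2001] [anonymous] OK MKDIR: Client "203.0.113.7", "/incoming/ tagged by xyz"
Thu Feb 21 04:01:06 2002 [pid 2001] [anonymous] OK MKDIR: Client "203.0.113.7", "/incoming/ tagged by xyz/movies"
Thu Feb 21 04:01:09 2002 [pid 2001] [anonymous] OK RMDIR: Client "203.0.113.7", "/incoming/ tagged by xyz/movies"
Thu Feb 21 04:02:30 2002 [pid 2002] [anonymous] OK LOGIN: Client "198.51.100.4"
Thu Feb 21 04:02:40 2002 [pid 2002] [anonymous] OK DOWNLOAD: Client "198.51.100.4", "/pub/README", 1024 bytes
Thu Feb 21 04:03:10 2002 [pid 2003] [alice] OK LOGIN: Client "192.0.2.10"
Thu Feb 21 04:03:15 2002 [pid 2003] [alice] OK MKDIR: Client "192.0.2.10", "/home/alice/reports"
"""

# One log line: timestamp, pid, user, status, command, client and optional path.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ [\d:]+ \d{4}) \[pid \d+\] \[(?P<user>[^\]]+)\] '
    r'(?P<status>OK|FAIL) (?P<cmd>[A-Z]+): Client "(?P<client>[^"]+)"'
    r'(?:, "(?P<path>[^"]*)")?'
)

# Commands that change the server's contents; anonymous users normally
# have no business issuing any of them.
WRITE_CMDS = {"MKDIR", "RMDIR", "UPLOAD", "DELETE", "RENAME"}
ANON_USERS = {"anonymous", "ftp"}


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_anonymous_writers(log_text):
    """Return {client: [(cmd, path), ...]} for clients that, while logged in
    as anonymous, successfully ran content-changing commands."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != "OK":
            continue
        if rec["user"].lower() in ANON_USERS and rec["cmd"] in WRITE_CMDS:
            hits[rec["client"]].append((rec["cmd"], rec["path"]))
    return dict(hits)


if __name__ == "__main__":
    for client, actions in find_anonymous_writers(SAMPLE_LOG).items():
        print(f"{client}: {len(actions)} anonymous write command(s): {actions}")
```

Run daily over the real FTP log, any non-empty result is a client worth looking at; the anonymous-only download from 198.51.100.4 and alice's own mkdir are correctly ignored.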
This archive was generated by hypermail 2b30 : Tue Feb 26 2002 - 09:37:00 PST