[unisog] justification

Mitch Collinsworth mitch at ccmr.cornell.edu
Mon Feb 24 18:43:06 GMT 2003


> > Her conclusion though was that the really costly incidents were the
> > ones where the techies got interested in "what happened here?" and
> > spent lots of time analyzing the exploit, forensics, et al.  Secondary
> > conclusion: if you want to save $$ don't do this;  when a system is
> > cracked, wipe, reinstall, get back to business, let it go.
> >
> > Not saying I fully endorse this strategy, though it's obvious how this
> > conclusion can easily be reached.  Just reporting what I heard.
>
> I've lost the original message but I was thinking about this recently. I'm
> not convinced this is a valid conclusion. Is it the "techie"'s interest
> that causes the expense or is it the "techie" being more interested in
> investigating complex, technical and probably more expensive incidents?

As I recall, her point was that techies as a group tend to take system
compromises as a personal challenge and if not constrained will spend
as much time as it takes to figure out what happened.  I think this is
mostly true for admins who aren't just plain lazy.  Before anyone takes
this the wrong way, please note that "constrained" can take on a
multitude of meanings, including "other work to do".

There seems to be interest in this, so I went back to look up who it
was who made the presentation.  Virginia Rezmierski, whom google finds
here:  http://www.fordschool.umich.edu/people/Faculty/rezmierski-v.htm
as well as a number of other references.

The project these conclusions came from is summarized here:
http://www.cic.uiuc.edu/groups/ITSecurityWorkingGroup/ICAMP.shtml

Apparently you have to pay for the full report, though the cost is not
excessive.

-Mitch
