mitch at ccmr.cornell.edu
Mon Feb 24 18:43:06 GMT 2003
> > Her conclusion though was that the really costly incidents were the
> > ones where the techies got interested in "what happened here?" and
> > spent lots of time analyzing the exploit, forensics, et al. Secondary
> > conclusion: if you want to save $$ don't do this; when a system is
> > cracked, wipe, reinstall, get back to business, let it go.
> > Not saying I fully endorse this strategy, though it's obvious how this
> > conclusion can easily be reached. Just reporting what I heard.
> I've lost the original message but I was thinking about this recently. I'm
> not convinced this is a valid conclusion. Is it the "techie's" interest
> that causes the expense, or is it the "techie" being more interested in
> investigating complex, technical and probably more expensive incidents?
As I recall, her point was that techies as a group tend to take system
compromises as a personal challenge and if not constrained will spend
as much time as it takes to figure out what happened. I think this is
mostly true for admins who aren't just plain lazy. Before anyone takes
this the wrong way, please note that "constrained" can take on a
multitude of meanings, including "other work to do".
There seems to be interest in this, so I went back to look up who it
was who made the presentation. Virginia Rezmierski, whom Google finds,
as well as a number of other references.
The project these conclusions came from is summarized here:
Apparently you have to pay for the full report, though the cost is not