[unisog] justification

Seth Scavette seth at bayice.com
Mon Feb 24 19:04:13 GMT 2003


We have a short budget and big time staff issues. If a box gets hacked 
it is investigated. We have tools that scan quickly such as NetRecon and 
some hacker tools. What we have found with the tear down and rebuild 
scenario is that the box tends to get hit again because the standard 
lock down and patches weren't enough. Time is saved by some investigation 
in the long run. What we also find is many of the exploits have a common 
thread so once you learn one it's easy to find the others.

Seth
UAA

Arnold, Jamie wrote:

>Perhaps, but some of us have budgets and are short of staff.  In a perfect
>world it would be nice to have the time to investigate.  We try to get
>services back as soon as possible.
>
>
>J
>
>-----Original Message-----
>From: Mike Stanley [mailto:mikestanley at utk.edu] 
>Sent: Monday, February 24, 2003 12:30 PM
>To: unisog at sans.org
>Subject: Re: [unisog] justification
>
>
>
>On Friday, February 21, 2003, at 11:50 AM, Mitch Collinsworth wrote:
>
>  
>
>>If this is the report I'm thinking of, we had a presentation here a 
>>few months ago by someone who was directly involved in the project 
>>that produced that report.  Sorry, don't remember her name just now.
>>
>>Her conclusion though was that the really costly incidents were the 
>>ones where the techies got interested in "what happened here?" and 
>>spent lots of time analyzing the exploit, forensics, et al.  Secondary
>>conclusion: if you want to save $$ don't do this;  when a system is 
>>cracked, wipe, reinstall, get back to business, let it go.
>>
>>Not saying I fully endorse this strategy, though it's obvious how this 
>>conclusion can easily be reached.  Just reporting what I heard.
>>    
>>
>
>Sounds like an amazingly short-sighted, almost Microsoftian solution.
>
>"Oh, your machine isn't working right?  Format, reinstall Windows, and 
>everything is all better again."
>
>"Oh, your student information server was hacked?  Ah well, wipe, 
>reinstall, apply the patch du jour and hope it doesn't happen again."
>
>
>
>----------------------------------------------
>Mike Stanley, MCSE
>mikestanley at utk.edu
>OIT Lab Services
>


