harnold at binghamton.edu
Tue Feb 25 20:09:17 GMT 2003
I've yet to see a compromised box that was rebuilt correctly and patched
correctly get exploited a second time. *Every* comp'd box I have seen here
was exploited due to being set up incorrectly and/or not patched. I might
not have a good statistical model as we only have around 3000 faculty/staff
and 13000 student machines.
From: Seth Scavette [mailto:seth at bayice.com]
Sent: Monday, February 24, 2003 2:04 PM
To: unisog at sans.org
Subject: Re: [unisog] justification
We have a short budget and big time staff issues. If a box gets hacked
it is investigated. We have tools that scan quickly such as NetRecon and
some hacker tools. What we have found with the tear down and rebuild
scenario is that the box tends to get hit again because the standard
lock down and patches weren't enough. Time is saved by some investigation
in the long run. What we also find is many of the exploits have a common
thread, so once you learn one it's easy to find the others.
Arnold, Jamie wrote:
>Perhaps, but some of us have budgets and are short of staff. In a
>perfect world it would be nice to have the time to investigate. We try
>to get services back as soon as possible.
>From: Mike Stanley [mailto:mikestanley at utk.edu]
>Sent: Monday, February 24, 2003 12:30 PM
>To: unisog at sans.org
>Subject: Re: [unisog] justification
>On Friday, February 21, 2003, at 11:50 AM, Mitch Collinsworth wrote:
>>If this is the report I'm thinking of, we had a presentation here a
>>few months ago by someone who was directly involved in the project
>>that produced that report. Sorry, don't remember her name just now.
>>Her conclusion though was that the really costly incidents were the
>>ones where the techies got interested in "what happened here?" and
>>spent lots of time analyzing the exploit, forensics, et al. Secondary
>>conclusion: if you want to save $$ don't do this; when a system is
>>cracked, wipe, reinstall, get back to business, let it go.
>>Not saying I fully endorse this strategy, though it's obvious how this
>>conclusion can easily be reached. Just reporting what I heard.
>Sounds like an amazingly short-sighted, almost Microsoftian solution.
>"Oh, your machine isn't working right? Format, reinstall Windows, and
>everything is all better again."
>"Oh, your student information server was hacked? Ah well, wipe,
>reinstall, apply the patch du jour and hope it doesn't happen again."
>Mike Stanley, MCSE
>mikestanley at utk.edu
>OIT Lab Services