Security Incidents mailing list archives
Re: Ramen
From: "Ryan W. Maple" <ryan () GUARDIANDIGITAL COM>
Date: Wed, 24 Jan 2001 12:47:52 -0500
On Wed, 24 Jan 2001, Russell Fulton wrote:

> On Mon, 22 Jan 2001 16:43:09 -0800 Dave Dittrich <dittrich () CAC WASHINGTON EDU> wrote:
>
> > > Matt, generally (well, actually 99.999% of the time), the rule is to
> > > totally reformat whenever there has been a root level compromise. Go
> > > to your old backups, restore from there. Have a stiff drink, for that
> > > box is history.
> >
> > My rule #0 is get an image copy before doing your rule #1. Yes, trying
> > to "clean up" is nearly futile, but properly handling the incident is
> > important.
>
> I agree that this is desirable, however it is non-trivial on most modern
> systems which don't have handy tape drives etc.

I agree with that point, however, there is a threshold which should be discussed. If you are at home on your 56k PPP link (does anybody actually have those anymore?) and somebody cracks your machine, it's generally not something you are going to pursue. If you are in any sort of organization, then it is definitely something you will pursue.

I think any organization with some sort of security awareness will have some sort of medium to save an image on, be it a tape drive, CD-R, or even an extra hard drive sitting around somewhere.

Just my $.02.

Cheers,
Ryan

+-- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --+
Ryan W. Maple          "I dunno, I dream in Perl sometimes..." -LW
Guardian Digital, Inc.                  ryan () guardiandigital com
+-- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --+