Security Basics mailing list archives

Re: compromised network


From: "Greg" <pchandyman () ozemail com au>
Date: Fri, 2 Jan 2004 20:33:41 +1100


----- Original Message -----
From: "JM" <jm () mindless com>
To: "'Dana Rawson'" <absolutezero273c () nzoomail com>;
<security-basics () securityfocus com>
Sent: Wednesday, December 31, 2003 12:33 AM
Subject: RE: compromised network


The only way to be 100% is to completely start from scratch again.


You know, I have read this reply from many people, over and over again and
without going to the trouble of finding the original message again, all I
can say is - whatever happened to the idea of image backups with
incrementals?

E.g., let's say all is quiet and OK and the crap started happening, at the
local timezone of that machine, at 11PM. Let's FURTHER say that the business
has a once a week full backup with hourly incrementals. What the heck is the
matter with going back to that SAME day at 10PM's incremental and restoring
from that image/incremental? Sure, the WEAKNESS that ALLOWED all this to
happen may WELL have occurred prior to that date but if you have the logs
with ports and IP ranges, surely you can get away without starting from
scratch? Otherwise, what the HELL is the use of backing ANYTHING up? Oh yes,
in case of hardware blowout (e.g., hard drive burning out), equipment theft
etc. Yes I hear all that but at this date in 2004, I have to say that the
chances of that happening as opposed to what DID happen to this person are
small. I think the hardware will continue through many such intrusion
attempts.

Now, after reinstalling from image/incremental, I would, as some have said,
get someone in who really knows what he/she is doing to A) Make the
possibility of it happening ever again as close to zero as it can be; B) Get
rid of whatever the weakness was that allowed this to happen.

Reformat and install from scratch? That is more or less, to me personally,
like "My car is out of fuel! I better buy a new car!".

Yes, I am a hoarder but that is the mindset of most people in I.T. or even
those not in I.T. with an interest in it.

Greg.
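
The restore-point choice discussed in the message above, as an added example that is not part of the original post: it takes the earlier of "when the symptoms started" and "when the logged IP range first touched the machine" as the cutoff, then builds the full-plus-incrementals chain that ends before it. The backup catalogue, log format, addresses and times are constructed sample data, and the function names are hypothetical.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample data: weekly full, hourly incrementals, firewall log lines.
FULL = datetime(2003, 12, 28, 2, 0)
CATALOGUE = [("full", FULL)] + [
    ("incr", FULL + timedelta(hours=h)) for h in range(1, 118)]
SYMPTOMS = datetime(2004, 1, 1, 23, 0)   # when the trouble was noticed
SUSPECT = ["203.0.113.0/24"]             # IP range taken from the logs
LOG_LINES = [
    "2004-01-01T21:14:09 src=192.0.2.10 dport=80",
    "2004-01-01T21:47:52 src=203.0.113.77 dport=445",
    "2004-01-01T23:02:31 src=203.0.113.80 dport=445",
    "2004-01-01T23:05:00 src=198.51.100.4 dport=25",
]

def earliest_contact(log_lines, suspect_nets):
    """Time of the first log entry whose source lies in a suspect range."""
    nets = [ip_network(n) for n in suspect_nets]
    hits = []
    for line in log_lines:
        stamp, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        if any(ip_address(kv["src"]) in n for n in nets):
            hits.append(datetime.fromisoformat(stamp))
    return min(hits) if hits else None

def choose_cutoff(symptom_time, log_lines, suspect_nets):
    """Restore must end before symptoms AND before first suspect contact."""
    first = earliest_contact(log_lines, suspect_nets)
    return min(symptom_time, first) if first else symptom_time

def restore_chain(catalogue, cutoff):
    """Latest full before cutoff, plus every later incremental before cutoff."""
    fulls = [t for kind, t in catalogue if kind == "full" and t < cutoff]
    if not fulls:
        raise ValueError("no full backup predates the cutoff")
    base = max(fulls)
    incrs = sorted(t for kind, t in catalogue
                   if kind == "incr" and base < t < cutoff)
    return [("full", base)] + [("incr", t) for t in incrs]

if __name__ == "__main__":
    naive = restore_chain(CATALOGUE, SYMPTOMS)
    chain = restore_chain(CATALOGUE, choose_cutoff(SYMPTOMS, LOG_LINES, SUSPECT))
    print("symptom-based restore ends at:", naive[-1][1])
    print("log-based restore ends at:   ", chain[-1][1])
```

With this sample data the symptom-based choice ends at the 10PM incremental, while the logs move the cutoff back to 9PM because the suspect range first appears at 21:47.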

