Tuesday, March 15, 2005

Comments from a previous blog entry...

In my previous "rootkit saga continues..." blog entry, there were some comments that I...uh...wanted to comment on...

Geez, can you get any more circular than that?

"...one thing I understand is that it is more difficult to MONITOR a windows box..."

Hhhmmm...I can't say that I really agree with that, Bob (Note: oblique reference to "Office Space"). Sure, Windows does not maintain a log of all of the activity that occurs on the system, but Windows systems can be monitored. It simply comes down to intelligent design and engineering...knowing what you want to do, whether it makes sense, and then doing it. For example, some folks shut off auditing and logging all together because it either creates too much information and they can't review it, or they just don't understand what they're seeing...or both. A better option would be to enable logging based on the purpose of the box, then develop a centralized analysis repository for the logs. The truth is out there, Scully.

"So IMHO, Windows is substantially easier to "DRIVE", but substantially more difficult to analyse in general. But this can even be to a lack of documentation..."

Yeah, I'd have to agree with that. I think that most folks "grow up" in the security industry, hearing about Linux or *nix or *BSD systems being "more secure", so they migrate to that area. However, from a consulting perspective, Windows is much more ubiquitous on the desktop...and there's much less expertise out there, with regards to incident response analysis for these systems. I'm sure that part of this is due to the fact that this sort of skill set, though useful in other areas, is seen as a unique specialization.

I also believe that this documentation comes in two forms...documentation of the internals of Windows, and perhaps the more necessary "HOW-TO"-type guides. The Windows internals stuff is something the bad guys seem to know, and to be honest, is probably a lot more than most administrators and first responders have time to digest. I do agree that there needs to be much more in the way of "HOW-TO" guides, even with the ones that are already out there. Just as important, however, is that these guides and this sort of information needs to be credible...it should be based on experimentation, with verifiable and reproduceable results.

2 comments:

Anonymous said...

so when are you going to write some "How-Tos" ?? :)

H. Carvey said...

Chris,

Are there any in particular that you'd like to see? That's usually a good place to start...I could write them all day and not a single one would be of interest to you...