Comments on Windows Incident Response: How do you do that voodoo that you do?

H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2006-11-18 07:40 -05:00

Exactly!

Anonymous, 2006-11-17 22:23 -05:00

Subject matter expertise determines procedures! If you don't know what you have, you don't know where to look.

H. Carvey, 2006-11-17 18:30 -05:00

kfir d...

Twice in one night...many thanks!

"So before each system reinstall, one must find at least one security hole, and make sure he closes it after the installation is over. This way, hopefully, in the end he will close them all."

Just one? What if it's the wrong one? Or what if the vulnerability that is found only permits denial of service attacks, and not remote code execution...and the vulnerability the attacker used allowed remote code execution?

I would agree with your statement if we were to keep all admins and responders at their current skill level. However, I'm advocating an increase in skill levels, so that the admins and responders can do more in less time.

Anonymous, 2006-11-17 18:19 -05:00

I do agree. In every investigation one must assume there are pieces of the puzzle that you don't know exist.
So one must clean the whole system.
But, as you said: "the reinstalled system may have the same or additional vulnerabilities, so the attacker can reinfect the system once it's back up."

So before each system reinstall, one must find at least one security hole, and make sure he closes it after the installation is over.
This way, hopefully, in the end he will close them all.

Leaving theory aside, it should be mentioned that most sysadmins (at least those I have met) are not really happy about shutting down their servers. Even more, they really don't like to reinstall their systems.
So you can suggest that they reinstall every time they are hacked, but unfortunately not all will listen.
;)