I should point out one factor which I think makes a large difference in
the approach that one might take in encountering a security issue - the
vast majority of my customers are home users who just casually use their
machine. In a hypothetical situation of me being called in to analyse a
security compromise of a medium-sized business's system(s), my strategy
definitely would not factor in "can I fix this in under 3 hours".
Wayne S. Anderson wrote:
You know, I want to point out to folks on this list that this is NOT an
either/or situation. Much like any time we engage in computer forensics,
there are processes we can institute as security professionals that allow
for the removal of untrusted components via a clean install without complete
loss of data.
1) Recognize that a system is compromised if it is infected with anything
more than an embedded 'exploit'. (E.g. Email comes through that has HTML or
something which is temporarily copied to a local cache when the email loads
in the application. This is easy to fix. Any true "virus" which infects
the host system at deeper than an individual application level is taboo.
Toast.)
I used the term 'malware' because I believe that the threats are
becoming more and more blended.
2) Jon's point about reliability here is very key to the discussion. It is
COMPLETELY irresponsible to warrant to a customer that you can certify a
system safe after it has been infected with any manner of
control-compromising code that has gone undetected/untreated for a period of
time.
Do you see this as applying in a joe average home user scenario?
As an individual consumer, I may choose to take that risk so there is
an important distinction for the environment that you are asking this
question on. On an enterprise level it is hard to imagine a small or medium
business where this risk is acceptable.
Agreed.
Realize that security is the intelligent application of principles and
experience to maintain a balance between confidentiality, integrity, and
accessibility for yourself, your customer, or your organization. Security
doesn't have to be "wipe and restart" OR "remove the malware and continue
using", there are other solutions out there. It is important to recognize
that there are multiple possible approaches and you need to examine the
risks and benefits of your (hopefully standardized) approach to regularly
determine if it can be improved.
I assume you mean, in my average scenario (eg. home casual user got
their machine compromised through installing something while browsing
for porn) that my advising the customer of common-sense approaches as
well as possibly suggesting alternative software to help avoid similar
problems in the future, for example?
--
Mike Moratz-Coppins
mike@mikeymike.org.uk
http://www.mikeymike.org.uk/
