On Jan 28, 3:33 pm, Bear <bearbottoms1+...@gmail.com> wrote multiple posts:
maybe, in future, you could read my posts all the way through and let
them sink in a bit before you replied. that way you wouldn't need to
reply multiple times to the same post, and i wouldn't have to try and
piece your thoughts back together into a cohesive whole.
> On 1/28/2012 1:27 PM, kurt wismer wrote:
>
> > the first step is prevention, certainly agree with you there. if you
> > can prevent going through the following cycle at the first stage,
> > that's a lot of effort you don't have to expend.
>
> This is wrong. What are you going to do? Wait till you are infected then
> make an image? First make your recovery plan before you go out into the
> wild. Then work on prevention.
if i tell you to first drive to your parents house and then nail shut
the doors and windows, i would normally think it goes without saying
that you must first acquire a car, a hammer, and some nails.
however, since i was critical of leaving other steps in the
traditional PDR triad as implicit, i suppose it's only fitting that
"prepare" be made explicit too. so the 0th step is to prepare for your
next malware encounter. now my hexad is a septad.
> > next is diagnosis of what you failed to prevent, because you need to
> > know everything it did in order to know what steps need to be taken in
> > recovery. you also need to know where it came from if you're going to
> > involve the authorities as well as what files to send to vendors so
> > they can improve their products. you also need to know how the
> > compromise was able to succeed for when you re-evaluate your defenses.
>
> This takes hours and more in many cases. Most average users will never
> be able to do such. Your advice may work for expert users but they are
> few and far between. It takes less than 30 minutes to restore a clean image.
in the same vein, one could also say it takes less than 30 minutes to
destroy information that could have:
a) warned the victim that his bank account was in jeopardy
b) informed the victim which vulnerable subsystem needed to be patched,
reconfigured, or disabled in order to prevent getting compromised by
similar malware in the future
c) identified which cloud-based email needed to be deleted to avoid
accidentally re-compromising the machine with the exact same malware
in the future
is this really the lesson you want to teach people? from my
perspective, this is precisely the thoughtless, lazy, half-arsed
approach i complained about before. simply restoring an image just
sets you up to get pwned again in exactly the same way. the best proof
of learning from your mistakes is to change direction - if you keep
doing the same thing you keep making the same mistake. pretending
there's an easy answer (just restore a clean image!) breeds laziness
and complacency and gives people a false sense of security.
now i realize that there are limits to what people are capable of, but
i never said they had to do it alone. they can get help if they need
to. they can also cut corners, but the more thorough their knowledge
of how their prevention failed this time, the better equipped they'll
be to improve it and not fail the next time.
On Jan 28, 3:37 pm, Bear <bearbottoms1+...@gmail.com> wrote:
> On 1/28/2012 1:27 PM, kurt wismer wrote:
>
> > after that is recovery (don't want to do it before reporting to
> > authorities as you may be compromising opportunities to gain valuable
> > intelligence about the person or people involved, or lose access to
> > the malware samples). with the kinds of malware out there these days,
> > recovery can easily extend beyond the confines of your hard drive, so
> > while good backups and/or drive images are a must, they are only the
> > beginning.
>
> So you are going to recover from factory images or media? Because you
> haven't made your recovery images yet.
yes, yes, recovery needs preparations. guess what - so does
prevention, so does detection, so does diagnosis, etc. making images
is an implementation detail, just like updating anti-virus software,
preparing a whitelist, generating a behavioural baseline for installed
software, collecting file integrity information, and so on and so
forth. you raised an important point (in your single-minded sort of
way) about the importance of preparedness, but you don't have to keep
banging that drum.
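The last reply lists "collecting file integrity information" and "generating a behavioural baseline" among the preparation details that make later diagnosis possible. The following is an added example, not code from anyone in this thread: it takes a SHA-256 baseline of a directory tree before an incident, stores it, and later diffs a fresh snapshot against it so diagnosis starts from a list of added, removed and modified files instead of a blank slate. The directory layout, file contents and the "tampering" in `demo()` are constructed for the demonstration.

```python
"""Added example: a minimal file-integrity baseline and comparison.

Baseline before an incident, snapshot after, diff the two. The sample tree
and the simulated post-compromise changes in demo() are constructed.
"""
from __future__ import annotations

import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """SHA-256 of one file, read in chunks so large files need not fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256.

    Symlinks are skipped so a link pointing outside the tree cannot pull
    unrelated (or huge) files into the baseline.
    """
    result: dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            result[p.relative_to(root).as_posix()] = hash_file(p)
    return result


def save_baseline(snap: dict[str, str], path: Path) -> None:
    """Persist the baseline as JSON (in practice: to read-only or off-host storage)."""
    path.write_text(json.dumps(snap, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict[str, str]:
    return json.loads(path.read_text())


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Return sorted lists of added, removed and modified paths."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys if baseline[k] != current[k]),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a small tree, tamper with it, diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "system"
        (root / "bin").mkdir(parents=True)
        (root / "bin" / "tool").write_bytes(b"original tool")
        (root / "config.ini").write_text("autorun=no\n")

        baseline_path = Path(tmp) / "baseline.json"
        save_baseline(snapshot(root), baseline_path)  # the "prepare" step

        # Simulated post-compromise changes (constructed): a patched binary,
        # a dropped file, and a deleted configuration file.
        (root / "bin" / "tool").write_bytes(b"original tool + injected bytes")
        (root / "bin" / "dropper.exe").write_bytes(b"constructed payload stand-in")
        (root / "config.ini").unlink()

        return compare(load_baseline(baseline_path), snapshot(root))


if __name__ == "__main__":
    # Prints added: bin/dropper.exe, removed: config.ini, modified: bin/tool
    print(json.dumps(demo(), indent=2))
```

The point of keeping the baseline is exactly the one made above about not destroying information: wiping and re-imaging first leaves nothing to diff, whereas a snapshot taken before the rebuild can still be compared against the baseline afterwards. The baseline only has value if the compromised host could not have rewritten it, so store it on read-only or off-host storage, and note that hashes record content changes only; a real tool would also track permissions, ownership and timestamps.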