Focus on Microsoft
the approach that one might take in encountering a security issue - the
vast majority of my customers are home users who just casually use their
machine. In a hypothetical situation of me being called in to analyse a
security compromise of a medium-sized business's system(s), my strategy
definitely would not factor in "can I fix this in under 3 hours".
Wayne S. Anderson wrote:
> You know, I want to point out to folks on this list that this is NOT an
> either/or situation. Much like any time we engage in computer forensics,
> there are processes we can institute as security professionals that allow
> for the removal of untrusted components via a clean install without complete
> loss of data.
>
> 1) Recognize that a system is compromised if it is infected with anything
> more than an embedded 'exploit'. (E.g. Email comes through that has HTML or
> something which is temporarily copied to a local cache when the email loads
> in the application. This is easy to fix. Any true "virus" which infects
> the host system at deeper than an individual application level is taboo.
> Toast.)
I used the term 'malware' because I believe that the threats are
becoming more and more blended.
> 2) Jon's point about reliability here is very key to the discussion. It is
> COMPLETELY irresponsible to warrant to a customer that you can certify a
> system safe after it has been infected with any manner of
> control-compromising code that has gone undetected/untreated for a period of
> time.
Do you see this as applying in a joe average home user scenario?
> As an individual consumer, I may choose to take that risk so there is
> an important distinction for the environment that you are asking this
> question on. On an enterprise level it is hard to imagine a small or medium
> business where this risk is acceptable.
Agreed.
> Realize that security is the intelligent application of principles and
> experience to maintain a balance between confidentiality, integrity, and
> accessibility for yourself, your customer, or your organization. Security
> doesn't have to be "wipe and restart" OR "remove the malware and continue
> using", there are other solutions out there. It is important to recognize
> that there are multiple possible approaches and you need to examine the
> risks and benefits of your (hopefully standardized) approach to regularly
> determine if it can be improved.
I assume you mean, in my average scenario (e.g. home casual user got
their machine compromised through installing something while browsing
for porn) that my advising the customer of common-sense approaches as
well as possibly suggesting alternative software to help avoid similar
problems in the future, for example?
--
Mike Moratz-Coppins
mike (at) mikeymike.org (dot) uk
http://www.mikeymike.org.uk/