Focus on Microsoft
RE: More along the lines of malware disinfection Mar 18 2008 11:31PM
Wayne S. Anderson (wfrazee wynweb net)
This is a great point, Mike.

As with all things security related, you really have to examine the
environment and the value of the asset which you are securing.

In your particular example, you appear to focus largely on home users. I
would actually offer them the choice, if it were me. It has been me in the
past when I was getting started. You do your initial investigation. Ah
hah! Malware! You naughty user, you, stop going to those uh.... creative
body art.... sites. At that point you can either offer them your arbitrary
toast-and-rehash service which loses all of the data OR you can say that
there are three choices and it's up to you.

My first service is to remove the malware. I don't warrant my work as
modern malware can be a real bugger to get rid of. I will make my best
effort to get rid of the bad stuff and leave the good stuff intact but
realize there is a small chance something can go wrong and a small chance
that the creeping crud could still be there.

My second service is to pave over your system. It's fast, it's relatively
cheap if you still have your old CDs, but you lose your data. I warrant
this service because your system is fresh and fully patched and will be
working but won't have your old data. Most people don't do this because they
have pictures, games, etc, that they want me to grab from the old system.

My third service takes a little more time and involves a little more work
but I rebuild your system and try to bring over standard profile information
from your old computer and the information that you tell me you really need
from the old PC. This is the image-rebuild-and-restore option. I warrant
this work because it's detailed work and I leave you a fully patched system
with as much information as I can reasonably recover from the old PC. This
costs a little more but is the best option.

This way you offer your customers the choice and let them choose whether they
want to pay for the extra time. You offer your customer options including
an upsell/premium option that makes a little more money for you. Your user
gets to choose what level of risk they are taking on (even though they don't
see it as risk, they just see it as what work you are willing to do and how
you walk away from the job).

Wayne S. Anderson
http://www.linkedin.com/in/wayneanderson

-----Original Message-----
From: listbounce (at) securityfocus (dot) com [mailto:listbounce (at) securityfocus (dot) com] On
Behalf Of Mike Moratz-Coppins
Sent: Tuesday, March 18, 2008 2:57 PM
To: focus-ms (at) securityfocus (dot) com
Subject: Re: More along the lines of malware disinfection

I should point out one factor which I think makes a large difference in
the approach that one might take in encountering a security issue - the
vast majority of my customers are home users who just casually use their
machine. In a hypothetical situation of me being called in to analyse a
security compromise of a medium-sized business's system(s), my strategy
definitely would not factor in "can I fix this in under 3 hours".

Wayne S. Anderson wrote:
> You know, I want to point out to folks on this list that this is NOT an
> either/or situation. Much like any time we engage in computer forensics,
> there are processes we can institute as security professionals that allow
> for the removal of untrusted components via a clean install without complete
> loss of data.
>
> 1) Recognize that a system is compromised if it is infected with anything
> more than an embedded 'exploit'. (E.g. Email comes through that has HTML or
> something which is temporarily copied to a local cache when the email loads
> in the application. This is easy to fix. Any true "virus" which infects
> the host system at deeper than an individual application level is taboo.
> Toast.)

I used the term 'malware' because I believe that the threats are
becoming more and more blended.

> 2) Jon's point about reliability here is very key to the discussion. It is
> COMPLETELY irresponsible to warrant to a customer that you can certify a
> system safe after it has been infected with any manner of
> control-compromising code that has gone undetected/untreated for a period of
> time.

Do you see this as applying in a Joe Average home user scenario?

> As an individual consumer, I may choose to take that risk so there is
> an important distinction for the environment that you are asking this
> question on. On an enterprise level it is hard to imagine a small or medium
> business where this risk is acceptable.

Agreed.

> Realize that security is the intelligent application of principles and
> experience to maintain a balance between confidentiality, integrity, and
> accessibility for yourself, your customer, or your organization. Security
> doesn't have to be "wipe and restart" OR "remove the malware and continue
> using", there are other solutions out there. It is important to recognize
> that there are multiple possible approaches and you need to examine the
> risks and benefits of your (hopefully standardized) approach to regularly
> determine if it can be improved.

I assume you mean, in my average scenario (e.g. home casual user got
their machine compromised through installing something while browsing
for porn), that my advising the customer of common-sense approaches as
well as possibly suggesting alternative software to help avoid similar
problems in the future, for example?

--
Mike Moratz-Coppins
mike (at) mikeymike.org (dot) uk
http://www.mikeymike.org.uk/

Copyright 2010, SecurityFocus