Wednesday, 12 May 2004

Finally, someone has the right answer to how to clean a compromised system. So, you didn’t patch the system and it got hacked. What to do?

Click here to find out.

Is it the one correct answer - If you have already been compromised? Three cheers for Jesper M. Johansson, Ph.D., CISSP, MCSE, MCP+I, Security Program Manager at Microsoft for pointing this out. Maybe.

However, it should be noted (as was done to me by a security professional whom I respect greatly) that there are many options other than and in addition to patching available to prevent system compromise. Here's what my colleague said in email:

“I can't believe they actually published that!  While instilling fear and hopelessness it has no redeeming value and makes MS look bad (by implying a 'justification' for the pain of the patch process).  There are other alternatives to cleaning systems and validating what has been altered besides reformatting.  Things like Tripwire, regular audits, etc. etc. etc.  The real decision is what is it worth to not have to reformat?  Also you don't need any of the MS patches to prevent a system from being compromised.”

All valid points. I agree on one level or another with everyone here: Prevention and planning are worth a ton of cure. But when you have been compromised at the system level (i.e. did not plan and prevent), you're assuming a fairly large risk if you continue to use the compromised system.

Add/Read: Comments [1]
IT Security | Tech
Wednesday, 12 May 2004 10:59:49 (Pacific Standard Time, UTC-08:00)
#  Trackback

Referred by: [Referral] [Referral] [Referral] [Referral] [Referral] [Referral] [Referral] [Referral] [Referral] [Referral] [Referral] [Referral] [Referral] [Referral] [Referral] [Referral] [Referral] [Referral] [Referral] [Referral] [Referral]

Wednesday, 12 May 2004 11:43:03 (Pacific Standard Time, UTC-08:00)
The author painted a bleak and nasty picture. While he did a good job of spreading fear and only outlining the simplest and most commonly used answer to the problem. However, in the real world, sometimes reformatting is not a viable option.

The author failed to note, that with some money spent, a recovery is possible without formatting the system and starting over.

For instance, take a known good backup (even if it is from 3 months ago) and compare MD5 sums of all files against the compromised image. That will identify a percentage of the files that were not compromised. Keep working forward in time, noting the dates of backups where files changed MD5sums. This gives you a decent timeline of changes.

Then have a qualified person review the remaining files and reasons for changes. That will quickly eliminate more files. Now you are down to a short list of files that are suspect.

This is time consuming but effective. But from a business perspective it can sometimes make sense. For instance, you have a $1,000,000 cost to your company through loss of this server if you rebuild and have to reenter possibly altered data, then it would make sense to spend $50,000 to have a qualified security professional help recover your system.

This is true regardless of operating system or installed software. This is just one example of a solution not outlined by the author of the MS paper. There are other solutions based on the variables in the case (e.g., types of backups, frequency of backups, logging solutions in use, etc.)

Mostly I fault the author for not pointing out that there are alternatives for trustworthy system/data recovery, they just depend on cost. And also for using disaster recovery costs for a justification of a poor patch process from MS that still needs fixing.

Jay Swofford
Comments are closed.