RE: Incident investigation methodologies
From: Dave Paris (dparis_at_w3works.com)
Date: 06/07/04
To: "Steven Trewick" <STrewick@joplings.co.uk>, <keydet89@yahoo.com>
Date: Mon, 7 Jun 2004 15:07:46 -0400
> -----Original Message-----
> From: Steven Trewick [mailto:STrewick@joplings.co.uk]
> Sent: Monday, June 07, 2004 10:47 AM
> To: 'Harlan Carvey'; incidents@securityfocus.com
> Cc: Ansgar -59cobalt- Wiechers
> Subject: RE: Incident investigation methodologies
>
[...]
> If my choice as a human being was to perform a procedure on myself
> that would cost a minimal amount of resource, and take a minimal
> amount of time, or a lengthy and costly series of investigations
> that would take forever, be painful, and possibly, ultimately
> inconclusive, which would I pick ?
Depends. If you know you may well be dealing with a pathogen capable of
inflicting near or at-lethal levels of damage on others (whether it's others
you're in charge of or just other people), one would hope you'd have the
professionalism and/or presence of mind to do a somewhat deeper inspection
rather than just place a band-aid, smack it on the ass, and tell it to get
back in the game.
I think this can be summed (and lightened) up by invoking a little Monty
Python.
...[Arthur chops off the Black Knight's left arm]...
"Now stand aside, worthy adversary."
"'Tis but a scratch."
"A scratch? Your arm's off!"
"Well, what's that, then?"
"I've had worse."
"You liar!"
...[Arthur chops off the Black Knight's right arm]...
"Eh. You are indeed brave, Sir Knight, but the fight is mine."
"Oh, had enough, eh?"
"Look, you stupid ***. You've got no arms left."
"Yes, I have."
"Look!"
"Just a flesh wound."
.. sorry, couldn't resist, given the "medical" twist ;-)
Kind Regards,
-dsp
> -----Original Message-----
> From: Steven Trewick [mailto:STrewick@joplings.co.uk]
> Sent: Monday, June 07, 2004 10:47 AM
> To: 'Harlan Carvey'; incidents@securityfocus.com
> Cc: Ansgar -59cobalt- Wiechers
> Subject: RE: Incident investigation methodologies
>
>
>
> > One more thing to think about...what happens when you
> > go to the doctor? When you go to a doctor's office
> > with a complaint, does he simply give you a lethal
> > injection then perform an autopsy to determine what
> > was wrong with you? Or does he collect volatile
> > information...interview you, ask you questions, take
> > your temperature and blood pressure, etc?
>
>
> That is simply the single most bogus metaphor I've heard this week.
>
> In the real world, production systems need to go back into production
> ASAP.
>
> Frontline support staff simply do not have the time or resource
> (or often even the knowledge) to conduct lengthy forensic investigations.
>
> Time = Money, that's a cold, hard fact, and there simply isn't any way
> around it.
[...]