Re: Incident investigation methodologies
From: Barry Fitzgerald (bkfsec_at_sdf.lonestar.org)
Date: Wed, 09 Jun 2004 13:58:48 -0400
To: Harlan Carvey <firstname.lastname@example.org>
Harlan Carvey wrote:
>As do I. And I also think that it would greatly
>benefit the community, by moving us beyond the
>stagnation faced by phrases like "...but a hacker
>could...". Some small degree of paranoia...perhaps
>"caution" is a better term...is necessary in the
>security profession, as no one person can know
>everything there is to know. However, many of us
>working together can know quite a lot...
I think that the "paranoia" point of discussion is quite interesting.
Let me first start by saying that I agree completely with the majority
of the points you've made here, Harlan. The fact of the matter is that
if we don't create a trusted incident response methodology, we're
looking at a future of constantly second guessing our own systems.
Computer science is just that: science, not mysticism. As such there is
always a logical progression.
However, I think that the "paranoia" argument is largely dependent on
the audience of the argument. If I say to you (or, vice versa) that a
black hat COULD trojan a copy of netstat.exe, it doesn't have the same
connotation as if I said that to an end user. The assumption, I
believe, is that saying this to a security professional carries with it
the assumption that that security professional will understand that this
doesn't mean that it has been trojaned nor that it is even likely, just
that it could and does happen.
Now, whether everyone on this list is a security professional is another
discussion altogether, and not one that I intend on joining into. :)