Re: Incident investigation methodologies

From: Barry Fitzgerald (
Date: 06/09/04

  • Next message: Curt Purdy: "RE: [ok] Simple Windows incident response methodology"
    Date: Wed, 09 Jun 2004 13:58:48 -0400
    To: Harlan Carvey <>

    Harlan Carvey wrote:

    >As do I. And I also think that it would greatly
    >benefit the community, by moving us beyond the
    >stagnation faced by phrases like "...but a hacker
    >could...". Some small degree of paranoia...perhaps
    >"caution" is a better necessary in the
    >security profession, as no one person can know
    >everything there is to know. However, many of us
    >working together can know quite a lot...

    I think that the "paranoia" point of discussion is quite interesting.

    Let me first start by saying that I agree completely with the majority
    of the points you've made here, Harlan. The fact of the matter is that
    if we don't create a trusted incident response methodology, we're
    looking at a future of constantly second guessing our own systems.
    Computer science is just that: science, not mysticism. As such there is
    always a logical progression.

    However, I think that the "paranoia" argument is largely dependant on
    the audience of the argument. If I say to you (or, vice versa) that a
    black hat COULD trojan a copy of netstat.exe, it doesn't have the same
    connotation than if I said that to an end user. The assumption, I
    believe, is that saying this to a security professionaly carries with it
    the assumption that that security professional will understand that this
    doesn't mean that it has been trojaned nor that it is even likely, just
    that it could and does happen.

    Now, whether everyone on this list is a security professional is another
    discussion altogether, and not one that I intend on joining into. :)


  • Next message: Curt Purdy: "RE: [ok] Simple Windows incident response methodology"