SANS ISC (once again) and Microsoft - Flatten Compromised Systems

Published: 2004-05-16
Last Updated: 2004-05-17 10:47:27 UTC
by Patrick Nolan (Version: 1)
0 comment(s)
A few days after Johannes Ullrich, SANS CTO, posted some of the ISC's compelling reasons why rebuilding a compromised system should be considered a best practice (for the umpteenth needed time, link below), ISC Handler Chris Carboni shared a link to a May 7th paper reciting Microsoft's reasons that can support rebuilding as a "best practice" (by Jesper M. Johansson, Security Program Manager, Microsoft Corporation). The author's take on "flattening compromised systems" and other issues is a great read and addition to the body of best practice recommendations to rebuild compromised systems.

Experience shows that rebuilding a compromised system is a best practice that some people responsible for the security of systems still want to ignore (in both *NIX & Microsoft shops). These are the folks that will have the time to read the following article ( ; ^ ). So .... if ensuring the confidentiality, integrity and availability of your employer's network, and safekeeping their business and their customers are not good enough reasons to make rebuilding a best practice for compromised systems in your shop, consider the following best practice and career advice from the Microsoft article (my highlighting);

"The only way to clean a compromised system is to flatten and rebuild. That?s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications). Alternatively, you could of course work on your resume instead, but I don?t want to see you doing that."
(Help: I Got Hacked. Now What Do I Do? by Jesper M. Johansson, Security Program Manager, Microsoft Corporation: May 7, 2004)

ISC's recent, needed, umpteenth and not last publication of some of the reasons why "clean up tools may not be adequate" is at;

Port 8000 activity is increasing, tip o' the hat to Ken Connelly's consistently informative Intrusions.Org Log posts;
Dshield Port 8000 Numbers;
Two sharp eyed readers correctly pointed out that these scans are more likely for HP print servers with HP Web JetAdmin vulnerabilities. We have received reports of successful exploitation of vulnerable systems.

Last Week's Internet Storm Center: Threat Update Archive is available

If you missed last weeks Internet Storm Center: Threat Update Featuring: Johannes Ullrich, Marcus Sachs and fascinating Q & A submissions ( ; ^ ), you can catch the archived briefing (audio and pdf) by logging in to your SANS Portal account;

Patrick Nolan
0 comment(s)


Diary Archives