Wolfgang, a reader, submitted this link (http://blogs.msdn.com/sdl/archive/2007/04/26/lessons-learned-from-the-animated-cursor-security-bug.aspx) to an MSDN SDL blog article analyzing the lessons Microsoft learned from the recent ANI vulnerability. This reminded me that it's almost time to perform a similar analysis of my own environment.
Lessons learned, or follow-up, is the last step in incident response. It also happens to be the most neglected one.
Hopefully, the MS07-017 patch has been safely deployed through most of your environment by now. I know not everyone has finished by now, and I feel your pain. For those who have, take a few moments to reflect on the event and recall how your environment performed in the early, pre-patch stage and how smoothly the transition to a post-patch state went.
Once you have gathered some of the data from the overall event, ask yourself:
At the day job we needed to tighten the detection and analysis cycle for all of the new malware that was using this vector to get into our network. This means that I'll probably have an easier time justifying that Sandnet (http://www.lurhq.com/truman/) we've been planning to build. We also need to look at the amount of time it takes to block malicious URLs in our response process, and we may want to consider a different content-filtering solution.
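One concrete piece of a tighter detection cycle for this vector is a structural check on inbound files, since the MS07-017 bug was triggered by an animated-cursor file whose second `anih` chunk declared a length other than the 36 bytes of a real ANIHEADER. The scanner below is an added example written for this diary, not code from the original post or from Microsoft's article: it walks the RIFF/ACON chunk tree (descending into LIST containers) and flags any `anih` chunk whose declared size is not 36, more than one `anih` chunk, or a chunk that claims more bytes than the file holds. The three sample files are constructed inline for the demonstration and contain no shellcode; the function and variable names are this example's own.

```python
import struct

ANIH_EXPECTED_SIZE = 36  # sizeof(ANIHEADER): nine little-endian DWORD fields


def _iter_chunks(data, start, end):
    """Yield (fourcc, declared_size, payload_offset) for each RIFF chunk
    header between data[start] and data[end]. Payloads are padded to an
    even length, so the next header sits at payload + size + (size & 1)."""
    pos = start
    while pos + 8 <= end:
        fourcc = data[pos:pos + 4]
        size = struct.unpack_from('<I', data, pos + 4)[0]
        payload = pos + 8
        yield fourcc, size, payload
        pos = payload + size + (size & 1)


def scan_ani(data):
    """Return a list of findings for an ANI (RIFF/ACON) byte string.
    An empty list means nothing structurally suspicious was seen."""
    findings = []
    if len(data) < 12 or data[:4] != b'RIFF' or data[8:12] != b'ACON':
        return ['not a RIFF/ACON container']
    riff_size = struct.unpack_from('<I', data, 4)[0]
    end = min(len(data), 8 + riff_size)  # never trust the declared size past EOF
    anih_count = 0

    def walk(start, stop):
        nonlocal anih_count
        for fourcc, size, payload in _iter_chunks(data, start, stop):
            name = fourcc.decode('latin-1')
            if payload + size > stop:
                findings.append(f'truncated {name} chunk at offset {payload - 8}: '
                                f'declares {size} bytes, only {stop - payload} remain')
                return  # the rest of the chunk list cannot be trusted
            if fourcc == b'LIST':
                # LIST payload = 4-byte list type ('fram', 'INFO', ...) + sub-chunks
                walk(payload + 4, payload + size)
            elif fourcc == b'anih':
                anih_count += 1
                if size != ANIH_EXPECTED_SIZE:
                    findings.append(f'anih chunk at offset {payload - 8} declares '
                                    f'{size} bytes, expected {ANIH_EXPECTED_SIZE}')

    walk(12, end)
    if anih_count > 1:
        findings.append(f'{anih_count} anih chunks present (a normal file carries one)')
    return findings


# --- constructed sample files for the demonstration (not real malware) ----

def _chunk(fourcc, payload):
    pad = b'\x00' if len(payload) & 1 else b''
    return fourcc + struct.pack('<I', len(payload)) + payload + pad


def _riff(body_chunks):
    body = b'ACON' + b''.join(body_chunks)
    return b'RIFF' + struct.pack('<I', len(body)) + body


# A well-formed ANIHEADER: cbSizeof=36, one frame, one step, everything else zero.
_GOOD_HEADER = struct.pack('<9I', 36, 1, 1, 0, 0, 0, 0, 0, 0)

BENIGN_ANI = _riff([
    _chunk(b'anih', _GOOD_HEADER),
    _chunk(b'LIST', b'fram' + _chunk(b'icon', bytes(16))),
])

# Second anih chunk with an oversized payload: the shape the MS07-017
# exploit files took, minus any actual shellcode.
SUSPECT_ANI = _riff([
    _chunk(b'anih', _GOOD_HEADER),
    _chunk(b'anih', b'A' * 200),
])

# Declares far more anih data than the file actually holds.
TRUNCATED_ANI = _riff([
    _chunk(b'anih', _GOOD_HEADER),
    b'anih' + struct.pack('<I', 4096) + b'B' * 50,
])

if __name__ == '__main__':
    for label, sample in (('benign', BENIGN_ANI), ('suspect', SUSPECT_ANI),
                          ('truncated', TRUNCATED_ANI)):
        print(label, scan_ani(sample) or 'clean')
```

Run it over content, not file extensions: the exploit files in the wild were served under unrelated extensions and Windows still parsed them as cursors once it saw the RIFF/ACON header, so a filter keyed on `.ani` alone misses them. The size check is a heuristic for this one bug class; it is a cheap first pass to route samples into a sandnet, not a substitute for patching.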
Apr 27th 2007