This is a great point, Mike.

As with all things security related, you really have to examine the
environment and the value of the asset which you are securing.

In your particular example, you appear to focus largely on home users.  I
would actually offer them the choice, if it were me.  It has been me in the
past when I was getting started.  You do your initial investigation.  Ah
hah!  Malware!  You naughty user, you, stop going to those uh.... creative
body art.... sites.  At that point you can either offer them your arbitrary
toast-and-rehash service which loses all of the data OR you can say that
there are three choices and it's up to you.

My first service is to remove the malware.  I don't warrant my work as
modern malware can be a real bugger to get rid of.  I will make my best
effort to get rid of the bad stuff and leave the good stuff intact but
realize there is a small chance something can go wrong and a small chance
that the creeping crud could still be there.

My second service is to pave over your system.  It's fast, it's relatively
cheap if you still have your old CDs, but you lose your data.  I warrant
this service because your system is fresh and fully patched and will be
working but won't have your old data.  Most people don't do this because they
have pictures, games, etc, that they want me to grab from the old system.

My third service takes a little more time and involves a little more work
but I rebuild your system and try to bring over standard profile information
from your old computer and the information that you tell me you really need
from the old PC.  This is the image-rebuild-and-restore option.  I warrant
this work because it's detailed work and I leave you a fully patched system
with as much information as I can reasonably recover from the old PC.  This
costs a little more but is the best option.

This way you offer your customers the choice, let them choose whether they
want to pay for the extra time.  You offer your customer options including
an upsell/premium option that makes a little more money for you.  Your user
gets to choose what level of risk they are taking on (even though they don't
see it as risk, they just see it as what work you are willing to do and how
you walk away from the job).

Wayne S. Anderson
http://www.linkedin.com/in/wayneanderson

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Mike Moratz-Coppins
Sent: Tuesday, March 18, 2008 2:57 PM
To: [email protected]
Subject: Re: More along the lines of malware disinfection

I should point out one factor which I think makes a large difference in 
the approach that one might take in encountering a security issue - the 
vast majority of my customers are home users who just casually use their 
machine.  In a hypothetical situation of me being called in to analyse a 
security compromise of a medium-sized business's system(s), my strategy 
definitely would not factor in "can I fix this in under 3 hours".

Wayne S. Anderson wrote:
> You know, I want to point out to folks on this list that this is NOT an
> either/or situation.  Much like any time we engage in computer forensics,
> there are processes we can institute as security professionals that allow
> for the removal of untrusted components via a clean install without complete
> loss of data.
> 
> 1) Recognize that a system is compromised if it is infected with anything
> more than an embedded 'exploit'.  (E.g. Email comes through that has HTML or
> something which is temporarily copied to a local cache when the email loads
> in the application.  This is easy to fix.  Any true "virus" which infects
> the host system at deeper than an individual application level is taboo.
> Toast.)

I used the term 'malware' because I believe that the threats are 
becoming more and more blended.

> 2) Jon's point about reliability here is very key to the discussion.  It is
> COMPLETELY irresponsible to warrant to a customer that you can certify a
> system safe after it has been infected with any manner of
> control-compromising code that has gone undetected/untreated for a period of
> time.

Do you see this as applying in a Joe Average home user scenario?

> As an individual consumer, I may choose to take that risk so there is
> an important distinction for the environment that you are asking this
> question on.  On an enterprise level it is hard to imagine a small or medium
> business where this risk is acceptable.

Agreed.

> Realize that security is the intelligent application of principles and
> experience to maintain a balance between confidentiality, integrity, and
> accessibility for yourself, your customer, or your organization.  Security
> doesn't have to be "wipe and restart" OR "remove the malware and continue
> using", there are other solutions out there.  It is important to recognize
> that there are multiple possible approaches and you need to examine the
> risks and benefits of your (hopefully standardized) approach to regularly
> determine if it can be improved.

I assume you mean, in my average scenario (e.g. home casual user got 
their machine compromised through installing something while browsing 
for porn) that my advising the customer of common-sense approaches as 
well as possibly suggesting alternative software to help avoid similar 
problems in the future, for example?


-- 
Mike Moratz-Coppins
[EMAIL PROTECTED]
http://www.mikeymike.org.uk/
