Thursday, December 15, 2005

When to rebuild...

We have this little section in our policy that states a system must be rebuilt after it is compromised. In some situations, the rebuild will be at the discretion of the Information Security Manager. Unfortunately, system administrators like to argue about this or simply ignore it when it comes to malware. I have seen computer support technicians work on a spyware/adware-infected box for THREE DAYS before finally giving up and rebuilding. Get a freaking clue, people!!! The box could have been rebuilt using Ghost, Microsoft ADS or your favorite imaging app in 20 to 60 minutes, yet you wasted 3 days. Holy crap! I seriously wanted to smack some of these people. There are some malware infections that are very simple to alleviate, but others are a real pain and most help desk people are not trained to deal with these types of things. It truly amazes me. I have had things handed to me that were not able to be "cleaned" by the help desk that I solved in 5-10 minutes yet spent the next 30 minutes verifying that it wasn't something more sinister. Rootkits are becoming more prevalent and more malware is using a "rootkit" driver to hide its processes, so why not make it easy on yourselves? Spend some time developing a process where you can burn your systems down to a wiped disk, apply an image or slipstreamed OS/app install and be done with it.

Geez...enough ranting. I need to work on my list of updated tools to put on this site but that probably won't happen until next week. I will have my podcast listing up tomorrow.
