On 12/30/2011 09:15 AM, Lamar Owen wrote: > On Wednesday, December 28, 2011 10:38:30 PM Craig White wrote: >> the top priority was to get the machine back online? >> >> Seems to me that you threw away the only opportunity to find out what >> you did wrong and to correct that so it doesn't happen again. You are >> left to endlessly suffer the endless possibilities and the extreme >> likelihood that it will happen again. > > Agreed 100%. There is an old saying that applies here 'penny wise but pound foolish.' > > While getting back up quickly is a definite goal, fixing the underlying issue (which can only be done when the underlying issue is known!) is a far more important issue. If downtime cannot be tolerated for a thorough investigation, then the high-availability plan needs to be adjusted to provide failover to another box/VM while the compromised box/VM is investigated. Agree with this. At the very least, some kind of image (dd) of the original disk for further study even if you have to get the machine back on line and you don't have a failover machine. Not knowing how or at least who (so you can block that location) got in means that if/when they want in again, they do it the same way they did last time ... unless you got lucky and happened to correct the issue in the meantime. > > As to the OP's original question about statistics, it seems to me that such statistics are useless for predictive analysis, and no matter how much history you have of past exploit timing this will not and cannot accurately predict the next exploit's timing or the exploitability of the next issue. > > Now for risk assessment it might be useful to have some sort of metric, with the knowledge that no risk assessment is an accurate predictor of future exploitability.
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx http://lists.centos.org/mailman/listinfo/centos