virginia timebomb puts more awareness onto insiders

Krebs has a story up about malware “destroying” 800 systems for the city of Norfolk, Virginia. Reading it drives home a few points, not all of which make me happy. I will say, it sucks bad enough to have power issues that affect lots of things, but it would suck worse to have to expeditiously rebuild nearly 800 machines.

1. I’d conjecture almost every organization has a vested, financial interest in getting systems back to operation as quickly as possible. Department heads, directors, managers, and the staff are all measured by that reaction. In addition, I doubt many organizations have extra staff and equipment on hand to handle any incident that affects even a fraction of their systems. This means there is often all the pressure in the organization to wipe systems and get them back up and running, slapping the hands of those who stored documents improperly on their local systems along the way, and very little pressure to preserve evidence or dig deeper in defining and scoping the malware and/or intrusion. Sad, but true.

2. “Insider” gets mentioned, and honestly, probably appropriately. But that never helps with my work, mainly because I’m an insider and an admin, and locking down/auditing me can only lead to inefficiencies. Yes, I’m biased. But I get the desire, from an organizational standpoint, to prevent one rogue admin from stomping on the balls of whomever. I just don’t have to entirely like it, and I prefer to say things like, “If you can’t trust your admins, you need to question your hiring practices.” Besides, solving the issues surrounding godlike admins is a rather tough (read: costly) task.

3. As commenters on the article have said, it is nice to have data storage policies and even some controls in place, but if users want to save things to their systems, they’ll find ways to do it. This dives deeply into our “gambling” sort of view of risk. Everyone has some inkling that their system hard disks are not magic and will fail eventually, but many people take the gamble and do nothing about it. This is one of those places where FUD scare tactics (er, user education) help.

4. As always with reports like this, I’m left hungry for technical details. But I’m getting used to being unsatisfied in that regard. At least I can trust what Krebs does report, and I believe he has reported all *he’s* gotten, too. Likewise, it raises questions like: could endpoint security have detected this? Any sort of integrity auditing? And so on. At least, those are the questions I’d love to have answered if I sat in their SOC (if they have one).