honeynet reverse challenge

Costs

1. Background

With the exception of Ryan, none of us are true security professionals, so we expect that our methods will prove less efficient and our results less profound than those supplied by the experts. We thought the challenge looked like fun, so we undertook it in that spirit.

We are:

Phil Edelbrock - Linux sysadmin at Edge Design with six years' experience. Phil is also cofounder of the lm_sensors project.

Marius Nita - Perl programmer at Edge Design with three years' experience.

Ryan Oliver - IT consultant at PHA with nine years' experience and a Vax 11/750 which is mostly paid for.

Rob Fightmaster - project manager at Edge Design with only one year's Linux experience - which is how I got stuck doing the grunt work (HTML, md5sum, and stamper).

2. Costs - full analysis

This is the cost analysis using Dave Dittrich's template.

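| Contributor | Hours | Cost/Hr. | Total | -15% | +15% |
|---|---|---|---|---|---|
| Edelbrock | 50.0 | $33.65 | $1,682.50 | $1,430.13 | $1,934.88 |
| Nita | 5.0 | $33.65 | $168.25 | $143.01 | $193.49 |
| Oliver | 5.0 | $33.65 | $168.25 | $143.01 | $193.49 |
| Fightmaster | 10.0 | $33.65 | $336.50 | $286.03 | $386.98 |
| Subtotal | 70.0 | | $2,355.50 | $2,002.18 | $2,708.83 |
| Benefits @ 28% | | | $659.54 | $560.61 | $758.47 |
| Total Labor Cost | | | $3,015.04 | $2,562.78 | $3,467.30 |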

3. Costs - fast & cheap

OPINION: We believe Dave's costing model is excellent for capturing damage and repair costs (as he originally intended), but his template is not as useful for capturing real-world expenses when the bulk of the time is analysis of malicious tools and techniques.

Doing a thorough security analysis, complete with a published write-up, is time intensive and expensive. The effort is especially challenging if network security issues comprise less than 10% of your on-the-job efforts (and training). Furthermore, from the perspective of a company with a recently compromised network, a properly documented security advisory looks more like a public service announcement than a valuable internal resource. For these reasons, we believe that many companies choose not to finance this public good. Faced with a compromise, it is easy to focus on fixing the immediate problem and returning to whatever urgent matters were demanding IT resources prior to the compromise. Our experience leads us to believe that many systems administrators are under pressure to execute a fast & cheap fix: restore lost data, restore binaries, patch the offending service (better late than never) and watch netstat regularly for a couple weeks.

In that instance the immediate cost analysis might look more like the table below.

| Contributor | Hours | Cost/Hr. | Total | -15% | +15% |
|---|---|---|---|---|---|
| Edelbrock | 10.0 | $33.65 | $330.65 | $281.05 | $380.25 |
| Benefits @ 28% | | | $423.23 | $359.74 | $486.72 |
| Total Labor Cost | | | $423.23 | $359.74 | $486.72 |

