d46j48fx
Contributor I

Is it overkill to wipe a machine after a successful phishing attempt?

Colleagues,

I would appreciate your "best practice" responses to the question, "Is it overkill to wipe a machine after a successful phishing attempt?"

Scans from two different AV products plus a rootkit scan came up empty on the user's machine. I play a paranoia card (the user didn't report the compromise AT ALL; we found out when another event occurred). The help-desk is pushing back with "Wipe, re-image and restore is gonna take us forever! There was nothing found on the machine so...yah...gonna ignore your recommendation."

In my organisation the security function is integral to the IT team, as opposed to being organizationally separate. You can no doubt appreciate why the above tug-of-war is happening. This has been addressed in a recent external security assessment and I know what result I'm fighting for. However, for now, I would appreciate your thoughts on, "Wipe or Don't Wipe?"

Thanks!

DL

10 Replies
Shannon
Community Champion

@d46j48fx wrote:

I would appreciate your "best practice" responses to the question, "Is it overkill to wipe a machine after a successful phishing attempt?"

To properly answer that question, one would need details on the phishing attempt, including:

  1. How was this detected, and deemed successful?
  2. What is the potential impact?
  3. What kind of security controls do you have in place?
  4. What will be the business impact of wiping the system?

Incident response usually depends on the scenario --- varying with impact, organisation policies, regulatory authority requirements, etc. --- so a 'best practice' approach should be used when setting up controls instead.

(In my opinion, wiping is overkill if you're utilizing images, dealing with end-user systems, aren't protecting sensitive data, and have proper controls in place --- in which case completely isolating the system from the rest of your network should suffice, since you may need it for investigations.)

Shannon D'Cruz,
CISM, CISSP

www.linkedin.com/in/shannondcruz
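Both the original post ("scans from two different AV products plus a rootkit scan came up empty") and the reply above (isolate the box because you may need it for investigation) turn on what evidence the machine actually holds. The script below is an added example, not code from either poster: it scores an autostart inventory exported from the isolated host (an Autoruns-style CSV is assumed; the user name, paths and entries in the embedded sample are constructed, not real findings) so that "AV found nothing" can be checked against what the box launches at logon. Phishing payloads typically persist through ordinary Run keys and scheduled tasks in user-writable directories rather than through anything a signature scan flags.

```python
"""Persistence triage for a possibly phished endpoint (added example).

Not code from the thread. Scores an autostart inventory exported from the
host with a few heuristics so the wipe/don't-wipe call rests on evidence,
not only on an empty AV scan. SAMPLE_CSV is constructed data in an
Autoruns-style column layout; the user, paths and entry names are made up.
"""
import csv
import io
import re
from dataclasses import dataclass, field

# Directories a standard user can write to; phishing payloads drop here
# because the user lacks rights to land in Program Files or System32.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData|Downloads)\\", re.I)
# Binary names that are only legitimate under the Windows directory.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe", "winlogon.exe", "services.exe"}
# Script hosts and proxy executors commonly used to launch a dropped script.
LOLBINS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe"}
# "invoice.pdf.exe": document-looking name on an executable.
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|txt|jpg)\.(exe|scr|com|bat|js|vbs)$", re.I)

# Constructed sample inventory (hypothetical user "dl" and paths).
SAMPLE_CSV = r"""Entry Location,Entry,Image Path,Signer,Enabled
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,C:\Windows\System32\SecurityHealthSystray.exe,(Verified) Microsoft Windows,enabled
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,OneDrive,C:\Users\dl\AppData\Local\Microsoft\OneDrive\OneDrive.exe,(Verified) Microsoft Corporation,enabled
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Updater,C:\Users\dl\AppData\Roaming\svchost.exe,(Not verified),enabled
Task Scheduler,\Microsoft\Windows\SyncCenter,C:\Users\dl\AppData\Local\Temp\invoice.pdf.exe,(Not verified),enabled
Task Scheduler,\Microsoft\Windows\Defrag\ScheduledDefrag,C:\Windows\System32\defrag.exe,(Verified) Microsoft Windows,enabled
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Update,wscript.exe //B C:\Users\Public\update.js,,enabled
"""


@dataclass
class Finding:
    location: str
    entry: str
    image: str
    score: int
    reasons: list = field(default_factory=list)


def _split_cmd(image):
    """Return (launcher, remaining arguments), honouring a quoted path."""
    m = re.match(r'"([^"]+)"|(\S+)', image)
    if not m:
        return "", ""
    return (m.group(1) or m.group(2)), image[m.end():].strip()


def score_entry(row):
    """Score one inventory row; higher means more worth a human look."""
    image = row["Image Path"].strip()
    signer = row["Signer"].strip()
    exe, args = _split_cmd(image)
    name = exe.rsplit("\\", 1)[-1].lower()
    finding = Finding(row["Entry Location"], row["Entry"], image, 0)

    def hit(points, why):
        finding.score += points
        finding.reasons.append(why)

    if USER_WRITABLE.search(image):
        hit(2, "launches from a user-writable directory")
    if not signer.startswith("(Verified)"):
        hit(1, "image is unsigned or its signature was not verified")
    if name in SYSTEM_NAMES and "\\windows\\" not in exe.lower():
        hit(3, "system binary name outside the Windows directory")
    if DOUBLE_EXT.search(name):
        hit(2, "double extension (document name on an executable)")
    if name in LOLBINS and args:
        hit(2, "script host / proxy executor launching a payload")
    return finding


def triage(csv_text, threshold=3):
    """Findings at or above threshold, highest score first.

    Threshold 3 keeps a verified-signer binary living in AppData (per-user
    installs such as OneDrive score 2) below the line, while anything
    unsigned in a user-writable path (score 3) is reported.
    """
    rows = csv.DictReader(io.StringIO(csv_text))
    findings = [score_entry(r) for r in rows]
    return sorted((f for f in findings if f.score >= threshold), key=lambda f: -f.score)


if __name__ == "__main__":
    for f in triage(SAMPLE_CSV):
        print(f"[{f.score}] {f.entry} <- {f.image}")
        for why in f.reasons:
            print(f"      - {why}")
```

Run against the sample it reports the three constructed malicious entries (a fake svchost.exe in Roaming, a double-extension task target in Temp, and a wscript launcher for a script in Users\Public) and leaves the signed OneDrive and System32 entries alone. A flagged entry is a reason to image the disk and escalate before the help-desk re-images over the evidence; an empty report is one more data point for the "don't wipe" side, not proof of a clean machine, since the heuristics only cover autostart locations the export contains.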