A poorly conceived incident response often makes things easier for criminals.

Take the Decatur Public Library, which was hacked last week. After finding signs of an intrusion, a technician from the Library Corp., the company that manages Decatur’s library network, “wiped out everything that had been added to the computer.”

Doing this didn’t get the library back online and it hurt investigators. From this story in the Decatur Daily, written when library employees were checking out books by hand again:

“Because the hacker’s data was erased, (library director Sandy) McCandless did not think the library could trace the cyber trail to determine whether the hacker took patron information.

She said she reported the hacking to police. She said officers told her they can’t investigate until the library can show damage or data stolen. Computer and white-collar crime investigators Robert Peete and Justin Lyons were unavailable Tuesday for confirmation.”

The library says that repairing and restoring service was job #1, but you’d think that Library Corp., a company that specializes in library systems, would have the resources to save this data.

This reminded me of a note from the IC3 today on securing yourself from Web attacks. I asked rsnake (aka Robert Hansen, CEO of SecTheory) what he thought of these tips and he *hated* #11 saying that it

From the IC3

Recommendation 11: Implement firewall rules to block known malicious IP addresses. Firewall rule sets designed to block all ingress (incoming) and egress (outgoing) traffic to the known malicious IP addresses have been put in place. Note that traffic violating the rules should be logged and observed in near-real time.

Here’s why rsnake hated this idea (in his own words):

“Let’s say I know a guy named “Bob” was going to come and kick my ass.

So I go into a nightclub and I say “Ask everyone what their name is, and if they say their name is Bob don’t let them in.”

You come in and say “Hey, my name is Bob” sure, they’ll stop you.
So then you put on your fancy wig that you bought and come up again and say, “My name is Frank.”

Poof. Now you have done two things: a) you have kicked my ass, and b) learned how I was tracking you. And as a side benefit you now can use it against me in the future by getting other people blocked.

It’s just dumb. And worse yet, now I can no longer track you instead of passively learning people’s names, alerting me so I could escape and live to fight another day. Meanwhile you’re confused how I knew about it since no one stopped you.

Blocking people never worked, ever.”