How To Manage a Security Breach?
Salvance writes, "A friend of mine has recently been stressed over a security breach at the company he consults for. The company maintains dozens of Windows 98 desktops to support legacy software that cannot be easily replaced. Due to the inherent lack of security in Win98, a worm was able to infiltrate almost every computer and send gigabytes of data (possibly including sensitive company data) to a 'redirector' in Eastern Europe. My friend was working on other security projects at this company and stumbled across this massive hole. He quickly convinced company executives to remove Internet access from all Win98 machines, purchase better firewalls, and implement other data protection strategies. However, the sticking point was client notification. Due to the nature of the legacy systems, there was no way to know what data was transferred. For this reason the company wanted to play it safe and disclose nothing. Of course, my friend is all for disclosure and preventing harmful use of the potentially leaked data. My friend doesn't know what to do, so I'd like to know what others here think."
A friend of mine likes to post to slashdot. Anonymously.
Is it me?
Full ack. If you work for somebody and you are paid for that, there are three possibilities:
1) Everything is OK and you know that everything is OK.
2) Something is wrong and you know that it is wrong (wrong in the sense of being illegal). Estimate (maybe with the help of a lawyer) whether you would commit a crime by supporting your employer's position. Luckily I live in a country (Germany) which learned some lessons from history, so that normally you do not have the duty to bring the case to court. Since you normally only have contracts with your employer, inform him and leave it to him to inform his partners or customers. If what you are doing cannot be seen as "fraud" (e.g. buying stock options for a company of which you know that their whole documentation was disclosed by their competitors), it should be OK. My advice is: if not telling is not outright criminal (e.g. if non-disclosure could cause deaths), document what steps you have taken. If you believe that your employer commits a crime, leave ASAP if your customer base permits.
3) You suspect that something is wrong but you don't know the exact legal situation. Well, after all you are a technician. You are not supposed to analyse contracts. If you create an Excel worksheet which helps the secretary to bypass the company-wide billing system and she uses it deliberately to "tune" some financial values without documenting what she is doing, I think you should not bother with that. Don't think too much about it.
You are misinformed. They are no longer the consultants you say "nee"; they are now the consultants who say "eki eki eki ftang whoborble"
Is there heaven? Is there Hell? Is that a Tuna Melt I smell?-Primus