
How To Manage a Security Breach?

Salvance writes, "A friend of mine has recently been stressed over a security breach at the company he consults for. The company maintains dozens of Windows 98 desktops to support legacy software that cannot be easily replaced. Due to the inherent lack of security in Win98, a worm was able to infiltrate almost every computer and send gigabytes of data (possibly including sensitive company data) to a 'redirector' in Eastern Europe. My friend was working on other security projects at this company and stumbled across this massive hole. He quickly convinced company executives to remove Internet access from all Win98 machines, purchase better firewalls, and implement other data protection strategies. However, the sticking point was client notification. Due to the nature of the legacy systems, there was no way to know what data was transferred. For this reason the company wanted to play it safe and disclose nothing. Of course, my friend is all for disclosure and preventing harmful use of the potentially leaked data. My friend doesn't know what to do, so I'd like to know what others here think."

10 of 183 comments

  1. Easy by MyLongNickName · · Score: 2, Insightful

    Get the resume ready. If I were a client of a company that had such shitty protection of my data, I'd find another company ASAP. I expect that said person would do much better finding another place to work.

    --
    See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
    1. Re:Easy by MyLongNickName · · Score: 4, Insightful

      Just noticed that he "consults" for the company, not works for it. This being the case, he has absolutely no say in the decision. The only thing I can say: cover your ass. Get everything in writing. If you have a verbal conversation, follow it up with an e-mail. Remember... shit flows downhill. They WILL try to find a way to shift the blame. Make sure you do not become the scapegoat.

      --
      See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
  2. Document, document, document by greenmars · · Score: 3, Insightful

    Offsite, you need to have a spreadsheet or other document. Put in the date and write down everything that happened to the best of your knowledge.

    If something is not documented, it didn't happen.

    Then, do what the client wants you to. Include the client's wishes in your documentation.

  3. Interesting. by BVis · · Score: 2, Insightful

    So the company knows that there WAS a breach, and potentially sensitive data may have been leaked. The company probably doesn't have a technical obligation to disclose anything, since they don't know for sure that information that requires (or should require) disclosure (like customers' billing data, social security information, credit card info etc) was compromised.

    That being said, the right thing to do is to be forthcoming and disclose the nature of the breach, emphasizing that no specific information about what was leaked is available.

    Of course, this being a corporate setting, if they can get away without telling anyone, they will. Especially if it's publicly held; while the stockholders might wish to know that there was a problem, they may also be upset that a disclosure was made that was not absolutely required, as that will negatively affect their stock value.

    --
    Never underestimate the power of stupid people in large groups.
  4. No Brainer by ReidMaynard · · Score: 4, Insightful

    Since he consults, he does not set policy. He informed management (best keep a record(s) of that), it's their call.

    --
    www.globaltics.net

    Political discussion for a new world

    1. Re:No Brainer by jimicus · · Score: 2, Insightful

      And if he develops a reputation for publicising such breaches rather than "working to fix them" (ie. cover up), that too will dictate how his consulting business will grow.

  5. First - CYA by hrieke · · Score: 3, Insightful

    Cover Your Ass.

    Document everything. If there were conversations and meetings, send out a follow-up email with the notes of what was talked about. Keep copies of everything, make backups and place them in a bank.

    The second part comes if the company is publicly traded or not. If so, and these Windows 98 machines hold trade secrets or the accounts logged in had access to trade secrets stored elsewhere on the network, then the company is in some deep doo-doo; otherwise tell him to buck up and carry on.

  6. You've already informed the client by mccalli · · Score: 3, Insightful

    As a consultant, your client is the company itself and not that company's customers. You've informed the company, now document it to make sure that's known. Ensure the right bit of the company is informed (ie. compliance, not just your local boss), document and you're done.

    Now, if the real question was "should I inform the company's customers because I think this is very important to them?", well you're on an entirely different path and ultimately only you can decide that. Without knowing the details of what might have been disclosed, no-one here can even give you an informed opinion let alone a set of instructions. But as far as what you must do is concerned, then see paragraph one.

    Cheers,
    Ian

  7. It's not your company by yebb · · Score: 2, Insightful

    As a consultant, it's not your place to dictate how another company defines its business strategy.

    You've said your bit to promote disclosure (I assume), make sure that there is a paper trail detailing that, then let them run their business how they see fit. Possibly into the ground.

    If you're a third party contractor, and you start letting loose about your clients, that's not a good way to give yourself credibility. Remember that the management team for this company has likely spoken to their lawyers, possibly other security experts. There is the remote possibility that they know what they are doing.

  8. OR HERE'S A BETTER IDEA by mrsbrisby · · Score: 2, Insightful

    ....

    don't ask on slashdot?

    Seriously.

    If your "friend" thinks he needs legal advice, he should ask a lawyer.

    If your "friend" is asking for technical advice, while dosbox and wine are _great_ ways to impose greater restrictions on legacy software, if your "friend" is asking for technical advice by acting like he's looking for legal advice, then your "friend" is an asshat.