Slashdot Mirror


How To Manage a Security Breach?

Salvance writes, "A friend of mine has recently been stressed over a security breach at the company he consults for. The company maintains dozens of Windows 98 desktops to support legacy software that cannot be easily replaced. Due to the inherent lack of security in Win98, a worm was able to infiltrate almost every computer and send gigabytes of data (possibly including sensitive company data) to a 'redirector' in Eastern Europe. My friend was working on other security projects at this company and stumbled across this massive hole. He quickly convinced company executives to remove Internet access from all Win98 machines, purchase better firewalls, and implement other data protection strategies. However, the sticking point was client notification. Due to the nature of the legacy systems, there was no way to know what data was transferred. For this reason the company wanted to play it safe and disclose nothing. Of course, my friend is all for disclosure and preventing harmful use of the potentially leaked data. My friend doesn't know what to do, so I'd like to know what others here think."

17 of 183 comments

  1. Easy by MyLongNickName · · Score: 2, Insightful

    Get the resume ready. If I were a client of a company that had such shitty protection of my data, I'd find another company ASAP. I expect that said person would do much better finding another place to work.

    --
    See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
    1. Re:Easy by MyLongNickName · · Score: 4, Insightful

      Just noticed that he "consults" for the company, not works for it. This being the case, he has absolutely no say in the decision. The only thing I can say: cover your ass. Get everything in writing. If you have a verbal conversation, follow it up with an e-mail. Remember... shit flows downhill. They WILL try to find a way to shift the blame. Make sure you do not become the scapegoat.

      --
      See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
    2. Re:Easy by diersing · · Score: 2, Informative

      You are correct. Disclosure is a legal/business decision. If the company is public (or has customers in certain states), their hands are tied and they must comply and disclose, either to the customer directly or via the mass media. If it's a private company with no customers in areas where protective legislation dictates disclosure, then it is a discretionary decision.

  2. Document, document, document by greenmars · · Score: 3, Insightful

    Offsite, you need to have a spreadsheet or other document. Put in the date and write down everything that happened to the best of your knowledge.

    If something is not documented, it didn't happen.

    Then, do what the client wants you to. Include the client's wishes in your documentation.

  3. Interesting. by BVis · · Score: 2, Insightful

    So the company knows that there WAS a breach, and potentially sensitive data may have been leaked. The company probably doesn't have a technical obligation to disclose anything, since they don't know for sure that information that requires (or should require) disclosure (like customers' billing data, social security information, credit card info etc) was compromised.

    That being said, the right thing to do is to be forthcoming and disclose the nature of the breach, emphasizing that no specific information about what was leaked is available.

    Of course, this being a corporate setting, if they can get away without telling anyone, they will. Especially if it's publicly held; while the stockholders might wish to know that there was a problem, they may also be upset that a disclosure was made that was not absolutely required, as that will negatively affect their stock value.

    --
    Never underestimate the power of stupid people in large groups.
  4. No Brainer by ReidMaynard · · Score: 4, Insightful

    Since he consults, he does not set policy. He informed management (best keep a record(s) of that), it's their call.

    --
    -- www.globaltics.net

    Political discussion for a new world

    1. Re:No Brainer by jimicus · · Score: 2, Insightful

      And if he develops a reputation for publicising such breaches rather than "working to fix them" (ie. cover up), that too will dictate how his consulting business will grow.

    2. Re:No Brainer by drolli · · Score: 2, Funny

      Full Ack. If you work for somebody and you are paid for that there are three possibilities:

      1) Everything is ok and you know that everything is ok

      2) Something is wrong and you know that it is wrong (wrong in the sense of being illegal). Estimate (maybe with the help of a lawyer) whether you commit a crime by supporting your employer's position. Luckily I live in a country (Germany) which learned some lessons from history, so that normally you do not have the duty to bring the case to court. Since you normally only have contracts with your employer, inform him and leave it to him to inform his partners or customers. If what you are doing cannot be seen as "fraud" (e.g. buying stock options for a company of which you know that their whole documentation was disclosed by their concurrence), it should be ok. My advice is: if not telling is not outright criminal (e.g. if a non-disclosure could cause deaths), document what steps you have taken. If you believe that your employer is committing a crime, leave ASAP if your customer base permits.

      3) You suspect that something is wrong but you don't know the exact legal situation. Well, after all you are a technician. You are not supposed to analyse contracts. If you create an Excel worksheet which helps the secretary to bypass the company-wide billing system and she uses it deliberately to "tune" some financial values without documenting what she is doing, I think you should not bother with that. Don't think too much about it.

  5. First - CYA by hrieke · · Score: 3, Insightful

    Cover Your Ass.

    Document everything. If there were conversations and meetings, send out a follow-up email with the notes of what was talked about. Keep copies of everything, make backups and place them in a bank.

    The second part depends on whether the company is publicly traded or not. If so, and these Windows 98 machines hold trade secrets or the accounts logged in had access to trade secrets stored elsewhere on the network, then the company is in some deep doo-doo; otherwise tell him to buck up and carry on.

    --
    III.IIVIVIXIIVIVIIIVVIIIIXVIIIXIIIIIIIIVIIIIVVIIIV IIVIIIIIIVIII...
  6. You've already informed the client by mccalli · · Score: 3, Insightful

    As a consultant, your client is the company itself and not that company's customers. You've informed the company, now document it to make sure that's known. Ensure the right bit of the company is informed (ie. compliance, not just your local boss), document and you're done.

    Now, if the real question was "should I inform the company's customers because I think this is very important to them?", well you're on an entirely different path and ultimately only you can decide that. Without knowing the details of what might have been disclosed, no-one here can even give you an informed opinion let alone a set of instructions. But as far as what you must do is concerned, then see paragraph one.

    Cheers,
    Ian

  7. It's not your company by yebb · · Score: 2, Insightful

    As a consultant, it's not your place to dictate how another company defines its business strategy.

    You've said your bit to promote disclosure (I assume), make sure that there is a paper trail detailing that, then let them run their business how they see fit. Possibly into the ground.

    If you're a third party contractor and you start letting loose about your clients, that's not a good way to give yourself credibility. Remember that the management team for this company has likely spoken to their lawyers, possibly other security experts. There is the remote possibility that they know what they are doing.

  8. The question isn't being asked by wirefarm · · Score: 2, Informative

    Why are these machines connected to the Internet?

    If they are insecure, sandbox them or cut them off completely.

    If they need some kind of network access, use a whole shitload of proxies and firewalls and a carefully-monitored snort install and babysit the hell out of it until they can be secured.

    No, forget that. Get them off the net completely.

    --
    -- My Weblog.
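The "carefully-monitored" part of the advice above is where most shops fall down: the firewall is bought, but nobody looks at what the legacy segment is actually sending out. The following is an added example, not part of wirefarm's comment or the original thread. It assumes the Win98 hosts sit in a dedicated subnet (10.10.98.0/24 is an assumed value), that the perimeter device exports flows as simple "timestamp src dst dport bytes" text records (a constructed format; adapt the parser to whatever your firewall or NetFlow collector emits), and that the only legitimate destinations for that segment are RFC 1918 addresses. It sums outbound bytes per (legacy host, external destination) pair, flags pairs over a size threshold, the pattern the story describes (gigabytes to one "redirector"), and emits the iptables rules that would have denied that traffic in the first place. The sample flow lines are constructed, not real data.

```python
"""Egress review for an isolated legacy segment (added example, not from the thread).

Assumptions (not from the original page): the Win98 hosts live in 10.10.98.0/24,
flows arrive as "ts src dst dport bytes" text, and only private ranges are
permitted destinations for that segment.
"""
import ipaddress
from collections import defaultdict

LEGACY_NET = ipaddress.ip_network("10.10.98.0/24")        # assumed legacy segment
ALLOWED_NETS = [ipaddress.ip_network(n) for n in          # assumed permitted destinations
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BYTE_THRESHOLD = 50 * 1024 * 1024   # 50 MiB per (src, dst) pair; tune to the site

# Constructed sample flow records (not real traffic). Two legacy hosts push
# hundreds of MiB to one external host; one sends a small amount; one record
# is malformed; one source is outside the legacy segment.
SAMPLE_FLOWS = """\
2007-03-01T09:00:01 10.10.98.12 10.0.5.20 445 18231
2007-03-01T09:00:07 10.10.98.12 203.0.113.77 8080 734003200
2007-03-01T09:01:13 10.10.98.40 203.0.113.77 8080 612368384
2007-03-01T09:02:30 10.10.98.41 10.0.5.20 445 90211
2007-03-01T09:03:02 10.10.98.41 198.51.100.9 80 4096
2007-03-01T09:04:11 10.0.5.20 203.0.113.77 443 5120
bad line that should be skipped
"""


def parse_flow(line):
    """Return (src, dst, dport, nbytes) for one record, or None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return (ipaddress.ip_address(parts[1]), ipaddress.ip_address(parts[2]),
                int(parts[3]), int(parts[4]))
    except ValueError:
        return None


def is_allowed(dst):
    """True if dst falls inside one of the permitted destination networks."""
    return any(dst in net for net in ALLOWED_NETS)


def summarize_egress(text):
    """Sum bytes per (legacy src, non-allowlisted dst); skip other sources
    and permitted destinations. Keys are address strings for easy reporting."""
    totals = defaultdict(int)
    for line in text.splitlines():
        rec = parse_flow(line)
        if rec is None:
            continue                      # malformed record: skip, don't crash the review
        src, dst, _dport, nbytes = rec
        if src not in LEGACY_NET or is_allowed(dst):
            continue
        totals[(str(src), str(dst))] += nbytes
    return dict(totals)


def flag_exfiltration(text, threshold=BYTE_THRESHOLD):
    """Return [(src, dst, total_bytes)] for pairs at or over threshold, largest first."""
    hits = [(s, d, b) for (s, d), b in summarize_egress(text).items() if b >= threshold]
    return sorted(hits, key=lambda h: h[2], reverse=True)


def egress_rules(flagged):
    """iptables FORWARD rules (assumed Linux firewall in front of the segment):
    explicit drops for the flagged pairs, accepts for the permitted networks,
    and a default deny for everything else leaving the legacy subnet."""
    rules = [f"iptables -A FORWARD -s {s} -d {d} -j DROP" for s, d, _ in flagged]
    rules += [f"iptables -A FORWARD -s {LEGACY_NET} -d {net} -j ACCEPT" for net in ALLOWED_NETS]
    rules.append(f"iptables -A FORWARD -s {LEGACY_NET} -j DROP")
    return rules


if __name__ == "__main__":
    flagged = flag_exfiltration(SAMPLE_FLOWS)
    for src, dst, total in flagged:
        print(f"{src} -> {dst}: {total / 2**20:.1f} MiB outbound")
    print("\n".join(egress_rules(flagged)))
```

Run it periodically against the exported flow log; on the constructed sample it reports 10.10.98.12 and 10.10.98.40 each sending several hundred MiB to 203.0.113.77 while ignoring the small transfer from 10.10.98.41. The default-deny rule at the end is the real fix: once the legacy segment can only reach the internal hosts it needs, the detection becomes a check that the rule is still in place rather than a hunt for the next redirector.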
  9. Too late to be an "unidentified source" by Harmonious+Botch · · Score: 3, Interesting

    Your 'friend' has already screwed up. ( sorry to put it that baldly, but he has ) He was hired to deal with security issues, not legal ones. He never should have discussed client notification with them. When he starts expressing opinions about that, he is way outside of what he contracted to do. He may not have recognized this breach of manners, but, I assure you, they have.

    Now, if he - or anybody else - leaks this, management will assume that it was him.

  10. I have a tip for your friend.... by Lumpy · · Score: 2, Interesting

    #1 - Run the hell away. If the client is not interested in doing what he suggests, then he is wasting time. Those 98 machines should have been on a secure private network with no internet access for years now. If the company refused to do that, he should have said, "Then you will have no security; your data can and will be stolen eventually. Are you ok with that?" If they say yes, have them sign off on a hold-harmless waiver. Always end that statement with that question. It delivers ownership of the problem to the exec and allows you to CYA.

    When the security breach happened like this, you can then say, "Executive XYZ said he was ok with that; see, here is his sign-off acknowledging that fact."

    Secondly, Win98 apps can be run in a virtual system that would have allowed him to have some security. Why did he not do this? Was the client a cheapskate who refused to pay for anything? If so, then once again it's a run-away situation.

    This could have been avoided. It would not have been cheap, but it could have been avoided. IT consultants need to have the balls to tell a customer "NO! You have to do it this way," because they are paying you to be the expert. If they do not listen to you, suggest they hire the "Geek Squad" from Best Buy, if all they are looking for is IT people who will do what they are told.

    Can you tell I am fed up with incompetent clients that say they want security but refuse to pay for it?

    --
    Do not look at laser with remaining good eye.
  11. Re:or if they still have the Win98 licenses by simm1701 · · Score: 2, Interesting

    One of the available options you can configure is the VMware ethernet bridge. This bit of code was donated by the NSA (make of that what you will). IIRC the NSA were using VMware to run Windows as a client OS with Linux as the host OS for security reasons (the VMware network bridge itself being considered quite secure).

    --
    $_="Slashdotter";$syn="OTT";s;..;;;sub _{print shift||$_};s!ash!Perl !;s=$syn=ack=i;tr+LLEd+BLAH+;_"Just Another ";_
  12. Re:BWAHAHAA by fohat · · Score: 3, Funny

    You are misinformed. They are no longer the consultants you say "nee"; they are now the consultants who say "eki eki eki ftang whoborble"

    --
    Is there heaven? Is there Hell? Is that a Tuna Melt I smell?-Primus
  13. OR HERE'S A BETTER IDEA by mrsbrisby · · Score: 2, Insightful

    ....

    don't ask on slashdot?

    Seriously.

    If your "friend" thinks he needs legal advice, he should ask a lawyer.

    If your "friend" is asking for technical advice, well, DOSBox and Wine are _great_ ways to impose greater restrictions on legacy software. If your "friend" is asking for technical advice by acting like he's looking for legal advice, then your "friend" is an asshat.