How To Manage a Security Breach?
Salvance writes, "A friend of mine has recently been stressed over a security breach at the company he consults for. The company maintains dozens of Windows 98 desktops to support legacy software that cannot be easily replaced. Due to the inherent lack of security in Win98, a worm was able to infiltrate almost every computer and send gigabytes of data (possibly including sensitive company data) to a 'redirector' in Eastern Europe. My friend was working on other security projects at this company and stumbled across this massive hole. He quickly convinced company executives to remove Internet access from all Win98 machines, purchase better firewalls, and implement other data protection strategies. However, the sticking point was client notification. Due to the nature of the legacy systems, there was no way to know what data was transferred. For this reason the company wanted to play it safe and disclose nothing. Of course, my friend is all for disclosure and preventing harmful use of the potentially leaked data. My friend doesn't know what to do, so I'd like to know what others here think."
Offsite, you need to have a spreadsheet or other document. Put in the date and write down everything that happened to the best of your knowledge.
If something is not documented, it didn't happen.
Then, do what the client wants you to. Include the client's wishes in your documentation.
Since he consults, he does not set policy. He informed management (best keep a record of that); it's their call.
-- www.globaltics.net
Political discussion for a new world
Just noticed that he "consults" for the company, not works for it. This being the case, he has absolutely no say in the decision. The only thing I can say: cover your ass. Get everything in writing. If you have a verbal conversation, follow it up with an e-mail. Remember... shit flows downhill. They WILL try to find a way to shift the blame. Make sure you do not become the scapegoat.
See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
Cover Your Ass.
Document everything. If there were conversations and meetings, send out a follow-up email with the notes of what was talked about. Keep copies of everything, make backups and place them in a bank.
The second part depends on whether the company is publicly traded or not. If so, and these Windows 98 machines hold trade secrets or the accounts logged in had access to trade secrets stored elsewhere on the network, then the company is in some deep doo-doo; otherwise tell him to buck up and carry on.
As a consultant, your client is the company itself and not that company's customers. You've informed the company; now document it to make sure that's known. Ensure the right bit of the company is informed (i.e. compliance, not just your local boss), document, and you're done.
Now, if the real question was "should I inform the company's customers because I think this is very important to them?", well you're on an entirely different path and ultimately only you can decide that. Without knowing the details of what might have been disclosed, no-one here can even give you an informed opinion let alone a set of instructions. But as far as what you must do is concerned, then see paragraph one.
Cheers,
Ian
Your 'friend' has already screwed up (sorry to put it that baldly, but he has). He was hired to deal with security issues, not legal ones. He never should have discussed client notification with them. When he starts expressing opinions about that, he is way outside of what he contracted to do. He may not have recognized this breach of manners, but, I assure you, they have.
Now, if he - or anybody else - leaks this, management will assume that it was him.
You are misinformed. They are no longer the consultants you say "nee"; they are now the consultants who say "eki eki eki ftang whoborble"
Is there heaven? Is there Hell? Is that a Tuna Melt I smell?-Primus