What to Do When Your Security is Breached
ancientribe writes "When you've got a full-blown security breach on your hands, what do you do? If you've been smart, you'll already have a computer security incident response team — and a plan — in place. But many companies are too resource-strapped to have a full-blown, fully-tested incident response strategy. DarkReading has some tips on what to do — and what not to do."
When your security is breached by a handful of thugs you must immediately run out and attack a random neighbor's house.
Complain! Call the help desk!
But since ours is a relatively small company, we went with the open-source Thai fighters.
Innovation makes enemies of all those who prospered under the old regime... -- Machiavelli
Run from side to side?
Kent Brockman: So, professor, would you say it's time for everyone to panic?
Professor: Yes I would, Kent.
I came to the datacenter drunk with a fake ID, don't you want to be just like me?
what to do if you burn your hand:
1. first, remove your hand from the burning stove.
2. use ice to cool your hand
3. seek medical attention.
wow. Thanks. I never would have figured any of that out on my own.
All businesses should have contingency plans for all disasters.
For most disasters, whether it's an IT disaster, a natural disaster, a non-natural physical disaster like a fire, a real or frivolous patent lawsuit, employee or company malfeasance, or what not, you need a plan.
For "terminal" disasters, like a nuclear blast that kills all employees and destroys all company assets, folding up shop may be the right business plan. For small businesses, extreme disasters like a car wreck that kills all the employees might also be terminal in a slightly less catastrophic way. In these cases, at least you can plan to sell your business or its assets to another entity, so your customers have continuity.
Basically, divide your disasters into categories, and plan and insure accordingly:
0) end of the world, big asteroid or global thermonuclear war
1) major catastrophe, we are dead, forget about the customer, nuclear detonation event
2) end of the company, save the customer, Enron
3) end of the management team, save the company, MCI
4) we can recover from this but it's gonna hurt a lot, Vonage(?)
5) it's a flesh wound, CEO dies of heart attack
6) mosquito bite, SCO sues IBM
7) what? something happened? I didn't even notice, {if I had an example it would be #6}
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
The appropriate response is to shoot the lieutenant responsible for security. Then promote another ambitious, yet expendable underling to his/her place. Come on - this is Evil Overlord 101-level stuff.
'Loose' is when your pants are three sizes too big. 'Lose' is when you misuse 'loose'.
Windows XP: What's security?
Windows Vista: This wouldn't happen to me anyway, I'm the Most Secure OS (tm)!
Mac OS X: I never get any viruses!
GNU/Linux: Me neither!
Windows Vista User Access Control: You are entering a conversation with flaming probability 89%. Cancel or Allow?
Windows Vista: [to Vista UAC] Allow. [to the others] That's because nobody uses you!
GNU/Linux: Oh yeah...
Mac OS X: That's because only elite people use Mac OS X. Because you're not worth them.
GNU/Linux: Wait! Windows Vista, you lie! Lots of people from all around the world use me! In fact, they even improve me! That's because we believe that...
Mac OS X and Windows Vista: [at the same time] Shut up Linux.
Windows Vista: [to Mac OS X] But anyway, even if there were a "Security Breach", it's not like they'd be able to mess anything up!
Mac OS X: That's because it's impossible to do anything in Vista.
Windows Vista User Access Control: [to Vista] You are coming to a sad realization... Cancel or Allow?
NB: the views or opinions expressed by any of the characters do not necessarily resemble the views or opinions of the author.
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C1 bottles of beer on the wall. Take one down, pass it round... Oh, umm...
OpenBSD: [walks into room, looks around, walks out, shaking his head not understanding why everyone can't be as secure as he is]
I call Microsoft support.
5-6 page ones suck, so we try to fix things without telling the PHB, who will just make lockdown things that will get in the way of people doing their jobs.
Just patch a socket. Problem solved. I learned that watching 24.
It was an open FTP server. Some kind soul put about 14 GB of movies on one of our servers, then we noticed the hole (mainly because of the space) and shut down access to that server.
So in our case the response was:
1. Stop access.
2. Buy beer and popcorn
3. Watch movies.
Once I was a four stone apology. Now I am two separate gorillas.
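The open-FTP story above (an anonymous-writable server that was only noticed when the disk filled up) is exactly the kind of thing the server's own transfer log would have shown hours earlier. The following is an added example, not code from the thread or from any poster: it parses lines in the standard xferlog format (the wu-ftpd/proftpd layout, which vsftpd also writes with xferlog_std_format=YES) and flags remote hosts whose completed anonymous uploads exceed a byte threshold. The sample log lines are constructed, and the function names and the 1 GiB default threshold are my choices.

```python
"""Flag an anonymous-FTP drop site from a standard xferlog.

Added example, not from the original thread. Assumes the wu-ftpd/proftpd
xferlog layout: 5 timestamp tokens, transfer-time, remote-host, file-size,
file-name, then 9 fixed fields (transfer-type, special-action, direction,
access-mode, username, service, auth-method, auth-user-id, completion).
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample lines (not real traffic): one anonymous download, two
# large completed anonymous uploads plus one incomplete upload from the same
# host, and one upload by a real (non-anonymous) user.
SAMPLE_XFERLOG = """\
Mon Mar 12 01:02:03 2007 5 192.0.2.10 2048 /pub/README b _ o a ftp@example.org ftp 0 * c
Mon Mar 12 01:10:00 2007 600 198.51.100.7 734003200 /pub/incoming/movie1.avi b _ i a ftp@x ftp 0 * c
Mon Mar 12 01:25:00 2007 640 198.51.100.7 734003200 /pub/incoming/movie2.avi b _ i a ftp@x ftp 0 * c
Mon Mar 12 02:00:00 2007 12 10.0.0.5 4096 /home/alice/notes.txt a _ i r alice ftp 1 alice c
Mon Mar 12 02:30:00 2007 30 198.51.100.7 1000000 /pub/incoming/partial.bin b _ i a ftp@x ftp 0 * i
"""


@dataclass
class Transfer:
    when: str
    host: str
    size: int
    path: str
    direction: str    # 'i' = upload to server, 'o' = download, 'd' = delete
    access_mode: str  # 'a' = anonymous, 'g' = guest, 'r' = real user
    user: str
    completed: bool   # completion-status 'c'; 'i' means interrupted


def parse_xferlog(text):
    """Parse xferlog lines. The file name is not quoted in this format, so
    the 9 fixed trailing fields are taken from the right and whatever sits
    between the size and those fields is the path."""
    transfers = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 18:  # 5 time + 3 + at least 1 path token + 9 trailing
            continue
        (_ttype, _special, direction, mode, user,
         _service, _auth, _auth_uid, status) = tok[-9:]
        transfers.append(Transfer(
            when=" ".join(tok[:5]), host=tok[6], size=int(tok[7]),
            path=" ".join(tok[8:-9]), direction=direction,
            access_mode=mode, user=user, completed=(status == "c")))
    return transfers


def anonymous_uploads(transfers):
    """Uploads performed over an anonymous login."""
    return [t for t in transfers if t.direction == "i" and t.access_mode == "a"]


def bytes_per_host(transfers):
    """Completed bytes per remote host (interrupted transfers are skipped)."""
    totals = defaultdict(int)
    for t in transfers:
        if t.completed:
            totals[t.host] += t.size
    return dict(totals)


def drop_site_alerts(text, threshold_bytes=1 << 30):
    """(host, bytes) pairs for hosts that anonymously uploaded more than
    threshold_bytes, sorted by host. Threshold is an assumed default."""
    uploads = anonymous_uploads(parse_xferlog(text))
    return sorted((h, n) for h, n in bytes_per_host(uploads).items()
                  if n > threshold_bytes)


if __name__ == "__main__":
    for host, total in drop_site_alerts(SAMPLE_XFERLOG):
        print(f"anonymous drop site suspected: {host} uploaded {total} bytes")
```

Run it against the real xferlog from cron and you get the alert while the uploads are still in progress, rather than when df(1) starts complaining. Better still, the same parse tells you whether anonymous uploads should be possible at all: if `anonymous_uploads()` ever returns anything on a server that is only meant to serve downloads, the write permission on the incoming directory is the finding, whatever the byte count.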
Just post your IP addresses and remote access logons and I'll be glad to help with your break-in! I promise I'll take the data and put it somewhere safe (and offshore). No payment up front, but trust me, I will be getting back to you. I'm just sayin'.
When in confusion
or in doubt
Run in circles
scream and shout.
And yeah, pull the ethernet cables out.
Don't you know it is now both immoral and criminal to think beyond the next quarterly report?
Let's assess your response step by step.
1. Assemble an incident response team.
Gather the buddies round the terminal, see what we got here.
2. Assess the initial damage and the risk for more.
You measured the damage, all 14 GB of it. In assessing the risk for more of this damage, you noted that no ftp write access had been tried in a while, concluding that the risk was relatively low.
3. Develop a notification plan.
You sent an email-to-all that there's going to be a movie night, cancel your dates, postpone dinner, it's going to be a long one!
4. Begin remediating the problem.
You closed off ftp access.
5. Document everything.
I guess watching the movies, I mean damage, would fall under the documentation stage.
6. Develop a strategy for stopping the next attack.
Contemplate re-opening the ftp server to encourage more damage.