Slashdot Mirror

← Back to Stories (view on slashdot.org)

What to Do When Your Security is Breached

Posted by ScuttleMonkey on from the set-fire-to-the-servers-and-run dept.

ancientribe writes "When you've got a full-blown security breach on your hands, what do you do? If you've been smart, you'll already have a computer security incident response team — and a plan — in place. But many companies are too resource-strapped to have a full-blown, fully-tested incident response strategy. DarkReading has some tips on what to do — and what not to do."

2 of 177 comments (clear)

  1. Re:The problem is by cptgrudge · · Score: 5, Interesting

    I suppose that most Microsoft shops wouldn't even know if they were breached, because most breaches don't actually desctroy data, they just steal it.

    It's so much worse than that.

    Back in my younger days at a summer tech job for a US school district, I found that an NT4 SQL server had been compromised a group of people. They were based out of France, I think, from what I could tell from the IP addresses, and had actually set themselves up quite nicely, with organized file structure and their own IRC and FTP server running on it. They were using it as a repository to store files and a few French movies. After I told the sysadmin in place at the time about it, I was stunned when he said, "Well, are they hurting anything?"

    After some persuasion on my part, he rebuilt the server. Three times. After it kept getting hacked by the same people.

    --
    Qualitas edurus commercium, nullus penitus net rimor, nullus deus beneficium
  2. story by 18769 · · Score: 5, Interesting
    I'm just a grad student, and one day, I installed something (I think it might've been an nfs server) without firewalling it (I did some sort of thing which had the deamon reject connections from outside my subnet). I was hacked. Funny thing is, they went straight from my machine to my roommate's, an old 486 which was also a webserver. From my roommate's machine, the hacker served a rootkit (cleverly named "..." in the root html directory).

    Enter the FBI, who showed up in my roomate's lab asking about his computer (amoung other things). Picture yourself a grad student answering his lab door to find men in suits (an uncommon experience) who say they're part of the FBI (also uncommon), and mean it (still less common). After some questions, it was hesitantly established that my roomate was not the hacker serving root kits from his home computer.

    From there, the FBI (with our permission) bugged our appartment. They put a "tap" in our appartment, which consistend of a special switch and a *very* loud windows machine that sat on our internet connection listening for hacker activity. The installation of the tap involved 7 FBI agents, none of which new nearly as much as my roomate about networking (that the broadcast ping couldn't get through their special switch with the word "tap" on it was a real mystery). Neadless to say, I didn't fool around with bittorrent or the like durring that time.

    After a month or two, they caught the hacker (who was sweedish, apparently), and eventaully prosecuted him successfully.

    Point is: sometimes it is useful to not reinstall immediately when hacked -- it can result in a good story :)