Slashdot Mirror


What to Do When Your Security is Breached

ancientribe writes "When you've got a full-blown security breach on your hands, what do you do? If you've been smart, you'll already have a computer security incident response team — and a plan — in place. But many companies are too resource-strapped to have a full-blown, fully-tested incident response strategy. DarkReading has some tips on what to do — and what not to do."

  1. Dispatch the Tie Fighters by klenwell · · Score: 5, Funny

    But since ours is a relatively small company, we went with the open-source Thai fighters.

    --
    Innovation makes enemies of all those who prospered under the old regime... -- Machiavelli
  2. my plan by trybywrench · · Score: 5, Funny

    Kent Brockman: So, professor, would you say it's time for everyone to panic?
    Professor: Yes I would, Kent.

    --
    I came to the datacenter drunk with a fake ID, don't you want to be just like me?
  3. I love these content-free articles by Anonymous Coward · · Score: 5, Funny

    what to do if you burn your hand:

    1. first, remove your hand from the burning stove.
    2. use ice to cool your hand
    3. seek medical attention.

    wow. Thanks. I never would have figured any of that out on my own.

    1. Re:I love these content-free articles by Kandenshi · · Score: 5, Funny

      eh? Your steps are a bit off :P Don't use ice to cool a burn, you're likely to cause further damage. Just use running cold water to cool things down. I'd also suggest tossing a bit of sterile gauze over it too, if things are more than mildly bad.

      "To treat a minor burn, run cool water over the area of the burn or soak it in a cool water bath (not ice water). Keep the area submerged for at least 5 minutes."
      http://www.nlm.nih.gov/medlineplus/ency/presentations/100213_1.htm

      "Flush the burn with cool running water or apply cold- water compresses (a wet towel or handkerchief) until the pain lessens. Do not use ice or ice water, which can cause more damage to the tissues."
      http://www.personalmd.com/healthtopics/crs/burn1.htm

      *emphasis mine*

  4. part of a larger contingency plan by davidwr · · Score: 5, Funny

    All businesses should have contingency plans for all disasters.

    For most disasters, whether it's an IT disaster, a natural disaster, a non-natural physical disaster like a fire, a real or frivolous patent lawsuit, employee or company malfeasance, or what not, you need a plan.

    For "terminal" disasters, like a nuclear blast that kills all employees and destroys all company assets, folding up shop may be the right business plan. For small businesses, extreme disasters like a car wreck that kills all the employees might also be terminal in a slightly less catastrophic way. In these cases, at least you can plan to sell your business or its assets to another entity, so your customers have continuity.

    Basically, divide your disasters into categories, and plan and insure accordingly:
    0) end of the world, big asteroid or global thermonuclear war
    1) major catastrophe, we are dead, forget about the customer, nuclear detonation event
    2) end of the company, save the customer, Enron
    3) end of the management team, save the company, MCI
    4) we can recover from this but it's gonna hurt a lot, Vonage(?)
    5) it's a flesh wound, CEO dies of heart attack
    6) mosquito bite, SCO sues IBM
    7) what? something happened? I didn't even notice, {if I had an example it would be #6}

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  5. Clearly by eviloverlordx · · Score: 5, Funny

    The appropriate response is to shoot the lieutenant responsible for security. Then promote another ambitious, yet expendable underling to his/her place. Come on - this is Evil Overlord 101-level stuff.

    --
    'Loose' is when your pants are three sizes too big. 'Lose' is when you misuse 'loose'.
  6. Script of comments to come... by FMota91 · · Score: 5, Funny

    Windows XP: What's security?
    Windows Vista: This wouldn't happen to me anyway, I'm the Most Secure OS (tm)!
    Mac OS X: I never get any viruses!
    GNU/Linux: Me neither!
    Windows Vista User Access Control: You are entering a conversation with flaming probability 89%. Cancel or Allow?
    Windows Vista: [to Vista UAC] Allow. [to the others] That's because nobody uses you!
    GNU/Linux: Oh yeah...
    Mac OS X: That's because only elite people use Mac OS X. Because you're not worth them.
    GNU/Linux: Wait! Windows Vista, you lie! Lots of people from all around the world use me! In fact, they even improve me! That's because we believe that...
    Mac OS X and Windows Vista: [at the same time] Shut up Linux.
    Windows Vista: [to Mac OS X] But anyway, even if there were a "Security Breach", it's not like they'd be able to mess anything up!
    Mac OS X: That's because it's impossible to do anything in Vista.
    Windows Vista User Access Control: [to Vista] You are coming to a sad realization... Cancel or Allow?

    NB: the views or opinions expressed by any of the characters do not necessarily resemble the views or opinions of the author.

    --
    09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C1 bottles of beer on the wall. Take one down, pass it round... Oh, umm...
  7. We had a security breach once by thewils · · Score: 5, Funny

    It was an open FTP server. Some kind soul put about 14Gb of movies on one of our servers, then we noticed the hole (mainly because of the space) and shut down access to that server.

    So in our case the response was:

    1. Stop access.
    2. Buy beer and popcorn
    3. Watch movies.

    --
    Once I was a four stone apology. Now I am two separate gorillas.
  8. Re:The problem is by cptgrudge · · Score: 5, Interesting

    I suppose that most Microsoft shops wouldn't even know if they were breached, because most breaches don't actually destroy data, they just steal it.

    It's so much worse than that.

    Back in my younger days at a summer tech job for a US school district, I found that an NT4 SQL server had been compromised by a group of people. They were based out of France, I think, from what I could tell from the IP addresses, and had actually set themselves up quite nicely, with an organized file structure and their own IRC and FTP server running on it. They were using it as a repository to store files and a few French movies. After I told the sysadmin in place at the time about it, I was stunned when he said, "Well, are they hurting anything?"

    After some persuasion on my part, he rebuilt the server. Three times. After it kept getting hacked by the same people.

    --
    Qualitas edurus commercium, nullus penitus net rimor, nullus deus beneficium
  9. Re:Anyone ever followup with law enforcement agenc by mandelbr0t · · Score: 5, Insightful

    I've considered it, but there are a lot of barriers. First, you need enough evidence for a subpoena. That means that the chain of custody has to be preserved, and the crime scene needs to be secured by the police. Usually that means giving the compromised machines, relevant logs from monitoring equipment, etc. over to Law Enforcement for an indeterminate amount of time. I know I can't live without my servers for that long.

    You need to get the subpoena to identify the person behind the attack. That assumes that your evidence actually points to a specific suspect. Unless your attacker was a complete moron, or your network logs are incredibly voluminous, that's not very likely. Once the subpoena is served and you've got your suspect and laid charges, you need to present evidence. That requires an expert witness. If you're lucky, YOU are the expert witness, but there's training and certification involved in that process. Otherwise, you get to hire an expert witness, and that won't be cheap. Your opponent will probably hire an opposing expert, just to confuse everybody.

    Overall, I'd say that chances of success are incredibly low. Legal fees will be very high, and you have to turn over a fair chunk of your network assets to Law Enforcement. Basically, if you aren't really, really sure that you've got your man, it's really not worth the time and effort to find out who it was. That effort is much better spent allowing you to sleep at night knowing that people aren't getting in, IMO.

    --
    "Please describe the scientific nature of the 'whammy'" - Agent Scully
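The chain-of-custody point in the comment above is the one part of the legal route that is cheap to get right on day one. The script below is an added example and not code from the thread or from DarkReading: it hashes every file in an evidence directory into a manifest that records who collected it and when, and re-checks the directory against that manifest later so that any "tidying" of the logs after collection is detectable. The evidence directory, the two log files, the case ID and the collector name are all constructed for the example.

```python
"""Added example (not from the Slashdot thread): preserve evidence integrity
with a hashed chain-of-custody manifest before anyone touches the files.
All paths, log lines, the case ID and collector name are constructed."""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Stream the file so a multi-gigabyte disk image hashes without
    being read into memory."""
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(evidence_dir, collector, case_id):
    """Record hash, size and mtime of every file under evidence_dir, plus
    who collected it and when (UTC). Sorted so two runs produce the same order."""
    evidence_dir = Path(evidence_dir)
    entries = []
    for p in sorted(evidence_dir.rglob("*")):
        if p.is_file():
            st = p.stat()
            entries.append({
                "path": p.relative_to(evidence_dir).as_posix(),
                "sha256": sha256_file(p),
                "size": st.st_size,
                "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            })
    return {
        "case_id": case_id,
        "collected_by": collector,
        "collected_at_utc": datetime.now(timezone.utc).isoformat(),
        "files": entries,
    }


def verify_manifest(evidence_dir, manifest):
    """Return the manifest paths whose current hash no longer matches, or
    that have gone missing. An empty list means the evidence is intact."""
    evidence_dir = Path(evidence_dir)
    bad = []
    for e in manifest["files"]:
        p = evidence_dir / e["path"]
        if not p.is_file() or sha256_file(p) != e["sha256"]:
            bad.append(e["path"])
    return bad


def demo():
    """Constructed scenario: collect two logs, write the manifest, then an
    admin 'cleans up' auth.log. Returns (result before, result after)."""
    with tempfile.TemporaryDirectory() as tmp:
        ev = Path(tmp) / "evidence"
        ev.mkdir()
        # Constructed sample log lines; not real hosts or addresses.
        (ev / "auth.log").write_text(
            "Mar  3 02:14:07 web1 sshd[4211]: Failed password for root from 10.9.8.7 port 51022 ssh2\n"
            "Mar  3 02:14:09 web1 sshd[4211]: Accepted password for root from 10.9.8.7 port 51022 ssh2\n")
        (ev / "ftp.log").write_text(
            "Mar  3 02:20:41 web1 ftpd[4388]: STOR incoming/movie01.avi\n")
        manifest = build_manifest(ev, collector="oncall-admin", case_id="IR-0001")
        # The manifest itself lives outside the evidence tree it describes.
        (Path(tmp) / "manifest.json").write_text(json.dumps(manifest, indent=2))
        before = verify_manifest(ev, manifest)
        # Someone removes the embarrassing failed-login line after collection.
        (ev / "auth.log").write_text(
            "Mar  3 02:14:09 web1 sshd[4211]: Accepted password for root from 10.9.8.7 port 51022 ssh2\n")
        after = verify_manifest(ev, manifest)
        return before, after


if __name__ == "__main__":
    print(demo())
```

The manifest is only as trustworthy as the copy you keep off the compromised host: write it to read-only media or a separate system, and have a second person sign the printed hashes, because the point is to show a court that nobody (including you) could have altered the files after collection.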
  10. Easy... by andreMA · · Score: 5, Funny

    When in confusion
    or in doubt
    Run in circles
    scream and shout.

    And yeah, pull the ethernet cables out.

  11. story by 18769 · · Score: 5, Interesting

    I'm just a grad student, and one day, I installed something (I think it might've been an nfs server) without firewalling it (I did some sort of thing which had the daemon reject connections from outside my subnet). I was hacked. Funny thing is, they went straight from my machine to my roommate's, an old 486 which was also a webserver. From my roommate's machine, the hacker served a rootkit (cleverly named "..." in the root html directory).

    Enter the FBI, who showed up in my roommate's lab asking about his computer (among other things). Picture yourself a grad student answering his lab door to find men in suits (an uncommon experience) who say they're part of the FBI (also uncommon), and mean it (still less common). After some questions, it was hesitantly established that my roommate was not the hacker serving root kits from his home computer.

    From there, the FBI (with our permission) bugged our apartment. They put a "tap" in our apartment, which consisted of a special switch and a *very* loud windows machine that sat on our internet connection listening for hacker activity. The installation of the tap involved 7 FBI agents, none of whom knew nearly as much as my roommate about networking (that the broadcast ping couldn't get through their special switch with the word "tap" on it was a real mystery). Needless to say, I didn't fool around with bittorrent or the like during that time.

    After a month or two, they caught the hacker (who was Swedish, apparently), and eventually prosecuted him successfully.

    Point is: sometimes it is useful to not reinstall immediately when hacked -- it can result in a good story :)
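Three of the anecdotes in this thread (the open FTP server that filled up with 14 GB of movies, the NT4 box running someone else's IRC and FTP servers, and the rootkit served from a directory named "..." in the web root) were noticed because something looked wrong on disk. The script below is an added example and not code from any of the posters: it walks a tree and reports directories whose names are only dots and spaces, files with media extensions or above a size threshold, and bytes used per top-level directory, which is the check that would have caught each of those cases early. The sample tree, the extension list and the size threshold are assumptions made for the example.

```python
"""Added example (not from the Slashdot thread): quick filesystem triage for
the abuse the posters describe - a rootkit parked in a dot-named directory
under the web root, and an anonymous FTP share filling up with movies.
The sample tree, extension list and size threshold are constructed."""
import os
import tempfile
from pathlib import Path

MEDIA_EXT = {".avi", ".mkv", ".mp4", ".mpg", ".iso", ".rar"}  # assumed list
LARGE_BYTES = 50 * 1024 * 1024  # assumed "nobody here makes files this big"


def odd_name(name):
    """Directory names made only of dots and spaces ("...", ". ", "..  ")
    vanish in a casual `ls` and are a classic spot to stash tools.
    os.walk never yields "." or "..", so those need no special case."""
    return name.strip(". ") == ""


def scan_tree(root, large_bytes=LARGE_BYTES):
    """Walk root and return odd-named directories, media/oversized files and
    bytes used per top-level directory, all as paths relative to root."""
    root = Path(root)
    findings = {"odd_dirs": [], "media": [], "bytes_by_top_dir": {}}
    for dirpath, dirnames, filenames in os.walk(root):
        d = Path(dirpath)
        for name in dirnames:
            if odd_name(name):
                findings["odd_dirs"].append((d / name).relative_to(root).as_posix())
        for name in filenames:
            p = d / name
            rel = p.relative_to(root)
            size = p.stat().st_size
            top = rel.parts[0] if len(rel.parts) > 1 else "."
            by_top = findings["bytes_by_top_dir"]
            by_top[top] = by_top.get(top, 0) + size
            if p.suffix.lower() in MEDIA_EXT or size >= large_bytes:
                findings["media"].append(rel.as_posix())
    findings["odd_dirs"].sort()
    findings["media"].sort()
    return findings


def build_sample_tree(root):
    """Constructed sample: a web root with a '...' directory holding a
    rootkit tarball, and an open FTP incoming directory full of uploads."""
    root = Path(root)
    (root / "var/www/html").mkdir(parents=True)
    (root / "var/www/html/index.html").write_text("<html>hi</html>\n")
    rk = root / "var/www/html/..."
    rk.mkdir()
    (rk / "rk.tgz").write_bytes(b"\x1f\x8b" + b"\0" * 64)  # gzip magic, fake payload
    inc = root / "srv/ftp/incoming"
    inc.mkdir(parents=True)
    (inc / "readme.txt").write_text("upload here\n")
    (inc / "movie01.avi").write_bytes(b"RIFF" + b"\0" * 32)
    # No media extension, but huge: a sparse file, so it costs no real disk.
    with (inc / "dump.bin").open("wb") as f:
        f.truncate(60 * 1024 * 1024)
    (root / "home/user").mkdir(parents=True)
    (root / "home/user/notes.txt").write_text("nothing to see\n")


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run it against a real host as a read-only first pass before rebuilding: the comment about the server that was rebuilt three times is what happens when you restore the box without first finding what the intruders left behind and how they got in.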