Cleaning Up the Mess After a Major Hack Attack
Hugh Pickens writes "Kevin Mandia has spent his entire career cleaning up problems much like the recent breach at Stratfor, where Anonymous defaced Stratfor's Web site, published over 50,000 of its customers' credit card numbers online and has threatened to release a trove of 3.3 million e-mails, putting Stratfor in the position of trying to recover from a potentially devastating attack without knowing whether the worst is over. Mandia, who has responded to breaches, extortion attacks and economic espionage campaigns at 22 companies in the Fortune 100 in the last two years and has told Congress that if an advanced attacker targets your company then a breach is inevitable (PDF), calls the first hour he spends with companies 'upchuck hour' as he asks for firewall logs, web logs, and emails to quickly determine the 'fingerprint' of the intrusion and its scope. The first thing a forensics team will do is try to get the hackers off the company's network, which entails simultaneously plugging any security holes, removing any back doors into the company's network that the intruders might have installed, and changing all the company's passwords. 'This is something most people fail at. It's like removing cancer. You have to remove it all at once. If you only remove the cancer in your leg, but you have it in your arm, you might as well have not had the operation on your leg.' In the case of Stratfor, hackers have taken to Twitter to announce that they plan to release more Stratfor data over the next several days, offering a ray of hope — experts say the most dangerous breaches are the quiet ones that leave no trace."
A bunch of people that had nothing to do with the breach will more than likely end up losing their jobs over it (often the same people that warn about these vulnerabilities beforehand), while the retards that caused the breach, either through their ineptitude or refusal to spend money on proper security, walk away unharmed.
Not a problem here. We simply restore the workstation boot image from the creation CD and run all the updates on it.
Thumb drives, not a problem, thumb drives don't work here.
As for switches, I can update IOS on every switch in 60 seconds. Not a hard thing to do.
As for the "backups" problem, I have yet to see a hacker that can infect a machine using an ODF file. I'm not backing up ANY executables.
Honestly I can do a complete wipe and restore in under 5 days for a company that has 1000 employees and 20 servers. IF the IT department was set up and run by competent people.
If it's a typical cluster-turd... far far longer.
Do not look at laser with remaining good eye.
Honestly I can do a complete wipe and restore in under 5 days for a company that has 1000 employees and 20 servers.
That's not too bad. But of course any machine that's not been wiped and restored cannot be allowed on the network. And for the employees that means up to five days of not being able to do much. That's a long time to wait.
What you're doing, although I don't think you intended to, is making excuses as to why those six mistakes are necessary. This is a fatal error. By justifying them, you ignore the consequences -- which are that you've just about guaranteed that you will be hacked the first time someone with sufficient expertise and resources decides to target you.
The trick is to recognize that you cannot make these mistakes. Period. No matter who you have to run over, who you have to piss off, who you have to overrule, who you have to upset, no matter what. You have to be, and yes I am, an arrogant bastard. Because the moment you compromise, you're doomed. We've seen it over and over and over and over again, we're seeing it again today, we'll see it again tomorrow. Every single data breach incident I've ever read about included at least one of those six mistakes, and most of them included several. Yet incompetent, weak-willed IT people insist on making them because "we've always done it this way" or "that can't work!" or "but it would break..." or for a thousand other reasons...none of which matter. (What good is having a spiffy computing environment if it's not secure?)
The problem isn't that we don't know what to do. We do. The problem is lack of will to do it.