Firewall Wizards mailing list archives

RE: OK, I've been hacked, now what?


From: "Scott, Richard" <Richard.Scott () bestbuy com>
Date: Wed, 5 May 1999 11:46:27 -0500


        Joseph S D Yao stated:

        You may not have been aware of a security hole.  Or, also likely, you
        were aware of the possibility of a hole, but your management wanted you
        to concentrate on getting something else done, but getting back to that
        non-profitable security stuff [;-}] later.

        Now, all of a sudden, there's a smoking gun ... or, if you prefer, a
        thumbprint on your dining room window.  On the inside.  Evidence that
        an intruder has been there.  But there is NO WAY OF KNOWING [a priori]
        that this is all that the intruder has done!

        Even if NOTHING ELSE HAS BEEN DONE, the cost of this intrusion MUST
        include either a complete review of everything to see what has been
        touched [if you're a masochist or really detail-oriented], or just
        wiping everything out and re-starting from the last time you THINK [but
        cannot "know"] that there was no intrusion.  If you want to use any
        files since the known intrusion, you must review them for evidence of
        tampering.  [What if the intruder downloaded your MS Word files, viewed
        them with a virus-infected copy of MS Word, and copied back the
        infected copy?  What if they stuck scurrilous remarks about your
        favourite folks, including immediate ancestors, in your Annual Report?]

        The cost of the intrusion might as well include the costs of properly
        upgrading your system to have at least minimal security features ...

        If this is really the case, take this example:
        I own a house that has no security whatsoever.  A break-in occurs.
        I claim to the insurance company and to the police that nothing was
stolen, yet the break-in will cost thousands of pounds because I want a
24-hour guard on the door next time.  So the real cost is driven up by my
desire to increase security.

        Now take this as the main reason I begrudge companies randomly
making up figures.
        Assume I am a hacker.  I break in and copy a document which in its
true form isn't publicly available, and yet the information in another form
is available publicly.  Now, the company had no security, no firewall,
nothing whatsoever; the company declares the loss of that item cost the
business millions.
        Now, the loss is not reported to shareholders as the company is
legally bound to do, and I am caught.
        The company declares the system was down during the breach, which it
wasn't, and ups the ante once again.
        The company also states that this information was so valuable that
it demands the cost of implementing security to protect it from the
perpetrator.

        Now, this gets interesting!
        The court is told that the information is publicly available in
another form.  That if the information was so valuable, why wasn't it
protected, and that if the losses reported by the company were real, why is
there no report of them in the financial reports?  This whole scenario had
been played out by the infamous E911 document and blue Lightening many years
ago.  If the system had not been brought down, and the services are still
available, what real costs are lost?

        OK, the company feels that it must investigate; sure, but why not
begin by having a security project/personnel there before the site was
running?  In fact, if a company is going to lie about the worth of its
assets, it is surely going to leave itself open to perjury charges?

        I think companies should be realistic and begin by acknowledging that
security breaches are as common to online sites as bank robbers robbing
banks.  How many banks do you see with no security?  What's that I hear you
say?  None?
        In England, there isn't a bank where there isn't some type of
procedure/plan/strategy invoked for security.
        I think management who value the information on their servers should
spend more time listening to what exactly is happening; after all, there is a
premise stating that what's on the Internet is in the public domain ;-)

        It's this worthless attachment to public information that companies
always perform that I refute when I see the figures for a break-in.  Sure,
all the costs so far mentioned in the thread are realistic apart from a few.
Yes, costs of consultants, downtime, research time, etc., but really,
where do we draw the line?


        because management would never have granted you time to get around to
        it otherwise.  And this is necessary, otherwise you would never have
        been "cracked" by the cracker.

        Eh?

        If the amount spent on cleaning up after an intrusion is just copying
        an old copy of index.html over the defaced one ... well, I guess that
        company deserves what it gets.


        Exactly ;-)


Richard Scott   
(I.S.) E-Commerce Team
* Tel: 001-(612)-995-5432
* Fax: 001-(612)-947-2005
* Best Buy World Headquarters
   7075 Flying Cloud Drive
   Eden Prairie, MN 55344 USA
   This '|' is not a pipe

        --
        Joe Yao                         jsdy () cospo osis gov - Joseph S. D. Yao
        COSPO/OSIS Computer Support                                       EMT-B
-----------------------------------------------------------------------
              This message is not an official statement of COSPO policies.
