Firewall Wizards mailing list archives

Re: OK, I've been hacked, now what?


From: Joseph S D Yao <jsdy () cospo osis gov>
Date: Wed, 5 May 1999 17:24:38 -0400 (EDT)

      If this is really the case take this example: 
      I own a house that has no security whatsoever.  A break-in occurs.
      I claim on the insurance and to the police that nothing was stolen,
yet the break-in will cost thousands of pounds because I want a
24 hrs guard on the door next time.  So the real cost is driven up by my
desire to increase security.

Do you own anything in your house that is worth many thousands of
pounds?  If so, you might well wish to pay that much.  And if you own
anything worth millions of pounds, you are probably paying tens of
thousands of pounds in insurance for it.  If you pay thousands of
pounds for a 24-hour guard, the insurance company might reduce your
premiums by a similar amount.

Further: if your house is as well organized as most people's computers,
how would you even KNOW whether something has been stolen or not?  Or,
to draw a parallel with crackers that insert Trojan horses etc.,
whether your household appliances had been replaced by ones that did
"other things" while you weren't looking?

But it's also not entirely an LSD [pounds, shillings, pence] issue.
It's a "comfort" issue.  When you come home and see the door jimmied
open, do you just waltz in and snake a brew from the kitchen?  I would
hope that you would at least look for someone else to walk in -
carefully looking around for the intruder - or, better, call the police
to do it for you.

To better state your case, from the business point of view: say that
Harrod's had no security except locking their doors every night.  And
say that, one morning, the CEO comes in and finds the remains of his
best cigars, sandwiches, and bottles of port on his desk, when nobody
has been in the store.  Don't you think that he will immediately order
an inventory of the entire store, and an administrative inventory of
his most important papers?  That will surely cost more than your
thousands of pounds!  Don't you think that he would go out and pay for
"security consultants"?  Don't you think that he will finally listen
to the doorman, who has been insisting for years that the store should
get an electronic alarm system, and at least two more doormen so that
he can catch some shut-eye at night?

      Now take this as the main reason I begrudge companies randomly
making up figures.
      Assume I am a hacker.  I break in, copy a document which in its
true form isn't publicly available, and yet the information in another form
is available publicly.   Now, the company had no security, no firewall,
nothing whatsoever; the company declares the loss of that item, costing the
business millions.
      Now, the loss is not reported to shareholders as legally bound to
and I am caught.
      The company declares the system was down during the breach, which it
wasn't, and ups the ante once again.
      The company also states that this information was so valuable that
it demands the cost of implementing security to protect it from the
perpetrator.

      Now, this gets interesting!
      The court is told that the information is publicly available in
another form.  That if the information was so valuable why
wasn't it protected, and that if the losses reported by the company were
real, why is there no report of it in financial reports?  This whole
scenario had been played out by the infamous E911 document and blue Lightening
many years ago.  If the system had not been brought down, and the services
are still available, what real costs are lost?

      Ok, the company feels that it must investigate; sure, why not begin
by having a security project/personnel there before the site was running?
In fact, if a company is going to lie about the worth of its assets, it is
surely going to leave itself open to perjury charges?

      I think companies should be realistic and begin by acknowledging
security breaches are as common to online sites as bank robbers robbing from
banks.  How many banks do you see have no security?  What, I hear you say?
None?
      In England, there isn't a bank where there isn't some type of
procedure/plan strategy invoked for security.
      I think management who value the information on their servers should
spend more time listening to what exactly is happening; after all, there is a
premise stating, what's on the Internet is in the public domain ;-)

Most of your points are very valid.  But, again, HOW DO YOU KNOW what
the cracker did?  (He broke into the computer.  That by itself makes
him a Criminal Hacker - a cracker.)  It may be immediately obvious that
he looked at the list of local restaurants in the /pub directory.  How
do you know he didn't also copy over the list of passwords to his
'crack' machine, and the secret financial documents that the financial
officer put in his personal directory on this machine because that made
it so much easier to edit them?

You are ABSOLUTELY RIGHT that the management should have put an
appropriate value on security BEFORE the break-in.  My response should
have reeked of my attitude towards those that refuse to do so.

Are you surprised that companies conceal "hidden losses" from their
shareholders?  Thou innocent.  Are you surprised that they want "the
authorities" to do work for free, rather than pay for local work?  Thou
naive.  Do you think that companies will laugh off a little intrusion,
and say, "Oh, it can't have been harmful, let's do better next time."?
Well, yes, sometimes they try so hard to pretend that it never happened
that they lie to themselves.  But the more HONEST will expend what
resources they can [especially if they happen to be public resources or
someone else's] trying to find out what THEY might have lost, what THEY
did to enable this, and what THEY can do to fix it.

Until they forget.  ;-/

--
Joe Yao                         jsdy () cospo osis gov - Joseph S. D. Yao
COSPO/OSIS Computer Support                                     EMT-B
-----------------------------------------------------------------------
      This message is not an official statement of COSPO policies.