Firewall Wizards mailing list archives
RE: OK, I've been hacked, now what?
From: "Scott, Richard" <Richard.Scott () bestbuy com>
Date: Fri, 7 May 1999 10:09:38 -0500
Dana Nowell wrote:

> At 12:14 PM 5/6/99 -0500, Scott, Richard wrote:
>
> > -----Original Message-----
> > From: Dana Nowell [SMTP:DanaNowell () corsof com]
> > Sent: Thursday, May 06, 1999 10:30 AM
> > To: Scott, Richard
> > Subject: RE: OK, I've been hacked, now what?
> >
> > > At 09:59 AM 5/5/99 -0500, Scott, Richard wrote:
> > >
> > > Yes I agree, my point was that 'general connectivity' is not generally a 'project' so to tie security to project based funding is short sighted. Sometimes you just need to buy infrastructure based on where the company is headed.
> >
> > Yes, but security plays a part in every project, whether that be e-commerce, database management or simple User Interface Design! If I undertook a project and never thought about security I would consider myself unworthy of the role. Now if the corporation considers having numerous networks then a security project should be started and continuously funded.
>
> OK, I get it now, we are sort of saying the same thing. Expenditures are TYPICALLY approved either for a specific project or as part of corporate infrastructure. You think a 'security project' should be started that spanned multiple areas (not usually done that way, turf issues cause problems) and that project funded appropriately. In actual practice, security costs are either built into a project if they are significant or a separate project for a 'piece of infrastructure' is started for cross project issues (e.g. a firewall is infrastructure, an RSA encryption library might be project specific). Security departments are continuously funded and they have a list of cross domain 'on-going' projects (network security, internet security, physical security, ...) BUT the scope of these projects is fixed, increasing the scope requires justification of the new expenditures (and various departmental sign-offs).

Everything that a corporation undertakes needs justification. Rightly so, too, when you have tabloid whores and media junkies writing about stories of hackers stealing secrets. Let's face it, adequate security isn't that expensive. It just needs rationalisation and common sense from those who are in the know. The site should be protected from well known vulnerabilities, and empirical evidence and reports could be used to persuade management that extra expenditure is needed. In the environments I have worked in security is always borne in mind and is always reviewed when new exploits are found both internally and publicly. Not only does this often help the other teams understand the technology they are using, it also helps prevent lapses in security. If the management feels that a breach of security is worthless, and risk management nowadays is changing this trail of thought, then one would have to conclude that it's time to try something different. Maybe hire a penetrative expert for a few hours and get them to test the site, retrieve information management understands, and tell them this was obtained easily. Then things might change.

> > > By quantifying costs people can point to other incidents in the industry to help justify the costs quoted (hence the expenditures requested). If I claim a web site breach will cost $200,000 (in hard and soft costs), my boss will say, 'right, where the hell did you get that number, you trying to pad your budget?'. I can say I guessed or I can then point out that N other companies similar to us were breached and they reported losses totaling Y dollars for an average cost per incident of $201,426, that's where I got the number. He might be apt to listen some more if I used 'real data' than if I guessed. So by now it should be obvious why padding the numbers can occur. If people pad the numbers, hackers look bad, LEA looks good, security guys get bigger budgets, CEOs write off more one time expenses on the budget (making the company look better to investors) and in general everyone but the hackers are happy (and the hackers have been painted as the bad guy so who cares about them, they have zero PR credibility/impact).
> >
> > The problem here is educating the higher management. If your business is worth millions, 200k a year is peanuts to spend on security. However, security costs will reduce once you have built the infrastructure such as firewalls and the rest. Initial start up costs will be high, as with any project! Would you design a car without looking into aerodynamic efficiency? Would you start a project to develop a new pair of trainers (sneakers) without looking at marketing? The point that must be realised is that security is an essential part of development.
>
> Yes, it usually is done that way, the issue is HOW MUCH security, what types, how much does it cost, ... I want to design a car, do I BUILD/BUY a wind tunnel for testing or rent one?

That all depends on how you wish to pursue the job at hand. If you were an F1 racing team you would want to buy one in the long term, and maybe if you are a car manufacturer you may want to too, but if you are building one car, then maybe not. Similarly, if you have one site which is going to be used for 3 months, and then dismantled, why bother with extreme security. However, if this site was to be linked to the corporate intranet or has a longer life span you may wish to spend more money on it, and its security ;-)

> Or is my design a sufficient rip-off of a Honda/Ford/Chevy/xxx that I can get 'close enough' from their data. What if I'm wrong?

It may be interesting, of all the people reading the firewall-wizards list, to build a report on how much people are spending on firewalls, training and development. I'll forward this message to the list and see if one can get a response.

> The other problem may be that your business is worth $N Million/year in REVENUE but only a few thousand in profit (how many EC sites even turn a profit?) Now justify an additional $200K in security expenditures :-).

My point entirely when one decides how much an intrusion actually affects company profits.

> > You argue that "If I claim a web site breach will cost $200,000 (in hard and soft costs), my boss will say, 'right, where the hell did you get that number, you trying to pad your budget?'. I can say I guessed or I can then point out that N other companies similar to us were breached and they reported losses totaling Y dollars for an average cost per incident of $201,426, that's where I got the number."
> >
> > Well how do you know their estimates were correct? In fact, if a higher management player doesn't think security is an issue, then you should go about trying to educate them. Maybe a little penetrative testing is in order.
>
> They ALWAYS think security is an issue (CEOs like to cover their butts legally), they are RARELY competent to quantify the exposure for themselves. That's why they pay us :-). We quantify the risks, provide alternative solutions (with costs) and they choose how much risk is acceptable vs. the cost of removing that risk. They do occasionally want to know how we quantified the risk (based on others in the industry, guessed, past experience, ...). As to how we know the other estimates are correct, you don't. BUT if I price 10 different types of autos from 10 different dealers, can I get an idea if the actual auto I'm looking at is priced roughly correctly, sure. If I've never seen an automobile, have no clue as to their costs, can I say if a Ford Escort is worth $5k or $15k, nope.
>
> Penetrative testing is useful, how did you justify the time spent on doing it (chicken and the egg problem, if management is totally clueless, you don't get the testing approved). Then assuming you find a hole, is it cost effective to patch it or is it 'better/cheaper' to assume the risk?

I would advocate a diplomatic measure! Penetrative testing in the corporate environment isn't easy. However, if one assumes that software has a testing environment, hardware has a testing environment, I'd explain that security needs a testing environment. One can take a firewall product, install it and still render the site insecure. One would explain to the management (business) that testing needs to be done, and configuration is the key. You may find that if you speak to them in their language, fewer bytes and sockets and more operational risk and figures, a bright future is ahead.

> > > Management would NOT say 'No security policy'. They say the exposure you have pointed out does not justify the amount of money you are asking for to fix it.
> >
> > Then if that was the case I would point out that if the cost of maintaining the project/site is say 1 million, and the cost of security is 200k, but the loss could erupt to a closure of business, then they would listen. Obviously I admit with using alarmist points it's hard to educate management. But they are definitely getting the point!
>
> No, they simply think you are over reacting, "close the business as if ...", credibility is the exchange currency here, crying the sky is falling, the sky is falling rarely gets you anywhere.

One doesn't need to cry that the sky is falling in, although it seems they do that when they are penetrated! Maybe some statistical analysis of scanning on the network, selected logging of certain attacks can persuade the business folk that something needs to be done. Just like opinion polls, customer confidence polls and market research provide management with an easy, broad view of what is going on.

> Proving the sky is falling or proving a logical example of how it could fall is much more useful. Remember, if the site is worth $1 million/year and the cost of stopping a given event is say $200,000/year you STILL need to convince management that the event is likely to happen. If it cost $1 million to recover from the event, I'd give you little funding if the likelihood of the event was once every 50 years (on average pay $10 Million to save $1 Million, this is not cost effective). Remember if 'cost to fix it' > 'Cost to recover' * 'likely incident count', it may be better to assume the risk.
>
> > > > This is hard to say, but I would argue that mugging someone would incur the cost upon that person at that moment in time. I would exclude costs of legal fees. The problem here lies with the American legal system which seems to be like a joke!
> > >
> > > Forget the legal fees, think medical fees related to psychological trauma, same principal/issue (had to quantify soft money not obviously related at first pass) and perhaps easier to rationalize.
> >
> > OK so the hacker finds a hole in your system. The hole existed well before the hacker found it. The cost of repairing that hole is borne by the owner of the site. Just like if one would suffer from stress before a mugging occurred. The role of cost is subsequently reduced. That person already suffered from stress, so the cost of causing stress to that person is not entirely the mugger's fault. Thus corporations should not include the cost of fixing the bug in the first place.
>
> Agreed, BUT the cost of examining the site in detail to determine IF the hacker did anything IS incident driven. As is the cost of replacing the site if the site is needed for evidence. I'd exclude the hardware cost but labor to reinstall is included as I need the site back. If the patched version is available I may get the patch for free as I can and should charge the reinstall off to the incident and the time to install the old one is roughly the same as the new one (I assume).

I think that the whole patch/service pack "market" is shoddy. If I purchase a vendor's product and it's supposed to be a secure firewall, then that is what I want. If it is breached due to configuration then it may be my fault. On the other hand, if the breach occurs due to a protocol implementation by the vendor, then I should be entitled to sue the company. Hence a drastic change to the licensing agreement is needed. It isn't necessarily true to blame hackers for everything, in fact let's assume they discovered some holes that a foreign agent was going to exploit on your site, but you found the hole and blocked it? That hacker who published the exploit may have brought about bug fixes et al?

> > > > Going by what we've discussed it is obvious that security in terms of legality/cost needs thorough research and more clarity! However so, mounting costs to an inordinate figure which includes fictitious losses is illegal, yet I have yet seen a case, and maybe Mitnick's is the first to dispute this, to counter this!
> > >
> > > Claiming that something cost X is not illegal,
> >
> > Actually, if X cost millions of dollars and this was not reported to the shareholders, then in court it could be considered false testimony, and next to perjury!
>
> > > it can certainly become a point of argument. That said, you can not pull a number out of a hat, you do need justification, the 'hackee' accounts for costs in a much more 'liberal' fashion than the hacker, that's all. I can sue the mugger for $10 Million in psychological damages claiming 'I'll need therapy for 20 years at $N/year plus health issues related to stress',
> >
> > To do this though you would have to have a good lawyer, and you would never get the money anyway! You could sue for all you want, but it doesn't mean you will win! Just like corporations making huge losses as a result of a hacked site, which in all caused a fraction of the amount!
>
> Exactly my point, the company can CLAIM it cost $10 million per incident, doesn't mean the courts will believe them or that they'll get it back in civil court.
>
> > > the mugger claims 'no one has fallen over from a mugging related heart attack a year after the mugging occurred and 20 years seems a bit long, you're padding the numbers', the court decides.
> >
> > Yes, without evidence you are in shallow water. Hence, what evidence could one use to bring about costs caused by a hacker? For one, reporting them to shareholders would be a wise move. ;-)
>
> Long term, yes. Short term, a publicly traded company that admits being hacked MAY lose value in the market, may fire the CEO, may go out of business. So what does a CEO do?

Corporations must report significant losses to shareholders in their annual report (legally).

> > > Same creative accounting issue. Eventually this will be worked out (usually when insurance companies get in the game) with standardized 'allowed' expenditures and 'typical' rates in each category. Until then creative accounting rules both sides of the equation. Hackers claim that 'if you had procedures in place and good backup, recovery should have been a day so damages are $500 for one day labor, no lost business because those people came back later and no loss of client confidence because it was a single incident that people expect to happen eventually and besides you are partly to blame for having poor security.' The company's estimate is $100,000 or more including lost confidence numbers. Both sides are doing a little creative accounting in my opinion.
> >
> > Maybe so, but I think the security community should take heed and develop a methodology for calculating somewhat the cost of a break in. ;-)
>
> Yes they should. And everyone should be a good parent, a good citizen, and ... :-)
>
> > > > No, but if NT was the main breach in security, why shouldn't MS be sued, after all it has proclaimed NT secure! When it was first released (NT 4). In fact the C2 rating is all confusing because it is only given to an NT machine standalone!
> > >
> > > MS does NOT claim NT IS secure. It claims NT CAN BE configured to meet the C2 standard, ball's back in your court.
> >
> > Not in a Network environment though, stand alone only ;-)
>
> > > > > First, prove the hacker did nothing :-).
> > > >
> > > > Nope, that's not how the law works!
> > >
> > > Actually, it is.
> >
> > Nope, first of all you must prove he/she actually performed the hack!
>
> Sorry, thought that was a given, thought you intended proven break-in, no apparent damage. My point was that just checking for damage costs money, which in effect IS damage.
>
> > > The hacker broke into the system, I may be by that act to ensure he did nothing, a cost I am potentially entitled to recoup in civil court as his act caused me quantifiable damages.
> >
> > I would say he kept you in business ;-)
>
> > > But the point was not to use that to attack the hacker, it is that a corporate expense occurs from that incident that the corporation has to pay for and it can be used in a cost justification plan (I.E. every break-in must be investigated to quantify the damage, including no damage, consequently EVERY break-in costs at least X dollars even if no damage occurs).
> >
> > If no damage exists, and assume we can state that, then effectively the charge of breaking in to a computer is used, but corporations tend to append numerous other factors to underpin a prosecution.
>
> True.
>
> > > > > And while expenditure MIGHT be small, what of the potential cost of lost customer confidence?
> > > >
> > > > Maybe this should have been thought of before the project to develop the site went ahead. I would argue that if the company valued this criteria so much, why was it taken not to include security in the project?
> > >
> > > It may have been, that does not reduce the 'cost' of the break in.
> >
> > Yes it can, just by segmenting the network the breach can be contained to a possible limited area!
>
> Not unless they are in different security domains, just adding routers is pretty useless security. Adding more segments with firewalls between segments is useful BUT the original model may have been a tough outer perimeter with little security internally, thus concentrating all security dollars to avoid break-in, not 'wasting dollars' on minimizing damage after a break-in. (Not the best scheme IMO, but one a lot of companies use).
>
> > > Just because I thought of it, planned for it, and the hacker broke in anyway does not mean the cost doesn't count (hopefully I've minimized it, but I still count it).
> >
> > Yes, you have minimised it. IMHO, if a site has no security, then it's wasting their time being on the Internet. Would I park my car with the car keys in it? Would I leave the front door ajar when I leave my house? No. So why would I put my network out in the open? I think you can not dismiss that a criminal hacker, once having broken the law, should get prosecuted. But you can not append random costs to make the prosecution. These costs must be proven.
>
> The court examines the costs, they can NOT be random. The issue is 'what is a valid cost?' We have little law, little experience, and no standards on that topic. Much like the guy that has never seen an auto guessing if the Escort is priced fairly.
>
> > > The wannabe comment makes me think you do not manage a site on a daily basis :-). Guess how many SMURF attacks we see a day at a basically unknown Dev building in southern New Hampshire (four to five on average 5+ days/week, several months AFTER smurf should be well dead throughout the world). Want to discuss network scans (2+/week)? Want to discuss rates the week after a new exploit program is released (5-20+ depending on the exploit and code availability)? Want to discuss the same rate when the exploit is first identified (but before code is 'generally' available to the script kiddies), probably 1 exploit out of 20 shows up once in the month before 'general code release' (Beta? :-).
> >
> > I take note of your point. And yes there are plenty of people downloading scripts and executing them. But at the same time these exploits are available to you and you should identify how to defend against them. If you see so many smurf attacks it is all too easy to defend against it. Simple? Had the exploit circulated amongst the elite, you would have not noticed the attacks for some time. In fact let's assume I was a hacker (;-)), I developed an exploit, I may want to abuse it for a while before releasing it to the public! And then what would you do?
>
> Not the original point. The original point was ancillary damages caused by release of an exploit. Let's assume I am a small no name site, and the exploit is a web page defacing hack. Can I assume the risk and NOT upgrade yet (roll it in to the next quarterly upgrade), sure. What is my risk in the elite inner circle case, I'm not a likely target (or no more so than several thousand others), the incidence rate is low, so my overall exposure is low (probability of incident), I can wait. Now the elite release the exploit, N thousand script kiddies download, my probability of incident is now about 100%, I'd better patch immediately. See the difference for the 'small guy'. (Admittedly zero difference if you are IBM, MS, AT&T, or other high profile 'bonus points' target site.)
>
> > And yes I do manage a site, a private one, and I have sat on both sides of the firewall so to speak ;-) I am neither a criminal hacker nor security expert, but I am a person who is security aware *wink wink*.
>
> No, really :-).
>
> > > Very FEW vendors claim their code is secure in general, some claim it is secure against attack X, some claim it meets C2 or B1 or A3 or ... requirements if PROPERLY configured. Everyone is careful, no one likes being sued.
> >
> > Funny this, but had I had a site based on an OS that consistently was breached, and caused me a huge loss, I would sue the vendor. It doesn't have to be secure, it MUST fit the purpose the software was intended for. The problem, like costs, is that software is not a tangible object. One can not necessarily state it didn't meet the requirements of the person who bought the software. However, how many vendors offer a refund when users find that the software they bought crashes constantly, or leaves gaping holes in their security? None. There should be a role reversal, ok let the law deal with hackers, and let the corporation sue the vendors!
>
> Have you read a MS license agreement recently, specifically the 'fitness of use' clause?
>
> > > > > Mitnick's biggest problem is he pawed through people's stuff without permission, a very negative PR event.
> > > >
> > > > Actually do you really know what he did? The stuff which people have written about him is all lies, and anyway, the information he had was available on the internet! The question is what information is in the public domain and what isn't? And why? And how did private info get in to the public? Mitnick received data from BBS that were publicly released...like credit card numbers...
> > >
> > > Yes and pawed through Telco dumpsters and switches.
> >
> > Which at the time is not illegal. The file in question containing the CC numbers was publicly available on the Net. And as I believe the law states, having this is not illegal, using it is. Owning exploits is not illegal, using them maybe.... Like I said, the government did a good PR job.
>
> The issue is the trace from the security guy in CA that led back to Mitnick (yes, yes, I know, but it is enough to bust him, the rest is lawyerdom issues).
>
> > > Yes, are all goals always met? Gee, maybe people should consider a goal of stopping burglars, I bet a $10000 security system would look neat on a $2000 trailer in a low rent southern ghetto.
> >
> > How about a $100 alarm, but wait, you forgot the cost of the burglary. The cost of living elsewhere, the emotional cost, ... and wait, after the insurance company has paid up, we must always include the emotional cost, and then the cost of the theft itself, and then the cost of the damage caused which may be more than the object was worth... and wait, guess what, we never had any evidence that there was a Rolex watch in the trailer.. We'll still say it was there though... throw that in too...
>
> And it used to work that way, until insurance companies standardized things and courts accepted that as 'general practice'.
>
> > > (It ALWAYS comes back to cost, I CAN break into ANY site, the trick is to make it cost more than it is worth. The problem is my estimate of worth/cost is not always the same as yours.) If you have an EC site, I COULD hire 50 mercenaries, a couple of tanks, some automatic weapons, and be ready to kill the entire site's staff to walk off with the physical equipment, I bet that defeats the bulk of EC site security out there.
> >
> > Yes, but highly unlikely. What are the chances though that an EC site is scanned every week? You know yourself how often things like these occur!
>
> > > I doubt I'd make my money back and I bet I'd get at least a small hassle from LEA. But I WOULD be able to break in to the equipment after I got it home (barring media level encryption).
> > >
> > > > Well let's say the project funding was 25 million dollars, I would advocate at least a few million in beginning the security project, ....
> > >
> > > Again, not a one size fits all problem. Suppose it was a $25 million dollar project. $24.5 million in hardware that was to be stationed in a top level security office of the Pentagon, or in the White House Situation Room and the equipment was NEVER going to be connected to a network. Still need 1+ million for additional security?
> >
> > Maybe, if the computer held classified documents, national security would be at risk if they were released, I would heavily invest in anti Tempest equipment.
>
> At that point the whole damn room is already Tempest level :-).
>
> > > The key is Analysis, Analysis, Analysis. What am I protecting, what is it worth to ME (hard and soft money), what is it worth to SOMEONE ELSE, what are the threats, what am I willing to spend to protect it? You need all of the above to make a decision.
> >
> > Good point. So why don't EC corporations take this in to account? And it shouldn't just apply to EC sites, but to other computer sites around the World. Ok, maybe what should happen is the corporation should document the information stored in the systems, its worth in different scenarios, then if a breach does occur, they have the knowledge already. More often than not, the corporate officer doesn't know what the information is worth; I understand that a precise value can not be calculated, but some initial value could be. At the moment, as history has shown us, companies are associating values to information which are just not thought out. Sure stolen code is by definition expensive, especially if it's a new algorithm to do something better. But if it's so valuable, and this could be used to educate the management (in the quest for better security), why have they left it in a place where it could be at risk?
>
> Because it was easier and cheaper for them to do that and increase productivity than impact productivity by securing it (don't the real world suck :-).

One can still introduce the benefits of productivity through data distribution and keep a handle on security. However, it's the personnel who are not interested/educated about security who seem to be the problem.

> Dana Nowell                Home: mailto:dana () nowell mv com
> Cornerstone Software Inc.  Work: mailto:DanaNowell () corsof com
> MIME attachments preferred, BINHEX and uuencoded acceptable.
> The opinions above are free, remember you get what you pay for.
> The company doesn't speak for me and I don't speak for them.

Richard Scott (I.S.) E-Commerce Team
* Tel: 001-(612)-995-5432
* Fax: 001-(612)-947-2005
* Best Buy World Headquarters, 7075 Flying Cloud Drive, Eden Prairie, MN 55344, USA
This '|' is not a pipe
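As an added illustration (not code from the thread or from either author), the break-even rule Dana states above, 'cost to fix it' > 'Cost to recover' * 'likely incident count', carried through with the thread's own numbers ($1 million to recover, once every 50 years, $200,000/year to stop it) and then with Dana's "small guy" exploit-release scenario; the per-incident investigation cost follows the point that every break-in costs at least X dollars even when no damage is found, and the dollar figures for the small site are constructed.

```python
from dataclasses import dataclass


@dataclass
class Exposure:
    """One threat against one site, in the terms used in the thread."""
    recover_cost: float        # cost to recover from one incident (hard and soft money)
    investigate_cost: float    # cost to check whether damage occurred; paid on EVERY break-in
    incidents_per_year: float  # 'likely incident count' per year (1/50 = once every 50 years)

    def expected_annual_loss(self) -> float:
        """'Cost to recover' * 'likely incident count', expressed per year."""
        return (self.recover_cost + self.investigate_cost) * self.incidents_per_year


def should_fix(exposure: Exposure, annual_fix_cost: float) -> bool:
    """The thread's rule: if 'cost to fix it' exceeds the expected loss, assume the risk.
    Returns True when paying for the fix is the cheaper option."""
    return annual_fix_cost <= exposure.expected_annual_loss()


def horizon_costs(exposure: Exposure, annual_fix_cost: float, years: int) -> dict:
    """Total outlay over a planning horizon under each choice."""
    return {
        "fix": annual_fix_cost * years,
        "assume_risk": exposure.expected_annual_loss() * years,
    }


# Dana's numbers: $1M to recover, once every 50 years, $200K/year to stop the event.
DANA_EXPOSURE = Exposure(recover_cost=1_000_000, investigate_cost=0, incidents_per_year=1 / 50)
DANA_FIX_COST_PER_YEAR = 200_000


def exploit_release_decision() -> tuple:
    """Dana's 'small guy' scenario: the same defacement exploit before and after public release.
    Dollar figures are constructed for illustration; the probabilities follow the thread
    (low while the exploit stays with the 'elite', about 100% once script kiddies have the code).
    Returns (patch_now_before_release, patch_now_after_release)."""
    patch_cost = 2_000  # constructed: one-off labor to test and roll the patch outside the quarterly cycle
    private = Exposure(recover_cost=5_000, investigate_cost=500, incidents_per_year=0.02)
    public = Exposure(recover_cost=5_000, investigate_cost=500, incidents_per_year=1.0)
    return should_fix(private, patch_cost), should_fix(public, patch_cost)


if __name__ == "__main__":
    print("Dana's case, pay to stop the event?", should_fix(DANA_EXPOSURE, DANA_FIX_COST_PER_YEAR))
    print("50-year totals:", horizon_costs(DANA_EXPOSURE, DANA_FIX_COST_PER_YEAR, 50))
    print("Patch now before/after exploit release:", exploit_release_decision())
```

With Dana's numbers the 50-year totals come out to $10 million spent on the fix against $1 million of expected loss, which is the "pay $10 Million to save $1 Million" comparison in the message; the same rule flips from "wait for the quarterly upgrade" to "patch immediately" once the incident rate jumps.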