Firewall Wizards mailing list archives

Re: OK, I've been hacked, now what?


From: Joseph S D Yao <jsdy () cospo osis gov>
Date: Wed, 5 May 1999 12:24:33 -0400 (EDT)

Richard Scott mused:
I was just wondering about these so called costs.  Let's assume your web
page was defaced.  That your original index.html or whatever had in fact been
copied to old.html, and a new page inserted (the hacked page).

Now I am not aware of the hacking incident; more information may be more
helpful here.
Now if it is the case that the original page has been moved, what are the
real costs in replacing it by moving it back to index.html?

The fact that the security hole already existed shouldn't be placed in the
cost of the intrusion.  ...

Not quite.

You may not have been aware of a security hole.  Or, also likely, you
were aware of the possibility of a hole, but your management wanted you
to concentrate on getting something else done, but getting back to that
non-profitable security stuff [;-}] later.

Now, all of a sudden, there's a smoking gun ... or, if you prefer, a
thumbprint on your dining room window.  On the inside.  Evidence that
an intruder has been there.  But there is NO WAY OF KNOWING [a priori]
that this is all that the intruder has done!

Even if NOTHING ELSE HAS BEEN DONE, the cost of this intrusion MUST
include either a complete review of everything to see what has been
touched [if you're a masochist or really detail-oriented], or just
wiping everything out and re-starting from the last time you THINK [but
cannot "know"] that there was no intrusion.  If you want to use any
files since the known intrusion, you must review them for evidence of
tampering.  [What if the intruder downloaded your MS Word files, viewed
them with a virus-infected copy of MS Word, and copied back the
infected copy?  What if they stuck scurrilous remarks about your
favourite folks, including immediate ancestors, in your Annual Report?]

The cost of the intrusion might as well include the costs of properly
upgrading your system to have at least minimal security features ...
because management would never have granted you time to get around to
it otherwise.  And this is necessary, otherwise you would never have
been "cracked" by the cracker.

Eh?

If the amount spent on cleaning up after an intrusion is just copying
an old copy of index.html over the defaced one ... well, I guess that
company deserves what it gets.

--
Joe Yao                         jsdy () cospo osis gov - Joseph S. D. Yao
COSPO/OSIS Computer Support                                     EMT-B
-----------------------------------------------------------------------
      This message is not an official statement of COSPO policies.
