Firewall Wizards mailing list archives
Re: OK, I've been hacked, now what?
From: Joseph S D Yao <jsdy () cospo osis gov>
Date: Wed, 5 May 1999 12:24:33 -0400 (EDT)
Richard Scott mused:
> I was just wondering about these so-called costs. Let's assume your web page was defaced. That your original index.html or whatever had in fact been copied to old.html, and a new page inserted (the hacked page). Now I am not aware of the hacking incident, more information may be more helpful here. Now if it is the case that the original page has been moved. What are the real costs in replacing by moving it back to index.html. The fact that the security hole already existed shouldn't be placed in the cost of the intrusion. ...
Not quite. You may not have been aware of a security hole. Or, also likely, you were aware of the possibility of a hole, but your management wanted you to concentrate on getting something else done, but getting back to that non-profitable security stuff [;-}] later.

Now, all of a sudden, there's a smoking gun ... or, if you prefer, a thumbprint on your dining room window. On the inside. Evidence that an intruder has been there. But there is NO WAY OF KNOWING [a priori] that this is all that the intruder has done!

Even if NOTHING ELSE HAS BEEN DONE, the cost of this intrusion MUST include either a complete review of everything to see what has been touched [if you're a masochist or really detail-oriented], or just wiping everything out and re-starting from the last time you THINK [but cannot "know"] that there was no intrusion. If you want to use any files since the known intrusion, you must review them for evidence of tampering. [What if the intruder downloaded your MS Word files, viewed them with a virus-infected copy of MS Word, and copied back the infected copy? What if they stuck scurrilous remarks about your favourite folks, including immediate ancestors, in your Annual Report?]

The cost of the intrusion might as well include the costs of properly upgrading your system to have at least minimal security features ... because management would never have granted you time to get around to it otherwise. And this is necessary, otherwise you would never have been "cracked" by the cracker. Eh?

If the amount spent on cleaning up after an intrusion is just copying an old copy of index.html over the defaced one ... well, I guess that company deserves what it gets.

--
Joe Yao jsdy () cospo osis gov - Joseph S. D. Yao
COSPO/OSIS Computer Support EMT-B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.