Firewall Wizards mailing list archives
RE: OK, I've been hacked, now what?
From: "Scott, Richard" <Richard.Scott () bestbuy com>
Date: Wed, 5 May 1999 11:46:27 -0500
Joseph S D Yao stated:

> You may not have been aware of a security hole. Or, also likely, you were aware of the possibility of a hole, but your management wanted you to concentrate on getting something else done, but getting back to that non-profitable security stuff [;-}] later. Now, all of a sudden, there's a smoking gun ... or, if you prefer, a thumbprint on your dining room window. On the inside. Evidence that an intruder has been there.
>
> But there is NO WAY OF KNOWING [a priori] that this is all that the intruder has done! Even if NOTHING ELSE HAS BEEN DONE, the cost of this intrusion MUST include either a complete review of everything to see what has been touched [if you're a masochist or really detail-oriented], or just wiping everything out and re-starting from the last time you THINK [but cannot "know"] that there was no intrusion. If you want to use any files since the known intrusion, you must review them for evidence of tampering. [What if the intruder downloaded your MS Word files, viewed them with a virus-infected copy of MS Word, and copied back the infected copy? What if they stuck scurrilous remarks about your favourite folks, including immediate ancestors, in your Annual Report?]
>
> The cost of the intrusion might as well include the costs of properly upgrading your system to have at least minimal security features ...

If this is really the case take this example: I own a house that has no security whatsoever. A break-in occurs. I claim in the insurance and to the police that nothing was stolen, yet the cost of the break-in will cost thousands of pounds because I want a 24 hrs guard on the door next time. So the real cost is driven up by my desire to increase security.

Now take this as the main reason I begrudge companies randomly making up figures. Assume I am a hacker. I break in, copy a document which in its true form isn't publicly available, and yet the information in another form is available publicly.

Now, the company had no security, no firewall, nothing whatsoever, the company declares the loss of that item cost the business millions. Now, the loss is not reported to shareholders as legally bound to and I am caught. The company declares the system was down during the breach, which it wasn't, and ups the ante once again. The company also states that this information was so valuable, that it demands the cost of implementing security to protect it from the perpetrator.

Now, this gets interesting! The court is told that the information is publicly available in another form. That if the information was so valuable why wasn't it protected, and that if the losses reported by the company were real, why is there no report of it in financial reports? This whole scenario had been played by the infamous E911 document and blue Lightening many years ago.

If the system had not been brought down, and the services are still available, what real costs are lost? OK, the company feels that it must investigate, sure, why not begin by having a security project/personnel there before the site was running. In fact if a company is going to lie about the worth of its assets, it is surely going to leave itself open for perjury charges?

I think companies should be realistic and begin by acknowledging security breaches are as common to online sites as bank robbers robbing from banks. How many banks do you see have no security? What, I hear you say? None? In England, there isn't a bank where there isn't some type of procedure/plan strategy invoked for security.

I think management who value the information on their servers should pay more time listening to what exactly is happening, after all there is a premise stating, what's on the Internet, is in public domain ;-) It's this worthless attachment to public information that companies always perform that I refute when I see the figures of a break-in. Sure, all the costs so far mentioned in the thread are realistic apart from a few.

Yes, costs of consultants, down time, research time etc etc, but really, where do we draw the line?

> because management would never have granted you time to get around to it otherwise. And this is necessary, otherwise you would never have been "cracked" by the cracker.

Eh?

> If the amount spent on cleaning up after an intrusion is just copying an old copy of index.html over the defaced one ... well, I guess that company deserves what it gets.

Exactly ;-)

Richard Scott
(I.S.) E-Commerce Team
* Tel: 001-(612)-995-5432
* Fax: 001-(612)-947-2005
* Best Buy World Headquarters
7075 Flying Cloud Drive
Eden Prairie, MN 55344 USA

This '|' is not a pipe

> --
> Joe Yao jsdy () cospo osis gov - Joseph S. D. Yao
> COSPO/OSIS Computer Support EMT-B
> -----------------------------------------------------------------------
> This message is not an official statement of COSPO policies.