Firewall Wizards mailing list archives
Re: OK, I've been hacked, now what?
From: Joseph S D Yao <jsdy () cospo osis gov>
Date: Wed, 5 May 1999 17:24:38 -0400 (EDT)
> If this is really the case take this example: I own a house that has no security whatsoever. A break in occurs. I claim on the insurance and to the police that nothing was stolen, yet the cost of the break in will cost thousands of pounds because I want a 24 hrs guard on the door next time. So the real cost is driven up by my desire to increase security.
Do you own anything in your house that is worth many thousands of pounds? If so, you might well wish to pay that much. And if you own anything worth millions of pounds, you are probably paying tens of thousands of pounds in insurance for it. If you pay thousands of pounds for a 24-hour guard, the insurance company might reduce your premiums by a similar amount. Further: if your house is as well organized as most people's computers, how would you even KNOW whether something has been stolen or not? Or, to draw a parallel with crackers that insert Trojan horses etc., whether your household appliances had been replaced by ones that did "other things" while you weren't looking?

But it's also not entirely an LSD [pounds, shillings, pence] issue. It's a "comfort" issue. When you come home and see the door jimmied open, do you just waltz in and snake a brew from the kitchen? I would hope that you would at least look for someone else to walk in - carefully looking around for the intruder - or, better, call the police to do it for you.

To better state your case, from the business point of view: say that Harrod's had no security except locking their doors every night. And say that, one morning, the CEO comes in and finds the remains of his best cigars, sandwiches, and bottles of port on his desk, when nobody has been in the store. Don't you think that he will immediately order an inventory of the entire store, and an administrative inventory of his most important papers? That will surely cost more than your thousands of pounds! Don't you think that he would go out and pay for "security consultants"? Don't you think that he will finally listen to the doorman, who has been insisting for years that the store should get an electronic alarm system, and at least two more doormen so that he can catch some shut-eye at night?
> Now take this as the main reason I begrudge companies randomly making up figures. Assume I am a hacker. I break in, copy a document which in its true form isn't publicly available, and yet the information in another form is available publicly. Now, the company had no security, no firewall, nothing whatsoever; the company declares the loss of that item cost the business millions. Now, the loss is not reported to shareholders as legally bound to, and I am caught. The company declares the system was down during the breach, which it wasn't, and ups the ante once again. The company also states that this information was so valuable that it demands the cost of implementing security to protect it from the perpetrator. Now, this gets interesting! The court is told that the information is publicly available in another form. That if the information was so valuable, why wasn't it protected, and that if the losses reported by the company were real, why is there no report of it in financial reports? This whole scenario had been played out by the infamous E911 document and Blue Lightning many years ago. If the system had not been brought down, and the services are still available, what real costs are lost? OK, the company feels that it must investigate; sure, why not begin by having a security project/personnel there before the site was running? In fact, if a company is going to lie about the worth of its assets, it is surely going to leave itself open for perjury charges? I think companies should be realistic and begin by acknowledging security breaches are as common to online sites as bank robbers robbing from banks. How many banks do you see have no security? What, I hear you say? None? In England, there isn't a bank where there isn't some type of procedure/plan strategy invoked for security.
>
> I think management who value the information on their servers should spend more time listening to what exactly is happening; after all, there is a premise stating, what's on the Internet is in the public domain ;-)
Most of your points are very valid. But, again, HOW DO YOU KNOW what the cracker did? (He broke into the computer. That by itself makes him a Criminal Hacker - a cracker.) It may be immediately obvious that he looked at the list of local restaurants in the /pub directory. How do you know he didn't also copy over the list of passwords to his 'crack' machine, and the secret financial documents that the financial officer put in his personal directory on this machine because that made it so much easier to edit them?

You are ABSOLUTELY RIGHT that the management should have put an appropriate value on security BEFORE the break-in. My response should have reeked of my attitude towards those that refuse to do so.

Are you surprised that companies conceal "hidden losses" from their shareholders? Thou innocent. Are you surprised that they want "the authorities" to do work for free, rather than pay for local work? Thou naive. Do you think that companies will laugh off a little intrusion, and say, "Oh, it can't have been harmful, let's do better next time."? Well, yes, sometimes they try so hard to pretend that it never happened that they lie to themselves. But the more HONEST will expend what resources they can [especially if they happen to be public resources or someone else's] trying to find out what THEY might have lost, what THEY did to enable this, and what THEY can do to fix it. Until they forget. ;-/

-- 
Joe Yao jsdy () cospo osis gov - Joseph S. D. Yao
COSPO/OSIS Computer Support EMT-B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.