How To Manage a Security Breach?

Posted by kdawson on Mon Nov 06, 2006 07:27 AM
from the how-much-disclosure? dept.
Salvance writes, "A friend of mine has recently been stressed over a security breach at the company he consults for. The company maintains dozens of Windows 98 desktops to support legacy software that cannot be easily replaced. Due to the inherent lack of security in Win98, a worm was able to infiltrate almost every computer and send gigabytes of data (possibly including sensitive company data) to a 'redirector' in Eastern Europe. My friend was working on other security projects at this company and stumbled across this massive hole. He quickly convinced company executives to remove Internet access from all Win98 machines, purchase better firewalls, and implement other data protection strategies. However, the sticking point was client notification. Due to the nature of the legacy systems, there was no way to know what data was transferred. For this reason the company wanted to play it safe and disclose nothing. Of course, my friend is all for disclosure and preventing harmful use of the potentially leaked data. My friend doesn't know what to do, so I'd like to know what others here think."
  • Easy (Score:3, Insightful)

    by MyLongNickName (822545) on Monday November 06 2006, @07:29AM (#16733655) Journal
    Get the resume ready. If I were a client of a company that had such shitty protection of my data, I'd find another company ASAP. I expect that said person would do much better finding another place to work.
    • Re:Easy (Score:5, Insightful)

      by MyLongNickName (822545) on Monday November 06 2006, @07:37AM (#16733721) Journal
      Just noticed that he "consults" for the company, not works for it. This being the case, he has absolutely no say in the decision. The only thing I can say: cover your ass. Get everything in writing. If you have a verbal conversation, follow it up with an e-mail. Remember... shit flows downhill. They WILL try to find a way to shift the blame. Make sure you do not become the scapegoat.
      • Re: (Score:2, Informative)

        You are correct. Disclosure is a legal/business decision; if the company is public (or has customers in certain states), their hands are tied and they must comply and disclose either to the customer directly or via the mass media. If it's a private company with no customers in areas where protective legislation dictates disclosure, then it is a discretionary decision.
        • ....

          don't ask on slashdot?

          Seriously.

          If your "friend" thinks he needs legal advice, he should ask a lawyer.

          If your "friend" is asking for technical advice: while dosbox and wine are _great_ ways to impose greater restrictions on legacy software, if your "friend" is asking for technical advice by acting like he's looking for legal advice, then your "friend" is an asshat.
  • by greenmars (685118) on Monday November 06 2006, @07:31AM (#16733669)
    Offsite, you need to have a spreadsheet or other document. Put in the date and write down everything that happened to the best of your knowledge.

    If something is not documented, it didn't happen.

    Then, do what the client wants you to. Include the client's wishes in your documentation.
  • Interesting. (Score:3, Insightful)

    by BVis (267028) on Monday November 06 2006, @07:34AM (#16733695)
    So the company knows that there WAS a breach, and potentially sensitive data may have been leaked. The company probably doesn't have a technical obligation to disclose anything, since they don't know for sure that information that requires (or should require) disclosure (like customers' billing data, social security information, credit card info etc) was compromised.

    That being said, the right thing to do is to be forthcoming and disclose the nature of the breach, emphasizing that no specific information about what was leaked is available.

    Of course, this being a corporate setting, if they can get away without telling anyone, they will. Especially if it's publicly held; while the stockholders might wish to know that there was a problem, they may also be upset that a disclosure was made that was not absolutely required, as that will negatively affect their stock value.
  • No Brainer (Score:4, Insightful)

    by ReidMaynard (161608) on Monday November 06 2006, @07:34AM (#16733699) Homepage
    Since he consults, he does not set policy. He informed management (best keep a record(s) of that), it's their call.
      • Re: (Score:3, Insightful)

        And if he develops a reputation for publicising such breaches rather than "working to fix them" (ie. cover up), that too will dictate how his consulting business will grow.
  • There is always a danger in being more or less ethical than your employer. If you're more ethical you're a troublemaker and they'll fire you, and if you're less ethical then you're a scumbag. Obviously the ethical thing to do would be to notify the customers. But executives don't really work for the customer--they work for the stockholders, and "doing the right thing" doesn't figure very large in the balance sheet. I don't envy your friend's position, but it's a common one--look at Sibel Edmonds. Emplo
  • Yeah, right. 'Cause it would never happen to you, would it? ;-)
  • I think one of the most important points here is the operating system. I think it could be an option, if you *really* need to run specific applications on the Win98 platform, to install such an insecure operating system inside a virtual machine such as VMware. I don't care if the operating system is Windows XP or Linux, but I am sure it will be easier to fix the security hole if you have the OS inside the VM sandbox.

    On the other side, it could be the case (it has been in lots of places where I am from) that such machines a
    • Erm, virtualization is not a panacea. In this scenario, it appears that the Win98 systems have access to sensitive data because of the legacy applications that require Win98 to run. If you virtualize this under (say) MacOS running Parallels (to try and eliminate the host platform as an infection vector), you are still running Win98 in a VM, and Win98 will still have access to the sensitive data. If the Win98 VM has to be on the network, you are almost back to square one. The only improvement here may be
    • VMware doesn't work on every system.
      Second, you need enough RAM to be able to run the host and guest OS,
      but firstly you need a good enough CPU. A K6(400) wasn't capable, for example.

      Maybe an alternative might be to remotely run the guest OS using the older PCs as clients.
      Or just do the sensible thing and buy some better systems.
    • I run it via Win4Lin 9.x over Fedora Core 3. I've never seen ZoneAlarm go off since I put it behind a Linux firewall. To do Windows AV protection, just run F-Prot for Linux, it's got the Windows virus signatures and updates automatically via daily cron job.

      Oddly enough, the only legacy Windows apps I run regularly are Eudora and occasionally, Word and Excel. (I have OpenOffice, at what I do, "minor" compatibility problems aren't) I use the Linux host for everything else.
  • The relationship between the client and the client's customers is most likely not what he is being paid to consult about. He is better off pretending that he never thought of the issue at all.

    Put on your nerd hat, and treat any non-technical issue as unimportant and uninteresting.

    • So nerds don't care about right and wrong? It's only ones and zeros? What kind of hat should he wear if he wanted to be concerned?

  • Disclosure is required if there was any privacy data stored on those systems (people's names/numbers/SSN/etc.); if you do not know which users' data was compromised, all users need to be notified. This is required when it affects gov agencies; I am not, however, sure about private and commercial entities, although not notifying your customers if their data was compromised is asking for trouble, and when word gets out, people will find alternate solutions to what that company provides.
  • First - CYA (Score:4, Insightful)

    by hrieke (126185) on Monday November 06 2006, @07:48AM (#16733817) Homepage
    Cover Your Ass.

    Document everything. If there were conversations and meetings, send out a follow-up email with the notes of what was talked about. Keep copies of everything, make backups and place them in a bank.

    The second part comes if the company is publicly traded or not. If so, and these Windows 98 machines hold trade secrets or the accounts logged in had access to trade secrets stored elsewhere on the network, then the company is in some deep doo-doo; otherwise tell him to buck up and carry on.

  • by mccalli (323026) on Monday November 06 2006, @07:58AM (#16733911) Homepage
    As a consultant, your client is the company itself and not that company's customers. You've informed the company, now document it to make sure that's known. Ensure the right bit of the company is informed (ie. compliance, not just your local boss), document and you're done.

    Now, if the real question was "should I inform the company's customers because I think this is very important to them?", well you're on an entirely different path and ultimately only you can decide that. Without knowing the details of what might have been disclosed, no-one here can even give you an informed opinion let alone a set of instructions. But as far as what you must do is concerned, then see paragraph one.

    Cheers,
    Ian
    • It's ultimately the company's decision whether they report it to their customers or not. Especially as a contractor to the compromised company, you have no authority or right to disclose anything that the company doesn't want you to.

      Unless of course you suspect something illegal is being done by the company (eg criminal withholding of proper disclosure), in which case you should:
      1) Hire a lawyer today (maybe yesterday)
      2) As mentioned repeatedly, document everything, and make sure you notified the correct c
      • I agree with all posters who say that he should CYA and document everything. But is he liable for not reporting that a federal law has been broken?

        I think that it's the choice of the parties aggrieved by the crime. However, the company whose data was leaked should be informed since they're one of those parties, and it's their decision as well. What may be a bigger problem is data protection laws that require the owner of the data to be informed. If management fails to inform the owners of the company w

  • This is a really hard problem, especially given that I don't know how sensitive the sensitive information might have been, but the bottom line for me (as a client, MD or security guy) would be: disclose.

    I come to this conclusion from an evaluation of worst-case scenarios;

    possible results:
    harmful use of customer data, harms client
    disclosure, harms company reputation

    I am assuming that the harmed client would not know the company at fault. We shall call this 'harm1'.
    If the nature of the data means that a
    • This kind of thinking is nasty.

      I'm not saying you are nasty, but the risk/benefit ratio analysis is certainly psychotic. The ultimate example is that of the airplane manufacturer doing a similar study:

      1. If we fix a known fault in all our aircraft, it will cost us 1 Billion Dollars.
      2. Over the lifetime of the aircraft, lawsuits due to death and injury resulting from the fault will cost us only 500 million.
      3. Don't fix the fault; it's less expensive in the long run.

      Money isn't everything. Doing the right
      • yeah I know. I was going to prefix my comment with "replying in business-speak that your manager will understand".

        You shouldn't even need to do this to know what's right, but the thing is, no company ever just does what's right; they -need- to have this type of wank.
      • In business, money is everything. 1 billion dollars is something that adversely affects the bottom line more than 500 million, making it a bad business decision. Speaking about the right thing is the easiest way to lose the attention of business people. Though, there are often other factors that can turn the right thing into a bottom line benefit. For example, avoiding damage to the company's reputation would be good for future contracts. Also, death and injury frequently cause new laws which could res
  • And guess who's going to be in the shit if valuable information gets leaked? The execs that covered it up? Noooo.... the poor sap they convinced not to tell anyone about it.

    Get everything in writing. If possible get signatures. If you need them for references, get them *now* before anything goes wrong.
  • The company maintains dozens of Windows 98 desktops to support legacy software that cannot be easily replaced

    It's really time to consider that while it may not be easy, it's time to hire some programmers and write that replacement. Really. Win98 support is going to get more and more difficult, to the point where it is no longer reasonable to support it at all. Will it be too late for your company when that time comes?

  • by yebb (142883) on Monday November 06 2006, @08:07AM (#16733997)
    As a consultant, it's not your place to dictate how another company defines its business strategy.

    You've said your bit to promote disclosure (I assume), make sure that there is a paper trail detailing that, then let them run their business how they see fit. Possibly into the ground.

    If you're a third-party contractor and you start letting loose about your clients, that's not a good way to give yourself credibility. Remember that the management team for this company has likely spoken to their lawyers, possibly other security experts. There is the remote possibility that they know what they are doing.

  • I dunno... I'd be more embarrassed that the company was still using Windows '98 because it didn't want to replace their legacy software. Oh, I know, I've heard it all before... there's no replacement for it, it would be too costly, blah blah blah.

    But there almost certainly IS a replacement for your legacy apps, and your employer is being stupid by continuing to use it. Instead of paying the cost of replacement, they're paying the cost of NOT replacing it... higher IT staffing costs, decreased security, an
  • by wirefarm (18470) <jim.mmdc@net> on Monday November 06 2006, @08:13AM (#16734053) Homepage
    Why are these machines connected to the Internet?

    If they are insecure, sandbox them or cut them off completely.

    If they need some kind of network access, use a whole shitload of proxies and firewalls and a carefully-monitored snort install and babysit the hell out of it until they can be secured.

    No, forget that. Get them off the net completely.
  • There is absolutely no reason for those machines to have had (or have currently) unfettered access to the outside world. If they're required to support a funky app then their outbound access should be bound to a specific port or set of ports and a specific destination or source IP. There is no excuse for this kind of setup. I too have seen many situations just like this which were made to have much less of an impact by limiting the outbound access of the machines. For example does your mail server reall
  • I can bet with near 100% certainty that I could walk into nearly any enterprise network, jack into the core on a mirrored port and find at least a few owned machines. If you are on a Windows network and the clients have access to the Internet, there are some that are compromised... period. It takes constant monitoring, and even then you are performing damage control. Keep your internal security policies tight; this will help to reduce the risk slightly.
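Several posters above make the same operational point: a legacy host that cannot be patched should get an explicit allow-list of destinations and ports, and its outbound traffic should be watched so that "gigabytes to a redirector" stands out. The following is an added example, not code from the thread or any product it mentions: a small egress audit over per-flow records. The legacy subnet, the allow-list entries, the volume threshold, the flow-record format and the sample flows are all constructed for illustration; in practice the records would come from a firewall or NetFlow export at the segment boundary.

```python
"""Egress allow-list and outbound-volume audit over constructed flow records.

Added example for the thread's advice on restricting and monitoring legacy
hosts. Everything here (network, hosts, rules, thresholds, sample flows)
is constructed for illustration.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Constructed: the segment the legacy desktops live on.
LEGACY_NET = ipaddress.ip_network("10.20.0.0/24")

# Constructed allow-list: (destination network, destination port, protocol).
# Only the legacy app's back end, a file share and the internal resolver.
ALLOW = [
    (ipaddress.ip_network("10.1.5.10/32"), 1521, "tcp"),  # legacy app database
    (ipaddress.ip_network("10.1.5.20/32"), 445, "tcp"),   # file share
    (ipaddress.ip_network("10.1.0.53/32"), 53, "udp"),    # internal DNS
]

# Constructed threshold: per-host outbound bytes per reporting window that
# warrants a look even when every individual flow is allowed.
BYTES_OUT_THRESHOLD = 50 * 1024 * 1024  # 50 MiB


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str
    bytes_out: int


def parse_flow(line: str) -> Flow:
    """Parse one 'src dst dport proto bytes_out' record (constructed format)."""
    src, dst, dport, proto, nbytes = line.split()
    return Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst),
                int(dport), proto.lower(), int(nbytes))


def is_allowed(flow: Flow) -> bool:
    """True when the flow's destination, port and protocol match an allow-list entry."""
    return any(flow.dst in net and flow.dport == port and flow.proto == proto
               for net, port, proto in ALLOW)


def audit(lines: list[str]) -> dict[str, list[str]]:
    """Return findings: 'policy' for flows outside the allow-list,
    'volume' for legacy hosts whose outbound bytes exceed the threshold."""
    findings: dict[str, list[str]] = {"policy": [], "volume": []}
    out_by_host: dict[ipaddress.IPv4Address, int] = defaultdict(int)
    for line in lines:
        flow = parse_flow(line)
        if flow.src not in LEGACY_NET:
            continue  # only the legacy segment is policed here
        out_by_host[flow.src] += flow.bytes_out
        if not is_allowed(flow):
            findings["policy"].append(
                f"{flow.src} -> {flow.dst}:{flow.dport}/{flow.proto} not in allow-list")
    for host, total in sorted(out_by_host.items()):
        if total > BYTES_OUT_THRESHOLD:
            findings["volume"].append(f"{host} sent {total} bytes outbound this window")
    return findings


# Constructed sample: three permitted flows, one flow to an external address on
# an unexpected port that is also large enough to trip the volume threshold,
# and one flow from a host outside the legacy segment that is ignored.
SAMPLE_FLOWS = [
    "10.20.0.15 10.1.5.10 1521 tcp 20480",
    "10.20.0.15 10.1.0.53 53 udp 512",
    "10.20.0.22 10.1.5.20 445 tcp 4096",
    "10.20.0.22 198.51.100.77 8443 tcp 73400320",  # 70 MiB to a non-allow-listed host
    "10.30.0.9 198.51.100.77 443 tcp 1024",        # not a legacy host
]

if __name__ == "__main__":
    for kind, items in audit(SAMPLE_FLOWS).items():
        for item in items:
            print(f"[{kind}] {item}")
```

The two checks are deliberately independent: a worm that tunnels out over an allowed destination and port still shows up in the volume finding, and a low-volume beacon to an unexpected address still shows up in the policy finding. The same allow-list is what the boundary firewall should enforce; the audit exists to catch the gap between the rules you wrote and the traffic you actually see.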
  • If I ever learned that the company responsible for protecting my security covered up a breach, they would be GONE. That day. That shows an incredible lack of integrity on your company's part. There's really nothing you can do to help your situation there. Eventually someone will catch them and that will be their undoing. Anyone around them will be tarnished. The best thing you can do is put the resume to work, DOCUMENT EVERYTHING, and talk with a lawyer that specializes in these things, there are pr
  • At least they don't have to worry about nuking the site from orbit.

    That window of opportunity has closed.
  • The first thing to do is talk to the lawyers and make sure that they understand EXACTLY what has happened. If there is, or might be, a legal obligation to make disclosures, the company would have to be run by total fools not to do so. If the lawyers say disclose and the management waffles or decides not to, it's probably time to bail.

    Second, all the smoke and mirrors notwithstanding, Windows 9x probably is not much more (or less) insecure than NT-based Windows. They both suck as far as I can see. If an

  • Do not disclose until there is evidence that the information has been used. The people who received the data might not know that they have it and they will not be able to find it without further information. Once you go public, they will start looking for it.

    So, until you've got evidence that they already did use the information, you should seriously consider keeping silent. Even mentioning the name of the company could lead to a series of IP-addresses and hence to the data.
  • His only choice is to quit working there. He is only a consultant, so he can make recommendations, but the company is free to ignore him. Odds are that he is likely to be bound by a non-disclosure agreement regarding the network and data situation at the company, as well.
  • by Lumpy (12016) on Monday November 06 2006, @09:07AM (#16734597) Homepage
    #1 - Run the hell away. If the client is not interested in doing what he suggests, then he is wasting time. Those 98 machines should have been on a secure private network with no Internet access for years now. If the company refused to do that, he should have said, "Then you will have no security; your data can and will be stolen eventually. Are you OK with that?" If they say yes, have them sign off on a hold-harmless waiver. Always end that statement with that question. It delivers ownership of the problem to the exec and allows you to CYA.

    When the security breach happened like this you can then say, "Executive XYZ said he was OK with that; see, here is his sign-off acknowledging that fact."

    Secondly, Win98 apps can be run in a virtual system that would have allowed him to have some security. Why did he not do this? Was the client a cheapskate who refused to pay for anything? If so, then once again it's a run-away situation.

    This could have been avoided. It would not have been cheap, but it could have been avoided. IT consultants need to have the balls to tell a customer "NO! You have to do it this way," because they are paying you to be the expert. If they do not listen to you, suggest they hire the "geek squad" from Best Buy, if all they are looking for is IT people that will do what they are told.

    Can you tell I am fed up with incompetent clients that say they want security but refuse to pay for it?

    • Run them in Virtual Machines. VMWare is just awesome. Not that this fixes the problem after it happened.
      • Run them in Virtual Machines. VMWare is just awesome. Not that this fixes the problem after it happened.

        Ehr... correct me if I'm wrong, but wouldn't that just result in infected virtual machines? The whole beauty of those virtual machines is that you, well... emulate a machine that behaves just like any other machine. It's not that exploits for Win'98 would not occur within such a virtual machine.

        This is, of course, assuming that they already run the minimal amount of Win'98 machines they need, and not

        • Yeah, but you can wipe the virtual image and revert to a known clean one at the end of each day. Like re-installing all the boxen every night.
        • I thought the VMs would be protected by the security of the host system, since they're connecting through it. Am I wrong about that? That's not a rhetorical question--I don't actually know, and I'm curious. If I install VMware on Linux, then install Win98 in a VM, doesn't the Win98 internet connection get handled by the host OS?
          • I thought the VMs would be protected by the security of the host system, since they're connecting through it.

            Well, to my knowledge, VMware creates new virtual ethernet interfaces you can look up with ifconfig... looks pretty unprotected to me :-)

          • Well, the host OS can act as a NAT (ask Wikipedia what that is) or it can bridge the network connection, and the guest OS gets a valid (globally) accessible IP address. A NAT is a bit safer because it's impossible for a system from the outside to initiate a connection with the guest OS, but if you bridge and the guest OS has an accessible IP address, any system can connect to it. Of course in reality they're connecting to the host OS, but the host OS isn't necessarily set up to watch the data, instead just
          • No, a VM has its own network connectivity just as a real machine does. The VM host CAN supply the virtual network switch to supply that network connectivity to the VMs, but that is it; as far as the VM is concerned, the OSI model still applies and the host simply provides the physical layer. You could run a software firewall on one VM and use that VM to route and provide network access to the other VMs on the same host if you wanted a one-box solution. VMWare encourages and collects "user built" VM images and
    • One reason we've seen more disclosures like this lately is because of a recent California law that requires disclosure in such cases if California citizens are affected by the breach. I'm not sure if the law requires actual knowledge of a particular type of data being compromised, but this could be the lever he needs to get the company to DTRT and disclose (you only have to disclose to Californians, but after that, it's pretty much going to get out so you might as well disclose nationally right off). As I
    • by Harmonious Botch (921977) * on Monday November 06 2006, @08:32AM (#16734213) Homepage Journal
      Your 'friend' has already screwed up. ( sorry to put it that baldly, but he has ) He was hired to deal with security issues, not legal ones. He never should have discussed client notification with them. When he starts expressing opinions about that, he is way outside of what he contracted to do. He may not have recognized this breach of manners, but, I assure you, they have.

      Now, if he - or anybody else - leaks this, management will assume that it was him.
          • Re: (Score:3, Funny)

            You are misinformed. They are no longer the consultants you say "nee"; they are now the consultants who say "eki eki eki ftang whoborble"
    • Not informing the customers is the decision of the executives, and any resulting problems this causes are therefore their responsibility.

      Well, if not informing the clients violates some data protection laws (as another poster said it did in Calif.) the management might be committing a criminal offense by not reporting the breach. If he knows about it, he'd be obligated to report this to the police. Otherwise he might be charged with being an accessory or abetting the crime if criminal charges were ever