How To Manage a Security Breach?
Salvance writes, "A friend of mine has recently been stressed over a security breach at the company he consults for. The company maintains dozens of Windows 98 desktops to support legacy software that cannot be easily replaced. Due to the inherent lack of security in Win98, a worm was able to infiltrate almost every computer and send gigabytes of data (possibly including sensitive company data) to a 'redirector' in Eastern Europe. My friend was working on other security projects at this company and stumbled across this massive hole. He quickly convinced company executives to remove Internet access from all Win98 machines, purchase better firewalls, and implement other data protection strategies. However, the sticking point was client notification. Due to the nature of the legacy systems, there was no way to know what data was transferred. For this reason the company wanted to play it safe and disclose nothing. Of course, my friend is all for disclosure and preventing harmful use of the potentially leaked data. My friend doesn't know what to do, so I'd like to know what others here think."
Easy (Score:3, Insightful)
Re:Easy (Score:5, Insightful)
Re: (Score:2, Informative)
OR HERE'S A BETTER IDEA (Score:3, Insightful)
don't ask on slashdot?
Seriously.
If your "friend" thinks he needs legal advice, he should ask a lawyer.
If your "friend" is asking for technical advice, while dosbox and wine are _great_ ways to impose greater restrictions on legacy software, if your "friend" is asking for technical advice by acting like he's looking for legal advice, then your "friend" is an asshat.
Re: (Score:2)
Long ago I realised most "Ask Slashdot" posts were just hypotheticals; or fantasies along the line of "Letters to Penthouse". Basically concocted by submitters, or perhaps editors, to excite noisy discussion and lots of ad impressions. So don't worry about why anyone would be stupid enough to ask Slashdot if they were really in that situation, because the situation, and the person, are most likely imaginary.
Re: (Score:2)
Hopefully that
Re: (Score:2)
One possible "benefit" to this approach is that your sudden attention to formality here in documenting this should scare the executives into thinking about this a little harder. "If he feels it necessary to collect some CYA documentatio
Re: (Score:2)
http://yro.slashdot.org/article.pl?sid=05/06/30/1
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Document, document, document (Score:3, Insightful)
If something is not documented, it didn't happen.
Then, do what the client wants you to. Include the client's wishes in your documentation.
Win98 boxes (Score:1)
It's not just about what the company wants (Score:2)
Re: (Score:2)
Basically, it says if you maintain personal information of California residents and if that info *might* be compromised, then you *must* notify all affected parties. The information includes first name (or initial) and last name, plus one or more of SSN, driver's license #, CC number, bank account, and a few others.
The fine for failure to notify is $10,000 *per account*. The first big story on this was a few months after the law became effective. A consultant for Wells Farg
Interesting. (Score:3, Insightful)
That being said, the right thing to do is to be forthcoming and disclose the nature of the breach, emphasizing that no specific information about what was leaked is available.
Of course, this being a corporate setting, if they can get away without telling anyone, they will. Especially if it's publicly held; while the stockholders might wish to know that there was a problem, they may also be upset that a disclosure was made that was not absolutely required, as that will negatively affect their stock value.
No Brainer (Score:4, Insightful)
Re: (Score:2, Funny)
1) Everything is ok and you know that everything is ok
2) Something is wrong and you know that it is wrong (wrong in the sense of being illegal). Estimate (maybe with the help of a lawyer) if you commit a crime by supporting your employer's position. Luckily I live in a country (Germany) which learned some lessons from history, so that normally you do not have the duty to bring the case to court. Since you normally onl
Re: (Score:3, Insightful)
sticky situation (Score:2)
Couldn't you... (Score:1)
Finally there are companies that specialise in moving data from legacy systems to modern systems. You could employ one to move all the data.
or if they still have the Win98 licenses (Score:2)
Re: (Score:2)
Run them in Virtual Machines. VMWare is just awesome. Not that this fixes the problem after it happened.
Ehr.. correct me if I'm wrong, but wouldn't that just result in infected virtual machines? The whole beauty of those virtual machines is that you, well.. emulate a machine that behaves just like any other machine. It's not that exploits for Win'98 would not occur within such a virtual machine.
This is, of course, assuming that they already run the minimal amount of Win'98 machines they need, and not
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
I thought the VMs would be protected by the security of the host system, since they're connecting through it.
Well, to my knowledge, VMWare creates new virtual ethernet interfaces you can look up with ifconfig.. looks pretty unprotected to me :-)
Re: (Score:2)
Re: (Score:2, Interesting)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
This is just another example of why it is important to have the source code to business critical software.
"A friend of mine" (Score:2)
Mr. Vitti, that friend of yours.. (Score:1, Funny)
Legacy systems/apps (Score:2)
On the other side, it could be the case (it has been in lots of places where I am from) that such machines a
Re: (Score:2)
Re: (Score:2)
Second, you need enough RAM to be able to run the host and guest OS,
but firstly you need a good enough CPU. A K6(400) wasn't capable, for example.
Maybe an alternative might be to remotely run the guest OS using the older PCs as clients.
Or just do the sensible thing and buy some better systems.
VMWare for Legacy systems/apps (Score:2)
that's how I run W98SE... (Score:2)
Oddly enough, the only legacy Windows apps I run regularly are Eudora and occasionally, Word and Excel. (I have OpenOffice, at what I do, "minor" compatibility problems aren't) I use the Linux host for everything else.
Think about what? (Score:2)
Put on your nerd hat, and treat any non-technical issue as unimportant and uninteresting.
Re: (Score:2)
So nerds don't care about right and wrong? It's only ones and zeros? What kind of hat should he wear if he wanted to be concerned?
Yes. Ones are right (Score:2)
Disclose the breach. (Score:2)
Re: (Score:2)
Somebody else's problem (Score:1)
Informing customers may also cause problems for the company that are disproportionate to the damage done. If this friend informs the clients himself, he could be held responsible for harm done to the company.
Re: (Score:2)
Well, if not informing the clients violates some data protection laws (as another poster said it did in Calif.) the management might be committing a criminal offense by not reporting the breach. If he knows about it, he'd be obligated to report this to the police. Otherwise he might be charged with being an accessory or abetting the crime if criminal charges were ever
First - CYA (Score:4, Insightful)
Document everything. If there were conversations and meetings, send out a follow-up email with the notes of what was talked about. Keep copies of everything, make backups and place them in a bank.
The second part depends on whether the company is publicly traded or not. If so, and these Windows 98 machines hold trade secrets or the accounts logged in had access to trade secrets stored elsewhere on the network, then the company is in some deep doo-doo; otherwise tell him to buck up and carry on.
Re: (Score:2)
Cover his ass? Hmm
Question: "How to manage a security breach".
Answer: "Cover Your Ass".
That's the community spirit and responsibility I'm talking about, atta boy!
Now I ask you too: which is worse, that people ask how to handle a major security breakdown on slashdot, or that from over 100 posts, at the time of this posting, none is modded 5+ for anything...
Re: (Score:2)
For instance, if the company is publicly traded, the data breach should be part of the SEC filings, yes?
Lawyers will be involved, and perhaps lawyers whose interests are NOT aligned with yours - lawyers who are thinking of minority shareholders for example, or seeking to place blame away from those who au
Get out now if they refuse to disclose the breach. (Score:1)
The Six Dumbest Ideas in Computer Security (Score:1)
http://www.ranum.com/security/computer_security/e
You've already informed the client (Score:4, Insightful)
Now, if the real question was "should I inform the company's customers because I think this is very important to them?", well you're on an entirely different path and ultimately only you can decide that. Without knowing the details of what might have been disclosed, no-one here can even give you an informed opinion let alone a set of instructions. But as far as what you must do is concerned, then see paragraph one.
Cheers,
Ian
Re: (Score:2)
Unless of course you suspect something illegal is being done by the company (eg criminal withholding of proper disclosure), in which case you should:
1) Hire a lawyer today (maybe yesterday)
2) As mentioned repeatedly, document everything, and make sure you notified the correct c
Re: (Score:2)
I think that it's the choice of the parties aggrieved by the crime. However, the company whose data was leaked should be informed since they're one of those parties, and it's their decision as well. What may be a bigger problem is data protection laws that require the owner of the data to be informed. If management fails to inform the owners of the company w
Tricky (Score:2)
I come to this conclusion from an evaluation of worst-case scenarios;
possible results:
harmful use of customer data, harms client
disclosure, harms company reputation
I am assuming that the harmed client would not know the company at fault. We shall call this 'harm1'.
If the nature of the data means that a
Morality vs Math (Score:2)
I'm not saying you are nasty, but the risk/benefit ratio analysis is certainly psychotic. The ultimate example is that of the airplane manufacturer doing a similar study;
1. If we fix a known fault in all our aircraft, it will cost us 1 Billion Dollars.
2. Over the lifetime of the aircraft, lawsuits due to death and injury resulting from the fault will cost us only 500 million.
3. Don't fix the fault; it's less expensive in the long run.
Money isn't everything. Doing the right
Re: (Score:2)
You shouldn't even need to do this to know what's right, but the thing is, no company ever just does what's right; they -need- to have this type of wank.
Re: (Score:2)
Get it in writing. Signed. (Score:2)
Get everything in writing. If possible get signatures. If you need them for references, get them *now* before anything goes wrong.
Time to bite the bullet (Score:2)
It's really time to consider that while it may not be easy, it's time to hire some programmers and write that replacement. Really. Win98 support is going to get more and more difficult, to the point where it is no longer reasonable to support it at all. Will it be too late for your company when that time comes?
It's not your company (Score:3, Insightful)
You've said your bit to promote disclosure (I assume), make sure that there is a paper trail detailing that, then let them run their business how they see fit. Possibly into the ground.
If you're a third party contractor, and you start letting loose about your clients, that's not a good way to give yourself credibility. Remember that the management team for this company has likely spoken to their lawyers, possibly other security experts. There is the remote possibility that they know what they are doing.
Re: (Score:2)
Only large companies have lawyers on staff to handle this sort of advice. This sounds like a small company, who will be billed by the minute for all legal advice. They will not speak to their lawyers unless they have no choice. They will not ask them for advice on such matters. Small companies never do.
Win 98? (Score:2)
But there almost certainly IS a replacement for your legacy apps, and your employer is being stupid by continuing to use it. Instead of paying the cost of replacement, they're paying the cost of NOT replacing it... higher IT staffing costs, decreased security, an
Re: (Score:2)
The question isn't being asked (Score:3, Informative)
If they are insecure, sandbox them or cut them off completely.
If they need some kind of network access, use a whole shitload of proxies and firewalls and a carefully-monitored snort install and babysit the hell out of it until they can be secured.
No, forget that. Get them off the net completely.
Firewall and ethics (Score:2)
Re: (Score:2)
Use SUS [google.com] or WSUS [microsoft.com] or one of the many 3rd-party patch management applications.
As an example I know of one network in particular where the Windows domain servers (print servers, file servers, DCs, ISA boxes, etc) have no access to the outside world at all. No access at all. The internal Exchange servers don't have access to the outside either. They relay all mail through an SMTP relay w/ anti-spam and anti-virus fun
Re: (Score:2)
Re: (Score:2)
I'm not a WSUS expert by any means. I certainly hope that the packages are signed somehow. Google mig
Get used to it (Score:2)
Speaking from the client's perspective (Score:2)
At least (Score:2)
That window of opportunity has closed.
For starters ... The Lawyers (Score:2)
Second, all the smoke and mirrors notwithstanding, Windows 9x probably is not much more (or less) insecure than NT based Windows. They both suck as far as I can see. If an
Best advice: don't disclose (Score:2)
So, until you've got evidence that they already did use the information, you should seriously consider keeping silent. Even mentioning the name of the company could lead to a series of IP addresses and hence to the data.
If he doesn't like it, (Score:2)
Re: (Score:2)
If not reporting the breach is a criminal act, the NDA might be trumped by criminal law. For example, an NDA created by the Mafia that requires employees not to disclose murders to anyone outside the organization wouldn't stand up in court :)
-b.
Re: (Score:2)
Watching traffic? (Score:2)
I guess nobody noticed the "gigabytes of data" that was being pumped through the company's Internet pipe? Also, how do you know the server was actually in Eastern Europe?
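The "gigabytes of data" the poster above points at is exactly the kind of egress volume a per-host baseline catches in flow or proxy logs. The following is an added example, not code from the thread or from any poster: it parses constructed flow records (the record format, addresses and byte counts are all made up for this example), sums each host's outbound bytes to non-internal addresses per day, and flags any day that exceeds both an absolute floor and ten times the host's own median volume on its other days, reporting the dominant external destination for triage. The internal address ranges are an assumption (RFC 1918 space) and would be adjusted to the real network.

```python
"""Egress-volume anomaly check over constructed flow records.

Added example, not from the Slashdot thread. Record format and all
sample values below are constructed; INTERNAL_NETS is an assumption.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

# Assumption: RFC 1918 space is "internal"; anything else is external.
INTERNAL_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]

# Constructed flow export, one record per line: day src_ip dst_ip bytes_out
SAMPLE_FLOWS = """\
day1 192.168.10.21 192.168.10.5 5200000
day1 192.168.10.22 192.168.10.5 4100000
day1 192.168.10.21 198.51.100.7 800000
day2 192.168.10.21 192.168.10.5 5100000
day2 192.168.10.22 192.168.10.5 4300000
day2 192.168.10.22 198.51.100.7 700000
day3 192.168.10.21 192.168.10.5 5300000
day3 192.168.10.22 198.51.100.7 700000
day3 192.168.10.22 203.0.113.44 3200000000
"""


def parse_flows(text):
    """Parse 'day src dst bytes' lines; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        day, src, dst, nbytes = line.split()
        flows.append({"day": day, "src": src, "dst": dst, "bytes": int(nbytes)})
    return flows


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def external_volume(flows):
    """Return {src: {day: bytes}} counting only flows to external hosts.
    Every host gets an entry for every day so quiet days count as zero."""
    days = sorted({f["day"] for f in flows})
    hosts = sorted({f["src"] for f in flows})
    vol = {h: {d: 0 for d in days} for h in hosts}
    for f in flows:
        if not is_internal(f["dst"]):
            vol[f["src"]][f["day"]] += f["bytes"]
    return vol


def top_external_destination(flows, host, day):
    """External destination that received the most bytes from host on that day."""
    by_dst = defaultdict(int)
    for f in flows:
        if f["src"] == host and f["day"] == day and not is_internal(f["dst"]):
            by_dst[f["dst"]] += f["bytes"]
    return max(by_dst, key=by_dst.get) if by_dst else None


def flag_exfil(flows, factor=10, floor_bytes=100_000_000):
    """Flag (host, day) pairs whose external volume exceeds both an absolute
    floor and `factor` times the host's own median volume on its other days.
    The floor stops a host that is normally silent from alerting on a few KB."""
    alerts = []
    for host, per_day in external_volume(flows).items():
        for day, nbytes in per_day.items():
            others = [v for d, v in per_day.items() if d != day]
            baseline = median(others) if others else 0
            threshold = max(factor * baseline, floor_bytes)
            if nbytes > threshold:
                alerts.append({
                    "host": host,
                    "day": day,
                    "bytes": nbytes,
                    "baseline": baseline,
                    "top_dst": top_external_destination(flows, host, day),
                })
    return alerts


if __name__ == "__main__":
    for a in flag_exfil(parse_flows(SAMPLE_FLOWS)):
        print(f"{a['day']} {a['host']} sent {a['bytes']:,} bytes to external hosts "
              f"(baseline {a['baseline']:,.0f}); top destination {a['top_dst']}")
```

On the constructed data only 192.168.10.22 on day3 trips the check; the 800 KB that 192.168.10.21 sends out on day1 stays under the floor. Where the destination is actually located is a separate question from whether the volume was abnormal, and the flow record alone does not answer it.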
I have a tip for your friend.... (Score:3, Interesting)
when the security breach happened like this you can then say "executive XYZ said he was ok with that, see here is his sign off acknowledging that fact."
Secondly, win98 apps can be run in a virtual system that would have allowed him to have some security.. why did he not do this? was the client a cheapskate and refused to pay for anything?? if so then once again it's a run away situation.
This could have been avoided, it would not have been cheap, but it could have been avoided. IT consultants need to have the balls to tell a customer "NO! you have to do it this way." because they are paying you to be the expert. If they do not listen to you, suggest they hire the "Geek Squad" from Best Buy if all they are looking for is IT people that will do what they are told.
Can you tell I am fed up with incompetent clients that say they want security but refuse to pay for it?
Re: (Score:2)
Re: (Score:2)
Some Win98 installs I've seen are there for hardware reasons (expensive specialised A/D conversion cards in industrial machines with a few processor boards on the backplane) - but they are not on any networks.
too late now but (Score:2)
Virtualization. (Score:2)
Be safe! (Score:2)
Wellll there's yer problem!
--Rob
Run for President (Score:2)
Slashdot, Esq. (Score:2)
This is not an easy question... (Score:2)
It is the C-Suite that is responsible for the securit
required by law to notify customers (Score:2)
http://www.networkworld.com/news/2006/010606-data-breaches-law.html?fsrc=rss-security [networkworld.com]
Of course it may be different for your state as it's not nationwide that I'm aware of, but the fact still remains it is illegal in almost half the states in this country to "keep it quiet". Moreover, he WOULD be implicated in this mess as he knows of the problem and doesn't say anyth
ever heard of SOX (Score:2)
Re:ever heard of SOX (SOX != data breach law) (Score:2)
Re: (Score:2)
Plan your public response (Score:2)
AFAIK you're facing a legal requirement for disclosure, but also a PR nightmare if you mishandle it. If your DR and BCP don't say anything about media handling you ought to give their author a bit of a heads up - the disclosure is going to be painful enough, and mishandling how you tell the customers this (and the press) can cause serious harm to your customers.
I won't address the legal issues - that's what lawyers are for. Tech stuff you will have covered b
Seek legal counsel (Score:2)
Don't Panic PANIC BUTTON (Score:2)
http://slashdot.org/~netr00t [slashdot.org]
I would add, get a Lawyer, as in, have a Lawyer (anyway).
If you're in the USA, you should know by now, mostly morons make the "rules" of conduct, try not to participate.
Pay the Man:
http://www.forescout.com/index.php?url=products&section=activescout [forescout.com]
http://www.winternals.com/ [winternals.com]
Useful:
http://www.sysinternals.com/SecurityUtilities.html [sysinternals.com]
http://www.porcupine.org/forensics/forensic-discovery/ [porcupine.org]
http://www.fish2.com/tct/help-when-broken-into [fish2.com]
Firewalls a
Too late to be an "unidentified source" (Score:4, Interesting)
Now, if he - or anybody else - leaks this, management will assume that it was him.
Re: (Score:2)
I would also suggest the person who discovered the mess
Re: (Score:2)
Yes, he should have, but in the form "I strongly recommend that you ask corporate counsel whether laws X, Y and Q apply. If they do you will have to notify your clients. The facts and the unknowns that counsel will need to review include A, B, and E".
I don't keep my clients in the dark about things that might hurt them. I also don't exceed my expertise by playing lawyer.
Notifying the world on his own initiative would be a breach of professiona
Re: (Score:2)
Somebody mod him up.
Re: (Score:2)
Yes, everyone has a specific job to do and must not express any sentiment not directly related to that job. Shut up and keep shoveli
Re: (Score:3, Funny)