Forgot your password?
typodupeerror

How To Manage a Security Breach? 183

Posted by kdawson
from the how-much-disclosure? dept.
Salvance writes, "A friend of mine has recently been stressed over a security breach at the company he consults for. The company maintains dozens of Windows 98 desktops to support legacy software that cannot be easily replaced. Due to the inherent lack of security in Win98, a worm was able to infiltrate almost every computer and send gigabytes of data (possibly including sensitive company data) to a 'redirector' in Eastern Europe. My friend was working on other security projects at this company and stumbled across this massive hole. He quickly convinced company executives to remove Internet access from all Win98 machines, purchase better firewalls, and implement other data protection strategies. However, the sticking point was client notification. Due to the nature of the legacy systems, there was no way to know what data was transferred. For this reason the company wanted to play it safe and disclose nothing. Of course, my friend is all for disclosure and preventing harmful use of the potentially leaked data. My friend doesn't know what to do, so I'd like to know what others here think."
This discussion has been archived. No new comments can be posted.

How To Manage a Security Breach?

Comments Filter:
  • Easy (Score:3, Insightful)

    by MyLongNickName (822545) on Monday November 06, 2006 @08:29AM (#16733655) Journal
    Get the resume ready. If I were a client of a company that had such shitty protection of my data, I'd find another company ASAP. I expect that said person would do much better finding another place to work.
    • Re:Easy (Score:5, Insightful)

      by MyLongNickName (822545) on Monday November 06, 2006 @08:37AM (#16733721) Journal
      Just noticed that he "consults" for the company, not works for it. This being the case, he has absolutely no say in the decision. The only thing I can say: cover your ass. Get everything in writing. If you have a verbal conversation, follow it up with an e-mail. Remember... shit flows downhill. They WILL try to find a way to shift the blame. Make sure you do not become the scapegoat.
      • Re: (Score:2, Informative)

        by diersing (679767)
        You are correct. Disclosure is a legal/business decision, if the company is public (or has customers in certain states) their hands are tied and they must comply and disclose to either the customer directly or via the mass media. If its a private company with no customers in areas where protective legislation dictates disclosure then it is a discretionary decision.
        • ....

          don't ask on slashdot?

          Seriously.

          If your "friend" thinks he needs legal advise, he should ask a lawyer.

          If your "friend" is asking for technical advise, while dosbox and wine are _great_ ways to impose greater restrictions on legacy software, if your "friend" is asking for technical advise by acting like he's looking for legal advise, then your "friend" is an asshat.
          • by 1u3hr (530656)
            don't ask on slashdot?

            Long ago I realised most "Ask Slashdot" posts were just hypotheticals; or fantasies along the line of "Letters to Penthouse". Basically concocted by submitters, or perhaps editors, to excite noisy discussion and lots of ad impressions. So don't worry about why anyone would be stupid enough to ask Slashdot if they were really in that situation, because the situation, and the person, are most likely imaginary.

      • by k12linux (627320)
        Don't even rely on email. Print out a memo and keep a copy for yourself. Warn them in a "I just want you to have all the facts because I care about you as a customer" way that they may be exposing themselves to legal trouble if any of their customers live in an area with laws about this kind of thing (or if they are a publicly traded company, or in certain regulated industries.) Also warn that while you wouldn't violate confidentiality a leak by someone else could devistate customer trust.

        Hopefully that
        • by Fastolfe (1470)
          I completely agree. This is an appropriate time to get extremely formal. Document these things in writing, on paper, and explain these things in strong words, and follow up with a reaffirmation of your NDA. Maybe even make it clear that you're doing this as a CYA measure.

          One possible "benefit" to this approach is that your sudden attention to formality here in documenting this should scare the executives into thinking about this a little harder. "If he feels it necessary to collect some CYA documentatio
          • by jrockway (229604)
            Take a look to what happened to this guy for disclosing information via a memo to the CEO. Basically, his company runied his life, all because he pointed out (privately) one thing they did illegally. My advice to the consultant is to quit now, and get a lawyer. If they get a lawyer first, you're screwed:

            http://yro.slashdot.org/article.pl?sid=05/06/30/18 54228 [slashdot.org]
            • by k12linux (627320)
              Exactly why you want to be clear you won't leak any information. If they fear you are going to damage the company this kind of thing can happen. If they know you are going to keep your nose out of it beyond the memo they might actually work with you to fix things.
              • by Intron (870560)
                Right. Whatever you do, don't tell a friend or post a writeup on slashdot! Once you do either of those, you're screwed.
                • by k12linux (627320)
                  LOL! Yeah, I'd probably leave off of the memo the words, "I discussed this issue on a popular technology news website and others with no qualification to give legal advice said I should send this CYA memo to you."
  • by greenmars (685118) on Monday November 06, 2006 @08:31AM (#16733669)
    Offsite, you need to have a spreadsheet or other document. Put in the date and write down everything that happened to the best of your knowledge.

    If something is not documented, it didn't happen.

    Then, do what the client wants you to. Include the client's wishes in your documentation.
  • He might want to dig deeper into which worm he was infected with and what types of docs it steals, this may help determine what data was indeed stolen. If his company wants to investigate this further he should notify the FBI. If they want to keep quiet well their isn't much he can do about that with out possibly losing his job.
    • One reason we've seen more disclosures like this lately is because of a recent California law that requires disclosure in such cases if California citizens are affected by the breach. I'm not sure if the law requires actual knowledge of a particular type of data being compromised, but this could be the lever he needs to get the company to DTRT and disclose (you only have to disclose to Californians, but after that, it's pretty much going to get out so you might as well disclose nationally right off). As I
      • by hedronist (233240) *
        You are referring to AB 700 [ca.gov].

        Basically, it says if you maintain personal information of California residents and if that info *might* be compromised, then you *must* notify all affected parties. The information includes first name (or initial) and last name, plus one or more of SSN, driver's license #, CC number, bank account, and a few others.

        The fine for failure to notify is $10,000 *per account*. The first big story on this was a few months after the law became effective. A consultant for Wells Farg

  • Interesting. (Score:3, Insightful)

    by BVis (267028) on Monday November 06, 2006 @08:34AM (#16733695)
    So the company knows that there WAS a breach, and potentially sensitive data may have been leaked. The company probably doesn't have a technical obligation to disclose anything, since they don't know for sure that information that requires (or should require) disclosure (like customers' billing data, social security information, credit card info etc) was compromised.

    That being said, the right thing to do is to be forthcoming and disclose the nature of the breach, emphasizing that no specific information about what was leaked is available.

    Of course, this being a corporate setting, if they can get away without telling anyone, they will. Especially if it's publicly held; while the stockholders might wish to know that there was a problem, they may also be upset that a disclosure was made that was not absolutely required, as that will negatively affect their stock value.
  • No Brainer (Score:4, Insightful)

    by ReidMaynard (161608) on Monday November 06, 2006 @08:34AM (#16733699) Homepage
    Since he consults, he does not set policy. He informed management (best keep a record(s) of that), it's their call.
    • Re: (Score:2, Funny)

      by drolli (522659)
      Full Ack. If you work for somebody and you are paid for that there are three possibilities:

      1) Everything is ok and you know that everything is ok

      2) Something is wrong and you know that it is wrong (wrong in the sense of being illegal). Estimate (maybe with the help of a lawyer) if you commit a crime by supporting your employers position. Luckily I live in a country (Germany) which learned some lessons from History, so that normally you don not have the duty to bring the case to court. Since you normally onl
  • There is always a danger in being more or less ethical than your employer. If you're more ethical you're a troublemaker and they'll fire you, and if you're less ethical then you're a scumbag. Obviously the ethical thing to do would be to notify the customers. But executives don't really work for the customer--they work for the stockholders, and "doing the right thing" doesn't figure very large in the balance sheet. I don't envy your friend's position, but it's a common one--look at Sibel Edmonds. Emplo
  • ...update everything to windows XP, there an emulation layer that runs 98 software, although I don't know how good it is. If not you could try Linux running wine which would probably work.

    Finally there are companies that specialise in moving data from legacy systems to modern systems. You could employ one to move all the data.
    • Run them in Virtual Machines. VMWare is just awesome. Not that this fixes the problem after it happened.
      • Run them in Virtual Machines. VMWare is just awesome. Not that this fixes the problem after it happened.

        Ehr.. correct me if I'm wrong, but wouldn't that just result in infected virtual machines ? The whole beauty of those virtual machines is that you, well.. emulate a machine that behaves just like any other machine. It's not that exploits for Win'98 would not occur within such a virtual machine.

        This is, ofcourse. assuming that they already run the minimal amount of Win'98 machines they need, and not

        • by user24 (854467)
          yeah but you can wipe the virtual image and revert to a known clean one at the end of each day. like re-installing all the boxen every night.
        • I thought the VMs would be protected by the security of the host system, since they're connecting through it. Am I wrong about that? That's not a rhetorical question--I don't actually know, and I'm curious. If I install VMware on Linux, then install Win98 in a VM, doesn't the Win98 internet connection get handled by the host OS?
          • I thought the VMs would be protected by the security of the host system, since they're connecting through it.

            Well, to my knowledge, VMWare creates new virtual ethernet interfaces you can lookup with ifconfig.. looks pretty unprotected to me :-)

            • by walt-sjc (145127)
              It depends how you have it configured. Read the docs to understand it.
            • Re: (Score:2, Interesting)

              by simm1701 (835424)
              One of the available options you can configure is the vmware ethernet bridge. This bit of code was donated by the NSA (make of that what you will). iirc the NSA were using vmware to run windows as a client OS with linux as the host OS for security reasons (the vmware network bridge itself being considered quite secure)
          • by netsharc (195805)
            Well, the host OS can act as a NAT (ask Wikipedia what that is) or it can bridge the network connection, and the guest OS gets a valid (globally) accessible IP address. A NAT is a bit safer because it's impossible for a system from the outside to initiate a connection with the guest OS, but if you bridge and the guest OS has an accessible IP address, any system can connect to it. Of course in reality they're connecting to the host OS, but the host OS isn't necessarily set-up to watch the data, instead just
            • by k12linux (627320)
              Of course you can set up a firewall on the host OS
              Actually iptables rules on a Linux host don't seem to have any affect on IP access of VMware clients.
          • by nolife (233813)
            No, A VM has its own network connectivity just as a real machine. The VM host CAN supply the virtual network switch to supply that network connectivity to the VMs but that is it, as far as the VM is concerned, the OSI model still applies and the host simply provides the physical layer. You could run a software firewall on one VM and use that VM to route and provide network access to the other VMs on the same host if you wanted a one box solution. VMWare encourages and collects "user built" VM images and
    • by Bishop (4500)
      It depends on what the software is. It could be old DOS software running on Win98. There is lots of that still floating around. The emulation layer is not perfect. It tends to fail for old, bad, code that mucks with the hardware directly. If the sofware is to control custom hardware (pci/isa card) it is almost certain not to work.

      This is just another example of why it is important to have the source code to business critical software.
  • Yeah, right. Cause it would never happne to you, would it? ;-)
  • I think one of the most important points here is the Operating System. I think it could be an option, if you *really* need to run specific applications on Win98 platform, to install such insecure operating system inside a virtual machine as VMware. I dont care if the operating system is WindwsXP or Linux, but I am sure it will be easier to fix the security hole if you have the OS inside the VM sandbox.

    On the other side, it could be the case (it has been in lots of places were I am from) that such machines a
    • by Isao (153092)
      Erm, virtualization is not a panacea. In this scenario, it appears that the Win98 systems have access to sensitive data because of the legacy applications that require Win98 to run. If you virtualize this under (say) MacOS running Parallels (to try and eliminate the host platform as an infection vector), you are still running Win98 in a VM, and Win98 will still have access to the sensitive data. If the Win98 VM has to be on the network, you are almost back to square one. The only improvement here may be
    • Vmware doesn't work on every system.
      second you need enough ram to be able to run the host and guest OS
      but firstly you need a good enough CPU. a K6(400) wasn't capable for example.

      Maybe an alternative might be to remotely run the guest os using the older PC's as clients.
      or just do the sensible thing and buy some better systems.
       
      • No, VMware doesn't support everything, but server applications are unlikely to have fancy hardware requirements (CPU, RAM, Disk, Ethernet, maybe CD-burner, no video or audio.) A new 3 GHz motherboard and CPU with 1GB RAM and a disk will set you back a good $300 these days, and should be plenty to run that K6-400 application. Do whatever firewalling you need to in front of it, and run as much anti-virus as you can fit. There's certainly no need for the antique application to be exposed to the raw Interne
    • I run it via Win4Lin 9.x over Fedora Core 3. I've never seen ZoneAlarm go off since I put it behind a Linux firewall. To do Windows AV protection, just run F-Prot for Linux, it's got the Windows virus signatures and updates automatically via daily cron job.

      Oddly enough, the only legacy Windows apps I run regularly are Eudora and occasionally, Word and Excel. (I have OpenOffice, at what I do, "minor" compatibility problems aren't) I use the Linux host for everything else.
  • The relationship between the client and the client's customers is most likely not what he is being paid to consult about. He is better off pretending that he never thought of the issue at all.

    Put on your nerd hat, and treat any non-technical issue as unimportant and uninteresting.

  • Disclosure is required if there was any privacy data stored on those systems (peoples names/numbers/ssn/etc), if you do not know which users data was comprimised, all users need to be notified. This is required when it affects gov agencies, I am not however sure about private and commercial entities, although not notifying your customers if their data was comprimised, is asking for trouble, and when word gets out, people will find alternate solutions to what that company provides.
  • All he can do is give the company his opinion that the clients should be told. What management choose to do after that is entirely up to them. Not informing the customers is the decision of the executives, and any resulting problems this causes are therefore their responsibility.

    Informing customers may also cause problems for the company that are disproprortionate to the damage done. If this friend informs the clients himself, he could be held responsible for harm done to the company.
    • by b0s0z0ku (752509)
      Not informing the customers is the decision of the executives, and any resulting problems this causes are therefore their responsibility.

      Well, if not informing the clients violates some data protection laws (as another poster said it did in Calif.) the management might be committing a criminal offense by not reporting the breach. If he knows about it, he'd be obligated to report this to the police. Otherwise he might be charged with being an accessory or abetting the crime if criminal charges were ever

  • First - CYA (Score:4, Insightful)

    by hrieke (126185) on Monday November 06, 2006 @08:48AM (#16733817) Homepage
    Cover Your Ass.

    Document everything. If there where conversations and meetings, send out a follow up email with the notes of what was talked about. Keep copies of everything, make backups and place them in a bank.

    The second part comes if the company is publicly traded or not. If so, and these Windows 98 machines hold trade secrets or the accounts logged in had access to trade secrets stored elsewhere on the network, then the company is in some deep doo-doo, otherwise tell him to buckup and carry on.

    • by suv4x4 (956391)
      Cover Your Ass

      Cover his ass? Hmm .. ok.

      Question: "How to manage a security breach".
      Answer: "Cover Your Ass".

      That's the community spirit and responsibility I'm talking about, atta boy!

      Now I ask you too: which is worse, that people ask how to handle a major security breakdown on slashdot, or that from over 100 posts, at the time of this posting, none is modded 5+ for anything...
      • by hrieke (126185)
        Point of the problem is that this goes deeper than just "managing a security breach"- there are questions that need to asked and those questions have very little to do with the data potentially stolen.

        For instance, if the company is publicly traded, the data breach should be part of the the SEC filings, yes?
        Lawyers will be involved, and perhaps lawyers who's interests are NOT alligned with yours- lawyers who are thinking of minority share holders for example, or seeking to place blame away from those who au
  • Thieves broke into one of the Corporate offices of the company i work for and stole several thousand dollars worth of computer equipment, including laptops with employee and customer information on them. All customers and employees were notified the next day and advised to post a fraud alert with the credit agencies, complete instructions on how to do so were included in the email. The company was completely transparent in how they dealt with the information loss, and to my knowledge no fraud was committe
  • by mccalli (323026) on Monday November 06, 2006 @08:58AM (#16733911) Homepage
    As a consultant, your client is the company itself and not that company's customers. You've informed the company, now document it to make sure that's known. Ensure the right bit of the company is informed (ie. compliance, not just your local boss), document and you're done.

    Now, if the real question was "should I inform the company's customers because I think this is very important to them?", well you're on an entirely different path and ultimately only you can decide that. Without knowing the details of what might have been disclosed, no-one here can even give you an informed opinion let alone a set of instructions. But as far as what you must do is concerned, then see paragraph one.

    Cheers,
    Ian
    • by nahdude812 (88157) *
      It's ultimately the company's decision whether they report it to their customers or not. Especially as a contractor to the compromised company, you have no authority or right to disclose anything that the company doesn't want you to.

      Unless of course you suspect something illegal is being done by the company (eg criminal withholding of proper disclosure), in which case you should:
      1) Hire a lawyer today (maybe yesterday)
      2) As mentioned repeatedly, document everything, and make sure you notified the correct c
  • by user24 (854467)
    This is a really hard problem, especially given that I don't know what how sensitive the sensitive information might have been, but the bottom line for me (as a client, MD or security guy) would be; disclose.

    I come to this conclusion from an evaluation of worst-case scenarios;

    possible results:
    harmful use of customer data, harms client
    disclosure, harms company reputation

    I am assuming that the harmed client would not know that company at fault. we shall call this 'harm1'
    If the nature of the data means that a
    • This kind of thinking is nasty.

      I'm not saying you are nasty, but the risk/benefit ratio analysis is certainly psychotic. The ultimate example is that of the air plane manufacturer doing a similar study;

      1. If we fix a known fault in all our aircraft, it will cost us 1 Billion Dollars.
      2. Over the lifetime of the aircraft, lawsuits due to death and injury resulting from the fault will cost us only 500 million.
      3. Don't fix the fault; it's less expensive in the long run.

      Money isn't everything. Doing the right
      • by user24 (854467)
        yeah I know. I was going to prefix my comment with "replying in business-speak that your manager will understand".

        You shouldn't even need to do this to know what's right, but the thing is, no company ever just does what's right; they -need- to have this type of wank.
      • by qwijibo (101731)
        In business, money is everything. 1 billion dollars is something that adversely affects the bottom line more than 500 million, making it a bad business decision. Speaking about the right thing is the easiest way to lose the attention of business people. Though, there are often other factors that can turn the right thing into a bottom line benefit. For example, avoiding damage to the company's reputation would be good for future contracts. Also, death and injury frequently cause new laws which could res
  • And guess who's going to be in the shit if valuable information gets leaked? The execs that covered it up? Noooo.... the poor sap they convinced not to tell anyone about it.

    Get everything in writing. If possible get signatures. If you need them for references get then *now* before anything goes wrong.
  • The company maintains dozens of Windows 98 desktops to support legacy software that cannot be easily replaced

    It's really time to consider that while it may not be easy, it's time to hire some programmers and write that replacement. Really. Win98 support is going to get more and more difficult, to the point where it is no longer reasonable to support it at all. Will it be too late for your company when that time comes?

  • by yebb (142883) on Monday November 06, 2006 @09:07AM (#16733997)
    As a consultant, it's not your place to dictate how another company defines it's business strategy.

    You've said your bit to promote disclosure (I assume), make sure that there is a paper trail detailing that, then let them run their business how they see fit. Possibly into the ground.

    If you're a third party contractor, and you start letting loose about your clients, thats not a good way to give yourself credibility. Remember that the management team for this company has likely spoken to their lawyers, possibly other security experts. There is the remote possibility that they know what they are doing.

    • by asuffield (111848)
      Remember that the management team for this company has likely spoken to their lawyers


      Only large companies have lawyers on staff to handle this sort of advice. This sounds like a small company, who will be billed by the minute for all legal advice. They will not speak to their lawyers unless they have no choice. They will not ask them for advice on such matters. Small companies never do.
  • I dunno... I'd be more embarrassed that the company was still using Windows '98 because it didn't want to replace their legacy software. Oh, I know, I've heard it all before... there's no replacement for it, it would be too costly, blah blah blah.

    But there almost certainly IS a replacement for your legacy apps, and your employer is being stupid by continuing to use it. Instead of paying the cost of replacement, they're paying the cost of NOT replacing it... higher IT staffing costs, decreased security, an
  • by wirefarm (18470) <[jim] [at] [mmdc.net]> on Monday November 06, 2006 @09:13AM (#16734053) Homepage
    Why are these machines connected to the Internet?

    If they are insecure, sandbox them or cut them off completely.

    If they need some kind of network access, use a whole shitload of proxies and firewalls and a carefully-monitored snort install and babysit the hell out of it until they can be secured.

    No, forget that. Get them off the net completely.
  • There is absolutely no reason for those machines to have had (or have currently) unfettered access to the outside world. If they're required to support a funky app then their outbound access should be bound to a specific port or set of ports and a specific destination or source IP. There is no excuse for this kind of setup. I too have seen many situations just like this which were made to have much less of an impact by limiting the outbound access of the machines. For example does your mail server reall
  • I can bet with near 100% certainty that I could walk into nearly any enterprise network, jack into the core on a mirrored port and find at least a few owned machines. If you are on a windows network and the clients have access to the internet there are some that are compromised...period. It takes constant monitoring and even then you are performing damage control. Keep your internal secuirty policies tight this will help to reduce the risk slightly.
  • If I ever learned that the company responsible for protecting my security covered up a breech, they would be GONE. That day. That shows an incredible lack of integrity on your company's part. There's really nothing you can do to help your situation there. Eventually someone will catch them and that will be their undoing. Anyone around them will be tarnished. The best thing you can do is put the resume to work, DOCUMENT EVERYTHING, and talk with a lawyer that specializes in these things, there are pr
  • At least they don't have to worry about nuking the site from orbit.

    That window of opportunity has closed.
  • The first thing to do is talk to the lawyers and make sure that they understand EXACTLY what has happened. If there is, or might be, a legal obligation to make disclosures, the company would have to be run by total fools not to do so. If the lawyers say disclose and the management waffles or decides not to, it's probably time to bail.

    Second, all the smoke and mirrors notwithstanding, Windows 9 probably is not much more (or less) insecure than NT based Windows. They both suck as far as I can see. If an

  • Do not disclose until there is evidence that the information has been used. The people who received the data might not know that they have it and they will not be able to find it without further information. Once you go public, they will start looking for it.

    So, until you've got evidence that they already did use the information, you should seriously consider keeping silent. Even mentioning the name of the company could lead to a series of IP-addresses and hence to the data.
  • his only choice is to quit working there. He is only a consultant, so he can make recommendations, but the company is free to ignore him. Odds are that he is likely to be bound by a non-disclosure agreement regarding the network and data situation at the company, as well.
    • by b0s0z0ku (752509)
      Odds are that he is likely to be bound by a non-disclosure agreement regarding the network and data situation at the company, as well.

      If not reporting the breach is a criminal act, the NDA might be trumped by criminal law. For example, an NDA created by the Mafia that requires employees not to disclose murders to anyone outside the organization wouldn't stand up in court :)

      -b.

      • by teflaime (738532)
        Ah, but if the company has the duty to dislose/report, then the contractor is free of liability unless he is contractually obligated to handle/protect the data. That doesn't sound like the guy's situation. Sounds like he was just brought in to tell them how to tighten up their security. The company retains control over and responsibility for their data, thus the responsibility to dislose and the penalties for not disclosing.
  • I guess nobody noticed the "gigabytes of data" that was being pumped through the company's Internet pipe? Also, how do you know the server was actually in Eastern Europe?

  • by Lumpy (12016) on Monday November 06, 2006 @10:07AM (#16734597) Homepage
    #1 - run the hell away. if the client is not interested in doing what he suggests then he is wasting time. those 98 machines should have been on a secure private network with no internet access for years now. if the company refused to do that he should have said, "then you will have no security, your data can and will be stolen eventually, are you ok with that?", if they say yes, have them sign off on a hold harmless waiver. always end that statement with that question. it delivers ownership of the problem to the exec and allows you to CYA.

    when the security breach happened like this you can then say "executive XYZ said he was ok with that, see here is his sign off acknowledging that fact.

    Secondly, win98 apps can be ran in a virtual system that would have allowed him to have some security.. why did he not do this? was the client a cheapskate and refused to pay for anything?? if so then once again it's a run away situation.

    This could have been avoided, it would not have been cheap, but it could have been avoided. IT consultants need to have the balls to tell a customer "NO! you have to do it this way." because they are paying you to be the expert. If they do not listen to you sugges they hire the "geek squad" from best buy then if all they are looking for is IT people that will do what they are told.

    Can you tell I am fed up with incompetent clients that say they want security but refuse to pay for it?

    • by dkleinsc (563838)
      Something else to watch out for: If the exec utterly refuses to take ownership of the problem, then a possibility is that the exec was aware of the potential breach, was unable to get higher-ups to pay to fix it, and wanted the consultant around to pass the buck to and/or sue when it hit the fan.
    • by dbIII (701233)
      Secondly, win98 apps can be ran in a virtual system

      Some Win98 installs I've seen are there for hardware reasons (expensive specialised A/D conversion cards in industrial machines with a few processor boards on the backplane) - but they are not on any networks.

  • Make sure that those Win98 machines are isolated from the Internet. Get an old box, fit two NICs and as much RAM you can find, and install Debian. Configure your IPTables to block everything in either direction. Add rules to allow through only whatever you really need and log the most suspicious stuff. If there's e-mail involved, use the Debian box (which will have the excellent Exim MTA installed by default) as an SMTP server -- set your ISP's real SMTP server, or your company's Microsoft Exchange se
  • If the software can handle it, run the entire mess in a virtual environment, in a secure OS. Have the hosting OS take care of opening only the ports necessary for the software to run.
  • For this reason the company wanted to play it safe and disclose nothing.

    Wellll there's yer problem!

    --Rob

  • In the middle of a security breach [cbsnews.com]? If it's really bad, like publishing nuke secrets in Arabic on the Internet while you're inciting the terrorist world [dailykos.com], you should "stay the course" [dailykos.com]. Accuse those disclosing the breach to authorities of "emboldening the enemy" and "disclosing security procedures". Attack, attack, attack. You'll get to keep your job, though your company might go out of business, perhaps in a mushroom cloud. Then you could claim you'd been "right all along", while you burn in hell for eternit
  • You should draft an official document stating that you have consulted with experts, curiously named 'Anonymous Coward', and are following their recommendations.

  • The issue is not one of the company's obligation, but that of the consultant to the company. So the first issue is not that the consultant is required to tell anyone outside the company, but weither the company should. Generically, if there is a security issue - the obligation for the security consultant it to inform "the company" of this fact. Write up your recommendation, and send it off to everyone to whom you deal with, who should know. CC yourself.

    It is the C-Suite that is responsible for the securit
  • In many states now there are consumer protection acts that require companies to inform those that may have had their information comprimised.

    http://www.networkworld.com/news/2006/010606-data- breaches-law.html?fsrc=rss-security [networkworld.com]

    Of course it may different for your state as it's not nation wide that I'm aware of, but the fact still remains it is illegal in almost half the states in this country to "keep it quiet". More over, he WOULD be implimented in this mess as he knows of the problem and doesn't say anyth
  • With the new SOX and other recent legislation, companies are now often required to divulge when customer information is leaked. Do you think places like sayign they leaked 20000 people's personal records? They don't, but they also don't have a choice in the matter. If the place you are working for is fairly large then you could potentially be held liable for helping keep this swept under the rug. Read the law and figure out what the right thing to do is and do it!
    • SOX has nothing to do with this, dipshit. I know it is a popular law to throw around because you've heard about it in the trade press, but it has to do with accuracy of financial reporting, not data breaches of customer data. Closest SOX gets to this is requiring audit of controls on the company's own financial information and the requirement to disclose events that may negatively affect future numbers. You could kind of fit that last bit into SOX if the data disclosure became public and hurt share prices,
      • by cblack (4342)
        I apologize for the flammage ahead of time. Perhaps I was just in a bad mood, but people (especially on slashdot) seem to misrepresent some of the recent corporate confidence laws. I admit I am no expert myself, but I do know SOX does not specifically address data breaches.
  • (disclaimer - I've been doing this WAY too often :-)

    AFAIK you're facing a legal requirement for disclosure, but also a PR nightmare if you mishandle it. If your DR and BCP doesn't say anything about media handling you ought to give its author a bit of a heads up - the disclosure is going to be painful enough, mishandling how you tell the customers this (and the press) can cause serious harm to your customers.

    I won't address the legal issues - that's what lawyers are for. Tech stuff you will have covered b
  • Find out how likely it is that you can be considered an accomplice to a crime when the break IS discovered and the owners of the company are pointing fingers trying to reduce sentences. It's really easy for them to say they never got the message from you and dump the whole thing in your lap.

  • netr00t's got solid advice for you.

    http://slashdot.org/~netr00t [slashdot.org]

    I would add, get a Lawyer, as in, have a Lawyer (anyway).
    If you're in the USA, you should know by now, mostly morons make the "rules" of conduct, try not to participate.
    Pay the Man:

    http://www.forescout.com/index.php?url=products&se ction=activescout [forescout.com]

    http://www.winternals.com/ [winternals.com]

    Useful:
    http://www.sysinternals.com/SecurityUtilities.html [sysinternals.com]

    http://www.porcupine.org/forensics/forensic-discov ery/ [porcupine.org]

    http://www.fish2.com/tct/help-when-broken-into [fish2.com]

    Firewalls a

The meat is rotten, but the booze is holding out. Computer translation of "The spirit is willing, but the flesh is weak."

Working...