
How To Manage a Security Breach?

Salvance writes, "A friend of mine has recently been stressed over a security breach at the company he consults for. The company maintains dozens of Windows 98 desktops to support legacy software that cannot be easily replaced. Due to the inherent lack of security in Win98, a worm was able to infiltrate almost every computer and send gigabytes of data (possibly including sensitive company data) to a 'redirector' in Eastern Europe. My friend was working on other security projects at this company and stumbled across this massive hole. He quickly convinced company executives to remove Internet access from all Win98 machines, purchase better firewalls, and implement other data protection strategies. However, the sticking point was client notification. Due to the nature of the legacy systems, there was no way to know what data was transferred. For this reason the company wanted to play it safe and disclose nothing. Of course, my friend is all for disclosure and preventing harmful use of the potentially leaked data. My friend doesn't know what to do, so I'd like to know what others here think."

  • by Harmonious Botch ( 921977 ) * on Monday November 06, 2006 @09:32AM (#16734213) Homepage Journal
    Your 'friend' has already screwed up. (Sorry to put it that baldly, but he has.) He was hired to deal with security issues, not legal ones. He never should have discussed client notification with them. When he starts expressing opinions about that, he is way outside of what he contracted to do. He may not have recognized this breach of manners, but, I assure you, they have.

    Now, if he - or anybody else - leaks this, management will assume that it was him.
  • by Lumpy ( 12016 ) on Monday November 06, 2006 @10:07AM (#16734597) Homepage
    #1 - Run the hell away. If the client is not interested in doing what he suggests then he is wasting time. Those 98 machines should have been on a secure private network with no internet access for years now. If the company refused to do that he should have said, "Then you will have no security, your data can and will be stolen eventually, are you OK with that?" If they say yes, have them sign off on a hold harmless waiver. Always end that statement with that question. It delivers ownership of the problem to the exec and allows you to CYA.

    When the security breach happened like this you can then say "executive XYZ said he was OK with that, see here is his sign-off acknowledging that fact."

    Secondly, Win98 apps can be run in a virtual system that would have allowed him to have some security. Why did he not do this? Was the client a cheapskate and refused to pay for anything? If so then once again it's a run away situation.

    This could have been avoided. It would not have been cheap, but it could have been avoided. IT consultants need to have the balls to tell a customer "NO! You have to do it this way." because they are paying you to be the expert. If they do not listen to you, suggest they hire the "Geek Squad" from Best Buy then, if all they are looking for is IT people that will do what they are told.

    Can you tell I am fed up with incompetent clients that say they want security but refuse to pay for it?

  • by simm1701 ( 835424 ) on Monday November 06, 2006 @10:13AM (#16734643)
    One of the available options you can configure is the VMware ethernet bridge. This bit of code was donated by the NSA (make of that what you will). IIRC the NSA were using VMware to run Windows as a client OS with Linux as the host OS for security reasons (the VMware network bridge itself being considered quite secure).
