
What to Do When Your Security is Breached

ScuttleMonkey posted more than 7 years ago | from the set-fire-to-the-servers-and-run dept.

Security 177

ancientribe writes "When you've got a full-blown security breach on your hands, what do you do? If you've been smart, you'll already have a computer security incident response team — and a plan — in place. But many companies are too resource-strapped to have a full-blown, fully-tested incident response strategy. DarkReading has some tips on what to do — and what not to do."


177 comments


Well... (0, Troll)

Anonymous Coward | more than 7 years ago | (#18493907)

Next time, run OpenBSD. If you don't, expect to be pwn3d.

Re:Well... (1)

beckerist (985855) | more than 7 years ago | (#18493977)

Just so you all know, this is really only applicable to big business. Heck, their first suggestion:
1. Assemble an incident response team
suggests to "assemble a legal team." Personally, I'm not all for calling my lawyer for a few c1al15 and v14gr4 popups.

Re:Well...I'll give you some help (1, Funny)

hguorbray (967940) | more than 7 years ago | (#18494731)

Just post your IP addresses and remote access logons and I'll be glad to help with your break-in! I promise I'll take the data and put it somewhere safe - and offshore. No payment up front, but trust me - I will be getting back to you. - I'm just sayin'

A good start, but... (4, Insightful)

IL-CSIXTY4 (801087) | more than 7 years ago | (#18494901)

The most secure OS in the world wont protect you from a poorly-coded app. How many people are trying to crack your server at the OS level vs. the number of people looking for SQL injection vulnerabilities?

Nobody??? OK, I'll do it (0, Troll)

battery111 (620778) | more than 7 years ago | (#18496091)

The above comment would be correct, were it not for the fact that *BSD IS DYING!!!

Do what the government does. (4, Funny)

Anonymous Coward | more than 7 years ago | (#18493915)

When your security is breached by a handful of thugs you must immediately run out and attack a random neighbor's house.

Re:Do what the government does. (1)

StewedSquirrel (574170) | more than 7 years ago | (#18494351)

Off topic, but funny.

FIRST SECURE TROUT! (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#18493917)

i Am A fIsH!

Wrong fish (0)

Anonymous Coward | more than 7 years ago | (#18494057)

Silly trout -- security is for blowfish!

The problem is (4, Insightful)

Rosco P. Coltrane (209368) | more than 7 years ago | (#18493935)

many IT managers decide to purchase Microsoft so when something happens, well, "we couldn't go wrong with Microsoft" or "it's Microsoft, not us". Unfortunately, that's the extent of their plan, after pulling the network cable, i.e. cover their asses.

Re:The problem is (3, Insightful)

Archangel Michael (180766) | more than 7 years ago | (#18494063)

Bingo.

I would further add, that they chose Microsoft because Microsoft promises lower TCO through lowered administrative (geek) needs.

I suppose that most Microsoft shops wouldn't even know if they were breached, because most breaches don't actually destroy data, they just steal it.

Re:The problem is (5, Interesting)

cptgrudge (177113) | more than 7 years ago | (#18494495)

I suppose that most Microsoft shops wouldn't even know if they were breached, because most breaches don't actually destroy data, they just steal it.

It's so much worse than that.

Back in my younger days at a summer tech job for a US school district, I found that an NT4 SQL server had been compromised by a group of people. They were based out of France, I think, from what I could tell from the IP addresses, and had actually set themselves up quite nicely, with organized file structure and their own IRC and FTP server running on it. They were using it as a repository to store files and a few French movies. After I told the sysadmin in place at the time about it, I was stunned when he said, "Well, are they hurting anything?"

After some persuasion on my part, he rebuilt the server. Three times. After it kept getting hacked by the same people.

Re:The problem is (0)

Anonymous Coward | more than 7 years ago | (#18494813)

They were based out of France...

Hmm... you know who else is based out of France? Microsoft. They're based in Washington State, which is way out of France. Really makes you wonder, doesn't it!

Re:The problem is (2, Insightful)

Anonymous Coward | more than 7 years ago | (#18495023)

Back in my younger days at a summer tech job for a US school district, I found that an NT4 SQL server had been compromised by a group of people. They were based out of France, I think, from what I could tell from the IP addresses, and had actually set themselves up quite nicely, with organized file structure and their own IRC and FTP server running on it. They were using it as a repository to store files and a few French movies. After I told the sysadmin in place at the time about it, I was stunned when he said, "Well, are they hurting anything?"

After some persuasion on my part, he rebuilt the server. Three times. After it kept getting hacked by the same people.


Seems to me the problem was an incompetent system administrator and not the OS.

Re:The problem is (1)

644bd346996 (1012333) | more than 7 years ago | (#18495339)

Seems to me the OS made it too easy to change the defaults to something less secure. At the very least, you should have to read a man page to figure out how to turn off your security so thoroughly. Or is it just that the OS was insecure by default?

The REAL problem is... (0)

Anonymous Coward | more than 7 years ago | (#18495851)

Here's a great idea: implement a fleet of Lunix servers maintained by a fleet of consultants. That way, when (not IF) you get hacked, nobody will really know it, and nobody will actually be accountable! It worked for Munich, it can work for you! Go go infinite billable hours!

Lunix: the "cover your ass" alternative for spending other people's money!

Got r00t?

What to Do When Your Security is Breached? (2, Funny)

Anonymous Coward | more than 7 years ago | (#18493947)

Complain! Call the help desk!

Re: What to Do When Your Security is Breached? (0)

Anonymous Coward | more than 7 years ago | (#18494513)

Call helpdesk... hold it, I am the helpdesk, security and system administrator.
 

Get MyPW for your Linux Servers (0)

Anonymous Coward | more than 7 years ago | (#18495447)

MyPW [mypw.com] just released a PAM module that allows you to use their password token on as many different Linux servers you install it on. It's pretty cool, I just installed it last week on 5 servers.

What to do? (0)

Anonymous Coward | more than 7 years ago | (#18493951)

Grab your ankles, and kiss your ass goodbye!

That'll learn you not to use Microsoft again.

Dispatch the Tie Fighters (5, Funny)

klenwell (960296) | more than 7 years ago | (#18493961)

But since ours is a relatively small company, we went with the open-source Thai fighters.

Re:Dispatch the Tie Fighters (1)

Thanster (669304) | more than 7 years ago | (#18494855)

So, is that the Empire's finest or those deadly Bangkok Chickboys? *confused*

Send The Terminator: +1, Helpful (-1, Troll)

Anonymous Coward | more than 7 years ago | (#18493965)


on a friendly mission to Al-Qaeda Headquarters [whitehouse.org] .

I hope this helps.

Seditiously,
Kilgore Trout, C.E.O.

How about... (2, Funny)

had3l (814482) | more than 7 years ago | (#18493983)

Run from side to side?

my plan (5, Funny)

trybywrench (584843) | more than 7 years ago | (#18493987)

Kent Brockman: So, professor, would you say it's time for everyone to panic?
Professor: Yes I would, Kent.

I love these content-free articles (5, Funny)

Anonymous Coward | more than 7 years ago | (#18493989)

what to do if you burn your hand:

1. first, remove your hand from the burning stove.
2. use ice to cool your hand
3. seek medical attention.

wow. Thanks. I never would have figured any of that out on my own.

Re:I love these content-free articles (5, Funny)

Kandenshi (832555) | more than 7 years ago | (#18494207)

eh? Your steps are a bit off :P Don't use ice to cool a burn, you're likely to cause further damage. Just use running cold water to cool things down. I'd also suggest tossing a bit of sterile gauze over it too, if things are more than mildly bad.

"To treat a minor burn, run cool water over the area of the burn or soak it in a cool water bath (not ice water). Keep the area submerged for at least 5 minutes."
http://www.nlm.nih.gov/medlineplus/ency/presentations/100213_1.htm [nih.gov]

"Flush the burn with cool running water or apply cold- water compresses (a wet towel or handkerchief) until the pain lessens. Do not use ice or ice water, which can cause more damage to the tissues."
http://www.personalmd.com/healthtopics/crs/burn1.htm [personalmd.com]

*emphasis mine*

Re:I love these content-free articles (0, Troll)

Joebert (946227) | more than 7 years ago | (#18494833)

Two questions.
1) If sterile water is unavailable, will non-sterile water work well enough ?
2) Is non-sterile gauze cheaper than sterile gauze, & if so, where can it be purchased ?

Re:I love these content-free articles (1, Funny)

Anonymous Coward | more than 7 years ago | (#18495011)

non-sterile gauze is any gauze that has had its packaging compromised (or opened). So, it was sterile until such time as you opened it. Now, if you really want to buy non-sterile gauze - open it before you pay for it. The price won't be any different though.

Re:I love these content-free articles (0)

Anonymous Coward | more than 7 years ago | (#18495173)

Two questions.
1) If sterile water is unavailable, will non-sterile water work well enough ?
Sure, if you want an infection ;) (Chlorinated) Tap water is fine.

2) Is non-sterile gauze cheaper than sterile gauze, & if so, where can it be purchased ?
most likely, but see above

Re:I love these content-free articles (1)

Mikkeles (698461) | more than 7 years ago | (#18495287)

'If sterile water is unavailable, will non-sterile water work well enough ?'

Yes in cooling the burn, but may cause infection if the skin is burnt off.

'Is non-sterile gauze cheaper than sterile gauze, & if so, where can it be purchased ?'

In grocery and kitchen supply stores under the name "cheesecloth".

er, don't do that (1, Insightful)

Anonymous Coward | more than 7 years ago | (#18494259)

According to my first aid training, never ever use ice. It can cause further tissue damage. For small burns, run large amounts of cool but not cold water over the burn. Larger burns, soak a CLEAN towel in cool water.

From personal experience (unfortunately the personal experience came before the Red Cross training), running cold water over a burn causes excruciating pain about 30 seconds after the cold source is removed. My theory is that the cold constricts blood flow, and after you remove the cold source, the blood starts coming back through the damaged tissue area and oh my god does it hurt.

Re:I love these content-free articles (1)

UnknowingFool (672806) | more than 7 years ago | (#18494295)

You forgot

4. ???
5. Profit!

Re:I love these content-free articles (1)

FMota91 (1050752) | more than 7 years ago | (#18494413)

In fact, 4 is likely to be "Sue your employer for buying computers that are capable of burning you, especially when exposed to a security breach."

Unless you live in other parts of the world where suing isn't so easy (i.e. Not America), in which case you were spot-on.

Re:I love these content-free articles (4, Insightful)

vux984 (928602) | more than 7 years ago | (#18494359)

Based on the other (correct) replies about not using ice to cool your burnt hand we can conclude 2 things:

1) You apparently shouldn't rely on what you 'figured out on your own'.
2) In addition to getting a plan for a security breach you should also look at getting some help with your first aid plan too.

Running water, not ice (1)

Foerstner (931398) | more than 7 years ago | (#18494371)

Ice will just make it worse. [stjoehospital.com]

Only thing worse than a hollow article is a wrong one.

Re:Running water, not ice (1)

maxume (22995) | more than 7 years ago | (#18495159)

That's just the advice problem though. If for some reason you have a big fire in the middle of a big field of snow and you end up having to stick your hand in the fire, by all means use the snow to cool your hand back down to normal temperatures. The 'don't use ice' thing comes from the part where cold 'soothes' the burn, but too much cold does damage; getting the flesh back down to normal temperature mitigates the inflammation response (which is short term) and stops the spread of the burn, and is the body's way of overriding the brain, things that are swollen are hard to move and painful, which makes you treat them nicely, and is a good thing, but is actually somewhat contrary to healing (which is long term). Cold water does all the making it feel better, but without the damage. There isn't any good way to convey that a little ice goes a long way, so the advice comes out as 'don't do that' (and it's right the vast majority of the time, but not 100% of the time).

Re:I love these content-free articles (0)

Anonymous Coward | more than 7 years ago | (#18494803)

My thoughts exactly.

I dunno, it's sorta... news to me (4, Interesting)

Moraelin (679338) | more than 7 years ago | (#18494955)

I don't know, their approach seems kinda... dangerous to me, but maybe that just shows that they're the big security gurus and I'm just a lowly coder. Maybe I can learn something from them. Or maybe they're talking out the ass, I dunno.

For starters the advice to wait until the whole team is assembled, including the accountants, lawyers, etc, then holding meetings to determine your strategy, etc, before even unplugging the damn thing... dunno, it seems to me bordering on criminal. Yes, you don't want to let one lone cowboy handle it from end to end, but a trained admin could at the very least be able to unplug the computer from the network and isolate the damage before it goes any worse. Or know enough to decide if it has to be unplugged. But if he thinks it is, it should be step #1 not IIRC step #4 after you're done holding your meetings and informing the employees and having PR draft the vaguely worded announcement that tries to make it sound unimportant to your customers.

Waiting for the designated accountant, and the designated lawyer, and the HR guy, and God knows who else to arrive at the middle of the night and hold their meeting while a breach is in progress and someone is downloading your productive database, seems to me dumb to the extreme. To reuse your example, it's like saying you should keep your hand in the stove until you talked to your lawyer and your doctor and a designated family member, make sure you have a strategy, and only then pull the hand out. By that time, it could be burned to a crisp.

I mean, by the elder Gods, especially when you include such non-techies... surely you've seen these guys when they have to give you a spec for a program. If you wait for them to hold a meeting on such technical issues as "are we in agreement that we need to unplug the server?", at least one goes into responsibility avoidance mode and refuses to be remembered as the one who took any decision, at least one goes into alpha-dog-pissing-on-everything-to-mark-his-territory mode, etc. It's a meeting that could well take hours without going anywhere.

Frankly. I'd rather just trust the "cowboy" admin to know his job well enough, and know whether he needs to unplug the servers because of a serious breach, or just let it be if it's just a DDOS, while the non-techies deal with their own domain of competence. There is _nothing_ a non-techie can add that's meaningful to that kind of an inherently techie decision. Just like you don't have the admins tell the company lawyers what to do, have the decency to not have the admin hang around and wait for the lawyers to tell him what to do. It's not only a better use of the admins' time, it's also a better use of the lawyers' time, who could be doing something that's a better use of _their_ skills in that time.

I'll agree, though, that the advice at step 1 seems to be dangerously content free. It's something which, although it may sound otherwise, actually no one ever actually did as such. Even if one "cowboy" admin did offer to contain the incident, it's not like someone let him deal with the _whole_ affair, including the HR, legal and financial aspects. Which are the domains they mention that you need on that team. More likely the "cowboy" just dealt with the servers, while the lawyer did his own job, the HR guy did his own, etc. I don't think (m)any people let the admin draft the press release too, for example. So the whole "don't let one 'cowboy' deal with it all" advice is basically like saying "don't try to fly on a broomstick off a bridge": you weren't actually planning to do that anyway, and it's not really giving you any insight you didn't already have.

Finally, I don't know, maybe I'm just paranoid by trade, but the whole thing looks more like PR and a bit of an IT-for-PHBs magazine than anything actually serious about security or IT. It reads like little more than an advertisement for the three companies they mention, with a bit of a scare theme to make you contact them ASAP, than anything else. I'm also a tad circumspect when security quotes (or similar domains) come from a CTO than from a well known security expert.

And that doesn't just apply to this article, but the whole list of other articles I can find there reads like that: a nice mix of just enough vague IT-for-PHBs lightweight reading (you want those guys to feel like you turn them into bigger experts than their employees, but not actually make them use their head too much), a bit of "nice company you have, bub, it would be a shame if... something... were to happen to it" scare, and just a dash of quotes from some company who can solve that problem for you. As I was saying, maybe I'm just paranoid about PR lately and they just incidentally actually did some research as to what is the best company to contact for that kind of problem. But my gut instinct says it's too neatly packaged to be for real. Then again, the gut instinct might be just that Chinese food I had ;)

Re:I dunno, it's sorta... news to me (4, Insightful)

Bender0x7D1 (536254) | more than 7 years ago | (#18495509)

Depending on what you want to accomplish, pulling the plug or the network cable isn't something you want to do. If you want to catch the people who did it, instead of just minimize the damage, you need to approach this from a forensics POV. If you power-off the system, you lose everything that is stored in memory, which may be the only location where an important email, webpage or IP address is stored. Without this information it may not be possible to track down the attacker. Yes, if they are communicating directly with the machine, you can get this info from a router or even the ISP but, if they are using some sort of anonymizer, you can't. Also, the rootkit (or whatever) may have a self-destruct built-in; can't communicate for 3 minutes, delete and overwrite everything. This would mean pulling the network cable will destroy any important information on your system. You might have backups for your data, but you don't for the attacker's information.

Another important consideration is that powering down the system may prevent any information that's gathered from being admissible in court (U.S. jurisdiction). For example, can you guarantee that the email address on the disk is the attacker's email, or is it from an email sent or received, or something else? Since you didn't shutdown properly, you may not be able to claim that the address is really attacker124@gmail.com, but might be attacker123, or attacker224, etc. - meaning no warrant and no charges. There are devices out there that you can plug into a USB port that will attempt to copy everything from RAM just so you have a complete record - then you can pull the plug, since that will prevent the hard drive from being written to. This preserves the information and it can be used as evidence. Whatever you do, don't do a normal shutdown.

So, a reason you might want to wait for your lawyers and HR people is to determine if you need to worry about prosecution, or just make the problem go away. If they compromised an old desktop, or the web server in your DMZ, you might decide that it isn't worth it to pursue a conviction - lawyer's call - they know how expensive/difficult it will be. If the system holds personal information, the HR guy may need to help make the call. Ex. - Do you have to report a breach to all of your customers? Just employees? No reporting required, it isn't the info designated under the laws and/or regulations. Now, if it is a development server, you might want to leave it live if you suspect corporate espionage. You can bring in the feds and let them assess the situation. You might also want to buy time to work with your ISP to trace the attack. Your actions should be done based on what the server contains and its value - which is why you have the CIO or CEO in the room.

Now, a lot of this may not apply to your situation, but it isn't a black and white issue. There are a lot of things to consider. If you want some good information, I would recommend any of Brian Carrier's work - papers and his book. I have read a couple of his papers and they were really good and, while I haven't read his book, it has been recommended to me by others.

What to Do When Your Security is Breached? (-1)

Anonymous Coward | more than 7 years ago | (#18494039)

gaysecks!!

lots of man on man
and woman on woman

yes....

This is slashdot (-1, Offtopic)

davidwr (791652) | more than 7 years ago | (#18494133)

Around here, we practice gay.goat.cx :)

Pull the plug!! (1)

DogDude (805747) | more than 7 years ago | (#18494059)

First thing to do is to pull the plug, and stop any further damage. After you're not connected to the Net, THEN you can figure out what happened and how to fix it

Sometimes yes sometimes no (2, Interesting)

davidwr (791652) | more than 7 years ago | (#18494157)

I'm not sure if you meant the RJ45 or the AC plug.

In some cases, you may NOT want to pull the plug.

Sometimes proper forensic evaluation requires both plugs remain attached until the experts are done.

As the article said though, sometimes you have to balance continuing harm with the need to preserve the crime scene.

Re:Sometimes yes sometimes no (1)

cheater512 (783349) | more than 7 years ago | (#18494211)

Well after running 'netstat -pav' it's reasonably safe to pull the RJ45 plug since you have a record of any connections incoming.
After that logs of stuff like 'ps aux' and syslog along with a backup of the hard drives allows you to pull the AC plug.

not necessarily (4, Insightful)

davidwr (791652) | more than 7 years ago | (#18494241)

If you are 0wned, don't trust anything the box self-reports.

Re:not necessarily (2, Interesting)

Atlantis-Rising (857278) | more than 7 years ago | (#18495627)

Aye. Second part of that:

If you are big enough to have an Incident Response Team worth talking about (ie, more than the single IT guy), you should have separate security analysis/reporting ability beyond what the box will report.
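One concrete form of the "separate reporting ability beyond what the box will report" that davidwr and Atlantis-Rising describe is to compare what the host says about its own connections with a record taken off the box, such as a firewall or flow log. The script below is an added example for this thread, not code from any poster; the netstat output, the firewall log lines, the snapshot time and the addresses (documentation ranges) are all constructed.

```python
"""Compare the connections a possibly compromised host reports about itself
with an independent record taken off the box (a firewall or flow log).
Added example, not code from the thread; the netstat output, the firewall
log and the snapshot time are constructed samples."""
import re
from datetime import datetime, timedelta, timezone

# Constructed `netstat -pan`-style output, as the (untrusted) host reports it.
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 192.0.2.10:22           198.51.100.7:50212      ESTABLISHED 2201/sshd
tcp        0      0 192.0.2.10:80           203.0.113.44:33012      ESTABLISHED 990/httpd
"""

# Constructed firewall/flow log recorded by a device the host cannot tamper with.
FIREWALL_SAMPLE = """\
2007-03-24T02:11:03Z ACCEPT tcp 198.51.100.7:50212 -> 192.0.2.10:22
2007-03-24T02:11:40Z ACCEPT tcp 203.0.113.44:33012 -> 192.0.2.10:80
2007-03-24T02:12:15Z ACCEPT tcp 192.0.2.10:41666 -> 198.51.100.99:6667
2007-03-24T02:12:16Z ACCEPT tcp 192.0.2.10:41667 -> 198.51.100.99:21
"""

# Time the netstat snapshot was taken (constructed, assumed UTC).
SNAPSHOT_TIME = datetime(2007, 3, 24, 2, 12, 30, tzinfo=timezone.utc)

NETSTAT_RE = re.compile(
    r"^tcp\S*\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+ESTABLISHED")
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+ACCEPT\s+tcp\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)")


def host_reported_connections(netstat_text):
    """Established TCP connections the host admits to, as unordered endpoint pairs."""
    conns = set()
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            conns.add(frozenset((m["local"], m["remote"])))
    return conns


def externally_observed_connections(flow_text, not_before):
    """Accepted TCP flows the firewall logged at or after `not_before`."""
    conns = set()
    for line in flow_text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if ts >= not_before:
            conns.add(frozenset((m["src"], m["dst"])))
    return conns


def unreported_connections(netstat_text, flow_text, snapshot_time,
                           window=timedelta(minutes=5)):
    """Flows the network saw shortly before the snapshot that the host does not
    report. Short-lived flows that ended legitimately also land here, so treat
    the result as a list of things to explain, not as proof of a rootkit."""
    seen = externally_observed_connections(flow_text, snapshot_time - window)
    return seen - host_reported_connections(netstat_text)


def describe(conns):
    """Stable, human-readable rendering of a set of endpoint pairs."""
    return sorted(" <-> ".join(sorted(c)) for c in conns)


def hidden_in_sample():
    """Run the comparison over the constructed samples."""
    return describe(unreported_connections(NETSTAT_SAMPLE, FIREWALL_SAMPLE, SNAPSHOT_TIME))


if __name__ == "__main__":
    for entry in hidden_in_sample():
        print("host does not report:", entry)
```

In the constructed sample the host reports its two legitimate sessions but not the outbound connections to ports 6667 and 21, which the firewall saw a few seconds before the snapshot; those are the ones to explain before trusting anything else the box reports.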
 

Re:Sometimes yes sometimes no (1)

hurfy (735314) | more than 7 years ago | (#18495169)

Assuming, of course you are big enough for any experts to give a damn.

But that was a given I suppose since we are assembling a team :(
I would like to know what us cowboys should be doing....

Preserve what? No one is gonna care who stole what from us. Hell, someone stole a few grand worth of actual merchandise and we had the who and the where and no one gave a damn then. Even if we decided to spend all our money to find out who... then what? Odds are they are offshore anyways and no one could do anything even if they wanted to for some reason.

Re:Sometimes yes sometimes no (2, Interesting)

eli pabst (948845) | more than 7 years ago | (#18495621)

Preserve what? No one is gonna care who stole what from us.

You can preserve the evidence of how you got owned, like the means of entry, how privilege elevation was performed, what was done on the system. It's not uncommon for crackers to upload a binary, execute it so that it's running in memory and then delete the binary file, so if the bash_history was wiped you may never find any evidence it was even there unless you looked at the system while it was running. Figuring out how you were compromised may help you prevent it from happening again.
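The "upload a binary, execute it, delete the file" pattern eli pabst describes leaves a trace only while the process is still running: on Linux the kernel's `/proc/<pid>/exe` link reports the removed path with a `(deleted)` suffix, and the link still opens the unlinked file. The script below is an added example, not code from the thread; the sample mapping of pids to link targets is constructed, and `read_proc_exe_links()` collects real data only on a Linux host. As davidwr notes above, `/proc` is still the box reporting on itself, so a rootkit can lie here too.

```python
"""Flag processes whose executable was removed from disk after launch or runs
out of a scratch directory, and preserve the binary while it is still reachable.
Added example, not code from the thread. SAMPLE_EXE_TARGETS is constructed;
read_proc_exe_links() collects the live equivalent on Linux."""
import os
import shutil

SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def classify_exe_target(target):
    """Reason a /proc/<pid>/exe link target deserves a look, or None."""
    if target.endswith(" (deleted)"):
        return "executable unlinked after start"
    if target.startswith(SCRATCH_DIRS):
        return "executable in a world-writable scratch directory"
    return None


def suspicious_processes(exe_targets):
    """exe_targets maps pid -> readlink('/proc/<pid>/exe').
    Returns sorted (pid, target, reason) triples for the ones worth examining."""
    found = []
    for pid, target in exe_targets.items():
        reason = classify_exe_target(target)
        if reason:
            found.append((pid, target, reason))
    return sorted(found)


def read_proc_exe_links(proc_root="/proc"):
    """Live collection on Linux. Entries that vanish or are unreadable
    (kernel threads, other users' processes without privilege) are skipped."""
    links = {}
    try:
        names = os.listdir(proc_root)
    except OSError:
        return links
    for name in names:
        if not name.isdigit():
            continue
        try:
            links[int(name)] = os.readlink(os.path.join(proc_root, name, "exe"))
        except OSError:
            continue
    return links


def preserve_executable(pid, dest, proc_root="/proc"):
    """While the process is alive, /proc/<pid>/exe still opens the unlinked
    file, so its contents can be copied for later analysis. This must happen
    before the process exits or the box is powered off; returns bytes copied."""
    shutil.copyfile(os.path.join(proc_root, str(pid), "exe"), dest)
    return os.path.getsize(dest)


# Constructed sample of readlink results, including two that should be flagged.
SAMPLE_EXE_TARGETS = {
    1: "/sbin/init",
    812: "/usr/sbin/sshd",
    990: "/usr/sbin/httpd",
    3412: "/tmp/.x/bnc (deleted)",
    3420: "/dev/shm/.p/kmod",
}


if __name__ == "__main__":
    targets = read_proc_exe_links() or SAMPLE_EXE_TARGETS
    for pid, target, reason in suspicious_processes(targets):
        print(f"pid {pid}: {target}  [{reason}]")
```

Run as root on the live system it lists every process it can see; anywhere else it falls back to the constructed sample. Copy anything it flags to removable media before the machine is isolated or powered down, since the evidence disappears with the process.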

A plan may not apply (3, Insightful)

Todd Knarr (15451) | more than 7 years ago | (#18494061)

I'd note that even if your company has a response plan, you may find it either completely useless or so general that it doesn't provide any help. Look at the article's point #1: it's almost nothing but "If $X, you may need $Y.". And it's far from complete. That's going to be a flaw in any security response plan: it's likely to not address the actual problem you face. Problems that you've thought of tend to get caught earlier before they turn into full-blown incidents, it's the ones nobody thought of that are most likely to bite you badly and it's exactly those that a plan won't cover. About the only part of the plan that'll be guaranteed to be useful is the part explaining what parts of the system are responsible for what and how to lock them down to preserve the evidence while you figure out where the breach is and what you need to do next. Beyond that you're into a twisty maze of little possibilities, all almost but not quite completely unlike each other, and what you need most isn't a plan but someone with enough Clue to analyze the situation and formulate a plan to fit it on the fly.

easy (1)

mastershake_phd (1050150) | more than 7 years ago | (#18494067)

Switch to a paper only office, and an air-tube network.

Re:easy (1)

DarkAxi0m (928088) | more than 7 years ago | (#18494583)

Tubes man... its always about the freaking tube with you man, isn't it !! ...

i guess then you'll never have to fear a hacker... just your plumber?

First you have to file a (1)

Buddy_DoQ (922706) | more than 7 years ago | (#18495025)

27B Stroke 6

I'm a stickler for paper work.

Re:First you have to file a (1)

Angostura (703910) | more than 7 years ago | (#18495823)

...and don't forget to get a receipt for your receipt.

part of a larger contingency plan (5, Funny)

davidwr (791652) | more than 7 years ago | (#18494085)

All businesses should have contingency plans for all disasters.

For most disasters, whether it's an IT disaster, a natural disaster, a non-natural physical disaster like a fire, a real or frivolous patent lawsuit, employee or company malfeasance, or what not, you need a plan.

For "terminal" disasters, like a nuclear blast that kills all employees and destroys all company assets, folding up shop may be the right business plan. For small businesses, extreme disasters like car wreck that kills all the employees might also be terminal in a slightly less catastrophic way. In these cases, at least you can plan to sell your business or its assets to another entity, so your customers have continuity.

Basically, divide your disasters into categories, and plan and insure accordingly:
0) end of the world, big asteroid or global thermonuclear war
1) major catastrophe, we are dead, forget about the customer, nuclear detonation event
2) end of the company, save the customer, Enron
3) end of the management team, save the company, MCI
4) we can recover from this but it's gonna hurt a lot, Vonage(?)
5) it's a flesh wound, CEO dies of heart attack
6) mosquito bite, SCO sues IBM
7) what? something happened? I didn't even notice, {if I had an example it would be #6}

Re:part of a larger contingency plan (1)

cheater512 (783349) | more than 7 years ago | (#18494237)

When we get nuked I think its ok to just screw the business and work on saving your own ass.

Re:part of a larger contingency plan (1)

crabpeople (720852) | more than 7 years ago | (#18494265)

"For "terminal" disasters, like a nuclear blast ... at least you can plan to sell your business or its assets to another entity, so your customers have continuity."
I'm gonna go out on a limb here and say if I have to deal with a nuclear blast, my customers are going to be pretty low there on the list of things that I'm worried about the continuity of...

Let's assume you are a multi-city company (1)

davidwr (791652) | more than 7 years ago | (#18494311)

Pretend you are a Wal-Mart or IBM. Suppose Bentonville or Armonk gets wiped off the map by a terrorist bomb.

I hope both companies have some kind of continuity plan, even if it's just transferring their assets and customer lists to a competitor.

On the other hand, the Bentonville Bed And Breakfast will probably just fold up shop.

Re:part of a larger contingency plan (1)

toadlife (301863) | more than 7 years ago | (#18494415)

For most companies, data breaches [attrition.org] usually fall into the #7 slot.

Outsource (2, Insightful)

DogDude (805747) | more than 7 years ago | (#18494101)

If you're working for a company too small for a "Security response team", and chances are, you are, then you've got to consider outsourcing. If a security breach happened, then obviously you don't have the expertise in house to handle security in house, and you're just putting out fires after they happen. It's time to start looking to outsource whatever it was that was broken. In this day and age, unless you're doing something very, very custom, there's really little value to having in house web serving, email, etc.

Re:Outsource (0, Flamebait)

crabpeople (720852) | more than 7 years ago | (#18494317)

"you've got to consider outsourcing"
Ah yes, outsourcing. All the security of a 3rd world country's people and laws...

If you're smart... (1)

Creepy Crawler (680178) | more than 7 years ago | (#18494107)

You'll use this [darkreading.com] link. "Print buttons" are your friend, unless you really like 2 pages of content being spread over 10 pages.

Except that (1)

winkydink (650484) | more than 7 years ago | (#18494287)

the article is only 2, not 10 pages long to begin with.

Re:Except that (1)

Creepy Crawler (680178) | more than 7 years ago | (#18494389)

I found that out when I read it.

Still, it's pointless to have people who are "supposed to be tech smart" here posting news sites and aggregators that have 5-10 pages of stuff that 1 page would suffice.

Clearly (5, Funny)

eviloverlordx (99809) | more than 7 years ago | (#18494111)

The appropriate response is to shoot the lieutenant responsible for security. Then promote another ambitious, yet expendable underling to his/her place. Come on - this is Evil Overlord 101-level stuff.

Insightful or Funny You Chose (1)

mpapet (761907) | more than 7 years ago | (#18494145)

Right on.

Re:Insightful or Funny You Chose (1)

Bearhouse (1034238) | more than 7 years ago | (#18494385)

Right. Kick it up guys.

Disconnect and reinstall... (3, Insightful)

FirstTimeCaller (521493) | more than 7 years ago | (#18494113)

It's been a long time (thankfully) since I've had to deal with this. But I'd echo the article about disconnecting from the net to eliminate further attacks. Then I'd remove the drive and save it for forensics -- replacements are cheap (I'm assuming a small business doesn't have expensive RAID setups). Assume that everything has been compromised and restore from a backup prior to the intrusion (hopefully you can tell when that was).

Oh, and keep your clocks synchronized. This will help if you need to trace intrusions across systems.

Congratulations, you just killed your forensics (1)

davidwr (791652) | more than 7 years ago | (#18494213)

Maybe.

Let's assume the bad guys never stored any forensically useful stuff on disk in clear text. Peter Gutmann [auckland.ac.nz] has a few things to say about recovering useful information from RAM chips.

The question for the real world is:
Is it worth going this far just to catch the bad guys?

Don't panic! (4, Insightful)

mandelbr0t (1015855) | more than 7 years ago | (#18494163)

I've dealt with a couple security breaches in the past. It's never easy, and there's always that feeling of being violated as well. The important thing is to not lose your head about it, or you'll make mistakes that could lead to another or worse breach.

First, find out the extent of the breach. Analyze your log files. Find out what time it happened. Find out who was logged in at the time, and find out any log messages from any system services that can help you figure out what the problem was. If you can't figure out what the scope of the breach was with a high level of confidence, then you have to assume the worst: the entire network is compromised.

Second, salvage what you can. Again, be very careful about doing this. Hopefully you have a backup somewhere which would allow you to avoid or shorten this step as much as possible. In essence, do what you have to do to the compromised machine to avoid losing work, but always be conscious of the fact that the machine is compromised, and may be transmitting or recording keylogs or other sensitive information. If possible, disconnect the compromised machines from the Internet and isolate them from the rest of your LAN.

Third, plan for the future. How would this breach be avoided in the future? Was it an OS problem? If so, then maybe you need to install OpenBSD instead. Was it a problem with a particular package you were using? Choose a different package. Can you configure your firewall or server to prevent or limit the abuse that caused the problem in the first place (e.g. fail2ban to deal with SSH phishing attacks) or install monitoring software to alert you of a problem (e.g. an IDS like Snort)? Do your users need further training? Does your password policy allow weak passwords? Etc.

Finally, take a deep breath. Unless you've been totally negligent in your job, there wasn't much you could do to prevent it. Don't worry about the fact that you don't have enough to go to the police; most Network Administrators don't have the hardware, training or certification to present evidence in a courtroom anyway. If you can go to the cops, then bully for you! Make that black-hat asshole pay!
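A worked version of the first step above (find the time, the scope and who was logged in), as an added example that is not from the comment or the DarkReading article. It parses constructed sshd auth.log lines from two hosts, assumes the clocks were synchronized as the earlier comment recommends and that the year is 2007 (syslog omits it), builds a timeline, flags the first accepted login that followed a burst of failures from the same address (the pattern fail2ban reacts to), and lists who had logged in by a given moment.

```python
import re
from datetime import datetime

# Constructed sample auth.log lines from two hosts with synchronized clocks.
# Lines are deliberately out of order, as they would be when merged from two boxes.
SAMPLE_LOG = """\
Mar 24 10:01:02 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 4412 ssh2
Mar 24 09:55:00 web1 sshd[2190]: Accepted publickey for alice from 192.0.2.5 port 50022 ssh2
Mar 24 10:01:05 web1 sshd[2203]: Failed password for root from 203.0.113.7 port 4418 ssh2
Mar 24 10:01:09 web1 sshd[2205]: Failed password for root from 203.0.113.7 port 4421 ssh2
Mar 24 10:01:14 web1 sshd[2207]: Accepted password for root from 203.0.113.7 port 4425 ssh2
Mar 24 10:03:40 db1 sshd[911]: Accepted publickey for backup from 192.0.2.10 port 51000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def parse_log(text, year=2007):
    """Parse sshd auth lines into events sorted by time (year assumed: syslog omits it)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd login event; ignore
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "result": m["result"],
                       "user": m["user"], "ip": m["ip"]})
    return sorted(events, key=lambda e: e["ts"])

def first_compromise(events, failures=3, window_sec=60):
    """First accepted login on a host preceded by >= `failures` failed attempts
    from the same IP within `window_sec` seconds: the brute-force-then-success pattern."""
    for i, ev in enumerate(events):
        if ev["result"] != "Accepted":
            continue
        recent = [e for e in events[:i]
                  if e["result"] == "Failed" and e["ip"] == ev["ip"]
                  and e["host"] == ev["host"]
                  and (ev["ts"] - e["ts"]).total_seconds() <= window_sec]
        if len(recent) >= failures:
            return ev
    return None

def logged_in_at(events, when):
    """(host, user) pairs with an accepted login at or before `when`. sshd logs no
    logout here, so this is an upper bound on who was on each box at that time."""
    return {(e["host"], e["user"]) for e in events
            if e["result"] == "Accepted" and e["ts"] <= when}
```

The root login from 203.0.113.7 at 10:01:14 is the earliest point the timeline supports as the breach; anything backed up after it should be treated as suspect.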

Script of comments to come... (5, Funny)

FMota91 (1050752) | more than 7 years ago | (#18494179)

Windows XP: What's security?
Windows Vista: This wouldn't happen to me anyway, I'm the Most Secure OS (tm)!
Mac OS X: I never get any viruses!
GNU/Linux: Me neither!
Windows Vista User Access Control: You are entering a conversation with flaming probability 89%. Cancel or Allow?
Windows Vista: [to Vista UAC] Allow. [to the others] That's because nobody uses you!
GNU/Linux: Oh yeah...
Mac OS X: That's because only elite people use Mac OS X. Because you're not worth them.
GNU/Linux: Wait! Windows Vista, you lie! Lots of people from all around the world use me! In fact, they even improve me! That's because we believe that...
Mac OS X and Windows Vista: [at the same time] Shut up Linux.
Windows Vista: [to Mac OS X] But anyway, even if there were a "Security Breach", it's not like they'd be able to mess anything up!
Mac OS X: That's because it's impossible to do anything in Vista.
Windows Vista User Access Control: [to Vista] You are coming to a sad realization... Cancel or Allow?

NB: the views or opinions expressed by any of the characters do not necessarily resemble the views or opinions of the author.

OpenBSD (4, Funny)

davidwr (791652) | more than 7 years ago | (#18494263)

OpenBSD: [walks into room, looks around, walks out, shaking his head not understanding why everyone can't be as secure as he is]

Re:OpenBSD (2, Funny)

FMota91 (1050752) | more than 7 years ago | (#18494307)

Mac OS X: Not another Linux... the geeks are out-reproducing us!
OpenBSD: [angry] I'm not Linux you freak! Why is everyone always mixing us up?! [leaves room in tantrum]

Re:OpenBSD (4, Funny)

oyenstikker (536040) | more than 7 years ago | (#18495641)

Windows Vista: Hey, I thought that guy was dead.
Mac OS X: No no, that was OS/2 that died. Remember? You got his kidneys.

Got done.... (4, Informative)

Creepy Crawler (680178) | more than 7 years ago | (#18494225)

I got done reading this, and it's pretty dumb.

"If you're a big company, you already have a security team. If not, hire one." DOH!

That smacks me of the same kind of response from slashdot about legal advice... "I'm being sued by the RIAA, should I ignore it?"

Still, why not gander around and see what the real security experts and such say about such matters:

The Coroner's Toolkit [fish2.com] Tools for Unix

Nagios detection suite [nagios.org]

Honeypots for 'sticking hackers' [honeynet.org]

And there's the wonderful tools in the Linux kernel for bridges and such that can be made to monitor data as if there was no computer there at all. Also, PF in FreeBSD can route and filter based on much more criteria than Linux netfilter can (like via OS).

You should have a secure layout of your network along with a respectable sensor network. The Sensornet should be separate from the general network.

If you already work in IT, these things should be obvious, as it is the similar measures required for data recovery on non-hack problems.

Re:Got done.... (0)

Anonymous Coward | more than 7 years ago | (#18495827)

Filtering by OS doesn't make any sense because it's trivial to fake. What's the point exactly?

Re:Got done.... (1)

Creepy Crawler (680178) | more than 7 years ago | (#18495905)

---Filtering by OS doesn't make any sense because it's trivial to fake. What's the point exactly?

Ok. I have a Windows network, a Linux network and a MacOS network. I can prevent machines from migrating networks. If they attempt to, they will be isolated via rather nasty tools (arp corruption tools).

Also, it is NOT rather easy to fake network signatures from consistent data streams. It's easy to fake a NMAP scan though.

The key is I can segregate networks and I have the technological means to do so without me actively watching.

Experts say hire experts (1)

TheLastUser (550621) | more than 7 years ago | (#18494255)

"external consultants or forensics experts -- should be selected prior to an event, experts say."

What a shocker...

Ahhh... easy... (1, Funny)

Anonymous Coward | more than 7 years ago | (#18494285)

I call Microsoft support.

Huh? Reinstall of course! (2, Insightful)

Anonymous Coward | more than 7 years ago | (#18494291)

It boggles me that so many people come up with so many "solutions" yet hardly anyone comes up with the really important step to take: you backup your data, wipe the HD clean and re-install your OS. No matter what you use; be it Linux, Solaris, BSD.

Re:Huh? Reinstall of course! (0)

Anonymous Coward | more than 7 years ago | (#18494831)

I think they're referring to company-wide systems, rather than a single desktop machine. Desktop machines, servers, computers in local and remote offices, who knows how many are affected. How long can the business afford to be completely offline?

Try to cover it up to get out of the TPS reports (1, Funny)

Anonymous Coward | more than 7 years ago | (#18494313)

5-6 page ones suck, so we try to fix things without telling the PHB, who will just make lockdown things that will get in the way of people doing their jobs.

Anyone ever follow up with law enforcement agencies? (1)

bdigit (132070) | more than 7 years ago | (#18494369)

I am curious as to how many people actually go the next step to get the bad guy caught and how successful they are with it? It seems like it's a tough battle to get the identity of the person behind an IP.

Re:Anyone ever followup with law enforcement agenc (5, Insightful)

mandelbr0t (1015855) | more than 7 years ago | (#18494517)

I've considered it, but there are a lot of barriers. First, you need enough evidence for a subpoena. That means that the chain of custody has to be preserved, and the crime scene needs to be secured by the police. Usually that means giving the compromised machines, relevant logs from monitoring equipment, etc. over to Law Enforcement for an indeterminate amount of time. I know I can't live without my servers for that long.

You need to get the subpoena to identify the person behind the attack. That assumes that your evidence actually points to a specific suspect. Unless your attacker was a complete moron, or your network logs are incredibly voluminous, that's not very likely. Once the subpoena is served and you've got your suspect and laid charges, you need to present evidence. That requires an expert witness. If you're lucky, YOU are the expert witness, but there's training and certification involved in that process. Otherwise, you get to hire an expert witness, and that won't be cheap. Your opponent will probably hire an opposing expert, just to confuse everybody.

Overall, I'd say that chances of success are incredibly low. Legal fees will be very high, and you have to turn over a fair chunk of your network assets to Law Enforcement. Basically, if you aren't really, really sure that you've got your man, it's really not worth the time and effort to find out who it was. That effort is much better spent allowing you to sleep at night knowing that people aren't getting in, IMO.

Re:Anyone ever followup with law enforcement agenc (1)

dazed-amoeba (1080497) | more than 7 years ago | (#18496013)

Careful with the subpoena. There was a reporter sitting in the court trolling for news when we asked for a subpoena. The resulting news story was worse than the incident ever was. CIO is gone now.

Patch a socket (2, Funny)

Q-Branch (554342) | more than 7 years ago | (#18494397)

Just patch a socket. Problem solved. I learned that watching 24.

We had a security breach once (5, Funny)

thewils (463314) | more than 7 years ago | (#18494421)

It was an open FTP server. Some kind soul put about 14Gb of movies on one of our servers, then we noticed the hole (mainly because of the space) and shut down access to that server.

So in our case the response was:

1. Stop access.
2. Buy beer and popcorn
3. Watch movies.

Re:We had a security breach once (2, Funny)

GiovanniZero (1006365) | more than 7 years ago | (#18495077)

ah, your response is eerily similar to cops with drug raids.

"Serenity now!" (1)

WoTG (610710) | more than 7 years ago | (#18494451)

Just close your eyes, count to ten, then start shouting "Serenity now" over and over again until the problem passes you by. :)

Cry. (1)

TheLoneWolf071 (1063682) | more than 7 years ago | (#18494503)

Cry havoc And Let Slip The Dogs Of War.

Put your head between your legs (1)

jhylkema (545853) | more than 7 years ago | (#18494571)

and kiss your ass goodbye!

Game over, man (1)

Dachannien (617929) | more than 7 years ago | (#18494631)

Lift off and nuke the site from orbit.

It's the only way to be sure.

panic! (0)

Anonymous Coward | more than 7 years ago | (#18494679)

panic!

Easy... (5, Funny)

andreMA (643885) | more than 7 years ago | (#18494755)

When in confusion
or in doubt
Run in circles
scream and shout.

And yeah, pull the ethernet cables out.

Printable page (0)

Anonymous Coward | more than 7 years ago | (#18494843)

One-third content, two-thirds ads and links. Yeah, that's a good design.

1 part content, nothing extra [darkreading.com]

Easy.... (0)

Anonymous Coward | more than 7 years ago | (#18495019)

Sigh. Get the install CDs, locate your last few data backups and plan on a very VERY long week + weekend. Restoring the data is fine, restoring the OS+apps is NOT, but you have a good snapshot of the apps from when you last installed them, right?

When asked, make sure you mention how the CTO cancelled your project for security upgrades and audits and this would not have happened if security audits and upgrades were performed.

Key CTO's car just to make sure.

What any man would do in that situation. (1)

kick_in_the_eye (539123) | more than 7 years ago | (#18495505)

Curl up in the fetal position and wait for tomorrow.

Also works at performance reviews.

easy... (2, Insightful)

trouser (149900) | more than 7 years ago | (#18495617)

Burn the place to the ground, kill everyone, start again.

Two Options (1)

Shaltenn (1031884) | more than 7 years ago | (#18495631)

1) If you have an IT team ready to go: Simply pick one, blame it on them, fire them, find some random script-kiddie hacker and blame them.

2) If you don't have an IT team ready to go: Blame users / customers since it clearly must be their fault in some way, shape, or form.

Remember kiddies, rules never apply if you're a corporation.

I'm not even a fanboy (1)

DragonTHC (208439) | more than 7 years ago | (#18495957)

If you've been smart, you'll already have a computer security incident response team -- and a plan -- in place.
If you've been smart?

The sysadmins are smart. It's their managers who make those decisions. 99% of managers simply don't have the brains to see the need for a disaster recovery team.

The solution is simple. Plan, Plan, Plan, Test, Plan, Test, Plan, and Test.

Your Data has to live separately from your OS/Apps.

The easiest way is to use a VMWare ESX server and keep daily/weekly backups of the VMs.
Your Data should live on a Large redundant Storage Array.

The ideal situation for every IT group is a scalable redundant SAN and a scalable Blade center running VMWARE bare metal.

The costs of such things don't seem worth it, but they really are.