LINUX SECURITY --- February 27, 2001
Published by ITworld.com -- changing the way you view IT
http://www.itworld.com/newsletters
________________________________________________________________________________

HIGHLIGHTS

* Dealing with the publicity after being compromised.
________________________________________________________________________________

Public Notification of a Hack
By Rick Johnson

We've all been there before. You work all night assessing the damage on a compromised server, and compiling a report showing known compromised areas and those potentially compromised. The internal emergency work is done, but now it's time to deal with the public. How do you proceed?

Advice on dealing with the technical side effects of a compromise can be found relatively easily, but very little information exists dealing with the after effects of a malicious hacker ruining your day. Most companies prefer to suppress any information about a compromise and with good reason. Such bad publicity can erode confidence, cause a revenue drop, and, worse yet, send investors running and the stock price plummeting. Clearly it's a touchy issue.

Sure, the whole incident could pass with little more than a whisper if you decide to keep things quiet (and succeed). Should word leak out though, you have made it worse. So before deciding whether or not to publicize a compromise, perform an external damage assessment and consider the following issues.

Was any customer data affected?

If the answer is yes, then the company must notify its customers immediately -- especially when credit card information is leaked to the world. Notifying customers can be done in a variety of ways. Personal contact is always preferable, but rarely a viable option. Emailing the affected customer base should be your second choice. Also be prepared to continually update customers as the situation changes. Finally, the least favorable option would be issuing a wide-scale press release.
Certainly not the best choice, but it's still better than customers hearing about it on CNN.

What would be gained by exposing the compromise?

Exposing the incident can reduce the damage by allowing your public relations department to spin the release far more favorably than your average news report. Exposure also shows you have nothing to hide and that the compromise was just a case of bad luck. Now you can show how diligently your staff has worked to correct the vulnerability and prevent it from happening again.

Keep everyone in the loop

Before making any public statements, consult with your Legal department. If you do not have one, then contact an attorney skilled in these matters. Legal should approve any prepared statements or press releases before reaching the public domain. Of course, make sure your technology department has patched every hole before releasing any information. Once the proper action has been decided, inform the entire organization of the procedures for handling the incident. Even in cases where customer information remains safe, you should be ready to discuss the security problems publicly.

Prepare to be the scapegoat

Drastic enough situations could result in someone being fired. An individual's mistake occasionally results in a compromise, but more commonly companies terminate an employee to show stockholders and customers that the weakest link has been removed. We all know who gets blamed first and if it was your fault, then start typing your resume. More often, an executive did not heed your warnings, which resulted in a compromise. Cover yourself by documenting every recommendation and the response when presented. Once someone disregards your warning, they then take responsibility if the worst should happen.

About the author(s)
----------------
Rick Johnson is currently the Manager of Security Services for FusionStorm, a remote managed services company.
When not writing, he heads the development team for PMFirewall, an Ipchains Firewall and Masquerading Configuration Utility for Linux. Rick can be contacted via email at rick@pointman.org or on the web at http://www.pointman.org.
________________________________________________________________________________

ADDITIONAL RESOURCES

'I Hired a Hacker': A Security Manager's Confession
http://www.itworld.com/jump/linsec_nl/www.itworld.com/Sec/2313/CWSTO58018/

Sex, drugs, and technology
Demonizing cryptography
http://www.unixinsider.com/jsw/linsec_nl/swol-02-2001/swol-0223-unixsecurity.html

NetMAX FireWall worth the fickle installation
Good product, but marketing may be misdirected
http://www.linuxworld.com/jlw/linsec_nl/lw-2001-02/lw-02-netmax.html
________________________________________________________________________________