OK, I've been hacked, now what?

Scott, Richard Richard.Scott@bestbuy.com
Fri, 7 May 1999 10:09:38 -0500

Dana Nowell wrote:
	At 12:14 PM 5/6/99 -0500, Scott, Richard wrote:
	>	-----Original Message-----
	>	From:	Dana Nowell [SMTP:DanaNowell@corsof.com]
	>	Sent:	Thursday, May 06, 1999 10:30 AM
	>	To:	Scott, Richard
	>	Subject:	RE: OK, I've been hacked, now what?
	>	At 09:59 AM 5/5/99 -0500, Scott, Richard wrote:
	>	Yes I agree, my point was that 'general connectivity' is not generally a
	>	'project' so to tie security to project based funding is
	>	Sometimes you just need to buy infrastructure based on where company is
	>	headed.
	>	Yes, but security plays a part in every project, whether that be
	>e-commerce, database management or simple User Interface Design!  If I undertook
	>a project and never thought about security I would consider
	>unworthy of the role.  Now if the corporation considers having
	>networks then a security project should be started and continuously

	OK, I get it now, we are sort of saying the same thing.  Expenditures are
	TYPICALLY approved either for a specific project or as part of
	infrastructure.  You think a 'security project' should be started
	spanned multiple areas (not usually done that way, turf issues cause
	problems) and that project funded appropriately.  In actual practice,
	security costs are either built into a project if they are significant or a
	separate project for a 'piece of infrastructure' is started for
	project issues (e.g. a firewall is infrastructure, an RSA encryption
	might be project specific).  Security departments are continuously
	and they have a list of cross domain 'on-going' projects (network
	internet security, physical security, ...) BUT the scope of these
	are fixed, increasing the scope requires justification of the new
	expenditures (and various departmental sign-offs).

	Everything that a corporation undertakes needs justification.
Rightly so, too, when you have tabloid whores and media junkies writing
about stories of hackers stealing secrets.  Let's face it, adequate security
isn't that expensive.  It just needs rationalisation and common sense from
those who are in the know.

	The site should be protected from well known vulnerabilities, and
empirical evidence and reports could be used to persuade management that
extra expenditure is needed.  In the environments I have worked in security
is always born in mind and is always reviewed when new exploits are found
both internally and publicly.  Not only does this often help the other teams
understand the technology they are using it also helps prevent lapses in

	If the management feels that a breach of security is worthless, and
risk management nowadays is changing this train of thought; then one would
have to conclude that it's time to try something different.  Maybe hire a
penetrative expert for a few hours and get them to test the site, retrieve
information management understands, and tell them this was obtained easily.
Then things might change,

	>By quantifying costs people can point to other incidents in the
	>	help justify the costs quoted (hence the expenditures
	>If I
	>	claim a web site breach will cost $200,000 (in hard and soft
	>	boss will say, 'right, where the hell did you get that number, you trying to
	>	pad your budget?'.  I can say I guessed or I can then point out that
	>	other companies similar to us were breached and they reported losses
	>	totaling Y dollars for an average cost per incident of
	>	where I got the number.  He might be apt to listen some more if I used 'real
	>	data' than if I guessed.  So by now it should be obvious why
	>	numbers can occur.  If people pad the numbers, hackers look bad, LEA
	>	good, security guys get bigger budgets, CEOs write-off more one time
	>	expenses on the budget (making the company look better to
	>and in
	>	general everyone but the hackers are happy (and the hackers
	>	painted as the bad guy so who cares about them, they have zero PR
	>	credibility/impact).
	>	The problem here is educating the higher management.  If
	>business is worth millions 200k a year is peanuts to spend on
	>However, security costs will reduce once you have built the
	>such as firewalls and the rest.  Initial start up costs will be high, as
	>with any project!  Would you design a car without looking in to
	>efficiency? Would you start a project to develop a new pair of
	>(sneakers) without looking at marketing?  The point that must be
	>is that security is an essential part of development.

	Yes, it usually is done that way, the issue is HOW MUCH security,
	types, how much does it cost, ...
	I want to design a car, do I BUILD/BUY a wind tunnel for testing or

	That all depends on how you wish to pursue the job at hand.  If you
were an F1 racing team you would want to buy one in the long term, and maybe
if you are a car manufacturer, you may want to too, but if you are building
one car, then maybe not.

	Similarly, if you have one site which is going to be used for 3
months, and then dismantled, why bother with extreme security.  However, if
this site was to be linked to the corporate intranet or has a longer life
span you may wish to spend more money on it, and its security ;-)

	Or is my design a sufficient rip-off of a Honda/Ford/Chevy/xxx that
	can get 'close enough' from their data.  What if I'm wrong?

	It may be interesting, of all the people reading the
firewall-wizards list, to build a report on how much people are spending on
firewalls, training and development.  I'll forward this message to the list
and see if one can get a response.

	The other problem may be that your business is worth $N Million/year
	REVENUE but only a few thousands in profit (how many EC sites even turn a
	profit?)  Now justify an additional $200K in security expenditures

	My point entirely when one decides how much an intrusion actually
affects company profits.

	>	You argue that "If I
	>	claim a web site breach will cost $200,000 (in hard and soft
	>	boss will say, 'right, where the hell did you get that number, you trying to
	>	pad your budget?'.  I can say I guessed or I can then point out that
	>	other companies similar to us were breached and they reported losses
	>	totaling Y dollars for an average cost per incident of
	>	where I got the number."
	>	Well how do you know their estimates were correct?  In fact, if a
	>higher management player doesn't think security is an issue, then you should
	>go about trying to educate them.  Maybe a little penetrative testing is in

	They ALWAYS think security is an issue (CEOs like to cover their
	legally), they are RARELY competent to quantify the exposure for
	themselves.  That's why they pay us :-).  We quantify the risks,
	alternative solutions (with costs) and they choose how much risk is
	acceptable vs. the cost of removing that risk.  They do occasionally want
	to know how we quantified the risk (based on others in the industry,
	guessed, past experience, ...).

	As to how we know the other estimates are correct, you don't.  BUT if I
	price 10 different types of autos from 10 different dealers, can I get an
	idea if the actual auto I'm looking at is priced roughly correctly,
	If I've never seen an automobile, have no clue as to their costs, can I say
	if a Ford Escort is worth $5k or $15k, nope.  Penetrative testing is
	useful, how did you justify the time spent on doing it (chicken and the egg
	problem, if management is totally clueless, you don't get the
	approved).  Then assuming you find a hole, is it cost effective to patch it
	or is it 'better/cheaper' to assume the risk?

	I would advocate a diplomatic measure!  Penetrative testing in the
corporate environment isn't easy.  However, if one assumes that software has
a testing environment, hardware has a testing environment, I'd explain that
security needs a testing environment.  One can take a firewall product,
install it and still render the site insecure.  One, would explain to the
management (business) that testing needs to be done, and configuration is
the key.  You may find that if you speak to them in their language, less
bytes and sockets and more operational risk and figures, a bright future is

	>	Management would NOT say 'No security policy'.  They say the exposure you
	>	have pointed out does not justify the amount of money you are asking for to
	>	fix it.  
	>	Then if that was the case I would point out that if the cost
	>maintain the project/site is say 1 million, and the cost of security is
	>200k, but the loss could erupt to a closure of business, then they
	>listen.  Obviously I admit with using alarmist points it's hard to
	>management.  But they are definitely getting the point!

	No, they simply think you are over reacting, "close the business as
	...", credibility is the exchange currency here, crying the sky is
	the sky is falling rarely gets you anywhere. 

	One doesn't need to cry that the sky is falling in, although it
seems they do that when they are penetrated!
	Maybe some statistical analysis of scanning on the network, selected
logging of certain attacks can persuade the business folk that something
needs to be done.  Just like opinion polls, customer confidence polls and
market research provide management with an easily broad view of what is
going on.

	Proving the sky is falling or
	proving a logical example of how it could fall is much more useful.
	Remember, if the site is worth $1 million/year and the cost of stopping a
	given event is say $200,000/year you STILL need to convince management that
	the event is likely to happen.  If it cost $1 million to recover from the
	event, I'd give you little funding if the likelihood of the event was once
	every 50 years (on average pay $10 Million to save $1 Million, this is not
	cost effective).  Remember if 'cost to fix it' > 'Cost to recover' *
	'likely incident count', it may be better to assume the risk.

	>	>
	>	>	This is hard to say, but I would argue that mugging
	>	>incur the cost upon that person at that moment in time.  I
	>	>costs of legal fees.  The problem here lies with the American legal
	>	>which seems to be like a joke!
	>	Forget the legal fees, think medical fees related to
	>	same principle/issue (had to quantify soft money not related at
	>	first pass) and perhaps easier to rationalize.
	>	OK so the hacker finds a hole in your system.  The hole existed well
	>before the hacker found it.
	>	The cost of repairing that hole is borne by the owner of the
	>	Just like if one would suffer from stress before a mugging
	>The role of cost is subsequently reduced.  That person already suffered from
	>stress, so the cost of causing stress to that person is not entirely the
	>mugger's fault.
	>	Thus corporations should not include the cost of fixing the bug in
	>the first place.

	Agreed, BUT the cost of examining the site in detail to determine IF
	hacker did anything IS incident driven. As is the cost of replacing
	site if the site is needed for evidence.  I'd exclude the hardware cost but
	labor to reinstall is included as I need the site back.  If the
	version is available I may get the patch for free as I can and should
	the reinstall off to the incident and the time to install the old one is
	roughly the same as the new one (I assume).

	I think that the whole patch/service pack "market" is shoddy.  If I
purchase a vendor's product and it's supposed to be a secure firewall, then
that is what I want.  If it is breached due to configuration then it may be
my fault.  On the other hand if the breach occurs due to a protocol
implementation by the vendor, then I should be entitled to sue the company.
Hence a drastic change to the licensing agreement is needed.

	It isn't necessarily true to blame hackers for everything, in fact
let's assume they discovered some holes that a foreign agent were going to
exploit on your site, but you found the hole and blocked it?  That hacker
who published the exploit may have brought about bug fixes et al?

	>	>	Going by what we've discussed it is obvious that security in
	>	>of legality/cost needs thorough research and more clarity!
	>	>mounting costs to an inordinate figure which includes losses is
	>	>illegal, yet I have yet seen a case, and maybe Mitnick's is first to
	>	>dispute this, to counter this!
	>	Claiming that something cost X is not illegal, 
	>	Actually, if X cost millions of dollars and this was not reported to
	>the shareholders, then in court it could be considered a false
	>and next to perjury! 
	>	it can certainly become a
	>	point of argument.  That said, you can not pull a number out of a hat, you
	>	do need justification, the 'hackee' accounts for costs in a
	>	'liberal' fashion than the hacker that's all.  I can sue the
	>for $10
	>	Million in psychological damages claiming 'I'll need therapy for 20
	>	at $N/year plus health issues related to stress', 
	>	To do this though you would have to have a good lawyer, and
	>would never get the money anyway!
	>	You could sue for all you want, but it doesn't mean you will
	>	Just like corporations making huge losses as a result of a
	>site, which in all caused a fraction of the amount!

	Exactly my point, the company can CLAIM it cost $10 million per
	doesn't mean the courts will believe them or that they'll get it back in
	civil court.

	>	the mugger claims 'no one
	>	has fallen over from a mugging related heart attack a year after the
	>	mugging occurred and 20 years seems a bit long, you're padding the
	>	numbers', the court decides.  
	>	Yes without evidence you are in shallow water.  Hence, what
	>evidence could one use to bring about costs caused by a hacker.  For one
	>reporting them to shareholders would be a wise move. ;-)

	Long term, yes.  Short term, a publicly traded company that admits
	hacked MAY lose value in the market, may fire the CEO, may go out of
	business.  So what does a CEO do?

	Corporations must report significant losses to shareholders in their
annual report (legally).

	>	Same creative accounting issue.  Eventually
	>	this will be worked out (usually when insurance companies get in the
	>	with standardized 'allowed' expenditures and 'typical' rates in each
	>	category.  Until then creative accounting rules both sides of the
	>	 Hackers claim that 'if you had procedures in place and good
	>	recovery should have been a day so damages are $500 for one
	>labor, no
	>	lost business because those people came back later and no loss of
	>	confidence because it was a single incident that people expect to
	>	eventually and besides you are partly to blame for having
	>	The company's estimate is $100,000 or more including lost
	>	numbers.  Both sides are doing a little creative accounting in my
	>	Maybe so but I think the security community should take heed
	>develop a methodology for calculating somewhat the cost of a break in. ;-)

	Yes they should.  And everyone should be a good parent, a good citizen, and
	... :-)

	>	>
	>	>	No, but if NT was the main breach in security, why
	>	>MS be
	>	>sued, after all it has proclaimed NT secure! When it was released (NT
	>	>4).  In fact the C2 rating is all confusing because it is given to an
	>	>NT machine standalone!
	>	>
	>	>
	>	MS does NOT claim NT IS secure.  It claims NT CAN BE configured to meet the
	>	C2 standard, ball's back in your court.
	>	Not in a Network environment though, stand alone only ;-)
	>	>
	>	>	First, prove the hacker did nothing :-).
	>	>
	>	>	Nope, that's not how the law works!
	>	Actually, it is.  
	>	Nope, first of all you must prove he/she actually performed the hack!

	Sorry thought that was a given, thought you intended proven break-in, no
	apparent damage.  My point was that just checking for damage costs
	which in effect IS damage.

	>	The hacker broke into the system, I may be by that act
	>	to ensure he did nothing, a cost I am potentially entitled to recoup
	>	civil court as his act caused me quantifiable damages.  
	>	I would say he kept you in business ;-)
	>	But the point was
	>	not to use that to attack the hacker, it is that a corporate
	>	from that incident that the corporation has to pay for and it can be
	>	in a cost justification plan (I.E. every break-in must be investigated to
	>	quantify the damage, including no damage, consequently EVERY break-in costs
	>	at least X dollars even if no damage occurs).
	>	If no damage exists, and assume we can state that, then
	>the charge of breaking in to a computer is used, but corporations tend to
	>append numerous other factors to underpin a prosecution.

	>	>
	>	>	  And while expenditure MIGHT be
	>	>	small, what of the potential cost of lost customer
	>	>
	>	>	Maybe this should have been thought of before the project to
	>	>the site went ahead.  I would argue that of the company
	>	>criteria so much, why was it taken not to include security in the
	>	>
	>	>
	>	It may have been, that does not reduce the 'cost' of the break in.  
	>	Yes it can, just by segmenting the network the breach can be
	>contained to a possible limited area!

	Not unless they are in different security domains, just adding routers is
	pretty useless security.  Adding more segments with firewalls
	segments is useful BUT the original model may have been a tough
	perimeter with little security internally, thus concentrating all
	dollars to avoid break-in, not 'wasting dollars' on minimizing damage after
	a break-in. (Not the best scheme IMO, but one a lot of companies

	>	Just
	>	because I thought of it, planned for it, and the hacker broke in any
	>	does not mean the cost doesn't count (hopefully I've minimized it, but I
	>	still count it).
	>	Yes, you have minimised it.  IMHO, if a site has no security, then
	>it's wasting their time being on the Internet.  Would I park my car with the
	>car keys in it?  Would I leave the front door ajar when I leave my
	>No.  So why would I put my network out in the open?
	>	I think you can not dismiss that a criminal hacker once
	>the law should get prosecuted.  But you can not append random costs to make
	>the prosecution.  These costs must be proven.

	The courts examine the costs, they can NOT be random.  The issue is 'what is
	a valid cost?' we have little law, little experience, and no standards on
	that topic.  Much like the guy that has never seen an auto guessing if the
	Escort is priced fairly.

	>	The wannabe comment makes me think you do not manage a site on a
	>	basis :-).  Guess how many SMURF attacks we see a day at a
	>	unknown Dev building in southern New Hampshire (four to five
	>average 5+
	>	days/week, several months AFTER smurf should be well dead
	>out the
	>	world)  Want to discuss network scans (2+/week)?  Want to
	>rates the
	>	week after a new exploit program is released (5-20+ depending on the
	>	exploit and code availability)?  Want to discuss the same rate when
	>	exploit is first identified (but before code is 'generally' available to
	>	the script kiddies), probably 1 exploit out of 20 shows up once in
	>	month before 'general code release' (Beta? :-).
	>	I take note of your point.  And yes there are plenty of
	>downloading scripts and executing them.  But at the same time these
	>are available to you and you should identify how to defend against them.  If
	>you see so many smurf attacks it is all too easy to defend against it.
	>Had the exploit circulated amongst the elite, you would have not noticed the
	>attacks for some time.  In fact let's assume I was a hacker (;-))
	>developed an exploit, I may want to abuse it for a while before releasing it
	>to the public!  And then what would you do?

	Not the original point.  The original point was ancillary damages caused by
	release of an exploit.  Let's assume I am a small no name site, and
	exploit is a web page defacing hack.  Can I assume the risk and NOT
	yet (roll it in to the next quarterly upgrade), sure.  What is my risk in
	the elite inner circle case, I'm not a likely target (or no more so
	several thousand others) the incidence rate is low, so my overall
	is low (probability of incident), I can wait.  Now the elite release
	exploit, N thousand script kiddies download, my probability of incident is
	now about 100%, I'd better patch immediately.  See the difference for the
	'small guy'.  (admittedly zero difference if you are IBM, MS, AT&T,
	other high profile 'bonus points' target site).

	>	And yes I do manage a site, a private one, and I have sat on
	>sides of the firewall so to speak ;-)
	>	I am neither a criminal hacker nor security expert, but I am a person
	>who is security aware *wink wink*.

	No, really :-).

	>	Very FEW vendors claim their code is secure in general, some
	>it is
	>	secure against attack X, some claim it meets C2 or B1 or A3 or ...
	>	requirements if PROPERLY configured.  Everyone is careful, no one
	>	being sued.
	>	Funny this, but had I had a site based on an OS that
	>was breached, and caused me a huge loss, I would sue the vendor.
	>doesn't have to be secure, it MUST fit the purpose the software was
	>intended.  The problem like costs is that software is not a tangible object.
	>One can not necessarily state it didn't meet the requirements of the person
	>who bought the software.  However, how many vendors offer a refund
	>users find that the software they bought crashes constantly, or
	>gaping holes in their security?  None.  There should be a role reversal, ok
	>let the law deal with hackers, and let the corporation sue the

	Have you read a MS license agreement recently, specifically the 'fitness of
	use' clause?

	>	>	Mitnick's biggest problem is he pawed through people's stuff
	>	>out
	>	>	permission, a very negative PR event.  
	>	>
	>	>	Actually do you really know what he did?  The stuff
	>	>have written about him is all lies, and anyway, the information he had was
	>	>available on the internet!  The question is what information is in
	>	>public domain and what isn't?  And why?  And how did private info get in to
	>	>the public?  Mitnick received data from BBS that were
	>	>released...like credit card numbers...
	>	Yes and pawed through Telco dumpsters and switches.
	>	Which at the time is not illegal.  The file in question
	>the CC numbers was publicly available on the Net.  And as I believe the law
	>states that having this is not illegal using it is.  Owning Exploits is not
	>illegal, using them maybe....

	Like I said, the government did a good PR job.  The issue is the trace from
	the security guy in CA, that led back to Mitnick (yes, yes, I know, but it
	is enough to bust him, the rest is lawyerdom issues).

	>	Yes, are all goals always met?  Gee, maybe people should consider a goal of
	>	stopping burglars, I bet a $10000 security system would look neat on
	>	$2000 trailer in a low rent southern ghetto.  
	>	How about a $100 alarm, but wait you forgot the cost of the
	>The cost of living elsewhere, the emotional cost, ... and wait after the
	>insurance company has paid up, we must always include the emotional
	>and then the cost of the theft itself, and then the cost of the
	>caused which maybe more than the object was worth... and wait guess what, we
	>never had any evidence that there was a Rolex watch in the trailer..  We
	>can still say it was there though,,.. throw that in too...

	And it used to work that way, until insurance companies standardized
	and courts accepted that as 'general practice'.

	>	(It ALWAYS comes back to
	>	cost, I CAN break into ANY site, the trick is to make it cost more than it
	>	is worth.  The problem is my estimate of worth/cost is not the same
	>	as yours.)  If you have an EC site, I COULD hire 50 mercenaries, a
	>	of tanks, some automatic weapons, and be ready to kill the
	>	staff to walk off with the physical equipment, I bet that the bulk
	>	of EC site security out there.
	>	Yes, but highly unlikely.  What are the chances though that an EC
	>site is scanned every week?
	>	You know yourself how often things like these occur!
	>	  I doubt I'd make my money back and I bet
	>	I'd get at least a small hassle from LEA.  But I WOULD be able to break in
	>	to the equipment after I got it home (barring media level
	>	>
	>	>	Well let's say the project funding was 25 million dollars, I
	>	>advocate at least a few million in beginning the security
	>	>
	>	Again, not a one size fits all problem.  Suppose it was a
	>	dollar project.  $24.5 million in hardware that was to be
	>in a
	>	top level security office of the Pentagon, or in the White
	>	Room and the equipment was NEVER going to be connected to a
	>	need 1+ million for additional security?  
	>	Maybe, if the computer held classified documents, national
	>would be at risk if they were released, I would heavily invest in
	>Tempest equipment.

	At that point the whole damn room is already Tempest level :-).

	>	The key is Analysis, Analysis, Analysis.  What am I protecting, what is it
	>	worth to ME (hard and soft money), what is it worth to
	>	are the threats, what am I willing to spend to protect it?  You need all of
	>	the above to make a decision.
	>	Good point.  So why don't EC corporations take this in to
	>And it shouldn't just apply to EC sites, but to other computer sites around
	>the World.  Ok, maybe what should happen is the corporation should
	>the information stored in the systems, its worth in different
	>then if a breach does occur, they have the knowledge already.  More
	>than not, the corporate officer doesn't know how the information is
	>I understand that a precise value can not be calculated, but some
	>value could be.
	>	At the moment, as history has shown us, companies are
	>values to information which are just not thought out.  Sure stolen code is by
	>definition expensive, especially if it's a new algorithm to do
	>better.  But if it's so valuable, and this could be used to educate
	>management (in the quest for better security), why have they left it in a
	>place where it could be at risk?

	Because it was easier and cheaper for them to do that and increase
	productivity than impact productivity by securing it (doesn't the real world
	suck :-).

	One can still introduce the benefits of productivity through data
distribution and keep a handle on security.
	However, it's the personnel who are not interested/educated about
security who seem to be the problem.

	Dana Nowell                 Home: mailto:dana@nowell.mv.com
	Cornerstone Software Inc.   Work: mailto:DanaNowell@corsof.com    
	MIME attachments preferred, BINHEX and uuencoded acceptable.

	The opinions above are free, remember you get what you pay for.  
	The company doesn't speak for me and I don't speak for them.

Richard Scott	
(I.S.) E-Commerce Team
* Tel: 001-(612)-995-5432
* Fax: 001-(612)-947-2005
* Best Buy World Headquarters
   7075 Flying Cloud Drive
   Eden Prairie, MN 55344 USA
   This '|' is not a pipe
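A worked version of the rule argued over in this thread, "if 'cost to fix it' > 'Cost to recover' * 'likely incident count', it may be better to assume the risk", using the fifty-year event quoted above and the 'small guy' case where an exploit moves from an inner circle to public release. This is an added example, not code from either poster; the dollar figures and rates not quoted in the thread are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Exposure:
    """One threat against one site, in the terms used in the thread.

    Money is in dollars per incident, except fix_cost_per_year, which is the
    annual cost of the control that removes the risk."""
    name: str
    fix_cost_per_year: float   # the patch / firewall / process that stops the event
    recovery_cost: float       # cost to recover from one incident (rebuild, lost business)
    investigation_cost: float  # cost to check what the intruder did, even if nothing
    incidents_per_year: float  # likely incident count per year (a probability if < 1)

    def expected_annual_loss(self) -> float:
        """'Cost to recover' * 'likely incident count', with the thread's point that
        every break-in costs at least the investigation folded into each incident."""
        return self.incidents_per_year * (self.recovery_cost + self.investigation_cost)

    def breakeven_rate(self) -> float:
        """Incident rate per year above which the fix pays for itself."""
        per_incident = self.recovery_cost + self.investigation_cost
        return float("inf") if per_incident == 0 else self.fix_cost_per_year / per_incident

    def decision(self) -> str:
        """The rule from the thread: if cost to fix exceeds the expected loss,
        assuming the risk may be the better choice."""
        if self.fix_cost_per_year > self.expected_annual_loss():
            return "assume risk"
        return "fix"


def after_exploit_release(exposure: Exposure, new_rate: float) -> Exposure:
    """Same exposure once the exploit is public: only the incident rate changes,
    which is what turns 'wait for the quarterly upgrade' into 'patch now'."""
    return replace(exposure, name=exposure.name + " (exploit released)",
                   incidents_per_year=new_rate)


def report(exposures: list[Exposure]) -> list[dict]:
    """One row per exposure with the figures a manager would ask for."""
    return [{"name": e.name,
             "expected_annual_loss": round(e.expected_annual_loss(), 2),
             "breakeven_rate": round(e.breakeven_rate(), 4),
             "decision": e.decision()} for e in exposures]


# Constructed scenarios. The first uses the figures quoted in the thread
# ($200K/year to stop the event, $1M to recover, once in 50 years).
FIFTY_YEAR_EVENT = Exposure("site worth $1M/yr, event once in 50 years",
                            fix_cost_per_year=200_000, recovery_cost=1_000_000,
                            investigation_cost=0, incidents_per_year=1 / 50)

# The 'small guy' defacement case; these dollar figures and the 5%/year rate
# while the exploit stays in the inner circle are assumptions, not from the thread.
DEFACEMENT_PRIVATE = Exposure("defacement, exploit not public",
                              fix_cost_per_year=5_000, recovery_cost=10_000,
                              investigation_cost=3_000, incidents_per_year=0.05)
DEFACEMENT_PUBLIC = after_exploit_release(DEFACEMENT_PRIVATE, new_rate=1.0)

if __name__ == "__main__":
    for row in report([FIFTY_YEAR_EVENT, DEFACEMENT_PRIVATE, DEFACEMENT_PUBLIC]):
        print(row)
```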