Video How to Prepare for an IT Security Disaster (Video) 23
Robin Miller for Slashdot: Our guest today is Neill, who is the President of Sitelock. And we’re going to ask Neill two big questions. Let’s start with the first one. Neill, response plans. Now most companies, I don’t if they have disaster or hacked, what kind of response plans should people have?
Neill Feather: At Sitelock, we work with a lot of business owners who are responding to data breaches. Most of them are in panic mode at that time. And so from our experience working there what we see is a pace to be prepared. You want to make sure that you are doing everything you can to protect your data and your customer's data. But at the same time recognize that there is a chance that you will be breached and so it’s good to plan ahead to determine what you want to do if that eventuality arises. Who is going to be involved on your side, what external people do you want to involve and how are you going to communicate and when. So those are the kinds of things that go into a good incident response plan and really need to be thought about before the worst happens.
Slashdot: This doesn’t sound like it’s hard to – I mean it’s just like somebody has to make notes like for a fire evacuation or something and just know where they are, am I right?
Neill Feather: I think that’s right. And I think just like a fire evacuation it’s good to practice. So you know unfortunately that involves sometimes waking people up in the middle of the night to do a fire drill. And just like if you live in an apartment or a hotel that happens to you sometimes, but that’s important to do because it puts people under the same type of stress that they are going to be going through in an actual incident.
Slashdot: Do you think Home Depot had run that scenario and had any plan in place? Didn’t seem like it, did it?
Neill Feather: It’s hard to say, I do think that in terms of the end customer communication, some of the recent breaches have been pretty good in terms of what they have been communicating to end customers and when. There have been others that have waited longer and I think that’s an important thing when once news gets out that there is a breach to make sure that you are communicating to your customers what happened, how they are potentially impacted or not and what you are going to do about it. And I think there have been some good examples of folks doing things the right way to make sure that they are either putting credit monitoring in place or other types of restitution for these customers that have experienced the loss of their personal data.
Slashdot: Okay. That’s good. What comes to mind to me when I think of breaches and insecurity is not a computer thing, but the famous Tylenol poisoning instance, which turned out to be just a few bottles by one nut case, but manTylenol was recalled, it was – we all knew we were safe buying that product.
Neill Feather: Yeah.
Slashdot: What can we do? You mentioned credit checks, but not even just for retail customers more generically and business-to-business, what do we do? What should we be ready to do I should say?
Neill Feather: Well, you mentioned the Tylenol case. It’s one I know well, I spent 10 years at Johnson & Johnson before I came here. Definitely close to home for me and I studied that one a lot, and I think how you respond, that’s a great example of how you can respond. I think you need to start out by apologizing for the breach. While many of these things are preventable, even if they are not at the end of the day, you are responsible for that loss of data and the potential impacts that that has to people. And I think from then on it’s important to just be honest with your customers whether they be consumers or businesses, not only about what happened and what their exposure is but also about what you are going to do, A) make sure that it doesn’t happen again, and B) try to make them halt to the extent that you possibly can. And I think in terms of making sure it doesn’t happen again, whatever you promise you are going to do, you better make sure you do it, because you get in once, but you won’t be a second time.
Slashdot: Yeah, that’s a big point. I guess just absolute honesty.
Neill Feather: I think that’s an important thing when you’re crafting a response. You know we work with a non-profit called the Online Trust Alliance and they have a great response plan in a box and one of the things they offer is a templated response that lays out the steps of an apology and a response to a breach.
Slashdot: That’s interesting. And I expect this is something any business can download and use?
Neill Feather: Yeah, it’s available on their website. We have a link to it on our blog as well. So it is definitely something that people can go out and grab and we felt like – obviously our partnership with that group is important to us. And we help contribute to it and we think it’s an important thing for businesses to be ready for these types of events.
Slashdot: So that can apply to any business from one person thing on up, so you will note that at URL is flashing at the bottom of the screen right now. Yeah, everybody should know that. If we learn nothing else from you that today, that one piece of information is going to save hundreds and thousands of small businesses pain, isn’t it?
Neill Feather: I hope so. And you know, the sad reality of it is that, if a small business suffers a breach, there is over 60% chance that they will be out of business within six months. For bigger businesses, you know the average payout is about $3.5 million, which is a lot of money but it is also something that’s absorbable to a big business. To a small business, you know that loss of trust can lead to much more damage in terms of the actual impact of that business.
Slashdot: Yeah, that could also, breaches and problems could be indicative of sloppy management or other problems that will put that, I don’t know whether it's a causation thing?
Neill Feather: Sure. It could be, I mean, I think if I’ve learned anything working with the business owners that we do work with here, you know, their biggest sin is not being aware that it can happen to them. And I think one of the things we try to impress on our customers is it can happen to anybody and it’s not always even targeted because you did something wrong, it can be random, because they just want data, resources or other types of online goods that they can then exchange for value.
Slashdot: Yeah. We’ve talked about that with other people at fairly good length, sure, and then market for credit card information and even just personal information to sell to advertisers, especially fake advertisers?
Neill Feather: Yeah, there is a lot of that going around and it’s scary that there is such defined values on each individual piece of data that you can buy on those black markets.
Slashdot: So, Neill, you’ve been working specifically at SiteLock watching website security since 2008, right?
Neill Feather: That’s right.
Slashdot: And in that time what has changed, have things gotten worse, better, what’s up?
Neill Feather: I think some things have gotten worse and some have gotten better. You know one of the things that I think has gotten better is the awareness of security among business owners and the importance of it. I think we’re starting to see a lot more business owners know they need security. I think in some cases they don’t know what that means, but they know they need to do something about it which is a big step forward from 2008. I think on the flip side, the negative side of it is the types of attacks that we see now are much more sophisticated, in many cases targeted, we also see a lot more of the non-targeted types of attacks. The types of things that take out 100,000 websites in a clip and those types of things, those are getting more and more frequent unfortunately as more and more people converge among open source platforms and other standard software that kind of concentrates the risk on the web. So we’re seeing a couple of trends, some positive, some not so positive.
Slashdot: Okay. So, like you said people are becoming more aware and that’s important. One thing I have heard varying answers to this from varying people. Small business, safer than big business, because not so much of a target or more of a target because they are softer?
Neill Feather: I think there are different kinds of target. There are definitely software in many cases because they don’t have in-house security personnel thinking about this stuff all the time. I think the other reason is, what we see a lot of small businesses fall victim to is not necessarily an attack that's targeted at them for something they did
Slashdot: Right.
Neill Feather: ...you know, like they get targeted because they are launching a movie that some folks find insulting. The small business doesn’t get targeted like that, they just fall victim to automated types of attacks that you see happening every day. And so they may, that’s one of the first questions people ask us, why me. And the unfortunate answer is, it has nothing to do with you, they are after the resources that they can get from 10,000 websites just like yours.
Just get yourself some good admins.... (Score:2)
Re: (Score:2)
Also get some honest admins. Most data thefts are inside jobs, not external "hackers". Additionally, most data thefts are never detected.
This is sane. Sensible. (Score:3, Interesting)
If it stops them from .... (Score:5, Insightful)
Re: (Score:2)
If these drills make the pointy haired bosses stop thinking IT security purely as a cost to be minimized it would do some good. If an IT dept works well and prevent disasters they never get credited for it. It they slip up and make a huge mistake, they get fired. If the best reward you can hope for is "not getting fired", it will attract a level of talent that considers "not getting fired" an achievement and goal. Unless the management mentality changes IT disasters will keep happening. At least if we fired the top management too along with IT disasters and sue the corporate board for mismanagement, then they might pay attention.
Doesn't that apply to most jobs? If an accountant works well and gets most of the numbers right, he never gets credited, but make one huge mistake that costs the company huge sums of money, and he gets fired. If the Marketing Department works well and brings in lots of business, but makes one huge PR mistake that offends customers and drives away customers, then they get fired. And so on.
IT isn't the only department that gets little credit when things go well, but gets big blame when they don't.
Re: (Score:2)
The job of an IT guy in a messed up situation is to have the spare resources to deal with somebody else's fuckup so that you can pull their balls out of the fire before they push your face into the fire. So it's not just about doing your job right, and it's not just about having the logs to show that you are doing your job right, it's also about second guessing other people's fuckups so they don't
Re: (Score:2)
It helps to let executive management outside of IT know that you're doing something. Maybe periodic reports detailing intrusion attempts, right down to failed SSH logins (there are always lots of those). The value of defense goes up if it's clear to everyone that you're actually under siege.
The first rule (Score:5, Funny)
Keep your resume up to date, and off site.
Comment removed (Score:5, Insightful)
Something happens, what do you do? (Score:1)
Go to the press, say "we got hacked! not our fault! hackers did it!".
Everyone'll believe you and won't blame you. Always works. Just look in the press, plenty succesful examples.
And yeah, this is stupid. Then again, confuse hackers and crackers, paint yourself stupid. Say "cyber" while at it, too.
So many disasters to choose from... (Score:2, Interesting)
Since IT has so many facets, I have a nice buffet of choices to choose from for IT disaster scenarios:
1: A bad guy gets access to the SAN, drops all LUNs, then resyncs all drives as empty mirrored pairs, overwriting all data in the array with garbage.
2: Someone logs onto the HID card reader server and deletes all users from all doors. Much fun ensues as a lot of the doors have no backup mechanical keys, and the ones that do, someone stuffed half a key in.
3: Someone logs on remotely to the HVAC system an
Re: (Score:2)
Having a stupid MITM device is just asking for a disaster in the first place.
Having the thing compromised and getting lawyers from banks after your blood is probably far more likely than catching someone in the act of industrial espionage or whatever paranoid reason you have the spy device installed for.
Don't store what you don't need (Score:2)
My plan for billing data is to put the whole thing on a separate off-line system dedicated to the job. The customer-facing system for updating billing information won't have complete information, credit-card numbers and such will be masked (assuming we need them, as much as possible I plan to offload that to services that do payments for a living). Customer updates will be split, masked data will be used to update the customer-facing system's data while the complete copy will go through a write-only interfa
Just Keep Doing What You're Doing (Score:2)
Site Unlocked (Score:2)
I once worked with a small web site owner to help clean up phishing sites that were on his site. We had a bit of trouble finding the last one on the server, a mix of my inexperience with web server configs and lacklustre support from his web host. Site Lock were convinced his site was 100% clean, even when the owner kept giving them the URL of the phishing site which was still working. They kept saying his site was clean, he has nothing to worry about! And to keep your site clean, why don't you pay us $LOL
Maybe... (Score:1)
How to Prepare for an IT Security Disaster (Video) (Score:1)