non-disclosure of infrastructure problem a management issue?

Anders Karlsson anders at trudheim.co.uk
Mon Aug 25 20:48:12 UTC 2008


* Les Mikesell <lesmikesell at gmail.com> [20080825 19:39]:
> Anders Karlsson wrote:
>> You are making assumptions Les. You don't know how the perpetrator
>> gained access. (Well, I am assuming you don't, but if you do, feel
>> free to enlighten the rest of us.)
>
> Agreed - I don't know. And that's a problem when someone else does know
> how to break into our systems - or we haven't been told that it was an
> inside job.

But that is pretty much the normal state of affairs! Any given OS has
vulnerabilities (and if you argue that one - I'll be very
surprised). There will be someone somewhere that works out how to
exploit one of the vulnerabilities - and I can pretty much guarantee
that the person ain't you.

So the de-facto state of affairs is:
 * Someone else knows how to break in to your system

Now - are you a big enough and prestigious enough target? Is there
financial gain in attacking you? Is it easy enough to gain access to
your systems to add them to a botnet?

If you take reasonable and sensible precautions (i.e. make yourself a
hard enough target to break in to) then you will be quite safe. This
is standard practice.


According to statistics, the majority of security breaches (I've heard
numbers saying 80% - but I have no way to verify them) are inside
jobs. Social engineering to gain access is also a common method, as
it's an easy way to break in (look at Kevin Mitnick).

If you are panicking over the current situation - you should have been
in a state of panic six months ago, and still be in a state of panic
in another six months.

>> Until it's disclosed how (and where, when and why) - getting worked up
>> over it is wasted energy.
>
> So is pretending that there is no reason to be concerned.

Yes - so keep your pants on and await further details before working
yourself up. Now is the time to perhaps be a little more alert (the
world needs more lerts) than normal, and just have patience to await
further news.

>> Congratulations on the very selective quoting as well.
>
> It doesn't make any sense to point out how serious a problem a break-in
> is and then say everyone should just ignore it and go about their
> business.

Actually, I think it does. Nothing has been said about how the
perpetrator got in, and I expect that to remain under wraps for some
time to come. There is an investigation ongoing.

That unauthorised access was had is pretty serious. So read something
like cert.org to see if there are things to worry about. That's where
all the disclosed vulnerabilities usually end up. If by "ignore it"
you infer that we're saying "pretend it didn't happen", you have not
understood what's been said.

Do I want to know what happened - yes. Will I harass the
investigators to find out - no. (Hell, I'm still waiting to find out
who shot JFK...)

/Anders



