Re: I got an intruder ...

Gene Spafford (spaf@cs.purdue.edu)
Mon, 13 Nov 1995 11:34:15 -0500

> > > I'm presently working on security policies for a customer, 
> > > they're asking me what to do with intruder ;)
> >
> >  [ one reply deleted...]
> 
> What is this neurotic escalation? Has the intruder actually done
> anything other than intrude? If not then close the door they used to get
> in and be thankful that you had this kind of intruder who in effect
> pointed out you were not doing your job properly, rather than one that
> actually did damage. Learn and let live.
> 
> [more stuff]
> 
> My stomach turns every time I see exceptionally ordinary system
> administrators suddenly wet their pants and quiver with excitement and
> anticipation when they come to the conclusion they can really be
> important secret agents, wooed by police, intelligence officers and the
> media. It's an enormous waste of public and private funds. And all for the
> ego and self-delusion of glorified computer managers who are devoid
> of any real life.

That kind of reply was really uncalled for.  It displays an ignorance
of the issues, and it insults professionals who are seriously
undertaking their duties.

Security professionals work in a variety of different environments.
Not everyone works in a relatively tame .edu environment as does
Julian (who made the reply partially quoted above).  Thus, talk about
"closing the door" and moving on does not make sense in many
environments.

First of all, there are some environments where the security admin is
required, as a matter of law, to report the incident and cooperate
with law enforcement personnel.  For instance, computers that are part
of a government operation (esp. military), or certain forms of
regulated financial institution may require reporting.

In other environments, the reporting is up to the local management.
However, if the incident is part of a larger pattern of misbehavior,
then *not* reporting the incident may leave the organization (and
personnel!) open to later civil charges (and perhaps even criminal
charges if the personnel knew that the hackers were involved in fraud
or espionage).  For example, if I discover that hackerX has
compromised my system and is using it to hack into Bank of America,
and I do nothing, then I might possibly be the target of a civil suit
by the bank as it attempts to recoup some losses...or set some
examples.

In some environments, the damage could never amount to enough to be
worth the hassle of investigation.  Most educational institutions are
like this, assuming the management has made good backups, etc.
However, even in these environments, there may be damages that are
significant (e.g., loss of patent disclosure material, violation of
confidential records).

In a few environments, business decisions have been made to not
disclose computer incidents because it might have a greater impact on
the business reputation than any loss could have. For instance, many
banks do not report security incidents to anyone because they fear a
loss of reputation would be worse than the actual computer loss.

Given all that, how do you decide what to do?  Well, like anything
else in computer security, you need to do some cost-benefit analysis
based on threat, loss, and effect.  Here are some of the things you
need to take into account with such an analysis:

+ successful investigations and prosecutions help decrease the overall
  threat by taking some hackers off the wires, and by discouraging
  others.

+ successful investigations etc. may cut down on threat to you from 
  hackers (or at least the wannabes) by making you a more dangerous
  target to mess with.  (Example: on our campus, it is well known that
  some departments aggressively investigate and prosecute misuse,
  including expulsion from the university and arrest.  Those
  departments have fewer security incidents than those with a "let it
  be" attitude.)

+ successful investigations can sometimes be a prelude to recovering
  losses via a civil judgement

+ successful investigations can result in better security.  For
  instance, I know of several cases where firms found that they had
  other, undiscovered security problems.  The way they found this was
  when they had search warrants executed against suspects in security
  cases and the authorities discovered evidence of other problems.

+ investigations may result in reduced insurance rates, and certainly
  in helping reduce your liability profile.

- investigations may be time and labor intensive.

- law enforcement personnel you deal with may be largely clueless and
  you'll need to spend extra time and energy educating them. (This is 
  not a one-time cost, but it is not an every-time cost, either.  In 
  many places there are already trained personnel.)

- investigations may result in negative publicity about the incident 
  (however, a good PR person can often spin this to a positive)

- resources may be temporarily out of service during evidence
  collection (depends on the resources and on the material needed)

There are other factors, but those seem to be the main ones, based on
the people I've talked to and the cases I've helped with.

There are at least three other things to keep in mind about trying to
do an investigation and prosecution:

  1) Simply because you have only spotted someone logging in and doing
an "ls" or "ps" or whatever is **NO** clue as to what else has been
done, or what the person intends to do.  This may be the first
penetration, or it may be the 200th and the hacker's luck has run out.
Maybe it is only someone seeing how many accounts he can break, and
maybe it is a member of a foreign intelligence agency or competitor
intent on copying your proprietary files, altering system software,
and planting a logic bomb.  You *CANNOT* tell from what you see here,
nor can you depend on your logs unless you are using very strong
security methods (few places are).  Even if you catch or communicate
with the perpetrator, you can't depend on what he/she says: the
relatively naive hacker and the professional spy will both claim to be
"just looking around."  You also have no idea what they would have
done tomorrow had you not caught them today.
    If you have little to lose on your system, you may be willing &
able to ignore the person.  If you have a lot to lose, you better get
busy.
  2) Don't push an investigation yourself until you have contacted law
enforcement, if you have any possible intent in prosecution.  The
reason for this is that certain acts must be done in the right order,
and with proper record keeping.  If you investigate too far, you may
contaminate evidence that is needed for prosecution.  Furthermore, you
may actually muck up the trail to where it is not possible to track
the intruder.  The majority of system admins do not have the necessary
training or legal background to do this by themselves.  Get law
enforcement and other professionals involved early.
   Also, realize that what you may initially think is something simple
and local could be part of a very wide-spread and serious pattern of
activity.  By the time you discover this, it could be too late.  So,
your policy should make it clear when to call in law enforcement --
before you get too far into it.
  3) The field of computer crime investigation is new.  Law enforcement
personnel are learning as they go.  They need good cases and
cooperation to get that experience, though.  Not every case will
work.  But more will as time goes on.  And more resources will become
available as the magnitude of the problem becomes apparent.  However,
if firms make it a policy not to investigate or prosecute, the
community will be deprived of the resources we may need later.  It is
also the case that we need the deterrent -- if we can collectively
make hacking less glamorous and more risky, it should help reduce it.

That's a very brief summary of the major issues.  So, the answer to
the original question is "it depends on a lot of things."  But then,
that's what good security is all about.

--spaf

PS to Julian: if this makes your stomach ache too, you may need to see
a good physician. Unless you'd rather "close the door and get on with
it." :-)