> > > I'm presently working on security policies for a customer,
> > > they're asking me what to do with intruder ;)
> >
> > [ one reply deleted...]
>
> What is this neurotic escalation? Has the intruder actually done
> anything other than intrude? If not then close the door they used to get
> in and be thankful that you had this kind of intruder who in effect
> pointed out you were not doing your job properly, rather than one that
> actually did damage. Learn and let live.
>
> [more stuff]
>
> My stomach turns every time I see exceptionally ordinary system
> administrators suddenly wet their pants and quiver with excitement and
> anticipation when they come to the conclusion they can really be
> important secret agents, wooed by police, intelligence officers and the
> media. It's an enormous waste of public and private funds. And all for the
> ego and self-delusion of glorified computer managers who are devoid
> of any real life.

That kind of reply was really uncalled for. It displays an ignorance of the issues, and it insults professionals who are seriously undertaking their duties.

Security professionals work in a variety of different environments. Not everyone works in a relatively tame .edu environment as does Julian (who made the reply partially quoted above). Thus, talk about "closing the door" and moving on does not make sense in many environments.

First of all, there are some environments where the security admin is required, as a matter of law, to report the incident and cooperate with law enforcement personnel. For instance, computers that are part of a government operation (esp. military), or certain forms of regulated financial institution may require reporting.

In other environments, the reporting is up to the local management. However, if the incident is part of a larger pattern of misbehavior, then *not* reporting the incident may leave the organization (and personnel!) open to later civil charges (and perhaps even criminal charges if the personnel knew that the hackers were involved in fraud or espionage). For example, if I discover that hackerX has compromised my system and is using it to hack into Bank of America, and I do nothing, then I might possibly be the target of a civil suit by the bank as it attempts to recoup some losses...or set some examples.

In some environments, the damage could never amount to enough to be worth the hassle of investigation. Most educational institutions are like this, assuming the management has made good backups, etc. However, even in these environments, there may be damages that are significant (e.g., loss of patent disclosure material, violation of confidential records).

In a few environments, business decisions have been made to not disclose computer incidents because it might have a greater impact on the business reputation than any loss could have. For instance, many banks do not report security incidents to anyone because they fear a loss of reputation would be worse than the actual computer loss.

Given all that, how do you decide what to do? Well, like anything else in computer security, you need to do some cost-benefit analysis based on threat, loss, and effect. Here are some of the things you need to take into account with such an analysis:

+ successful investigations and prosecutions help decrease the overall threat by taking some hackers off the wires, and by discouraging others.

+ successful investigations etc. may cut down on threat to you from hackers (or at least the wannabes) by making you a more dangerous target to mess with. (Example: on our campus, it is well known that some departments aggressively investigate and prosecute misuse, including expulsion from the university and arrest. Those departments have fewer security incidents than those with a "let it be" attitude.)

+ successful investigations can sometimes be a prelude to recovering losses via a civil judgement

+ successful investigations can result in better security. For instance, I know of several cases where firms found that they had other, undiscovered security problems. The way they found this was when they had search warrants executed against suspects in security cases and the authorities discovered evidence of other problems.

+ investigations may result in reduced insurance rates, and certainly in helping reduce your liability profile.

- investigations may be time and labor intensive.

- law enforcement personnel you deal with may be largely clueless and you'll need to spend extra time and energy educating them. (This is not a one-time cost, but it is not an every-time cost, either. In many places there are already trained personnel.)

- investigations may result in negative publicity about the incident (however, a good PR person can often spin this to a positive)

- resources may be temporarily out of service during evidence collection (depends on the resources and on the material needed)

There are other factors, but those seem to be the main ones, based on the people I've talked to and the cases I've helped with.

There are at least three other things to keep in mind about trying to do an investigation and prosecution:

1) Simply because you have only spotted someone logging in and doing an "ls" or "ps" or whatever is **NO** clue as to what else has been done, or what the person intends to do. This may be the first penetration, or it may be the 200th and the hacker's luck has run out. Maybe it is only someone seeing how many accounts he can break, and maybe it is a member of a foreign intelligence agency or competitor intent on copying your proprietary files, altering system software, and planting a logic bomb. You *CANNOT* tell from what you see here, nor can you depend on your logs unless you are using very strong security methods (few places are). Even if you catch or communicate with the perpetrator, you can't depend on what he/she says: the relatively naive hacker and the professional spy will both claim to be "just looking around." You also have no idea what they would have done tomorrow had you not caught them today. If you have little to lose on your system, you may be willing & able to ignore the person. If you have a lot to lose, you better get busy.

2) Don't push an investigation yourself until you have contacted law enforcement, if you have any possible intent in prosecution. The reason for this is that certain acts must be done in the right order, and with proper record keeping. If you investigate too far, you may contaminate evidence that is needed for prosecution. Furthermore, you may actually muck up the trail to where it is not possible to track the intruder. The majority of system admins do not have the necessary training or legal background to do this by themselves. Get law enforcement and other professionals involved early. Also, realize that what you may initially think is something simple and local could be part of a very wide-spread and serious pattern of activity. By the time you discover this, it could be too late. So, your policy should make it clear when to call in law enforcement -- before you get too far into it.

3) The field of computer crime investigation is new. Law enforcement personnel are learning as they go. They need good cases and cooperation to get that experience, though. Not every case will work. But more will as time goes on. And more resources will become available as the magnitude of the problem becomes apparent. However, if firms make it a policy not to investigate or prosecute, the community will be deprived of the resources we may need later. It is also the case that we need the deterrent -- if we can collectively make hacking less glamorous and more risky, it should help reduce it.

That's a very brief summary of the major issues. So, the answer to the original question is "it depends on a lot of things." But then, that's what good security is all about.

--spaf

PS to Julian: if this makes your stomach ache too, you may need to see a good physician. Unless you'd rather "close the door and get on with it." :-)