What would you do if a major US computer security firm
attempted to hack your site's servers and networks?
Would you tell the company or let their experts figure
it out?
matthew black
network services
california state university, long beach
Matthew Black wrote:
What would you do if a major US computer security firm
attempted to hack your site's servers and networks?
Would you tell the company or let their experts figure
it out?
matthew black
network services
california state university, long beach
I'd contact the chiefs of the company in order to assess
what actually happened. Define attack. If it's an IP-based
attack, it would be difficult to prove unless it was ongoing,
as spoofing could play a role. It could turn out to be
something as trivial as said company ending up with a
machine they own which was compromised and used as an
attack vector... I've seen it happen to a few companies.
Personally, I would seek out the CSO, Senior IT personnel,
and follow that route.
1) Locate baseball bat
2) Acquire plane ticket
3) Call friends in city where said company is located
4) help them locate their own bats
5) ...
6) Profit
On a more serious note, I'd contact them and ask for them to stop.
Barring that call a lawyer and have a fancy letter sent to someone's
boss.
Can you better define "attempted to hack", please?
-Jim P.
I'd hold a very public discussion on the matter.
If their people are intentionally trying to hack your network, they're probably using proprietary information in violation of some NDAs.
It's also indicative of a larger problem.
If their servers are compromised and are being remotely abused by a third party, that's something their clients need to know.
If it's a spoof, that should also be publicly exposed and addressed.
Submit your log files to http://www.dshield.org/howto.html ?
Block their IP addresses?
Call their registrar and have their domain shut down?
Sell the movie rights to a famous Hollywood producer and make sure you
get to play the lead character along with Harrison Ford?
Is this a theoretical question?
Cheers,
Andre
What would you do if a major US computer security firm
attempted to hack your site's servers and networks?
Would you tell the company or let their experts figure
it out?
call the fuzz
While you’re pursuing that route from a legal/business side, on the technical side I’d suggest null routing the block they’re coming from at your edge.
-brandon
I think the first thing to do would be to attempt to determine whether they were trying to actually 'hack' anything, or whether they were doing some kind of hostscanning as part of a survey, or what (or even if it's traffic which isn't spoofed - i.e., is it TCP) - i.e., classify the traffic - and then if the activity is annoying/harmful/undesirable, implement appropriate filtering mechanisms to block said traffic.
[Of course, various OS, application, and network infrastructure BCPs should be implemented so as to combat interactive cracking-type activity in the first place.]
The next thing to do would be to contact them directly and ask if they're aware of this situation - if so, ask what they're doing and ask them to stop if it's annoying/harmful, secondly if they're not aware, let them know so that they can see if they've an unauthorized individual/group generating the traffic in question, or perhaps have systems on their network which have been compromised and are being used for illicit activity.
IANAL, but I'd suggest trying to have a conversation before getting lawyers involved. Hopefully, it's just a misunderstanding of some sort, and can be resolved amicably.
On a more serious note, I'd contact them and ask for them to stop.
Barring that call a lawyer and have a fancy letter sent to someone's
boss.
Being as they are a security company it is possible- if unlikely- that someone typo'd an address range into a vulnerability scanner.
"Never attribute to malice that which is adequately explained by stupidity"
-Don
Step 0: Define "attempted to hack"?
Step 1: Ask whoever acts as your CTO/CIO if you contracted for a pen test
from the company.
Step 2: If you're not a customer of the security company, contact the company,
and explain the concept of "negative advertising" to them.
Personally, I would try to find out who at my site- potentially
including S-OX, PCI, other auditors, and the Board- contracted for
them to do it.
Matthew Black wrote:
What would you do if a major US computer security firm
attempted to hack your site's servers and networks?
Would you tell the company or let their experts figure
it out?
matthew black
network services
california state university, long beach
What happened to me one time was that one of my hosting customers hired
a firm to do a security check on their website. This company ran a
whole battery of penetration tests against the server. The bad news is
that the customer never told us this was going to happen. The good news
was that we detected the "attack" and blackholed the tester's IP
address. We passed with flying colors.
Better check with your management to make sure that they haven't
authorized something.
Roy
Just a few words of caution...
First make sure that it is a hack, and not just a ping or SMTP test
because they are trying to deliver you email. I did ask for a
definition of what the OP meant by hack, but haven't seen anything yet.
Secondly, make sure that no one else in your company authorized this. A
lot of companies do pay outside agencies to test their security.
Security audits are notorious for being requested by the corporate
financial personnel, and those are the same folks that the networking
dept communicates the least with (IMHO).
Finally, is it possible that the "hack" was planned behavior or a well-
intended mistake? Years ago, others at $DAYJOB received customer-
provided configuration files to try and emulate a customer problem. All
sorts of interesting traffic left our network and hit the customers;
after all, their configs had all their IPs listed. The customer's
security department (left hand) called the FBI simply because they
didn't know what their own network department (right hand) was asking
$DAYJOB to do.
-Jim P.
On top of the other suggestions, I would add: Make sure you're really
being hacked before complaining. If I had a dollar (or even a nickel)
for every "stop hacking my port 80" complaint I've seen in my career,
I would currently be in possession of all the currency on this planet.
Automated tools make mistakes. Stateless firewalls, personal desktop
alarms, and god knows what else are really great at seeing legitimate
FTP, DNS, HTTP and other traffic and making an incorrect assumption
that it must be due to something nefarious.
That being said, I have actually seen other networks leak like a sieve
due to infected desktops or what not. I've found the quickest way to
find out if they are aware was to call them on the phone and ask to
speak to their IT help desk or security team.
I'd then also null route the offending IPs, and potentially put in a
calendar reminder to consider removing the null route in three months
and observing to see if the unwanted traffic continues.
Regards,
Al Iverson
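The triage described in this thread (classify the traffic per source before complaining, distinguish a scan from the "stop hacking my port 80" kind of false positive, note whether the source could be a blind spoof, then null route only what deserves it and diary a date to revisit the null route) can be scripted against firewall logs. The following is an added example, not code from the thread or from any poster; the log line format and the IP addresses are constructed for illustration and are not any real firewall's format, and the scan threshold of five distinct destination ports is an assumed tuning value.

```python
"""Triage of firewall log lines before complaining or null-routing.

Added example: this is not code from the thread or from any poster. It
classifies traffic per source (scan vs. ordinary service traffic such as
HTTP, SMTP or DNS replies), notes whether the source could be a blind spoof,
lists null-route candidates, and computes the date to revisit a null route.
The log format is a constructed, simplified one, not any real firewall's."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the thread).
# Fields: timestamp proto src:port -> dst:port tcp-flags ('-' when not TCP)
SAMPLE_LOG = """\
2024-05-01T10:00:01 TCP 203.0.113.7:51234 -> 198.51.100.10:22 S
2024-05-01T10:00:01 TCP 203.0.113.7:51235 -> 198.51.100.10:23 S
2024-05-01T10:00:01 TCP 203.0.113.7:51236 -> 198.51.100.10:25 S
2024-05-01T10:00:02 TCP 203.0.113.7:51237 -> 198.51.100.10:80 S
2024-05-01T10:00:02 TCP 203.0.113.7:51238 -> 198.51.100.10:443 S
2024-05-01T10:00:02 TCP 203.0.113.7:51239 -> 198.51.100.10:3389 S
2024-05-01T10:00:03 TCP 192.0.2.44:40000 -> 198.51.100.10:80 S
2024-05-01T10:00:03 TCP 192.0.2.44:40000 -> 198.51.100.10:80 A
2024-05-01T10:00:04 TCP 192.0.2.44:40000 -> 198.51.100.10:80 PA
2024-05-01T10:00:05 TCP 192.0.2.55:2525 -> 198.51.100.20:25 S
2024-05-01T10:00:05 TCP 192.0.2.55:2525 -> 198.51.100.20:25 A
2024-05-01T10:00:06 UDP 198.51.100.99:53 -> 198.51.100.10:33000 -
2024-05-01T10:00:07 ICMP 203.0.113.9:0 -> 198.51.100.10:0 -
"""

LINE_RE = re.compile(
    r"^(\S+) (TCP|UDP|ICMP) (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+) (\S+)$"
)

# Ports whose presence on either side usually means ordinary service traffic,
# the "stop hacking my port 80" class of false positive.
SERVICE_PORTS = {25, 53, 80, 443}
# Distinct destination ports from one source at or above which we call it a
# scan (assumed tuning value).
SCAN_PORT_THRESHOLD = 5


def parse(log_text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match; real logs carry noise
        ts, proto, src, sport, dst, dport, flags = m.groups()
        events.append({"ts": ts, "proto": proto, "src": src, "sport": int(sport),
                       "dst": dst, "dport": int(dport), "flags": flags})
    return events


def classify_sources(events):
    """Return {src_ip: verdict info}, one entry per source address."""
    per_src = defaultdict(lambda: {"dports": set(), "protos": set(),
                                   "ack_seen": False, "service_port": False})
    for e in events:
        s = per_src[e["src"]]
        s["dports"].add(e["dport"])
        s["protos"].add(e["proto"])
        # An ACK-bearing segment from the source means it received our SYN-ACK,
        # so the address is not a blind spoof. SYN-only traffic proves nothing.
        if e["proto"] == "TCP" and "A" in e["flags"]:
            s["ack_seen"] = True
        if e["sport"] in SERVICE_PORTS or e["dport"] in SERVICE_PORTS:
            s["service_port"] = True

    result = {}
    for src, s in per_src.items():
        if len(s["dports"]) >= SCAN_PORT_THRESHOLD:
            verdict = "port-scan"
        elif s["service_port"] and len(s["dports"]) == 1:
            verdict = "ordinary-service-traffic"
        else:
            verdict = "unclassified"
        result[src] = {"verdict": verdict,
                       "distinct_ports": len(s["dports"]),
                       "spoofable": not s["ack_seen"],
                       "protocols": sorted(s["protos"])}
    return result


def null_route_candidates(classified):
    """Sources worth a null route at the edge: only those classified as a scan."""
    return sorted(src for src, r in classified.items() if r["verdict"] == "port-scan")


def review_date(installed_on, days=90):
    """When to revisit a null route, following the three-month reminder idea."""
    return installed_on + timedelta(days=days)


if __name__ == "__main__":
    verdicts = classify_sources(parse(SAMPLE_LOG))
    for src, info in sorted(verdicts.items()):
        print(f"{src:15} {info['verdict']:25} ports={info['distinct_ports']} "
              f"spoofable={info['spoofable']} protos={','.join(info['protocols'])}")
    print("null-route candidates:", null_route_candidates(verdicts))
    print("review null routes on:", review_date(datetime(2024, 5, 1)).date())
```

On the constructed input the six-port SYN sweep from one address is the only null-route candidate and is flagged as possibly spoofed (no ACK ever came back from it), while the HTTP session, the SMTP delivery and the DNS reply all fall into the ordinary-service-traffic bucket that a stateless alarm would have reported as an attack. The "unclassified" verdict is deliberate: a lone ICMP packet is neither proof of a scan nor of normal service use, which is exactly the case where you ask the other side what they think they are doing before escalating.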
Contact your internal security and legal folks. Sometimes in large
organizations, a group hires an external security firm to perform an
audit (e.g. PCI, SAS70, etc.) without talking to the correct people
elsewhere in their organization.
"Security firms" should conduct due diligence of the information before
using it, but sometimes they type the wrong numbers or addresses in their
auditing tools. Your internal security and legal folks should send the
appropriate cease and desist letter to the security firm. However, keep
in mind the following:
Since you didn't actually describe what you consider an attack: in many
cases attacks aren't actually attacks but unusual, yet "normal," network
activity which some people aren't familiar with. Or there is always the
possibility of spoofed packets and routing, especially of "brand name"
firms, by third parties.
If you can actually prove malicious intent on the part of a brand-name
company, your lawyers will probably be very happy to start tallying their
legal fees. But accidents, stupidity and ignorance explain a lot of things.
What would you do if a major US computer security firm attempted to
hack your site's servers and networks? Would you tell the company or
let their experts figure it out?
Personally, I would treat it like any other attack. You do have
policy and procedures for responding to intrusions and intrusion
attempts?
Convene your CERT, preserve logs, document the time and other costs,
contact law enforcement, your lawyers, and their ISP.
Personally, I would try to find out who at my site- potentially
including S-OX, PCI, other auditors, and the Board- contracted for
them to do it.
Even if this were a contracted penetration test, you can't go wrong by
treating it as if this were an actual hostile attack.
If I were conducting a "pen test" and the target had managed to get an
FBI case started and convinced the ISP to terminate connectivity due to
AUP violations, I would have to give them straight A's for their
response.
Kevin
1) Locate baseball bat
On a more serious note, I'd contact them and ask for them to stop.
Barring that call a lawyer and have a fancy letter sent to
someone's boss.
Seems pointless really. If you detect someone hacking your servers and
your company does not have a network security department where you can
report these things, then dust off your resume and look for a new job.
Basically, one of two things is happening. Either someone is breaking
the law, or someone has been hired by senior management to test your
abilities. If the former, then tell your security people and let them
figure out whether to get the lawyers involved. If the latter, then tell
your security people and get some brownie points for a) noticing, b)
acting promptly, and c) notifying the proper people to deal with
security threats to your business.
--Michael Dillon
Hello;
What would you do if a major US computer security firm
attempted to hack your site's servers and networks?
Would you tell the company or let their experts figure
it out?
On top of the other suggestions, I would add: Make sure you're really
being hacked before complaining. If I had a dollar (or even a nickel)
for every "stop hacking my port 80" complaint I've seen in my career,
I would currently be in possession of all the currency on this planet.
You might (or might not) be surprised at how many times network types have
written me claiming that high bit rate video streams requested by their
users were actually UDP DoS attacks or some other kind of attack.
Regards,
Marshall