Part IV: Recovering From an Intrusion

Here you study how to recover from an intrusion. Although following the advice in Part I on making your system secure will keep out most crackers and prevent most break-ins, no system is completely secure, just as no program can be guaranteed to be bug-free. It is a good idea to use the techniques for detecting cracker alterations to your system to check your system on a regular schedule, perhaps monthly. This will catch the occasional cracker who breaks in without causing visible damage. One security expert reinstalls his system from scratch every six months to ensure that no cracker possibly could "stay in."
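The periodic check for cracker alterations mentioned above amounts to comparing the system against a baseline taken when it was known to be clean. The following is an added example, not code from the book or from any tool it describes: it records a SHA-256 hash, permission bits and size for every regular file under a directory, then reports what was added, removed or altered. The choice of SHA-256 and the constructed "trojaned" scenario in demo() are assumptions made for illustration.

```python
"""File-integrity baseline check (added example, not from the book).

Builds a baseline of hash and metadata for a directory tree and later
reports files that were added, removed or altered. SHA-256 is an
assumption; the scenario in demo() is constructed for illustration.
"""
import hashlib
import json
import os
import stat
import tempfile


def _hash_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file under root (path relative to root, with '/'
    separators) to its sha256, permission bits and size. Symlinks are
    skipped so a cracker cannot point a link at a file that still
    hashes 'correctly'. Permission bits are recorded because a setuid
    bit added to an otherwise unchanged binary is a classic alteration."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {
                "sha256": _hash_file(full),
                "mode": oct(stat.S_IMODE(st.st_mode)),
                "size": st.st_size,
            }
    return baseline


def compare(baseline, current):
    """Return (added, removed, modified) lists of relative paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline
                      if p in current and baseline[p] != current[p])
    return added, removed, modified


def demo():
    """Constructed scenario: take a baseline, then simulate a cracker
    replacing one binary with a same-size trojan, making another setuid,
    deleting a third and dropping a new file."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.makedirs(bindir)
        for name, body in (("ls", b"original ls\n"),
                           ("ps", b"original ps\n"),
                           ("netstat", b"original netstat\n")):
            with open(os.path.join(bindir, name), "wb") as f:
                f.write(body)
        os.chmod(os.path.join(bindir, "ps"), 0o755)
        baseline = build_baseline(root)
        # Round-trip through JSON, as you would when saving the baseline
        # to read-only or offline media and reloading it for a check.
        baseline = json.loads(json.dumps(baseline))

        # Simulated alterations (constructed, not a real rootkit):
        with open(os.path.join(bindir, "ls"), "wb") as f:
            f.write(b"trojaned ls\n")          # same size as the original
        os.chmod(os.path.join(bindir, "ps"), 0o4755)   # setuid added
        os.remove(os.path.join(bindir, "netstat"))
        with open(os.path.join(bindir, ".rk"), "wb") as f:
            f.write(b"rootkit\n")
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    added, removed, modified = demo()
    print("added:", added)
    print("removed:", removed)
    print("modified:", modified)
```

Two caveats a practitioner should keep in mind. The comparison is only as trustworthy as the baseline and the tools doing the hashing: store the baseline on read-only or offline media, and run the check from known-good boot media if you suspect the kernel or shared libraries themselves have been replaced, since a trojaned system can lie to any checker run on top of it. Also note that size alone is not a useful indicator (the constructed trojan above is exactly as long as the original); the hash and the permission bits are what catch it.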

Now the dreaded moment is here: you realize that your system may have been broken into. Instead of panicking, or watching CNN headlines talk about your downed site hour after hour while you scratch your head and field angry calls from the President, you follow your plan. In a short period of time the cracker's path into your system is found, the hole is plugged, and your site is back to normal. Everyone but you may write it off as a glitch and give it little further thought.

These techniques work! Do not simply take my word for it; I encourage one of your System Administrators or another privileged and trusted user to deliberately add a security hole (in a way that will not allow anyone untrusted to get unauthorized access) and practice detecting and plugging the hole.

If there is any possibility that you will want to take criminal or civil legal action against the cracker (if you catch him), you need to log and itemize all costs and document all actions associated with the cracking or DoS incident. This increases the likelihood and depth of police and FBI investigation, and increases the likely sentence or civil judgment. There are a number of different types of costs, and it is important to track them separately, because the amounts of these various damages determine how the police, the FBI, and the courts will handle your case.

According to my contacts at the FBI's Atlanta Bureau, the amount of actual monetary damages (excluding the cost of the time personnel spend repairing the system) is a very strong factor in their deciding whether to take the case and how much effort they will spend investigating it. The FBI repeatedly, and politely, declined to state what the formula is. The Secret Service was less secret regarding their policy. In early 2000, U.S. federal computer crime law could be used for prosecution only if a victim suffered at least $5000 in damages. (For U.S. government sites and matters of national security the threshold is much lower.)

Even if your damages are less than $5000, the FBI still has jurisdiction and may investigate so long as the attacked computer was used in interstate commerce. For this purpose, interstate commerce is defined very loosely: if your computer is used to communicate with any computer across U.S. state lines, it is involved in interstate commerce, even if the border crossing is only to surf yahoo.com in California or redhat.com in North Carolina, or you used telnet to access your work system from your mom's house in another state.

I itemize the common types of costs here. Certainly, there are other types.

  1. One type of cost is actual monetary loss, such as business lost because customers could not get to your Web site (estimated from what your normal business would have been). This is a common cost, particularly with DoS attacks.

    In the cover story of the February 10, 2000 issue of USA Today, Forrester Research is quoted as estimating the cost of downtime for some well-known Internet sites. These costs are shown in the following table.

    Cost (US $Million/Day)   Site[*]
    -----------------------  -----------------
                       1.6   Yahoo
                       4.5   Amazon
                      30.0   Cisco Systems
                      33.0   Intel
                      35.0   Dell Computer

    [*] Copyright 2000, USA Today. Reprinted with permission.

    In one DDoS attack in February 2000, Amazon, Yahoo, eBay, cnn.com, buy.com, E*TRADE, and ZDNet were kept down for about four hours each at a cost in lost business of roughly $3 million for Amazon and Yahoo alone!

  2. Theft of products or services should be a separate category from lost business, because this frequently is treated differently and more harshly by the criminal laws.

  3. If you must pay additional fees to vendors or consultants, or pay your own people overtime to repair the damage, this counts as monetary damages, but you should track it as a separate category from lost business or theft.

  4. Another common cost is the time of salaried people spent repairing the damage, including contacting customers whose credit card numbers or other data might have been compromised. Unfortunately, this cost is not weighed as heavily, because "these people would be paid anyway," never mind that it took them away from other projects that affect the company's bottom line.

  5. A last common cost would be investment loss. A week before I wrote this, buy.com was knocked off the Web for four hours by a Distributed Denial of Service (DDoS) attack on the day their stock went public. This may have cost them millions of dollars from investors who were scared away. (DDoS attacks are discussed in detail in "Distributed Denial of Service (Coordinated) Attacks" on page 397.)

In Part IV, you will learn how to find and analyze any Trojan horses that the cracker left running before you shut the system down. If you simply shut it down without first doing this analysis, you destroy valuable information about what the cracker was up to. You then go about the task of repairing your system, which is less painful than the "restore from backup" advice that most "experts" give.

The chapters in this part are:

  • Chapter 18, "Regaining Control of Your System" on page 671

  • Chapter 19, "Finding and Repairing the Damage" on page 685

  • Chapter 20, "Finding the Attacker's System" on page 707

  • Chapter 21, "Having the Cracker Crack Rocks" on page 719

Real World Linux Security Prentice Hall Ptr Open Source Technology Series
Year: 2002
Pages: 260