10 Tips on Preparing for & Responding to Internet Security Incidents

Every connected business will have an internet security incident at some stage in its life, most likely many more than one. Sadly, most businesses are unaware that they have been compromised until disaster strikes or they are notified by external parties.

The good news is that if you do a few very simple things you can avoid disaster and help the police to catch those responsible.

Internet Security: YOUR Responsibility

Let's address a line that businesses and IT managers use when talking about internet security:

“I don’t have anything of value on my network, I don’t need to be worried”

Even a small business with 3 PCs, no server and 3 mobile phones is valuable to someone looking for spare CPU cycles and connectivity for their botnet. If your data is boring and useless to anyone but you, think about the value that the equipment and network your boring data is stored on could bring to someone else who has 99,999 other boring networks like yours under their control.

The other side of that coin is responsibility. If your network is compromised, you may well be providing a gateway into other corporate networks with much more exciting data (like your bank or credit card provider), leaving you responsible for someone else's pain and anguish.

Put simply, we are all responsible for security on the internet. Doing anything other than the right thing can leave you personally responsible for the outcomes; you DO need to be worried.

Internet Security: Be Prepared

Over the next 10 weeks I am going to be writing a series of 10 tips to help you prepare for & respond to internet security incidents.

Here are my top 10 tips for Internet Security Incident Readiness:

  1. Have a Plan
  2. Have Good Backups
  3. Always be Patching
  4. Backup Logs are Your Friend
  5. Network Monitoring
  6. Keep a Day Book
  7. If you notice something, don’t act
  8. Call for Help
  9. Protect Yourself
  10. Front Foot

Follow me on Twitter, Facebook or LinkedIn to receive my internet security tip series every Monday for the rest of the year.

About Me

I am a telco & internet entrepreneur, nerd wrangler and massive lover of bacon. I was involved in the investigation and successful conviction of David Noel Cecil – "Evil, The NBN Hacker".

This article is written from the experiences I had before, during and since the successful execution of Operation Damara. My experiences are from a telco perspective; however, they are just as applicable to corporate and government networks.

I currently work with several Australian telcos and IT businesses, developing Incident Response Plans and helping them ensure the ongoing continuity of their mission critical infrastructure.

If your organisation doesn’t have a strategy for dealing with internet security incidents, I would love to help you out!

Shoot me an email – david@hooton.org or grab me on Social Media for more information.

David Cecil – 'Evil' the NBN hacker jailed

What started as an investigation into a misbehaving DNS server in December 2010 grew into a multinational Australian Federal Police operation & media circus covering the "NBN Hacker", culminating in the successful arrest, conviction and sentencing of David Cecil (who went by the online moniker "Evil") today in Orange District Court.

ITNews Article – “Evil” Platform hacker jailed: http://t.co/oGZ9S6pB

There has been much spectacular and often misinformed reporting on this case. The sad thing is that this kind of case is not a rare event; system compromises happen all the time to businesses large and small all over the world. What is unique about this case is that there has been an arrest and subsequent conviction.

When we discovered the problem we did what others fail to do – we took an evidence based approach, we observed, collected data and sandboxed the risk over a 7 month period, and we were not afraid to stand up and be named. This approach allowed us to assist the AFP in achieving a successful conviction, and ensured that we were able to protect our customers and the internet in general from the risks that the investigation was monitoring.

Now that the case is over and I am able to talk about more of the operational details, I plan to write up a case study covering the key learnings I took away from the case, along with some suggested processes that can be followed if you are ever confronted with a similar situation.

If you're impatient and want the information faster than I can write it, please feel free to drop me an email or give me a call.

Judgement – issued today:

Date of Listing: 22 Jun 2012 before Judge A Blackmore at District Court – Crime, Orange
Appearances:
  • Cecil, David Noel, Accused
  • NSW Police, Prosecuting Authority
Offence:
Actual offence – Unauthorised access/modification of restricted data
2011/00241456-001, 2011/00241456-004, 2011/00241456-005, 2011/00241456-008, 2011/00241456-009, 2011/00241456-011, 2011/00241456-015, 2011/00241456-018, 2011/00241456-019, 2011/00241456-020, 2011/00241456-024, 2011/00241456-036, 2011/00241456-037, 2011/00241456-042, 2011/00241456-043, 2011/00241456-044, 2011/00241456-045, 2011/00241456-046

Sentence:
The offender, David Noel Cecil, is sentenced to a term of imprisonment of 6 months to commence on 5 April 2012 and expiring on 4 October 2012.

This sentence is concurrent with other sentences being served by the offender.

The offender is sentenced to a period of 6 months (fixed) full time imprisonment to commence on 5 April 2012. These 18 sentences are to be served concurrently.

Offence:
Actual offence – Cause unauthorised modification of computer data
2011/00241456-049

Sentence:
The offender, David Noel Cecil, is sentenced to a term of imprisonment of 2 years to commence on 5 July 2012 and expiring on 4 July 2014 with a non-parole period of 12 months. The offender is to be released to supervised parole when the non-parole period expires.

This sentence is partly concurrent with other sentences being served by the offender.

There is to be a partial accumulation of the two unauthorised modification of data to cause impairment charges.

The offender is sentenced to a period of 2 years imprisonment to commence on 5 July 2012. There is to be a non-parole period of 12 months.

During the period of the recognisance the offender is to accept the direction and supervision of the NSW Probation and Parole Service.

Offence:
Actual offence – Cause unauthorised modification of computer data
2011/00241456-050

Sentence:
The offender, David Noel Cecil, is sentenced to a term of imprisonment of 2 years to commence on 5 October 2012 and expiring on 4 October 2014 with a non-parole period of 12 months. The offender is to be released to supervised parole when the non-parole period expires.

This sentence is partly concurrent with other sentences being served by the offender.

The offender is sentenced to a period of 2 years imprisonment to commence on 5 October 2012. There is to be a non-parole period of 12 months.

During the period of the recognisance the offender is to accept the direction and supervision of the NSW Probation and Parole Service.