[CentOS] What to do when you've been hacked?

Mon Jan 25 18:56:19 UTC 2016
Warren Young <wyml at etr-usa.com>

On Jan 25, 2016, at 11:04 AM, Benjamin Smith <lists at benjamindsmith.com> wrote:
> We have a prospective client who is asking us what our policy is in the event 
> of unauthorized access.

Tell them you use the Mr. Miyagi defense: “Don’t get hit.”

Your prospective client sounds like they’re expecting someone to have established procedures to deal with breaches.  You know who has established procedures?  Organizations that see the same problems again and again.

Selecting an information service provider based on which one is best at recovering from a hack attack is like hiring a football coach based on how skilled he is at setting bones or selecting a cargo ship captain based on how good he is at patching hull breaches.

Why is “We’ve been at this for 20 years and have never *had* to clean up after a hacking incident” not an excellent rejoinder?

> what steps do you take to mitigate the effects of a breach? 
> What is industry best practice?

You should not have to ask this.  You should know it, because you are a professional and have been in this industry long enough.

Since you don’t, maybe you shouldn’t be bidding on this job.

I don’t mean to make this sound cabalistic, where only insiders know the secret handshakes, but rather exactly the opposite: this is information you should have been slowly absorbing for years:

 - SSH instead of telnet and FTP
 - HTTPS wherever possible over HTTP
 - Always enable SELinux
 - Prefer to surf default SELinux policies rather than override or custom-craft
 - Know in your heart that deny-by-default firewalls are a good thing
 - Turn off unnecessary services…
 - …then run “netstat -na | grep LISTEN” and justify each output line
 - Understand chown and chmod effects implicitly
 - Be able to read ls -l output at a blink

And much more.

All of this will be covered in any decent text on Unix/Linux security.  Sorry, I can’t give recommendations since I got past the book learnin’ stage long ago, and have been accreting such things ever since.

Coming back to martial arts, at some point you get past the point of conscious action and react implicitly.  The equivalent in security is recognizing risks and mitigating against them before they become NY Times headlines.
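As an added example, not part of Warren's post, the "run netstat -na | grep LISTEN and justify each output line" item turned into a repeatable POSIX shell check: every listening TCP socket is matched against an allow-list of ports that carry a written justification, and anything else is reported. The allow-list and the netstat output below are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original post): make "justify each LISTEN line"
# a repeatable check by matching every listening TCP socket against an
# allow-list of ports that carry a written justification.

# Justified listeners, one per line: "<proto> <port> <justification>".
# Constructed sample; on a real host this lives in version control.
ALLOWED_LISTENERS='tcp 22 sshd, admin access from the management network only
tcp 443 nginx serving the application over HTTPS
udp 123 chronyd time synchronisation'

# Reads "netstat -na" style output on stdin and prints one line per
# listener whose port has no justification. Returns 0 when every LISTEN
# line is justified, 1 otherwise.
audit_listeners() {
    unjustified=0
    while read -r proto recvq sendq laddr faddr state; do
        # Header lines, UDP sockets (no state column) and established
        # connections are skipped; only sockets in LISTEN are inspected.
        [ "$state" = "LISTEN" ] || continue
        port=${laddr##*:}            # handles 0.0.0.0:22 as well as :::22
        family=${proto%6}            # treat tcp6 like tcp for the lookup
        if ! printf '%s\n' "$ALLOWED_LISTENERS" | grep -q "^$family $port "; then
            echo "UNJUSTIFIED $proto $port $laddr"
            unjustified=1
        fi
    done
    return $unjustified
}

# Constructed netstat -na output; a MySQL and a tcp6 web listener are
# present without any justification.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp6       0      0 :::8080                 :::*                    LISTEN
udp        0      0 0.0.0.0:123             0.0.0.0:*
tcp        0      0 10.0.0.5:22             10.0.0.9:51514          ESTABLISHED'

# On a live CentOS host replace the sample with:  netstat -na | audit_listeners
if printf '%s\n' "$SAMPLE_NETSTAT" | audit_listeners; then
    echo "every listener is justified"
else
    echo "unjustified listeners found; either document them or stop the service"
fi
```

Each line the check prints is either a service to shut off or a missing entry in the allow-list; either way the list ends up documenting why every port is open.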