Hacker News new | ask | show | jobs
by xorcist 996 days ago
If you find yourself owned by, and not only from a 0-day, then yes, you wipe everything clean and re-build with mitigations in place from the start as to not get reinfected in the process.

That's pretty much the only option if you safeguard valuable data for your customers. Yes, it's expensive to get breached, so take precautions to make it a rare event and contain it as much as possible when it happens.

I don't think the article is unreasonable. This is cloud infrastructure sold to companies with defense industry contracts where breaches are taken seriously.
1 comments
insanitybit 996 days ago
I mean, yes, obviously, you have malware on a box you rotate that box. They had keys and they rotated the keys. But the implication here is that the attacker could have done anything and therefor they have to destroy everything, which is unreasonable.
link
xorcist 995 days ago
Rotating keys are far from enough. If your keys are compromised, you need to revoke everything. Then you need to assess what the impact is and wipe anything the compromised keys had access to during the period.

This is not theoretical. When the openssl fiasco hit, I worked in a place under financial regulation. Not even the defense sector, which is under much stricter rules. We had to go through all logs to ascertain customer data was intact, and since leaking private keys did not leave a trace in the logs we then wiped clean all systems these keys secured.

This was a massive undertaking to coordinate and minimize downtime for customers but it was deemed necessary to comply with security regulations. To hear that a big juggernaut such as Microsoft doesn't even do this without facing much consequences is mind boggling. I can not understand how that would ever pass an audit.

link
insanitybit 995 days ago
Revoke everything? Everything?

I have literally done incident response I am well aware of what the investigation process is like.

link
xorcist 995 days ago
Everything a potentially compromised key has signed, yes. What are we discussing here? This is standard procedure by every compliance processes I have ever had the misfortune to work with, but for quite good reasons. Hope alone won't pass an audit.
link
insanitybit 994 days ago
OK but "everything" and "everything the key may have signed" are obviously so insanely different.
link
TheHappyOddish 995 days ago
> I mean, yes, obviously, you have malware on a box you rotate that box.

"The box" in this case is their entire org.

link