What would you do if you discovered a serious vulnerability in one of your web services, for which a patch has not been released? How would you cope with such a situation?
P.S: This is not part of any of my assignments, just for the sake of a good discussion.
First thing to do is to notify the vendor of the system.
If it's open source then you can look at the code and maybe patch it out yourself.
If the problem is with some process listening on a certain port and it's not for public use then you can put it behind the firewall and only allow certain people to access it.
If the process is very important and can't be shut down then the best thing you can do is to monitor it regularly, back up the important data and make sure that if someone breaks in they can't go any further. You can remove compilers, interpreters etc. from that system.
And if it's a Linux system you can create a chroot jail; that way, if someone breaks into the system, all they will be able to damage is a certain folder, which the system will show them as the system root folder :D
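The "put it behind the firewall and only allow certain people" step above, as an added example that is not part of the thread: a POSIX shell script that builds an allowlist chain for the vulnerable service's port, accepts only trusted source networks, and rate-limit logs then drops everything else. The port (8080), the CIDRs and the chain name are assumptions; DRY_RUN=1 prints the iptables commands instead of applying them.

```shell
#!/bin/sh
# Added example (not from the thread): fence off an unpatched service's port.
# Assumptions: service on TCP 8080, allowlist given as CIDRs, iptables present.
# DRY_RUN=1 (the default) prints the rules; set DRY_RUN=0 as root to apply them.

SERVICE_PORT="${SERVICE_PORT:-8080}"
DRY_RUN="${DRY_RUN:-1}"

# run_rule: apply one iptables command, or print it in dry-run mode
run_rule() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# build_allowlist PORT CIDR...: emit the rules for one service port.
# Order matters: dedicated chain, accept trusted sources, log and drop the rest.
build_allowlist() {
    port="$1"; shift
    chain="VULN_SVC_$port"
    run_rule -N "$chain"
    run_rule -F "$chain"
    for cidr in "$@"; do
        run_rule -A "$chain" -s "$cidr" -j ACCEPT
    done
    # Log denied attempts (rate-limited so the log is not flooded), then drop.
    run_rule -A "$chain" -m limit --limit 5/min -j LOG --log-prefix "$chain denied: "
    run_rule -A "$chain" -j DROP
    # Send new connections to the service port through the allowlist chain.
    run_rule -I INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW -j "$chain"
}

# count_allowed PORT CIDR...: number of ACCEPT rules the allowlist would contain,
# a quick sanity check that every trusted network made it in.
count_allowed() {
    build_allowlist "$@" | grep -c -- '-j ACCEPT'
}

# Usage with two constructed trusted networks:
build_allowlist "$SERVICE_PORT" 10.0.0.0/8 192.168.1.0/24
```

The LOG rule gives the "monitor it regularly" part something to watch: denied connection attempts show up in the kernel log with the chain name as prefix.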
Anywho, depending on the importance of the system, I would agree with 5watery. It's better to be down for a period than risk penetration. Then as DS said call up the developer and beat them with a bailan like so
Then have them come up with a patch ASAP. In the meantime search for a replacement for that service/application, and inform clients about your finding (especially true if it had any consumer info and really especially if you are in California).
hmm ... interesting replies. Here is a similar situation with more details. The first one was just to get you going :p
And what would you do if a vulnerability was made public by someone and the vendor never produced a patch (even a couple of days after it was released to the public)? This vulnerability is related to a web service that you offer to thousands of clients and you cannot stop offering it because that would cost you millions. You can't possibly continue online due to the huge risk involved that could cost you millions **plus** intangible loss, like theft of customer data, loss of customer trust etc. What steps would you take to minimize the effect of this vulnerability?
I guess it would depend a lot on where that company was located. If in the US, losing millions in sales would be nothing compared to potentially tens of millions in fines due to a breach of security, and as you said customer trust, and God forbid if you lose consumer data, credit card info etc. (these BTW are NOT intangible losses).
So if I'm the vendor selling this product I'd get my developers working nights to put out a patch before somebody says "gotcha".
Oh, I thought you were implying that I was the vendor.
If I was the client I would have tested it out before putting the application/service into production. And if the vulnerability came out later I would really get the vendor to fix it. If I was one of the many customers of that vendor then I would get in touch with the other customers and gang up on the vendor to get them to fix it. If I was one of the very few then I would have power over that company anyway, so dedicated resources would have to be assigned. Especially if you are talking millions I would sue them for everything they have.
By fines I meant if consumer data was lost the Feds would be after me, if private data was lost and people suffered damages I would be liable for damages and what not.
^ hmm .. that's what you think, eh ... I am more of the opinion to dedicate some extra resources and offer the service offline ... more like a hotline kinda thing