Re: OK, I've been hacked, now what?
Rachel Rosencrantz (rachelr pobox.com)
Fri, 4 Jun 1999 13:17:34 -0400
- Next message: Frank W. Keeney: "RE: Configuring a firewall under Unix"
- Previous message: Steven M. Bellovin: "Re: IMAP- how to protect a server?"
- Maybe in reply to: Aaron D. Turner: "IMAP- how to protect a server?"
Sorry to be so late in responding to this thread, but I've been changing
jobs and my personal mail time had been reduced to "quick scan" only.
-----Original Message-----
From: Crispin Cowan <crispin cse.ogi.edu>
To: sedwards sedwards.com <sedwards sedwards.com>
Cc: Scott, Richard <Richard.Scott bestbuy.com>; 'firewall-wizards nfr.net' <firewall-wizards nfr.net>
Date: Thursday, May 06, 1999 1:47 PM
Subject: Re: OK, I've been hacked, now what?
>sedwards sedwards.com wrote:
>
>> I'm curious why you don't consider the cost of identifying and eliminating
>> a security hole the "fault of the hacker?"
>
>It makes perfect sense to me that the cost of identifying and eliminating a
>security hole is not the fault of the hacker. I'm curious why you think it is
>the hacker's fault that you have a vulnerability?
>
>On the other hand, for a sophisticated e-commerce site such as yours, I certainly
>agree that the recovery cost is substantial, and that is the fault of the
>attacker.
>
I think an additional concern in placing the cost of the vulnerability on
the hacker is the message it sends to management. As a corporation I can
understand wanting to place the whole cost on the hacker. If the objective
is to defray costs, placing the whole cost elsewhere makes money sense.
However, if the security professional backs this up, I think s/he's asking
for some budgetary troubles as well as problems with upper management
support.
Think about it. If the cost of the vulnerability itself is the hacker's
responsibility, then management has no reason to provide the time, resources,
and money to keep up on vulnerabilities and apply those patches. It's not the
company's responsibility or cost (even if the money isn't regained from the
hacker), so why should they pay for it?
I think that even for the simple purpose of making sure upper management
sees security, and especially pro-active security, as critical and important,
it is necessary to be extra careful in assigning cost responsibility.
Otherwise, in their minds the cost of the hack (that could have
been prevented by proactive patching and the like) is not their cost,
and so they are not responsible for not budgeting sufficient money/resources
for that type of security. After all, it's not their responsibility.
-Rachel
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:18:59 CDT