http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss486_art1001,00.html

By Carole Fennelly
October 2004

Attorney: Is it fair to say that, prior to March 24, 2000, you were not aware of [a] bug that allowed someone to enter the system?

Bloomberg: That's correct. It's not just someone. You would have to work pretty hard to do it and have to be reasonably competent to do it.

Attorney: Would it be fair to say that that bug was a dangerous threat to the security of your system?

Bloomberg: Absolutely.

-Testimony of Michael Bloomberg, U.S. v. Zezev

New York City Mayor Michael Bloomberg endured more than an hour of cross-examination during the 2003 criminal trial of Oleg Zezev, a Russian citizen later convicted of hacking Bloomberg LLP's network and making extortion demands. Bloomberg didn't make excuses for weaknesses in the company's digital infrastructure. He met the issue head-on.

Is your CEO prepared to do that?

Your company will undergo intense scrutiny if a case against a cybercrime suspect goes to trial. Your employees, from the IT staff to the corner office, will be cross-examined by defense attorneys, who will attack their competence, challenge their statements and attempt to discredit corporate policies and processes. Internal, often sensitive, documents and information may become part of the public record, and, if the case generates enough buzz, it's fair game for CNN and The New York Times. When your company takes the stand, you're asking for an open--and very public--security audit.

Although you can't control everything that goes on in the courtroom, you can prepare your employees for the concentrated defense questioning. If your IT security policies are strong, and if you have solid incident response plans, you'll be ready for the onslaught. If not, your secrets and flaws may be exposed in the worst possible light.

Fair Game

Prosecutors rely on corporate cooperation to convict cybercriminals, and most will try to limit the admissible evidence to avoid unnecessarily embarrassing the company or revealing sensitive information. Through the discovery process, the defense counsel has access to all seized evidence and can subpoena anything that may show negligence or weaken the case--possibly revealing holes in IT security policies, processes and infrastructure. If your security is weak, it's much more difficult to prove that a particular individual was responsible for the crime.

Much of what happens in court is dependent on pretrial maneuverings--when admissibility is argued and judges rule on motions to suppress evidence. This is the stage at which you can try to avoid exposing sensitive corporate security data.

"The company can communicate the big stuff that it doesn't want to come out--company trade secrets, information about response policies or vulnerabilities--to the [law enforcement] agent," says Richard Salgado, former senior counsel with the Computer Crime and Intellectual Property Section of the U.S. Department of Justice. "A motion may be made to exclude that kind of questioning."

[...]

_________________________________________
Open Source Vulnerability Database (OSVDB)
Everything is Vulnerable - http://www.osvdb.org/
This archive was generated by hypermail 2.1.3 : Mon Oct 18 2004 - 03:41:10 PDT