RE: [ISN] On Trial - Prosecuting cybercrime puts your organization--and your security--on the hot seat.

From: InfoSec News (isn@private)
Date: Tue Oct 19 2004 - 19:39:25 PDT


Forwarded from: "smoshlak@private" <smoshlak@private>
To: abriney@private

TAC-

Although defense counsel can subpoena records and perform depositions
(within reason), there has to be something known as relevance to the
matter.  Any competent counsel can have this type of scenario blown
out of the water, using the following analogy.

A person has entered upon another's property and is charged with
trespass.  Did he crawl over the fence, drive through the fence or
parachute onto the property?  Shall we call in the gate builder, the
architect or the manufacturer to testify about the security of gate
and fence?  Whether it was made of wood, chain link or of the
"concertina-wire" type?  It doesn't matter, since he has trespassed.

In this case, they were able to identify the who, where and the what.  
Whether or not an institution has a security plan (for purposes of the
Court), is irrelevant.  A computer network is not a swimming pool,
which is defined by law as an "attractive nuisance."  This individual
allegedly tried to extort money from an entity, whether the threat is
real or perceived.  Specifically speaking, if one walks into a bank
and states to the teller, "I have a pistol in my pocket and to fill
the bag up with money..," and doesn't have a pistol, but takes the
bank's money, begs the question: Is it still robbery?

Having Michael Bloomberg take the stand to testify about his information
systems security plan or outlining, in detail, his digital
infrastructure was irrelevant and immaterial, considering the
circumstances.  The same holds true for other employees in his office.

Just my thoughts,

Steven Moshlak
Expert Witness, Information Security and Technology

Original Message:
-----------------
From: InfoSec News isn@private
Date: Mon, 18 Oct 2004 01:23:25 -0500 (CDT)
To: isn@private
Subject: [ISN] On Trial - Prosecuting cybercrime puts your
organization--and your security--on the hot seat.


http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss486_art1001,00.html

By Carole Fennelly
October 2004

Attorney: Is it fair to say that, prior to March 24, 2000, you were 
not aware of [a] bug that allowed someone to enter the system?

Bloomberg: That's correct. It's not just someone. You would have to 
work pretty hard to do it and have to be reasonably competent to do 
it.

Attorney: Would it be fair to say that that bug was a dangerous threat 
to the security of your system?

Bloomberg: Absolutely. 

-Testimony of Michael Bloomberg, U.S. v. Zezev 


New York City Mayor Michael Bloomberg endured more than an hour of 
cross-examination during the 2003 criminal trial of Oleg Zezev, a 
Russian citizen later convicted of hacking Bloomberg LLP's network and 
making extortion demands. Bloomberg didn't make excuses for weaknesses 
in the company's digital infrastructure. He met the issue head-on. 

Is your CEO prepared to do that? 

Your company will undergo intense scrutiny if a case against a 
cybercrime suspect goes to trial. Your employees, from the IT staff to 
the corner office, will be cross-examined by defense attorneys, who 
will attack their competence, challenge their statements and attempt 
to discredit corporate policies and processes. Internal, often 
sensitive, documents and information may become part of the public 
record, and, if the case generates enough buzz, it's fair game for CNN 
and The New York Times. 

When your company takes the stand, you're asking for an open--and very 
public--security audit. Although you can't control everything that 
goes on in the courtroom, you can prepare your employees for the 
concentrated defense questioning. 

[...]

This archive was generated by hypermail 2.1.3 : Wed Oct 20 2004 - 00:24:23 PDT