Forwarded from: security curmudgeon <jericho@private>

: http://www.cio.com/archive/061505/tl_security.html
:
: BY MICHAEL JACKMAN
: June 15, 2005
: CIO Magazine
:
: While it's true that not all network mischief comes at such a high
: price, John Sgromolo, lead investigator for digital forensics at Verizon
: Communications and a former special agent with the United States Naval
: Criminal Investigative Service, says that such large sums are the real
: deal. More or less.
:
: Consider cases in which a hacker brings down a server that's used for
: selling products. "If you're averaging $3,000 an hour on this server,
: that's not hard to figure out based on how many hours it was down,"
: Sgromolo says. Then there's the cost of replacing damaged equipment and
: the hours spent on repairs, installation and recovery.

A good point, and something many folks in the industry have been pointing out for almost a decade now. The problem is that these damage figures are put forth with little or no explanation. In the past we've seen reports of "millions of dollars of damage" to systems, but no justification for the figure, no explanation of how it was derived, and no logic that could make the leap to such high numbers.

We're all painfully aware of how damage figures can be manipulated by the prosecution as well. Look back to the Mitnick case, in which Sun Microsystems was pressured into claiming an 82 *million* dollar loss for the theft of their source code. Did Sun ever mention this loss in their SEC filings? Do any of these companies that suffer "million" dollar losses at the hands of hackers report such losses? If not, isn't that fraud?

In some cases we see a company claiming high damage figures due to "loss of information". Apparently negligence in backup policy is perfectly acceptable to the company. If it wasn't an evil hacker, it could just as well have been a cup of water spilled on a primary server that caused the loss.

Some companies go so far as to count all the time and effort spent securing the system after a break-in as part of the damage cost. What should have been done proactively to prevent a break-in is now dumped in the lap of the person who broke in. If we applied that reasoning to non-computer crimes, the courts would openly laugh at some damage figures:

"Yes, your honor, the $13,500 damage figure for my bike getting stolen is perfectly reasonable. First, I had to buy the bike before it could get stolen, which cost $250 bucks. Then I had to buy a lock. I'm also including a portion of my rent which covers the locked garage it was kept in, the security surveillance system which we had to install to prevent it from happening again, my time and materials, the time spent by the police officer for taking my report and investigating the crime (my tax dollars pay his salary!), your honor's time..."
This archive was generated by hypermail 2.1.3 : Thu Jun 16 2005 - 00:31:57 PDT