RE: CRIME Firms Look to Limit Liability for Online Security Breaches

From: Andrew Plato (aplato@private)
Date: Sat Mar 20 2004 - 14:36:52 PST


    Sounds to me like these companies are essentially saying "We give up. We
    cannot secure our systems with any degree of certainty. So, rather than
    do things securely, we're just going to wash our hands of the
    liability." 
    
    It's a crummy thing to do, but it will probably work. Average customers
    don't read those warnings. As long as the web sites have little lock
    icons on them, the end user thinks it's secure. The illusion of security
    can be more powerful than actual security.
    
    In some ways, this kind of practice indirectly reflects on the
    information security community. It suggests that infosec is not
    delivering reliable, repeatable ways for businesses to obtain reliable
    levels of security and risk reduction. Or that such methods are not
    being implemented and/or communicated properly. Thus, it's easier for
    these firms to simply throw the liability back at their customer. 
    
    Consider this issue from the executive's perspective: He/she has
    listened to hundreds of sales pitches about how some box full of wires
    will make his/her company totally secure. Meanwhile, teams of security
    consultants are conducting round after round of gap analysis and
    security assessments. After months of reports and spending millions on
    boxes full of wires - the company still gets 0\x/n3d by some 1337 hax0r
    in Bulgaria. And the executive thinks - why the hell am I paying all
    this money? Why do I listen to all these box-pushing sales people? Why
    do we hire these consultants? For all this advanced technology and
    brilliant security genius - they can't even handle some pimply 14-year-old
    in Bulgaria?
    
    And it's at that point when the legal weasels come up and say, "we can
    get out of this, with just a few lines of text on the web site and a
    dialog box." Well, you can understand why that executive might say "to
    hell with infosec! Get that disclaimer on the web site."
    
    I am not saying I agree with that course of action. But I can understand
    why a company might go there. Especially a large financial firm. 
    
    ___________________________________
    Andrew Plato, CISSP
    President/Principal Consultant
    Anitian Enterprise Security

    ________________________________

    From: owner-crime@private [mailto:owner-crime@private] On Behalf Of Sasha Romanosky
    Sent: March 19, 2004 9:33 AM
    To: crime@private
    Subject: CRIME Firms Look to Limit Liability for Online Security Breaches

    Ohhh, news like this really burns me up.
    This archive was generated by hypermail 2b30 : Sat Mar 20 2004 - 16:48:52 PST