RE: CRIME Firms Look to Limit Liability for Online Security Breaches

From: Andrew Plato (aplato@private)
Date: Sat Mar 20 2004 - 14:36:52 PST

  • Next message: rain forest puppy: "RE: CRIME Firms Look to Limit Liability for Online Security Breaches"

    Sounds to me like these companies are essentially saying "We give up. We
    cannot secure our systems with any degree of certainty. So, rather than
    do things securely, we're just going to wash our hands of the
    liability." 
    
    It's a crummy thing to do, but it will probably work. Average customers
    don't read those warnings. As long as the web sites have little lock
    icons on them, the end user thinks its secure. The illusion of security
    can more powerful than actual security. 
    
    In some ways, this kind of practice indirectly reflects on the
    information security community. It suggests that infosec is not
    delivering reliable, repeatable ways for businesses to obtain reliable
    levels of security and risk reduction. Or that such methods are not
    being implemented and/or communicated properly. Thus, it's easier for
    these firms to simply throw the liability back at their customer. 
    
    Consider this issue from the executive's perspective: He/she has
    listened to hundreds of sales pitches about how some box full of wires
    will make his/her company totally secure. Meanwhile, teams security
    consultants are conducting round after round of gap analysis and
    security assessments. After months of reports and spending millions on
    boxes full of wires - the company still gets 0\x/n3d by some 1337 hax0r
    in Bulgaria. And the executive thinks - why the hell am I paying all
    this money? Why do I listen to all these box-pushing sales people? Why
    do we hire these consultants?  For all this advanced technology and
    brilliant security genius - they can't even handle some pimply 14 year
    old in Bulgaria? 
    
    And its at that point when the legal weasels come up and say, "we can
    get out of this, with just a few lines of text on the web site and a
    dialog box."  Well, you can understand why that executive might say "to
    hell with infosec! Get that disclaimer on the web site." 
    
    I am not saying I agree with that course of action. But I can understand
    why a company might go there. Especially a large financial firm. 
    
     
    ___________________________________
    Andrew Plato, CISSP
    President/Principal Consultant
    Anitian Enterprise Security
    
    
     
    
    
    ________________________________
    
    	From: owner-crime@private [mailto:owner-crime@private] On
    Behalf Of Sasha Romanosky
    	Sent: March 19, 2004 9:33 AM
    	To: crime@private
    	Subject: CRIME Firms Look to Limit Liability for Online Security
    Breaches 
    	
    	
    	 
    	Ohhh, news like this really burns me up. 
    	 
    



    This archive was generated by hypermail 2b30 : Mon Mar 22 2004 - 20:51:10 PST