Sounds to me like these companies are essentially saying "We give up. We cannot secure our systems with any degree of certainty. So, rather than do things securely, we're just going to wash our hands of the liability." It's a crummy thing to do, but it will probably work. Average customers don't read those warnings. As long as the web sites have little lock icons on them, the end user thinks its secure. The illusion of security can more powerful than actual security. In some ways, this kind of practice indirectly reflects on the information security community. It suggests that infosec is not delivering reliable, repeatable ways for businesses to obtain reliable levels of security and risk reduction. Or that such methods are not being implemented and/or communicated properly. Thus, it's easier for these firms to simply throw the liability back at their customer. Consider this issue from the executive's perspective: He/she has listened to hundreds of sales pitches about how some box full of wires will make his/her company totally secure. Meanwhile, teams security consultants are conducting round after round of gap analysis and security assessments. After months of reports and spending millions on boxes full of wires - the company still gets 0\x/n3d by some 1337 hax0r in Bulgaria. And the executive thinks - why the hell am I paying all this money? Why do I listen to all these box-pushing sales people? Why do we hire these consultants? For all this advanced technology and brilliant security genius - they can't even handle some pimply 14 year old in Bulgaria? And its at that point when the legal weasels come up and say, "we can get out of this, with just a few lines of text on the web site and a dialog box." Well, you can understand why that executive might say "to hell with infosec! Get that disclaimer on the web site." I am not saying I agree with that course of action. But I can understand why a company might go there. Especially a large financial firm. ___________________________________ Andrew Plato, CISSP President/Principal Consultant Anitian Enterprise Security ________________________________ From: owner-crime@private [mailto:owner-crime@private] On Behalf Of Sasha Romanosky Sent: March 19, 2004 9:33 AM To: crime@private Subject: CRIME Firms Look to Limit Liability for Online Security Breaches Ohhh, news like this really burns me up.
This archive was generated by hypermail 2b30 : Mon Mar 22 2004 - 20:51:10 PST