Re: Calcuating Loss

[Harlan Carvey <keydet89 () yahoo com>]

> So let's say (hypothetically) someone hacks a
> company's network. Let's say
> the hack is internal (as opposed to external). The
> company detects the
> hack (let's say) and runs down to the suspected
> cubicle and ...does what?



> Well, if they're smart they have an in-house team
> (or outside consultants)
> remove the suspected workstations and they do
> forensics on those machines,
> then they bring in the suspected hacker (who's been
> on suspension or in 
> stir or whatever) and have their lawyers depose
> him/her with respect to
> the forensic evidence that they gathered. Pretty
> much SOP so far. 
>
> What has this cost the company?  Well, the time and
> money for the forensics
> can run into the hundreds of thousands of dollars
> ($US). The inability of 
> the company to use the workstations could be
> hundreds. The impact to any
> projects could be thousands or even millions. The
> cost of doing the
> forensics on the network to ensure that nothing else
> has been tampered
> with or compromised can run into the hundreds of
> thousands (forensics
> people are not cheap). So the potential outlay for
> such an incident is
> pretty high. If the company has standing and the
> damage is sufficiently 
> great that they can interest the FBI or Treasury or
> Scotland Yard, the
> legal costs of taking the case to trial could easily
> reach the millions
> mark.
>
> Now the question is, how much does it cost the
> company? Well I just 
> laid out the dollar figures above, right? Wrong.
> Basically the company
> is inconvenienced only for the real cost of
> employing people whom it
> would not otherwise have employed. Things like
> project impact and loss
> of reputation (say word got out that the company had
> been hacked) are
> intangible costs. These cannot be calculated
> (they're intangible). There
> may be monetary loss, but any good financial person
> will tell you that
> it's completely arbitrary how such costs are handled
> in accounting. Kind
> of like coming up with fair market value for
> clothing donated to charity.
>
> So while the costs to a company for a
> hack/virus/whatever incident may 
> include real costs (paying people whom they would
> otherwise not pay),
> most of what companies report as "costs" are the
> intangible costs of
> "not being able to do what they were going to do if
> <incident> had
> not occurred. Unfortunately those are both hard to
> measure and are
> less likely to be judged to have monetary value.
>
> Company gets infected with sasser. Company spends
> all Monday cleaning 
> up sasser. Company *would* have worked on project X
> if they hadn't spent
> Monday cleaning up sasser. Real cost - someone
> running around cleaning
> up sasser. Company's perceived costs - one man day
> times everyone who
> was infected, plus good will, reputation, project X
> being on schedule,
> plus phone charges for calling everyone, plus lunch
> and maybe pizza,
> plus whatever else they want to lump in there.
>
> Contrast this with companies (and we've all had one)
> who wouldn't pony
> up the few hundred or thousand dollars for a decent
> person/software
> package/whatever to *prevent* this kind of crap from
> happening.
>
> Companies get huge write-downs from security
> incidents, and the costs
> are (mostly) intangible - i.e. "made-up" costs that
> don't *really*
> cost the companies *real* dollars. But they won't
> spend *real* dollars
> on decent software/people. Works for them I guess,
> but I'm not buying
> it, and I hope no one else on this list does either.
>
> G
>
> On or about 2004.05.11 08:57:48 +0000, Michael
> Schaefer (mbs () mistrealm com) said:
>
> > Loss?
> >
> > One of my biggest complaints is the way the
> industry "loses billions" 
> > whenever a virus or worm breaks out.
> >
> > I mean, securing and maintain your server is not a
> loss. Installing and 
> > updating your anti virus or IDS package is not a
> loss. All of these 
> > things should have been done anyway.
> >
> > If a server goes off line, I guess you could
> measure the revenue it may 
> > have produced as a loss, but technically, that is
> lack of income, not 
> > true loss.
> >
> > If you see someone complaining about all the money
> they lost doing what 
> > they should have been doing all along, I just see
> spin. And politics.
>
> Gregory A. Gilliss, CISSP                           
>   E-mail: greg () gilliss com
> Computer Security                             WWW:
> http://www.gilliss.com/greg/
> PGP Key fingerprint 2F 0B 70 AE 5F 8E 71 7A 2D 86 52
> BA B7 83 D9 B4 14 0E 8C A3
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter:
http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html