Security Incidents mailing list archives

Re: A question for the list...


From: Jimi Thompson <jimit () myrealbox com>
Date: Thu, 22 May 2003 17:39:12 -0500

<SNIP>

At last year's Blackhat conference in Las Vegas, Tim Mullen presented what
turned out to be a very controversial proposal. Briefly, he questioned why
it would be inappropriate to strike back and disable (if not remove) a
worm from hosts that are clearly not being adequately managed.
</SNIP>

I have isolated the item above since it contains the gist of your question. My personal feeling is that sooner or later the owners of the mis-managed devices in question will be held to the legal definition of negligence, which covers the "failure to take safeguards used by a reasonable and prudent individual". As a former claims adjustor, I have considerable experience with this particular bit of legal doctrine, so I feel fairly confident in speaking about it. If someone else is an attorney, please correct me if I am in error.

Juries tend to hold professionals to a MUCH higher standard than the general public. IT professionals who do not patch and manage their gear in accordance with generally accepted industry standards may well find themselves not only out of a job, but out of a lot of money. Negligence by a "professional", at least in Texas, allows the employer, when sued, to litigate against the individual under "malfeasance of duty". There are many precedents from other fields for this - HMOs who were sued and have in turn sued the doctor they employed, firms that have sued individual accountants whom they employed, etc. It is only a matter of time until this bleeds over into IT. Personally, I would welcome it, as it would greatly reduce the number of nimrods in our profession.

My contention is that we should be litigating against the people who are attacking our networks. Out with the notion that "they cannot help it". When the patch has been out for a year, and very few people have applied it, something drastic needs to be changed. Companies will not pay attention to and address this issue adequately until it impacts their bottom line. When some high-up manager doesn't get his usual fat bonus because his company had to pay out a large settlement, things will start to change, and rather quickly.
--
Thanks,

Ms. Jimi Thompson, CISSP, Rev.

"Those who are too smart to engage in politics are punished by being governed by those who are dumber." --Plato