Firewall Wizards mailing list archives

Re: OK, I've been hacked, now what?


From: "Rachel Rosencrantz" <rachelr () pobox com>
Date: Fri, 4 Jun 1999 13:17:34 -0400

Sorry to be so late in responding to this thread, but I've been changing
jobs and my personal mail time had been reduced to "quick scan" only.

-----Original Message-----
From: Crispin Cowan <crispin () cse ogi edu>
To: sedwards () sedwards com <sedwards () sedwards com>
Cc: Scott, Richard <Richard.Scott () bestbuy com>; 'firewall-wizards () nfr net'
<firewall-wizards () nfr net>
Date: Thursday, May 06, 1999 1:47 PM
Subject: Re: OK, I've been hacked, now what?


sedwards () sedwards com wrote:

I'm curious why you don't consider the cost of identifying and eliminating
a security hole the "fault of the hacker?"

It makes perfect sense to me that the cost of identifying and eliminating a
security hole is not the fault of the hacker.  I'm curious why you think it
is the hacker's fault that you have a vulnerability?

On the other hand, for a sophisticated e-commerce site such as yours, I
certainly agree that the recovery cost is substantial, and that is the fault
of the attacker.


I think an additional concern in placing the cost of the vulnerability on
the hacker is the message it sends to management.   As a corporation I can
understand wanting to place the whole cost on the hacker.  If the objective
is to defray costs, placing the whole cost elsewhere makes money sense.
However, if the security professional backs this up I think s/he's asking
for some budgetary troubles as well as problems with upper management
support.

Think about it.  If the cost of the vulnerability itself is the hacker's
responsibility, then management has no reason to provide the time, resources,
and money to keep up on vulnerabilities and apply those patches.  It's not
the company's responsibility or cost (even if the money isn't regained from
the hacker), so why should they pay for it?

I think that even for the simple purpose of making sure upper management
sees security, and especially pro-active security, as critical and important,
it is necessary to be extra careful in assigning cost responsibility.
Otherwise, in their minds the cost of the hack (that could have
been prevented by pro-active patching and the like) is not their cost,
and so they are not responsible for not budgeting sufficient money/resources
for that type of security.  After all, it's not their responsibility.

-Rachel
