Firewall Wizards mailing list archives
Re: OK, I've been hacked, now what?
From: "Rachel Rosencrantz" <rachelr () pobox com>
Date: Fri, 4 Jun 1999 13:17:34 -0400
Sorry to be so late in responding to this thread, but I've been changing jobs and my personal mail time had been reduced to "quick scan" only.

-----Original Message-----
From: Crispin Cowan <crispin () cse ogi edu>
To: sedwards () sedwards com <sedwards () sedwards com>
Cc: Scott, Richard <Richard.Scott () bestbuy com>; 'firewall-wizards () nfr net' <firewall-wizards () nfr net>
Date: Thursday, May 06, 1999 1:47 PM
Subject: Re: OK, I've been hacked, now what?
sedwards () sedwards com wrote:
> I'm curious why you don't consider the cost of identifying and eliminating a security hole the "fault of the hacker?"

It makes perfect sense to me that the cost of identifying and eliminating a security hole is not the fault of the hacker. I'm curious why you think it is the hacker's fault that you have a vulnerability?

On the other hand, for a sophisticated e-commerce site such as yours, I certainly agree that the recovery cost is substantial, and that is the fault of the attacker.
I think an additional concern in placing the cost of the vulnerability on the hacker is the message it sends to management. As a corporation, I can understand wanting to place the whole cost on the hacker. If the objective is to defray costs, placing the whole cost elsewhere makes money sense. However, if the security professional backs this up, I think s/he's asking for some budgetary troubles as well as upper management support problems.

Think about it. If the cost of the vulnerability itself is the hacker's responsibility, then management has no reason to provide the time, resources, and money to keep up on vulnerabilities and apply those patches. It's not the company's responsibility or cost (even if the money isn't regained from the hacker), so why should they pay for it?

I think that even for the simple purpose of making sure upper management sees security, and especially pro-active security, as critical and important, it is necessary to be extra careful in assigning cost responsibility. Otherwise, in their minds the cost of the hack (that could have been prevented by proactive patching and the like) is not their cost, and so they are not responsible for not budgeting sufficient money/resources for that type of security. After all, it's not their responsibility.

-Rachel