Full Disclosure mailing list archives
Re: Calcuating Loss
From: Harlan Carvey <keydet89 () yahoo com>
Date: Tue, 11 May 2004 06:56:10 -0700 (PDT)
Michael,

To quote Morpheus..."welcome to the desert of the real." Perhaps more appropriately...to quote Neo..."There is no spoon."

How does the industry "calcuate" [sic] loss? Yes, that's a very interesting question.

Removing a script mapping from IIS at install time as part of a configuration management worksheet would take very little time, and could have been scripted w/ the included mdutil.exe. Blocking all inbound requests at the firewall and only allowing authorized services is perhaps equally inexpensive. But figure monetary costs to the company, particularly up-front costs. They'd have to actually hire someone who knew what they were doing. So...when it comes down to an admin position, do you want to hire the brand new paper-MCSE at $42K or the well-qualified MCSE w/ hands-on experience who's asking for $68K? Federal and DoD acquisitions define "best value" as "lowest up-front cost"...so that should get you your answer pretty quickly.

The stage is set. So how do companies compute loss after an incident? What sorts of factors come into play? Well, many times, you have to take into account not only losses in productivity and down-time of systems, but the costs associated w/ hiring consultants to assess your situation, help you clean up, etc. Then there's the initial loss of customer confidence when the delay of work-product coincides with a worm being released, and then the follow-on effects to stock prices should the information be made public...consider what happens to stock when an analyst changes a rating. At this point, we're just talking about a worm being released...not an actual intrusion where third parties or LEOs are brought in, further eroding confidence in the stock and adversely affecting productivity.

In a nutshell, it's the American way. Do all companies react this way? No. Some...maybe even a good many...have hired consultants to come in and get them set up, and maybe even pay a subscription fee to keep things on an even keel.
I think what needs to happen is that at some regulatory function...HIPAA, Sarbanes-Oxley, the SEC, the GAO, whatever...there needs to be some technical capability or functionality that can understand network infrastructures and the risks they face. For example, say Company X gets hit by a worm...someone from the Board or the regulatory body has to sit down w/ the C*-level folks and ask the tough questions..."ok, it's 2004, why did you have this port open in your firewall??" Or, if the worm got in behind the firewall due to dial-up or a WAP, someone has to ask the tough technical questions regarding *why* such a design was allowed. High-level hand waving should no longer be condoned.
> Loss? One of my biggest complaints is the way the industry "loses billions" whenever a virus or worm breaks out. I mean, securing and maintaining your server is not a loss. Installing and updating your anti-virus or IDS package is not a loss. All of these things should have been done anyway. If a server goes off line, I guess you could measure the revenue it may have produced as a loss, but technically, that is lack of income, not true loss. If you see someone complaining about all the money they lost doing what they should have been doing all along, I just see spin. And politics.
>
> Michal Zalewski wrote:
>> If we must toy with bogus marketspeak "equations", shouldn't E - at the very least - numerically correspond to the consequences (loss?) caused by an event, rather than being an event itself?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- RE: Learn from history?, (continued)
- RE: Learn from history? Michal Zalewski (May 10)
- RE: Learn from history? Alerta Redsegura (May 10)
- RE: Learn from history? Gwendolynn ferch Elydyr (May 10)
- Re: Learn from history? Calum (May 11)
- RE: Learn from history? Ron DuFresne (May 11)
- RE: Learn from history? Michal Zalewski (May 10)
- Re: Learn from history? James Riden (May 10)
- RE: Learn from history? Steffen Kluge (May 11)
- Calcuating Loss Michael Schaefer (May 11)
- Re: Calcuating Loss Harlan Carvey (May 11)
- Re: Calcuating Loss Clint Bodungen (May 11)
- Re: Calcuating Loss Harlan Carvey (May 11)
- Re: Calcuating Loss Clint Bodungen (May 11)
- Re: Calcuating Loss Valdis . Kletnieks (May 11)
- Re: Calcuating Loss Jay Beale (May 11)
- Re: Calcuating Loss Frank Knobbe (May 11)
- Re: Calcuating Loss Seth Alan Woolley (May 11)