Full Disclosure mailing list archives

Re: Support the Sasser-author fund started


From: Harlan Carvey <keydet89 () yahoo com>
Date: Thu, 13 May 2004 13:09:53 -0700 (PDT)

Micah,

> I wonder if people forget the liability that any organization inherits
> if they do NOT maintain an above-standard protection scheme for their
> network/hosts.

What kind of liability are you talking about?  Social?  I'm not aware of
any legal liability that's been tested here in the US.

For example, are you aware of any cases in which
Company A has sustained damage (loss of revenue in
production time, data, or stock dropping due to drop
in customer confidence...) b/c a bad guy broke into
Company B, and used those systems as stepping stones
into Company A?  

> Misconfiguration of network hosts/machines after being NOTIFIED of an
> OS flaw or other should deem that organization responsible.

Ah...there's the key..."should".  Unfortunately, it
just isn't the case.

> Maybe companies should start hiring clueful people that care about not
> only their internal infrastructure but the last mile facing their own
> customers.

At what level?  I just left a company where the CIO had the *only*
security type doing clerical work.  The security weenie was
knowledgeable enough and conscientious enough...but was too busy to even
review IIS logs.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html