Firewall Wizards mailing list archives

Re: OK, I've been hacked, now what?
From: Crispin Cowan <crispin () cse ogi edu>
Date: Wed, 05 May 1999 17:56:20 -0700

sedwards () sedwards com wrote:

I'm curious why you don't consider the cost of identifying and eliminating
a security hole the "fault of the hacker?"

It makes perfect sense to me that the cost of identifying and eliminating a
security hole is not the fault of the hacker.  I'm curious why you think it is
the hacker's fault that you have a vulnerability?

On the other hand, for a sophisticated e-commerce site such as yours, I certainly
agree that the recovery cost is substantial, and that is the fault of the
attacker.

So while your partition of effort into "forensics" and "recovery" makes great
sense from an operational point of view, it does nothing to clarify which costs
were imposed by the hacker, and which costs are really yours that were just
brought to your attention by the hacker.  Within both "forensics" and "recovery",
there will be work done on identifying and repairing the security vulnerability
that the attacker used (which is your cost) and work done repairing the damage
the attacker wrought (which is the attacker's fault).



Is he going to remove the stickers and hope that it doesn't happen again?
Not if he values his job. Having every entrance to the building examined,
interviewing the janitorial staff and having the stickers dusted for
prints all sound like responsible actions. How about taking inventory and
examining stock for tampering?

So who is responsible for the cost of these actions?

The store is responsible for the expense of discovering and fixing the security
hole that allows the attacker to get in and vandalize.  The attacker is
responsible for the cost of repairing the vandalism.  Vulnerabilities are always
the fault of the party that created the vulnerability (either you or the vendor
that sold you the product) and never the fault of the individual that reveals it
to you.


These costs can get huge. Imagine that instead of pushing boxes your
stores sold aspirin. Every bottle is now suspect and must be examined. A
paranoid manager may decide to pull all stock and have it destroyed rather
than risk the exposure.

And that cost would be the attacker's fault, highly analogous to the cost of
changing all compromised passwords.


Your claim that "It is often the case that figures of such are made up to
bring about a prosecution" needs to be substantiated. I would counter that
I believe the prosecution would err on the conservative side rather than
risk having the case tossed out of court or being hit with something like
"filing a fraudulent action" or "malicious prosecution."

I strongly suspect that the truth lies somewhere between these extremes, and is
HIGHLY context-dependent.  The cost of recovering a very simple site is low (back
up from tape) while the cost of recovering a site that stores any kind of secrets
will be very high.

Crispin
-----
 Crispin Cowan, Research Assistant Professor of Computer Science, OGI
    NEW:  Protect Your Linux Host with StackGuard'd Programs  :FREE
       http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/

                 Support Justice:  Boycott Windows 98
