
Re: [ISN] The High Costs of Hacking

Subject: Re: [ISN] The High Costs of Hacking
Date: Thu, 16 Jun 2005 02:16:05 -0500 (CDT)
Forwarded from: security curmudgeon <jericho@attrition.org>

: http://www.cio.com/archive/061505/tl_security.html
: 
: BY MICHAEL JACKMAN
: June. 15, 2005 
: CIO Magazine 

: While it's true that not all network mischief comes at such a high 
: price, John Sgromolo, lead investigator for digital forensics at Verizon 
: Communications and a former special agent with the United States Naval 
: Criminal Investigative Service, says that such large sums are the real 
: deal. More or less.
: 
: Consider cases in which a hacker brings down a server that's used for 
: selling products. "If you're averaging $3,000 an hour on this server, 
: that's not hard to figure out based on how many hours it was down," 
: Sgromolo says. Then there's the cost of replacing damaged equipment and 
: the hours spent on repairs, installation and recovery.

A good point, and something many folks in the industry have been pointing 
out for almost a decade now. The problem is these damage figures are put 
forth with little or no explanation. In the past we've seen reports of 
"millions of dollars of damage" to systems, but no justification for the 
figure, no explanation of how it was derived, and no logic could make the 
leap to such high numbers.

We're all painfully aware of how damage figures can be manipulated by the 
prosecution as well. Look back to the Mitnick case in which Sun 
Microsystems was pressured into claiming an 82 *million* dollar loss for 
the theft of their source code. Did Sun ever mention this loss in their 
SEC filings? Do any of these companies that suffer "million" dollar losses 
at the hands of hackers report such losses? If not, isn't that fraud?

In some cases we see a company claiming high damage figures due to "loss 
of information". Apparently negligence in backup policy is perfectly 
acceptable to the company. If it wasn't an evil hacker, it could just as 
well have been a cup of water spilled on a primary server that caused the 
loss. Some companies go so far as to count all the time and effort spent 
securing the system after a break-in as part of the damage cost. What 
should have been done proactively to prevent a break-in is now dumped in 
the lap of the person who broke in. If we applied that reasoning to non-computer 
crimes, the courts would openly laugh at some damage figures.

"yes your honor, the $13,500 damage figure for my bike getting stolen is 
perfectly reasonable. first, i had to buy the bike before it could get 
stolen which cost $250 bucks. then i had to buy a lock. i'm also including 
a portion of my rent which covers the locked garage it was kept in, the 
security surveillance system which we had to install to prevent it from 
happening again, my time and materials, the time spent by the police 
officer for taking my report and investigating the crime (my tax dollars 
pay his salary!), your honor's time..."
