Micah,

> I wonder if people forget the liability that any
> organization inherits if they do NOT maintain an above-standard protection
> scheme for their network/hosts.

What kind of liability are you talking about? Social? I'm not aware of any legal liability that's been tested here in the US. For example, are you aware of any cases in which Company A has sustained damage (loss of revenue in production time, data, or stock dropping due to a drop in customer confidence...) b/c a bad guy broke into Company B and used those systems as stepping stones into Company A?

> Misconfiguration of network hosts/machines after being
> NOTIFIED of an OS flaw or other should deem that
> organization responsible.

Ah...there's the key..."should". Unfortunately, it just isn't the case.

> Maybe companies should start hiring
> clueful people that care about not only their
> internal infrastructure but
> the last mile facing their own customers.

At what level? I just left a company where the CIO had the *only* security type doing clerical work. The security weenie was knowledgeable enough and conscientious enough...but was too busy to even review IIS logs.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
