Michael, To quote Morpheus..."welcome to the desert of the real."
Perhaps more appropriately...to quote Neo..."There is no spoon." How does the industry "calcuate" [sic] loss? Yes, that's a very interesting question.

Removing a script mapping from IIS at install time as part of a configuration management worksheet would take very little time, and could have been scripted w/ the included mdutil.exe. Blocking all inbound requests at the firewall and only allowing authorized services is perhaps equally inexpensive. But figure monetary costs to the company, particularly up-front costs. They'd have to actually hire someone who knew what they were doing. So...when it comes down to an admin position, do you want to hire the brand new paper-MCSE at $42K or the well-qualified MCSE w/ hands-on experience who's asking for $68K? Federal and DoD acquisitions define "best value" as "lowest up-front cost"...so that should get you your answer pretty quickly. The stage is set.

So how do companies compute loss after an incident? What sorts of factors come into play? Well, many times, you have to take into account not only losses in productivity and down-time of systems, but the costs associated w/ hiring consultants to assess your situation, help you clean up, etc. Then there's the initial loss of customer confidence when the delay of work-product coincides with a worm being released, and then the follow-on effects to stock prices should the information be made public...consider what happens to stock when an analyst changes a rating. At this point, we're just talking about a worm being released...not an actual intrusion where third parties or LEOs are brought in, further eroding confidence in the stock and adversely affecting productivity. In a nutshell, it's the American way.

Do all companies react this way? No. Some...maybe even a good many...have hired consultants to come in and get them set up, and maybe even pay a subscription fee to keep things on an even keel.
I think what needs to happen is that at some regulatory function...HIPAA, Sarbanes-Oxley, the SEC, the GAO, whatever...there needs to be some technical capability or functionality that can understand network infrastructures and the risks they face. For example, say Company X gets hit by a worm...someone from the Board or the regulatory body has to sit down w/ the C*-level folks and ask the tough questions..."ok, it's 2004, why did you have this port open in your firewall??" Or, if the worm got in behind the firewall due to dial-up or a WAP, someone has to ask the tough technical questions regarding *why* such a design was allowed. High-level hand waving should no longer be condoned.

> Loss?
>
> One of my biggest complaints is the way the industry "loses billions"
> whenever a virus or worm breaks out.
>
> I mean, securing and maintaining your server is not a loss. Installing and
> updating your anti virus or IDS package is not a loss. All of these
> things should have been done anyway.
>
> If a server goes off line, I guess you could measure the revenue it may
> have produced as a loss, but technically, that is lack of income, not
> true loss.
>
> If you see someone complaining about all the money they lost doing what
> they should have been doing all along, I just see spin. And politics.
>
> M
>
> >Michal Zalewski wrote:
> >
> >>If we must toy with bogus marketspeak "equations", shouldn't E - at the
> >>very least - numerically correspond to the consequences (loss?) caused by
> >>an event, rather than being an event itself?
> >>
> >>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
