> So let's say (hypothetically) someone hacks a company's network. Let's say
> the hack is internal (as opposed to external). The company detects the
> hack (let's say) and runs down to the suspected cubicle and ...does what?
>
> Well, if they're smart they have an in-house team (or outside consultants)
> remove the suspected workstations and they do forensics on those machines,
> then they bring in the suspected hacker (who's been on suspension or in
> stir or whatever) and have their lawyers depose him/her with respect to
> the forensic evidence that they gathered. Pretty much SOP so far.
>
> What has this cost the company? Well, the time and money for the forensics
> can run into the hundreds of thousands of dollars ($US). The inability of
> the company to use the workstations could be hundreds. The impact to any
> projects could be thousands or even millions. The cost of doing the
> forensics on the network to ensure that nothing else has been tampered
> with or compromised can run into the hundreds of thousands (forensics
> people are not cheap). So the potential outlay for such an incident is
> pretty high. If the company has standing and the damage is sufficiently
> great that they can interest the FBI or Treasury or Scotland Yard, the
> legal costs of taking the case to trial could easily reach the millions
> mark.
>
> Now the question is, how much does it cost the company? Well I just
> laid out the dollar figures above, right? Wrong. Basically the company
> is inconvenienced only for the real cost of employing people whom it
> would not otherwise have employed. Things like project impact and loss
> of reputation (say word got out that the company had been hacked) are
> intangible costs. These cannot be calculated (they're intangible). There
> may be monetary loss, but any good financial person will tell you that
> it's completely arbitrary how such costs are handled in accounting. Kind
> of like coming up with fair market value for clothing donated to charity.
>
> So while the costs to a company for a hack/virus/whatever incident may
> include real costs (paying people whom they would otherwise not pay),
> most of what companies report as "costs" are the intangible costs of
> "not being able to do what they were going to do if <incident> had
> not occurred." Unfortunately those are both hard to measure and are
> less likely to be judged to have monetary value.
>
> Company gets infected with Sasser. Company spends all Monday cleaning
> up Sasser. Company *would* have worked on project X if they hadn't spent
> Monday cleaning up Sasser. Real cost - someone running around cleaning
> up Sasser. Company's perceived costs - one man day times everyone who
> was infected, plus good will, reputation, project X being on schedule,
> plus phone charges for calling everyone, plus lunch and maybe pizza,
> plus whatever else they want to lump in there.
>
> Contrast this with companies (and we've all had one) who wouldn't pony
> up the few hundred or thousand dollars for a decent person/software
> package/whatever to *prevent* this kind of crap from happening.
>
> Companies get huge write-downs from security incidents, and the costs
> are (mostly) intangible - i.e. "made-up" costs that don't *really*
> cost the companies *real* dollars. But they won't spend *real* dollars
> on decent software/people. Works for them I guess, but I'm not buying
> it, and I hope no one else on this list does either.
>
> G
>
> On or about 2004.05.11 08:57:48 +0000, Michael Schaefer ([EMAIL PROTECTED]) said:
>
> > Loss?
> >
> > One of my biggest complaints is the way the industry "loses billions"
> > whenever a virus or worm breaks out.
> >
> > I mean, securing and maintaining your server is not a loss. Installing and
> > updating your anti-virus or IDS package is not a loss. All of these
> > things should have been done anyway.
> >
> > If a server goes offline, I guess you could measure the revenue it may
> > have produced as a loss, but technically, that is lack of income, not
> > true loss.
> >
> > If you see someone complaining about all the money they lost doing what
> > they should have been doing all along, I just see spin. And politics.
>
> Gregory A. Gilliss, CISSP
> E-mail: [EMAIL PROTECTED]
> Computer Security WWW: http://www.gilliss.com/greg/
> PGP Key fingerprint 2F 0B 70 AE 5F 8E 71 7A 2D 86 52 BA B7 83 D9 B4 14 0E 8C A3
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
