[ISN] The High Costs of Hacking

InfoSec News isn at c4i.org
Thu Jun 16 03:16:05 EDT 2005

Forwarded from: security curmudgeon <jericho at attrition.org>

: http://www.cio.com/archive/061505/tl_security.html
: June 15, 2005
: CIO Magazine 

: While it's true that not all network mischief comes at such a high 
: price, John Sgromolo, lead investigator for digital forensics at Verizon 
: Communications and a former special agent with the United States Naval 
: Criminal Investigative Service, says that such large sums are the real 
: deal. More or less.
:
: Consider cases in which a hacker brings down a server that's used for 
: selling products. "If you're averaging $3,000 an hour on this server, 
: that's not hard to figure out based on how many hours it was down," 
: Sgromolo says. Then there's the cost of replacing damaged equipment and 
: the hours spent on repairs, installation and recovery.

A good point, and something many folks in the industry have been pointing 
out for almost a decade now. The problem is these damage figures are put 
forth with little or no explanation. In the past we've seen reports of 
"millions of dollars of damage" to systems, but no justification for the 
figure, no explanation of how it was derived, and no logic could make the 
leap to such high numbers.

We're all painfully aware of how damage figures can be manipulated by the 
prosecution as well. Look back to the Mitnick case in which Sun 
Microsystems was pressured into claiming an 82 *million* dollar loss for 
the theft of their source code. Did Sun ever mention this loss in their 
SEC filings? Do any of these companies that suffer "million" dollar losses 
at the hands of hackers report such losses? If not, isn't that fraud?

In some cases we see a company claiming high damage figures due to "loss 
of information". Apparently negligence in backup policy is perfectly 
acceptable to the company. If it wasn't an evil hacker, it could just as 
well have been a cup of water spilled on a primary server that caused the 
loss. Some companies go so far as to count all the time and effort spent 
securing the system after a break-in as part of the damage cost. What 
should have been done proactively to prevent a break-in is now dumped in 
the lap of the person who broke in. If we applied that reasoning to 
non-computer crimes, the courts would openly laugh at some damage figures.

"yes your honor, the $13,500 damage figure for my bike getting stolen is 
perfectly reasonable. first, i had to buy the bike before it could get 
stolen which cost $250 bucks. then i had to buy a lock. i'm also including 
a portion of my rent which covers the locked garage it was kept in, the 
security surveillance system which we had to install to prevent it from 
happening again, my time and materials, the time spent by the police 
officer for taking my report and investigating the crime (my tax dollars 
pay his salary!), your honor's time..."
