From: ggilliss at netpublishing.com (Gregory A. Gilliss)
Subject: Calculating Loss

                       * * * LONG * * *

This whole loss thing needs to be put into perspective, IMHO.

So let's say (hypothetically) someone hacks a company's network. Let's say
the hack is internal (as opposed to external). The company detects the
hack (let's say) and runs down to the suspected cubicle and ...does what?

Well, if they're smart they have an in-house team (or outside consultants)
remove the suspected workstations and they do forensics on those machines,
then they bring in the suspected hacker (who's been on suspension or in 
stir or whatever) and have their lawyers depose him/her with respect to
the forensic evidence that they gathered. Pretty much SOP so far. 

What has this cost the company?  Well, the time and money for the forensics
can run into the hundreds of thousands of dollars ($US). The inability of 
the company to use the workstations could be hundreds. The impact to any
projects could be thousands or even millions. The cost of doing the
forensics on the network to ensure that nothing else has been tampered
with or compromised can run into the hundreds of thousands (forensics
people are not cheap). So the potential outlay for such an incident is
pretty high. If the company has standing and the damage is sufficiently 
great that they can interest the FBI or Treasury or Scotland Yard, the
legal costs of taking the case to trial could easily reach the millions
mark.

Now the question is, how much does it cost the company? Well I just 
laid out the dollar figures above, right? Wrong. Basically the company
is inconvenienced only for the real cost of employing people whom it
would not otherwise have employed. Things like project impact and loss
of reputation (say word got out that the company had been hacked) are
intangible costs. These cannot be calculated (they're intangible). There
may be monetary loss, but any good financial person will tell you that
it's completely arbitrary how such costs are handled in accounting. Kind
of like coming up with fair market value for clothing donated to charity.

So while the costs to a company for a hack/virus/whatever incident may 
include real costs (paying people whom they would otherwise not pay),
most of what companies report as "costs" are the intangible costs of
"not being able to do what they were going to do if <incident> had
not occurred." Unfortunately those are both hard to measure and
less likely to be judged to have monetary value.

Company gets infected with sasser. Company spends all Monday cleaning 
up sasser. Company *would* have worked on project X if they hadn't spent
Monday cleaning up sasser. Real cost - someone running around cleaning
up sasser. Company's perceived costs - one man day times everyone who
was infected, plus good will, reputation, project X being on schedule,
plus phone charges for calling everyone, plus lunch and maybe pizza,
plus whatever else they want to lump in there.

Contrast this with companies (and we've all had one) who wouldn't pony
up the few hundred or thousand dollars for a decent person/software
package/whatever to *prevent* this kind of crap from happening.

Companies get huge write-downs from security incidents, and the costs
are (mostly) intangible - i.e. "made-up" costs that don't *really*
cost the companies *real* dollars. But they won't spend *real* dollars
on decent software/people. Works for them I guess, but I'm not buying
it, and I hope no one else on this list does either.

G

On or about 2004.05.11 08:57:48 +0000, Michael Schaefer (mbs@...trealm.com) said:

> Loss?
> 
> One of my biggest complaints is the way the industry "loses billions" 
> whenever a virus or worm breaks out.
> 
> I mean, securing and maintaining your server is not a loss. Installing and 
> updating your anti virus or IDS package is not a loss. All of these 
> things should have been done anyway.
> 
> If a server goes off line, I guess you could measure the revenue it may 
> have produced as a loss, but technically, that is lack of income, not 
> true loss.
> 
> If you see someone complaining about all the money they lost doing what 
> they should have been doing all along, I just see spin. And politics.

Gregory A. Gilliss, CISSP                              E-mail: greg@...liss.com
Computer Security                             WWW: http://www.gilliss.com/greg/
PGP Key fingerprint 2F 0B 70 AE 5F 8E 71 7A 2D 86 52 BA B7 83 D9 B4 14 0E 8C A3