Message-ID: <20040511135610.29507.qmail@web41603.mail.yahoo.com>
From: keydet89 at yahoo.com (Harlan Carvey)
Subject: Calcuating Loss

Michael,

To quote Morpheus..."welcome to the desert of the
real."

Perhaps more appropriately...to quote Neo..."There is
no spoon."

How does the industry "calcuate" [sic] loss?  Yes,
that's a very interesting question.  Removing a script
mapping from IIS at install time as part of a
configuration management worksheet would take very
little time, and could have been scripted w/ the
included mdutil.exe.  Blocking all inbound requests at
the firewall and only allowing authorized services is
perhaps equally inexpensive.  But figure monetary
costs to the company, particularly up-front costs. 
They'd have to actually hire someone who knew what
they were doing.  So...when it comes down to an admin
position, do you want to hire the brand new paper-MCSE
at $42K or the well-qualified MCSE w/ hands-on
experience who's asking for $68K?  Federal and DoD
acquisitions define "best value" as "lowest up-front
cost"...so that should get you your answer pretty
quickly.

The stage is set.  So how do companies compute loss
after an incident?  What sorts of factors come into
play?  Well, many times, you have to take into account
not only losses in productivity and down-time of
systems, but the costs associated w/ hiring
consultants to assess your situation, help you clean
up, etc.  Then there's the initial loss of customer
confidence when the delay of work-product coincides
with a worm being released, and then the follow-on
effects to stock prices should the information be made
public...consider what happens to stock when an
analyst changes a rating.

At this point, we're just talking about a worm being
released...not an actual intrusion where third parties
or LEOs are brought in, further eroding confidence in
the stock and adversely affecting productivity.

In a nutshell, it's the American way.  Do all
companies react this way?  No.  Some...maybe even a
good many...have hired consultants to come in and get
them set up, and maybe even pay a subscription fee to
keep things on an even keel.

I think what needs to happen is that at some
regulatory function...HIPAA, Sarbanes-Oxley, the SEC,
the GAO, whatever...there needs to be some technical
capability or functionality that can understand
network infrastructures and the risks they face.  For
example, say Company X gets hit by a worm...someone
from the Board or the regulatory body has to sit down
w/ the C*-level folks and ask the tough
questions..."ok, it's 2004, why did you have this port
open in your firewall??"  Or, if the worm got in
behind the firewall due to dial-up or a WAP, someone
has to ask the tough technical questions regarding
*why* such a design was allowed.  High-level hand
waving should no longer be condoned.

> Loss?
> 
> One of my biggest complaints is the way the industry
> "loses billions" 
> whenever a virus or worm breaks out.
> 
> I mean, securing and maintaining your server is not a
> loss. Installing and 
> updating your anti virus or IDS package is not a
> loss. All of these 
> things should have been done anyway.
> 
> If a server goes off line, I guess you could measure
> the revenue it may 
> have produced as a loss, but technically, that is
> lack of income, not 
> true loss.
> 
> If you see someone complaining about all the money
> they lost doing what 
> they should have been doing all along, I just see
> spin. And politics.
> 
> M
> 
> 
> 
> 
> >Michal Zalewski wrote:
> >
> >  
> >
> >>If we must toy with bogus marketspeak "equations",
> shouldn't E - at the
> >>very least - numerically correspond to the
> consequences (loss?) caused by
> >>an event, rather than being an event itself?
> >>    
> >>
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter:
http://lists.netsys.com/full-disclosure-charter.html

