[ISN] The High Costs of Hacking
InfoSec News
isn at c4i.org
Thu Jun 16 03:16:05 EDT 2005
Forwarded from: security curmudgeon <jericho at attrition.org>
: http://www.cio.com/archive/061505/tl_security.html
:
: BY MICHAEL JACKMAN
: June 15, 2005
: CIO Magazine
: While it's true that not all network mischief comes at such a high
: price, John Sgromolo, lead investigator for digital forensics at Verizon
: Communications and a former special agent with the United States Naval
: Criminal Investigative Service, says that such large sums are the real
: deal. More or less.
:
: Consider cases in which a hacker brings down a server that's used for
: selling products. "If you're averaging $3,000 an hour on this server,
: that's not hard to figure out based on how many hours it was down,"
: Sgromolo says. Then there's the cost of replacing damaged equipment and
: the hours spent on repairs, installation and recovery.
A good point, and something many folks in the industry have been pointing
out for almost a decade now. The problem is these damage figures are put
forth with little or no explanation. In the past we've seen reports of
"millions of dollars of damage" to systems, but no justification for the
figure, no explanation of how it was derived, and no logic could make the
leap to such high numbers.
We're all painfully aware of how damage figures can be manipulated by the
prosecution as well. Look back to the Mitnick case in which Sun
Microsystems was pressured into claiming an 82 *million* dollar loss for
the theft of their source code. Did Sun ever mention this loss in their
SEC filings? Do any of these companies that suffer "million" dollar losses
at the hands of hackers report such losses? If not, isn't that fraud?
In some cases we see a company claiming high damage figures due to "loss
of information". Apparently negligence in backup policy is perfectly
acceptable to the company. If it wasn't an evil hacker, it could just as
well have been a cup of water spilled on a primary server that caused the
loss. Some companies go so far as to count all the time and effort spent
securing the system after a break-in as part of the damage cost. What
should have been done proactively to prevent a break-in is now dumped in
the lap of the person who broke in. If we applied that reasoning to
non-computer crimes, the courts would openly laugh at some damage figures.
"yes your honor, the $13,500 damage figure for my bike getting stolen is
perfectly reasonable. first, i had to buy the bike before it could get
stolen which cost $250 bucks. then i had to buy a lock. i'm also including
a portion of my rent which covers the locked garage it was kept in, the
security surveillance system which we had to install to prevent it from
happening again, my time and materials, the time spent by the police
officer for taking my report and investigating the crime (my tax dollars
pay his salary!), your honor's time..."