Why Due Diligence as a Defense is Not Enough
by Carter Schoenberg - CISSP - Second Chairs - Monday, 28 March 2005.
This should be expected and embraced from upper level management as it holds each person to a higher level of accountability thus demonstrating a higher standard. Using this same scenario, the CEO or CIO should sign and then document the basis for their decision with the assistance of in-house or third-party counsel. Just because the CEO didn’t agree to what was presented, doesn’t necessarily mean he/she was wrong. But if you do not document the basis for your decision, will 12 jurors believe your intentions were in the best interest of the company, or are you just trying to save yourself?

A fairly recent survey reported most businesses fail to address medium to low rated risks in information security. A noticeable trend started in the middle of last year. Hackers started using older vulnerabilities as a vector of attack. Most noticeably was “Phatbot”. Phatbot is like any other “bot” designed to perform a repetitive process as designed by its creator. In Phatbot’s case, the repetitive function was designed to be stealthy and install malware. In 2004, vulnerabilities in Microsoft from as far back as early 2003 were encoded into Phatbot’s payload as well as key-loggers and remote administration exploits.

From the point a vulnerability is discovered and a remedy is made available, the clock starts ticking. The longer you wait to address the threat, the closer you encroach upon negligence. This is just one demonstration for providing due care.

While the use of antivirus products might be acceptable for short term as the vulnerability is actually being patched on individual systems. Exclusively relying on this method does not work and is not accepted under “Best Practices”. This is why you will see multiple variants of the same named worm.

Verizon discovered a valuable lesson when it pursued civil action against the State of Maine’s Public Utility Commission for a rebate because of the negative impact resulting from the Slammer worm. In Maine, the telecommunication providers sublease lines from the State’s Public Utility Commission. At the time the attack took place, a remedy from Microsoft was available for several months. A common opposing argument is that the larger the company, the more difficult it becomes to apply software patches. While many networking and security professionals believe that best practices or regulatory statutes such as HIPAA (Health Insurance Portability & Accountability Act), GLB (Graham Leach-Bliley) or even Sarbanes-Oxley do not take into consideration the size and scope of each business. However, it doesn’t have to from a legal liability standpoint!

The Defendant, The State of Maine, utilized a fairly unheard of legal principle, the “Neighbor Policy”. Defense argued that AT&T and WorldCom, both telecommunication providers like Verizon, applied the patches as recommended by Microsoft and neither of these parties filed suit because they were not harmed. This information was utilized to attack Verizon’s claim and the judge not only found in favor of the defendant but also went on record to state that these types of attacks are foreseeable and preventable.

Even though the defense won, they lost. Consider how much money was spent on legal representation in protecting their position? Still think you’re ready for court? Given the United States current legal landscape and what is now being framed for certain case law, perhaps the use of legal counsel should be rethought. Rather than rely on legal representation post facto, consider utilizing it preemptively while designing, managing and executing your business’ security posture. If in-house counsel is not trained or experienced enough in understanding this critical area, it is then wise to utilize independent legal representation.


What's the real cost of a security breach?

The majority of business decision makers admit that their organisation will suffer an information security breach and that the cost of recovery could start from around $1 million.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Fri, Feb 12th