President Bush has set forth an initiative for tort reform. Just recently in Georgia, medical physicians are limited to a maximum of $350,000 per claim where before claims in the millions were very common. Even with tort reform in place, civil lawsuits will continue to take place. Are you ready for court? Is your CEO or President? Think so? As a result of incidents from Enron and Tyco, it should come as no surprise to business executives that security and networking personnel have a duty to document transgressions that can lead to a breach or fraud. If your networking manager provides the CIO or CEO information to support the need for enhanced security and it is denied, it should be incumbent on this same individual to say, “I understand. I need for you to sign here acknowledging that you were advised on this issue and declined my recommendations.”

This should be expected and embraced from upper level management as it holds each person to a higher level of accountability thus demonstrating a higher standard. Using this same scenario, the CEO or CIO should sign and then document the basis for their decision with the assistance of in-house or third-party counsel. Just because the CEO didn’t agree to what was presented, doesn’t necessarily mean he/she was wrong. But if you do not document the basis for your decision, will 12 jurors believe your intentions were in the best interest of the company, or are you just trying to save yourself?

A fairly recent survey reported most businesses fail to address medium to low rated risks in information security. A noticeable trend started in the middle of last year. Hackers started using older vulnerabilities as a vector of attack. Most noticeably was “Phatbot”. Phatbot is like any other “bot” designed to perform a repetitive process as designed by its creator. In Phatbot’s case, the repetitive function was designed to be stealthy and install malware. In 2004, vulnerabilities in Microsoft from as far back as early 2003 were encoded into Phatbot’s payload as well as key-loggers and remote administration exploits.


From the point a vulnerability is discovered and a remedy is made available, the clock starts ticking. The longer you wait to address the threat, the closer you encroach upon negligence. This is just one demonstration for providing due care.



While the use of antivirus products might be acceptable for short term as the vulnerability is actually being patched on individual systems. Exclusively relying on this method does not work and is not accepted under “Best Practices”. This is why you will see multiple variants of the same named worm.