Comments on CYB3RCRIM3: Hold People Liable for Cybercrime?
Comment posted 2006-09-24

Wow. And I thought I was the only one. ;-)

But seriously, it is a provocative post. As a forensic engineer, I see (or have the possibility of seeing) this all the time.

I'm not a lawyer, but I don't feel that this is something that will work for home users...definitely not. Home users will end up installing so much anti-* software on their systems that they won't be able to run Solitaire, let alone do whatever it is they do.

I do believe, however, that corporate environments are different. Let me first say that I'm dismayed that, having been both an infosec consultant and worked in full-time positions doing security, there are so many corporate environments that do so little with regard to security up front, and then quibble when they are *legislated* to perform what should have been common sense, or just good customer service.

Corporate e-commerce infrastructures amaze me. Developers will be hired to provide an incredible customer experience, but nowhere along the way will someone with a security viewpoint be brought in. Sites will use Flash and all manner of interesting graphics and design to entice customers to purchase products, and to make that process easier...but how secure is the information the customer is sending? What about that privacy notice at the bottom of the page, where the corporation tells the customer that their personal information will not be shared...but someone breaks into the site and is able to access that information?

I'm used to seeing it...as a young 2ndLt in the Marines I was very often held to a standard that my seniors (I hesitate to say "superior officer" in some cases) did not adhere to themselves. I see the same thing in corporate arenas...senior managers will hold low-level techs to a standard, but will those same senior managers require that a new project have security personnel on the development team, or that a current project be subject to a security review?

Here's an example to consider...identity theft monitoring products. In the face of security breaches in the last year or so where personal information was stolen and possibly accessed, these services are becoming more and more important. When choosing which one is best for you, don't look at the price...instead, ask if the CEO (and/or senior managers) use the service. There are such services available where the CEOs themselves do not trust the security of their own systems/products.

So...who's liable? Who should be held responsible? Should the attacker be responsible for his actions? Yes. Should the CIO or CISO for the corporation that got hacked be responsible b/c they left a hole in the firewall, or an unpatched system, or failed to be aware of that rogue system on their network? At some point, a senior manager sat down and said, "we can't afford to hire a security person/staff", or they decided "we have to take the head count from security and assign them to another function"...that decision should have consequences, particularly if your sensitive personal information is exposed as a result (either directly or indirectly).

H. Carvey
http://windowsir.blogspot.com