Full Disclosure mailing list archives

Re: Responsibility

From: Sol Invictus <sol () haveyoubeentested org>
Date: Mon, 22 May 2006 09:57:29 -0400

Paul Schmehl wrote:

--On May 22, 2006 8:05:47 AM +1000 Greg<full-disclosure3 () pchandyman com au> wrote:
Large motel/hotel chain I recently acquired wants to sue previouscompany
who did their I.T. work for them as a customer's wifi connected machine
infected their network and caused loss of booking data thus money.

My question then is - if you have done the utmost to lock down your
customer but someone connects an infected machine and somehow it getsin,
is the customer right in suing you?
There's way too many unanswered questions here to provide anintelligent answer.
1) What was the nature of the virus? New and undetected? Or old andwell known?
2) What was the status of patching?  Current?  Or way behind?
3) What was the response to the infection? Rapid and effective? Orslow and ineffective?4) Where the critical assets protected from the rest of the network?Or exposed?5) What was the nature of the security effort? Organized and focused?Disorganized and unfocused?
Those are just some starting questions. You would need to know muchmore to accurately assess the culpability of the previous company.


Responses to previous Questions.

1) This is Moot. When designing a "public" network you must alwaysassume that these are the worst possible machines that are accessing thenetwork. The design must reflect and prepare for this.2.) Good question. I would add... What does their policy state aboutpatching?

3.)  I would add, how soon after infection was it discovered?

4.) to add here... Were the critical assets DoS'd by this or infectedthemselves?5.) Great generic question.. The answer to this would lead to many morequestions.


More Questions

1) What was the scope of the original project?

2) Did the IT consultant raise the issues that are now rearing theirUgly head? If so, what and who made a decision?3) Who's decision was it to put the customers on the same network as theHotel itself? (This is the person that should be held responsible forthis.)


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Responsibility Greg (May 21)
- Re: Responsibility Line Noise (May 21)
- Re: Responsibility Paul Schmehl (May 21)
  - Re: Responsibility Sol Invictus (May 22)
- Re: Responsibility <...> (May 23)
- Re: Responsibility Sean Comeau (May 23)
- <Possible follow-ups>
- RE: Responsibility Scott Forrest (May 25)
  - Re: Responsibility Michael Holstein (May 25)
- RE: Responsibility Scott Forrest (May 25)
  - Re: Responsibility Valdis . Kletnieks (May 25)
    - Re: Responsibility gboyce (May 25)