Great Circle Associates Firewalls
(December 1996)

Subject: Re: Insurance policy covering security breach
From: Bob Beck <beck @ obtuse . com>
Date: Tue, 10 Dec 1996 19:43:37 -0700 (MST)
To: adam @ homeport . org (Adam Shostack)
Cc: pmcmahan @ v-one . com, adam @ homeport . org, firewalls @ GreatCircle . COM
In-reply-to: <199612102147 . QAA10257 @ homeport . org> from "Adam Shostack" at Dec 10, 96 04:46:13 pm

[ Firewall Insurance ]


Adam Shostack reportedly said:
> 
> 
> 	What is the risk?  I assert that you can't quantify it, and
> thus insurance is not reasonable.  You seem to say it's very high, and
> thus insurance is not reasonable.  I agree that it's very high, but
> what about a company that goes to certain lengths to mitigate those
> risks?  We don't have mathematical tools to measure the effectiveness
> of the security tools that we use.

	I think there's another issue WRT insurance. If you're going
to have "firewall insurance", you can't simply "measure the risk at
the firewall" even if you could, and base your assessment on that.  If
I compromise someone by simple human engineering, i.e. I bypass the
firewall completely. "Oh Joe, your sysadmin won't let you do ActiveX?
What a mean SOB! Here, I've got this little program you can try that
might let you do it. Take it in and run it, but bring the disk back to
me, I've only got one copy."  Let's say I obtain something I shouldn't
have. Now let's say I make that available so the victim knows they've
been had. Ok, time for insurance, but was the firewall compromised or
not? If I didn't "come through it" it probably wasn't. This isn't like
a flood where you can tell after the fact what happened. Did
it go through the firewall or not, and how would you convince your
Insurance Adjuster that it had?

	Never mind that the potential for fraud is obvious. If the
only evidence of a "breakin" is electronic logs, the next time I go to
upgrade/reinstall the OS on an internal machine, I just make it look
as if it was "broken into" with some clever logs, some RM's, an IRC
robot server and some kiddie porn. Oh the shame, my firewall's been
compromised and I have to reinstall from clean media. Please send the
cheque soon, we need it to cover the bonus flat of Jolt and the
Porsche I'm getting from my unscrupulous boss for putting the company
in the black this quarter :-)

	-Bob
--
Bob Beck					 Obtuse Systems Corporation
beck @ obtuse . com				 http://www.obtuse.com/
True Evil hides its real intentions in its street address. Search and you
shall find it, and the truth shall set you free.
