Impact Mitigation
Mitigation Panel Members
Marr T. Haack
- Assistant Vice President, Technology Market
- USF&G Corp, Baltimore, MD
Fred Chris Smith
- Trial Attorney in Private Practice in Santa Fe, New Mexico
- Special Prosecutor and Computer Security Consultant
Frederick G. Tompkins
- Senior INFOSEC Systems Engineer
- Science Applications International Corporation, McLean, VA
L. Dain Gary
- Principal, Booz Allen and Hamilton, McLean, VA
Marshall D. Abrams (Chair)
- Principal Scientist, The MITRE Corporation, McLean, VA
Impact Mitigation
Conventional assurance techniques focus on reducing
the vulnerabilities of the information system
Impact mitigation assurances instead accept that defects will remain and seek to
- Mitigate the impact of those defects when they are exploited or fail
Includes
- Flaw remediation (security-relevant software repair)
- Monetary reimbursement
- Warranties
- Insurance
- Legal liability
Fundamental Issues
Absolute dependence on computers, yet they are viewed
as tactical investments, not strategic ones
Computers now in the hands of the lowest paid staff
members (the "empowered workforce")
Less human interaction - less oversight, ownership, and responsibility
Financial pressures reduce security's priority
"Downsized" IT organizations - reduced
worker loyalty and disgruntled ex-employees
Metrics for security cost/benefit analysis
are not fully developed
Mitigation Approach Examples
Proactive
- Software quality
- Warranties
- Insurance
Reactive
- Repair security-relevant flaws
- Monetary reimbursement
- Sue
Standard of Care
In a negligence action
- A service provider is liable only if it breached the standard of care society expects of it
- If it did not breach the standard of care, it bears
no liability - even though injury may have occurred
The defendant's standard of care rises as his/her
skills increase
A security professional is deemed to possess certain
skills, even if s/he does not actually have them
Who's to Blame When It Happens?
The business community integrates information technology into its key business processes
- Electronic commerce replaces paper
- Both users and suppliers of IT grow more dependent upon, and more vulnerable to, system failures and weaknesses in security
- Vendors can't produce perfect software
- Business continuity planners can't always foresee the impact
- Warranties, licenses and other contracts frequently
are tested in court
Insurers don't want to be left holding the bag
All the stakeholders need to share in the risk
- Apportioned equitably, up front
- Minimizes the legal costs of affixing blame later
Software Flaw Remediation Issues
Activities: product developers and users
- Security incident reporting, analysis, repair,
distribution, installation
Responsibilities
- Level of commitment: timeliness, resources
- Contractual obligation or good will
- When to publicize the flaw and the fix
Accountability
- Contract, warranty
Telecommunication Miracles Valuable for Criminal
Enterprises
Almost perfect vacuum of law enforcement capabilities
Pressure upon alternatives to criminal enforcement
for financial fraud and other white collar crimes
Increased regulation and civil litigation
- Rely on negotiation, custom or jury verdict
- Rather than legislation enforced by regulation
or police action
Major deterrents to attacks on network security systems will be privately orchestrated and pursued
- Increased number of civil law suits
- Difficult to distinguish between
Unjustified civil suits based on phantom risks
Negligent failures to comply with generally
recognized standards for adequate security precautions
Using Technology And In Particular Software Is
A "Risky" Business
The insurance industry does not currently provide insurance
against information loss, other than limited business interruption
insurance
Most policies specifically exclude information losses
Most COTS software vendors provide only an exceptionally
limited warranty
Most organizations, whether or not they know or understand it,
are "self-insurers"
Understand the risks
- Take appropriate steps to reduce risk to an acceptable level
- A good risk management approach is the only true impact mitigation strategy