Saturday, 1 March 2008

Sunday again

New weekend and another type of frog.

And here we see that the rain has the creek flowing strongly (and brown). Just a few snaps as I went for a walk around a few areas I have not been in a while to check that everything is ok.

Security Stats and how I got them.

Mark Palmer asked a good question in respect of the stats. This is the extension of the comment to enable an understanding of how they were (and still are) collected.

Working with a Chartered Firm we get to see a large number of clients. At the least there is a requirement for "information gathering". This is where we are engaged with a Financial Audit, but need to do a quick and nasty risk assessment of the financial systems for the client.

I run the team, so I (much to the disdain of many others) get to spend a little more time than is billed and have a lower productivity to offer a better result. Most auditors do not do this as it has direct financial consequences. My salary and bonus are tied to productivity. Most are. In the Big 4 firms this is even truer. This comes down to a factor known as materiality that I will discuss later in the post. I prefer to offer value and hate not reporting on security issues. So in effect I do more than I am meant to.

There are over 500 clients, but we see some of these only every 2-3 years. Clients of this type are excluded.

What is materiality?
Materiality is the point where the auditor really cares. This is set as a fraction of the client's profit, turnover or whatever is being checked. If the audit was of stock and the client had a total value of $10,000,000 held in stock and materiality was set to 5% (a standard limit), materiality would be set at $500,000. We as auditors care about a loss GREATER than the materiality limit. That is, if the loss is less than $500,000, it is a SEP (somebody else's problem).

This also applies to the IT audit side when conducted as a component of the financial system. In the case of what we care about – it is current losses. So a data breach that could occur or a loss of private data is an MLP (management letter point) and no more. Financial Audits do not (and this is why I am naughty for doing the extra) care about potential losses.

Where the Stats come from
I have to do or oversee all of the IT work in the state. This means that for any complex (and now also non-complex) job, I have to verify the work and ensure that it was completed correctly. So even when I did not complete the audit, I have oversight and I trained those doing them.

As a statistician as well, I have an issue with the stats. They are naturally subject to bias. This is not personal bias, but rather these are representative of a chartered firm (being a mid-tier accountancy). They are not necessarily representative of the population; they are representative of the type of organisations that use a mid-tier firm. I cannot extrapolate these to the population without comparable data from a Big 4 firm, and I do not see this occurring. (I do see that there are not many Snr Managers in the Big 4 willing to lower their productivity however ;)

I do see reports from Big 4 firms. I review them on a weekly basis. Again, these are reports for organisations that are not necessarily representative of the population. What I would really need is a TRUE random sample of organisations to make the statistics valid for the population. Even a small sample could be used to make an inference from the existing stats, but this would mean choosing 50 companies at random and doing an audit without being their auditor. It will never happen.

For the moment, these statistics are valid for the type of organisation that will use a mid-tier chartered accounting firm.

Complex - this is a client with a relational database, ecommerce, multiple systems etc
Non-complex - this is a client with a simple accounting package (eg MYOB or quickbooks).

Friday, 29 February 2008

Current Statistics on InSecurity - The REAL Issue!

The numbers of each class are included in the previous posts as are the descriptors. The three system classes are:

  • Financial Systems Databases,
  • User Management Systems (Including Active Directory Domain server),
  • Key Critical System (this is the system with the highest loss or damage value for the organisation).
In this post I am detailing the very basics of system security on these hosts. I have set a VERY poor security standard as the baseline for this post. I have used compliance with the "Level 1" system configuration guidelines from the Center for Internet Security (http://www.cisecurity.org/). To pass and be listed in the "ok" class for these statistics, an organisation needs to achieve at least 50% compliance with the CIS baseline.

By the way, 50% on CIS "level 1" benchmarks is generally a fail to most security people. This is a system that will only survive as it has a firewall. On the Internet, it will last hours. I would have used at least 80% on level 1, but I have seen only three organisations that have met this level. So making this the baseline for this would just be a line of zeros.

Financial Systems Databases
Working for an Audit firm, these are the systems that are generally of most concern. These are systems that hold user data, client data, confidential trade secrets, personally identifiable information on staff and the finances of the organisation.
In Australia, it is a criminal offence not to protect an employee's tax file number. I would point the reader to: http://www.privacy.gov.au/act/tfn/ and the guidelines from http://www.privacy.gov.au/publications/tfngls.pdf.

Forgetting even the provisions of the Corporations Act and the requirements to protect and ensure the integrity of financial data, "Unauthorised use or disclosure of tax file numbers is also an offence under the Taxation Administration Act 1953 with a penalty of up to $10,000 fine, two years imprisonment, or both". The Privacy Commissioner has the power to conduct audits on TFN recipients pursuant to section 28(1)(e) of the Act. What a pity more do not occur.

The commissioner notes that "tax file number information handling procedures and safeguards should anticipate all reasonably foreseeable risks to security. "

With BASEL II, the financial sector has cleaned up its act in the last couple of years. It is a shame about the rest. Shareholders should be hitting retail with a barrage of requests for explanations. In one case, a firm I audited was losing over $1,500,000 due to fraud across the POS system alone. This is without even considering that identity theft was (and is) likely occurring. The fix: about $200,000 to $300,000 as a project taking 12 months. The point being that it would pay for itself in months.

Why did this project NOT occur (or at least in a highly cut down version that is not effective and that will not comply to PCI-DSS)? Because this would mean disclosure to shareholders. Something I believe is legally required.

User Management Systems (Including Active Directory Domain server)
In this I have included Domain controllers, Active Directory systems and the like.

Again, there is a move towards improvement in some sectors, but it is by no means good.

Key Critical System (this is the system with the highest loss or damage value for the organisation).

This is THE system that the organisation needs the most. This is the system that they have defined as their core system. In a newspaper firm, this is the system that runs the press and which, if it were to crash, would result in no papers in the morning. In the case of a Stock Exchange, this is the trading platform.

This gives an idea of how bad things really are.

Finance seems to care more - they understand money so at least protect some systems.

Go Retail! Forget PCI. Forget the criminal provisions; all these get in the way of losing money! If you want to ensure that you do not have your credit card stolen, use cash and forget handing it to a store.

Thursday, 28 February 2008

Current Statistics on InSecurity - IDS

The following are a compilation of statistics on a year by year basis. These are all in Australia and have been followed over a number of years. The columns are split by Year, into Industry and the number of organisations that have an IDS in place. This is divided further into HIDS (host based IDS) and NIDS (network IDS). The firewall stats were published in the prior post. This only records that the system is in place. The statistics for those who monitor the system are lower (and looking at the logs on a monthly basis is not monitoring the IDS!).

Over the next week I will publish the statistics I have noted in audits and compliance work for this period. Following posts will include NIDS (those organisations using a network based IDS of some type, even if poorly), HIDS (those with something as simple as AIDE or Tripwire). In the next posts there will be a set of statistics by system. The systems I have been recording are:
  • Financial Systems Databases,
  • User Management Systems (Including Active Directory Domain server),
  • Key Critical System (this is the system with the highest loss or damage value for the organisation).
The results are listed from 2004 to 2007 with the number of systems that are compliant with the noted test against the number of organisations in the class (except in the case of 100% compliance, where only the count is listed). So a result of "89 / 102" means that 89 organisations of a total sample space of 102 clients are compliant. In the case of the firewall section, 89 organisations of the 102 would have a minimal firewall in place (or 87%).
[Figures omitted from this copy: Network and Host IDS as a fraction; Network and Host IDS as a percentage; Network-based IDS as a graph plotting changes over time; Host-based IDS as a graph plotting changes over time.]

The worst industries are retail and property. Where there is a requirement for PCI-DSS to be met, I have ignored that altogether for these figures. I have seen 2 organisations that are compliant with PCI-DSS.

I have seen 45 organisations that have PCI-DSS requirements that need to be met. Of these, 2 met the compliance standards as they had minimal systems. On top of this, 2 organisations have filed that they are nowhere near meeting the standards and file as being non-compliant, but Visa has yet to do anything. A further 3 organisations have "lodged" with Visa/Mastercard and their banks that they are non-compliant but working on getting there and have an extension. 17 organisations have "fudged the results" and 6 have, well, let us just say misrepresented the truth.

Current Statistics on InSecurity

The following are a compilation of statistics on a year by year basis. These are all in Australia and have been followed over a number of years.

The columns are split by Year, into Industry and the number of organisations that have a Firewall in place. Those with a firewall are not necessarily even secure, as this is being generous and includes both commercial firewalls and also some clients with a simple set of ACLs (and NO egress filters) on a router.

Over the next week I will publish the statistics I have noted in audits and compliance work for this period. Following posts will include NIDS (those organisations using a network based IDS of some type, even if poorly), HIDS (those with something as simple as AIDE or Tripwire), and finally there will be a set of statistics by system.

The systems I have been recording are:

  • Financial Systems Databases,
  • User Management Systems (Including Active Directory Domain server),
  • Key Critical System (this is the system with the highest loss or damage value for the organisation).
The results are listed from 2004 to 2007 with the number of systems that are compliant with the noted test against the number of organisations in the class (except in the case of 100% compliance, where only the count is listed). So a result of "89 / 102" means that 89 organisations of a total sample space of 102 clients are compliant. In the case of the firewall section, 89 organisations of the 102 would have a minimal firewall in place (or 87%).

2004
Finance 102 / 103
Government 15 / 17
Retail 41 / 64
Health 8 / 14
Telecoms 8 (100%)
Property 6 (100%)
Media 7 (100%)
Gaming 3 (100%)

2005
Finance 98 (100%)
Government 16 / 17
Retail 53 / 64
Health 8 / 14
Telecoms 8 (100%)
Property 6 (100%)
Media 7 (100%)
Gaming 3 (100%)

2006
Finance 86 (100%)
Government 17 / 18
Retail 54 / 64
Health 12 / 14
Telecoms 8 (100%)
Property 6 (100%)
Media 7 (100%)
Gaming 3 (100%)

2007
Finance 64 (100%)
Government 17 / 18
Retail 60 / 64
Health 13 / 15
Telecoms 9 (100%)
Property 6 (100%)
Media 7 (100%)
Gaming 3 (100%)
  • Finance includes mid-tier banks and credit unions, insurance companies and other organisations such as stock broking firms.
  • Government includes both state and Commonwealth departments, Councils and commissions.
  • Retail includes about anything that ends up being sold to consumers.
  • Health includes medical facilities and hospitals.
  • Telecoms includes traditional and Internet based organisations.
  • Media is broadcasting, news, and printing
  • Gaming is betting and casinos.
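The two notations in these tables ("n / N" and "n (100%)") are easy to misread when scanning four years by hand. The following Python is an added example, not code from the original post: a small parser that reads blocks in exactly that layout, converts them to percentages the way the post does (89 / 102 becomes 87%, kept here to one decimal), and pulls out per-industry trends and the weakest classes in a year. The sample block is constructed from the 2004 and 2005 firewall figures above; the function and constant names are my own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the notation used on the page: "Industry n / N" means
# n of N organisations in that class passed the test, and "Industry n (100%)"
# means all n passed. Figures are copied from the 2004 and 2005 firewall tables
# above; the other years and classes are left out to keep the sample short.
SAMPLE = """
2004
Finance 102 / 103
Retail 41 / 64
Telecoms 8 (100%)

2005
Finance 98 (100%)
Retail 53 / 64
Telecoms 8 (100%)
"""

YEAR_RE = re.compile(r"^(\d{4})$")
FRACTION_RE = re.compile(
    r"^(?P<industry>[A-Za-z][A-Za-z ]*?)\s+(?P<ok>\d+)\s*/\s*(?P<total>\d+)$")
FULL_RE = re.compile(
    r"^(?P<industry>[A-Za-z][A-Za-z ]*?)\s+(?P<total>\d+)\s*\(100%\)$")

# {year: {industry: (compliant, total)}}
Stats = Dict[int, Dict[str, Tuple[int, int]]]


def parse_stats(text: str) -> Stats:
    """Parse the year / industry blocks into {year: {industry: (compliant, total)}}."""
    stats: Stats = {}
    year = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = YEAR_RE.match(line)
        if m:
            year = int(m.group(1))
            stats.setdefault(year, {})
            continue
        if year is None:
            raise ValueError(f"data line before any year header: {line!r}")
        m = FRACTION_RE.match(line)
        if m:
            ok, total = int(m["ok"]), int(m["total"])
        else:
            m = FULL_RE.match(line)
            if m is None:
                raise ValueError(f"unrecognised line: {line!r}")
            ok = total = int(m["total"])  # "(100%)" form: every organisation passed
        if total == 0 or ok > total:
            raise ValueError(f"impossible count on line: {line!r}")
        stats[year][m["industry"].strip()] = (ok, total)
    return stats


def percent(ok: int, total: int) -> float:
    """Compliance rate to one decimal place, e.g. 89 of 102 -> 87.3."""
    return round(100.0 * ok / total, 1)


def trend(stats: Stats, industry: str) -> List[Tuple[int, float]]:
    """Year-by-year compliance percentages for one industry, oldest first."""
    return [(y, percent(*stats[y][industry]))
            for y in sorted(stats) if industry in stats[y]]


def worst_industries(stats: Stats, year: int, n: int = 2) -> List[str]:
    """The n industry classes with the lowest compliance rate in a given year."""
    ranked = sorted(stats[year].items(), key=lambda kv: percent(*kv[1]))
    return [industry for industry, _ in ranked[:n]]


if __name__ == "__main__":
    data = parse_stats(SAMPLE)
    for y in sorted(data):
        print(y, {ind: percent(*counts) for ind, counts in data[y].items()})
    print("Retail trend:", trend(data, "Retail"))
    print("Worst in 2004:", worst_industries(data, 2004))
```

The parser rejects a line it cannot classify rather than guessing, which matters when the notation is mixed in one block as it is above: a silently dropped row would shift the worst-industry ranking without any sign that data was lost.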

The following table is the previous firewall data in a simpler format.

Practice

In addition to "Buggy Bank", which comes with the SANS course CDs, please have a look at the following practice "Hack examples" if you are interested in practising and developing testing skills.
· Hacme Travel v1.0
o http://www.foundstone.com/us/resources/proddesc/hacmetravel.htm
· Hacme Bank v2.0
o http://www.foundstone.com/us/resources/proddesc/hacmebank.htm
· Hacme Casino v1.0
o http://www.foundstone.com/us/resources/proddesc/hacmecasino.htm
· Hacme Books v2.0
o http://www.foundstone.com/us/resources/proddesc/hacmebooks.htm
· Hacme Shipping v1.0
o http://www.foundstone.com/us/resources/proddesc/hacmeshipping.htm

Wednesday, 27 February 2008

The latest Insecurity and NON-Compliance Statistics

My current tally on audits is 1761 audits for 363 organisations over 22 years (I am a statistician as well as an auditor). Of these audits I have the following statistics (from large companies such as News Ltd, financial organisations, credit unions, a stock exchange, government depts. and even smaller firms).

                                                      No. Audits   No. Organisations
Compliant with ALL criminal provisions of the law         54               7
Compliant with ALL tortious and contractual
requirements (and I will not say who it is *)             32               1
Compliant with ALL regulatory provisions                  45               2

The few (less than 0.1%) who made any way towards being compliant achieved this by breaking down the scope and not trying to overlap.

In fact, the worst cases are those that try to "simplify" things doing them all at once.

And the laws on evidence are that you need to hold all business records that MAY in some future point (say 6 years in the future) possibly be subject to a filing. That is not only existing legal action, but potential action.

* By stating the one who was compliant I would also in effect remove all doubt as to those who are not.

Tuesday, 26 February 2008

Enforcing Law on the Internet.

The Internet remains the wild, wild, web not because of a lack of laws, but rather the difficulty surrounding enforcement. The Internet’s role is growing on a daily basis and has reached a point where it has become ubiquitous and an essential feature of daily life both from a personal perspective and due to its role in the international economy. The recently released “Creative Britain; new talents for the new economy”[1] framework paper has demonstrated a reversal of many of the positions formerly held by the British government. This new position is likely to require internet service providers to take action on illegal file sharing, as a consequence leaving intermediaries liable if they fail to take action.

If an ISP is to be held liable for authorisation as an intermediary, it must have knowledge, or otherwise be able to deduce, that infringements are proceeding.[2] Although intermediaries commonly monitor their systems and have the means to suspect when infringements are occurring, Internet intermediaries also require the authority to prevent infringement if they are to be held liable for authorisation, a condition that entails an aspect of control.[3] The government's proposal[4] requires monitoring by the destination ISP and places the responsibility firmly on the local provider of Internet services. Though this may seem unfair to many, as source ISPs may be located anywhere in the world and can easily move when facing restrictions, holding the destination ISP responsible for monitoring content would appear to be the only feasible solution, as it is infeasible for the destination ISP to provide services within the UK from other locations.

It is clear that a framework similar to that proposed by Mann and Belzley[5] or by Lichtman & Posner[6] is needed to effectively control infringements over the Internet and that such a solution is economically the most effective. The proposed strategy of the British government[7] is unlikely to be popular at first. Recommendations for a French style system of three strikes[8] would require additional monitoring from the ISP and also introduce a possibility of infringing the customer's privacy rights[9]. The concurrence of privacy legislation and the need for additional controls will make the introduction of these initiatives interesting to say the least. The pirates are starting to replace the Cowboys, changing the wild, wild, web to that of the proverbial high seas. The need for sensible legislation that will limit the increasing criminal activity while also considering the impacts on the law-abiding users of the internet is clear. The proposed strategy of the British government[10] offers great potential, but whether it succeeds will come down to the implementation. The Internet is entering its final stage of development, legislative control.

Anonymity and leaky international boundaries impede the prosecution of the primary malfeasors. Internet intermediaries, especially those that service end users are both easily identifiable and have many of their assets within the UK. The malfeasors require payment intermediaries to process their transactions. The “Creative Britain” strategy[11] has provided little in either incentive or regulation concerning these actors. Payment intermediaries have the technological competence to avert detrimental transactions at the lowest cost of any intermediary with the largest potential payback. Further, in many cases the largest effect on the Internet pirates is provided through economic means. As such, the legislation should be adapted to mandate internet intermediaries control illicit transactions and consequently protect the public interest. To do this effectively will require more than just a mandate that Internet intermediaries monitor illicit activity. It will be also necessary to regulate liability in order to protect Internet intermediaries from the actions that they are required to take in order to protect the Internet. The constant seesawing between policy positions that has occurred in respect of the Internet demonstrates that we have not achieved this yet.

The position of the British Government[12] with its recent moves to call Intermediaries to action in the formation of a voluntary body to stop Intellectual Property violations is a start to the reforms that are needed. The problem is well defined in this call for reform; however, the call for voluntary changes is unlikely to bring about the required changes. Intermediaries have the capability to stop many of the transgressions on the Internet now, but the previous lack of a clear direction and the potential liability associated with action rather than inaction[13] remain sufficient to deter a change in their behaviour. Even in the face of tortious liability, the economic impact of inaction is unlikely to lead to change without a clear framework and the parallel legislation that will provide a defence for intermediaries who act to protect their clients and society.

[1] Department for Culture, Media and Sport, 22 Feb 2008
[2] Ibid, Gibbs J at 12-13; cf Jacobs J at 21-2. See also Microsoft Corporation v Marks (1995) 33 IPR 15.
[3] Ibid, University of New South Wales v Moorhouse, supra, per Gibbs J at 12; WEA International Inc v Hanimex Corp Limited (1987) 10 IPR 349 at 362; Australasian Performing Right Association v Jain (1990) 18 IPR 663. See also Lim YF, 199-201; S Loughnan, See also BF Fitzgerald, “Internet Service Provider Liability” in Fitzgerald, A., Fitzgerald, B., Cook, P. & Cifuentes, C. (Eds.), Going Digital: Legal Issues for Electronic Commerce, Multimedia and the Internet, Prospect (1998) 153.
[4] The “Creative Britain; new talents for the new economy” strategy was issued on the 22nd Feb 2008 and is available online.
[5] Mann, R. & Belzley, S (2005) “The Promise of the Internet Intermediary Liability” 47 William and Mary Law Review 1 at 27 July 2007]
[6] Lichtman & Posner (2004) “Holding Internet Service Providers Accountable”
[7] Supra Note 4.
[8] One of the current recommendations is based on the three-strikes policy began in France late last year. The violation of digital rights management or other similar infringements including provisions for Internet users that are caught distributing copyrighted files would require the ISP to send an e-mailed warning to the infringing user. The second offence would then have file-sharers face a temporary account suspension. On a third offence, they would be entirely cut off from the Internet. (See also http://arstechnica.com/news.ars/post/20080218-three-strikes-infringement-policy-may-be-headed-down-under.html).
[9] The UK Privacy & Electronic Communications (EC Directive) Regulations 2003 and Directive 2002/58/EC (the E-Privacy Directive) may create problems. The juxtaposition of privacy versus control creates a fine line that is easily crossed.
[10] The “Creative Britain; new talents for the new economy” strategy was issued on the 22nd Feb 2008 and is available online.
[11] Supra Note 4.
[12] Supra Note 4.
[13] The most obvious example of this action can be found in the history of the Communications Decency Act. Congress directly responded to the ISP liability found in Stratton Oakmont, Inc. v. Prodigy Services, 23 Media L. Rep. (BNA) 1794 (N.Y. Sup. Ct. 1995), 1995 WL 323710, by including immunity for ISPs in the CDA, 47 U.S.C. § 230(c)(1) (2004) (exempting ISPs from liability as the "publisher or speaker of any information provided by another information content provider"), which was pending at the time of the case. Similarly, Title II of the Digital Millennium Copyright Act, codified at 17 U.S.C. § 512, settled tension over ISP liability for copyright infringement committed by their subscribers that had been created by the opposite approaches to the issue by courts. Compare Playboy Enters., Inc. v. Frena, 839 F. Supp. 1552, 1556 (M.D. Fla. 1993) (finding liability), with Religious Tech. Ctr. v. Netcom, Inc., 907 F. Supp. 1361, 1372 (N.D. Cal. 1995) (refusing to find liability). The fear of being seen as a publisher rather than a mere conduit has left many ISPs and ICPs in a state of inaction.

Monday, 25 February 2008

Remedy in Tort and Civil Suits (Internet Intermediaries)

The availability of the Internet Intermediary as co-targets for actions makes them susceptible to the actions of both their clients and also uninterested third parties for passing off and misleading and deceptive conduct. An action for intentional interference with business by unlawful means may also be possible. The tort of intentional interference with business by unlawful means may be available where the use of the trade mark is unlawful.

The courts generally seem willing to apply conventional fault-based tort principles to weigh up the behaviour of intermediaries. The instances in which comparatively egregious conduct has ended in the liability of the intermediary are few,[1] and the majority of cases conclude with the absolution of the intermediaries from blame.[2] Those circumstances that have resulted in a decision by the court that in effect states the intermediaries hold considerable accountability for the behaviour of any primary malfeasors have, in both the EU and the US, resulted in the respective legislatures acting to overrule the decision by conceding expansive exemptions from liability to the intermediaries.[3] The paths share not only the reflexive and unreflective fear that recognition of liability for intermediaries might be catastrophic to internet commerce; they also share a myopic focus on the idea that the inherent passivity of internet intermediaries makes it normatively inappropriate to impose responsibility on them for conduct of primary malfeasors. That idea is flawed both in its generalization about the passivity of intermediaries and in its failure to consider the possibility that the intermediaries might be the most effective sources of regulatory enforcement, without regard to their blameworthiness.

In the US, Congress has endorsed legislative protections for intermediaries from liability for defamation with the introduction of the Communications Decency Act[4]. The act, at 47 U.S.C. §230, is unambiguous in its position on internet regulation[5]: it introduced a series of "Good Samaritan provisions" as a part of the Telecommunications Act of 1996. This was tested in DiMeo v Max (2007),[6] in which the court found the defendant not liable for comments left by third parties on a blog. The plaintiff alleged that the defendant was a publisher of the comments hosted on the website but did not allege that the defendant authored the comments on the website or that the defendant was an information content provider. Under 47 U.S.C. § 230 (f)(3), the court determined "the website posts alleged in the complaint must constitute information furnished by third party information content providers" and as a consequence immunity applied to the forum board operator. The Court upheld the dismissal of the suit.

The act, first passed in 1996[7] and subsequently amended in 1998,[8] has the apparent rationale of minimising Internet regulations in order to promote the development of the Internet and safeguard the market for Internet service. The internet has consequently become so essential to daily life that it is improbable that the addition of extra legislation would intimidate service providers away from the provision of services at a competitive rate.[9]
In the US, 47 U.S.C. § 230(c)(1) provides a defence for ISPs stating that, "No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider." This statute would seem[10] to afford absolute immunity from any responsibility. In contrast to the DMCA, the ISP or ICP could choose not to remove material even where the ISP or ICP has actual awareness of the defamatory nature of material it is in fact hosting.[11] Notwithstanding the focal point of this legislation having been liability for defamation, it has been applied to seemingly unrelated auction intermediaries, including eBay.[12]

Inside the European Union, judgments obtained in the courts of one state are enforceable in any other state included within the Brussels Convention. If not, a judgment in one state will be enforceable in another only where there is a bilateral treaty creating the provision for such reciprocal enforcement between them. Frequently, these treaties add formalities surrounding the enforcement process that give the courts of the jurisdiction in which the defendant is situated discretion both as to the decision to enforce and as to what degree. It is consequently vital, when deciding on a jurisdiction in which to bring suit, to decide if any judgment obtained is enforceable against a defendant who may in effect be judgment proof.

Cyber Negligence
Not acting to correct a vulnerability in a computer system may give rise to an action in negligence if another party suffers loss or damage as the result of a cyber-attack or employee fraud. Given proximity[13], a conception first established in Caparo Industries Plc. v. Dickman, [1990][14] and reasonable foreseeability as established in Anns v. Merton London Borough Council, [1978][15] A.C. 728, the question of whether there exists a positive duty on a party to act so as to prevent criminals causing harm or economic loss to others will be likely found to exist in the cyber world. The test of reasonable foreseeability has however been rendered to a preliminary factual enquiry not to be incorporated into the legal test.

The Australian High Court considered a parallel scenario, whether a party has a duty to take reasonable steps to prevent criminals causing injury to others, in Triangle Shopping Centre Pty Ltd v Anzil[16]. The judgment restated the principle established by Brennan CJ in Sutherland Shire Council v Heyman[17]. The capacity of a plaintiff to recover hinges on the plaintiff's ability to demonstrate a satisfactory nexus (e.g. a dependence or assumption of responsibility) between the plaintiff and the defendant such that it gives rise to a duty on the defendant to take reasonable steps to prevent third parties causing loss to the plaintiff[18]. Consequently, if a plaintiff in a case involving a breach of computer security could both demonstrate that the defendant did not in fact take reasonable measures to ensure the security of their computer systems (as against both internal and external assault), and show that the act of the third person (e.g. an attacker/hacker or even a fraudulent employee) occurred as a direct consequence of the defendant's own fault or breach of duty, then an action in negligence is likely to succeed.

Many organisations state that current standards of corporate governance for IT systems pose a problem due to the large number of competing standards. However, it needs to be taken into account that all of these standards maintain a minimum set of analogous requirements that few companies presently meet. Most of these standards, such as the PCI-DSS[19] and COBIT[20], set a requirement to monitor systems. COBIT control ME2 (Monitor and Evaluate Internal Controls) is measured through recording the “number of major internal control breaches”. PCI-DSS at 10.5.5 states a minimum requirement to “use file integrity monitoring and change detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert)”. As a general minimum, it may be seen that an organisation needs to maintain a sufficiently rigorous monitoring regime to meet these standards.
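The PCI-DSS 10.5.5 wording quoted above, and the host-based integrity tools (AIDE, Tripwire) mentioned in the IDS post earlier on this page, reduce to one check: the bytes a log already held must not change, while new lines appended to it must not trip the alarm. The following Python is an added example of that check, written for this page; it is not code from the post, from AIDE or Tripwire, or from any PCI tool. The file name, the sample log lines and the function names are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Baseline:
    """What the monitor remembers about a log between two checks."""
    path: str
    length: int   # number of bytes the digest covers
    digest: str   # SHA-256 of the first `length` bytes of the file


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def take_baseline(path: str) -> Baseline:
    """Record the current length and digest of a log as the reference point."""
    with open(path, "rb") as fh:
        data = fh.read()
    return Baseline(path, len(data), _sha256(data))


def check_log(baseline: Baseline) -> Tuple[str, Baseline]:
    """Compare the log against its baseline and return (verdict, new baseline).

    "unchanged" and "appended" are quiet: appends are rolled into a fresh
    baseline so the next check covers the new lines too. "MODIFIED" (the bytes
    the baseline covered no longer hash the same) and "TRUNCATED" (the file is
    now shorter than the baseline) are the cases PCI-DSS 10.5.5 wants alerted.
    """
    with open(baseline.path, "rb") as fh:
        data = fh.read()
    if len(data) < baseline.length:
        return "TRUNCATED", baseline
    if _sha256(data[:baseline.length]) != baseline.digest:
        return "MODIFIED", baseline
    if len(data) == baseline.length:
        return "unchanged", baseline
    return "appended", Baseline(baseline.path, len(data), _sha256(data))


def demo() -> List[str]:
    """Walk the monitor through all four cases on a constructed sample log."""
    verdicts: List[str] = []
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "auth.log")
        # constructed sample log lines, not taken from any real system
        with open(path, "wb") as fh:
            fh.write(b"Feb 25 09:00:01 host sshd[101]: Accepted password for alice\n")
        baseline = take_baseline(path)

        verdict, baseline = check_log(baseline)     # nothing has happened
        verdicts.append(verdict)

        with open(path, "ab") as fh:                # normal logging continues
            fh.write(b"Feb 25 09:05:12 host sshd[102]: Failed password for bob\n")
        verdict, baseline = check_log(baseline)
        verdicts.append(verdict)

        with open(path, "r+b") as fh:               # an existing line is rewritten in place
            data = fh.read().replace(b"Failed password", b"Accepted password")
            fh.seek(0)
            fh.write(data)
            fh.truncate()
        verdict, baseline = check_log(baseline)
        verdicts.append(verdict)

        with open(path, "wb"):                      # the log is wiped
            pass
        verdict, baseline = check_log(baseline)
        verdicts.append(verdict)
    return verdicts


if __name__ == "__main__":
    print(demo())
```

Two points carry over to a real deployment. The baseline has to be stored somewhere the log's host cannot write, because whoever can alter the log can otherwise re-baseline it; that is why AIDE and Tripwire guidance keeps the database off-box or read-only. Log rotation must also be handled by taking a new baseline for the new file rather than reporting the rotated file as truncated, or the monitor will cry wolf on every rotation and be ignored, which is the monthly-log-review failure the IDS post above complains about.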

Installation guidelines provided by the Centre for Internet Security (CIS)[21] openly provide system benchmarks and scoring tools that contain the “consensus minimum due care security configuration recommendations” for the most widely deployed operating systems and applications in use. The baseline templates will not themselves stop a determined attacker, but could be used to demonstrate minimum due care and diligence.

It is interesting to contrast this general proposition with a peculiar case where the plaintiff went to great lengths in an attempt to recover loss caused by its own negligence, namely loss suffered due to computer fraud perpetrated by its own employee in its own system.

In Mercedes Benz (NSW) v ANZ and National Mutual Royal Savings Bank Ltd[22] (unreported), the Supreme Court of New South Wales considered if a duty to avert fraud would occur in cases where there is an anticipated prospect of loss. The Mercedes Benz employee responsible for the payroll system fraudulently misappropriated nearly $1.5 million by circumventing controls in the payroll software. Mercedes Benz alleged that the defendants, ANZ and NMRB, were negligent in paying on cheques that were fraudulently procured by the employee and in following her direction. The plaintiff's claim was dismissed by the court. It was held that employers who are careless in their controls to prevent fraud, using only very simple systems for the analysis of employee activities, will be responsible for the losses that result as a consequence of deceitful acts committed by the organisation's employees.

The decision was founded on the judgment of Holt CJ in Hern v Nichols (1701)[23], which stated that "seeing somebody must be a loser by this deceit, it is more reason that he that employs and puts a trust and confidence in the deceiver should be a loser than a stranger"[24]. The question remains open as to the position that may result from unsound practices operated not by the plaintiff but by an organisation supplying services under an outsourcing agreement. In either event, the requirement for an organisation to provide controls that ensure a minimum level of system security is clear.

The situation is further compounded in instances of cyber-attack that lead to a loss. An innocent third party that suffers an attack that originates from an inadequately secured system would be able to easily demonstrate a lack of reasonable care if the minimum consensus standards mentioned above are not achieved. Coupled with facts demonstrating that the attack originated from the defendant’s insecure system, the evidence would provide the requisite substantiation of both proximity and reasonable foreseeability.

[1] See A & M Records, Inc. v. Napster, Inc., 114 F. Supp. 2d 896 (N.D. Cal. 2000).
[2] For criticism of this perspective, see Landes & Lichtman.
[3] The most obvious example of this action can be found in the history of the Communications Decency Act. Congress directly responded to the ISP liability found in Stratton Oakmont, Inc. v. Prodigy Services, 23 Media L. Rep. (BNA) 1794 (N.Y. Sup. Ct. 1995), 1995 WL 323710, by including immunity for ISPs in the CDA, 47 U.S.C. § 230(c)(1) (2004) (exempting ISPs from liability as the “publisher or speaker of any information provided by another information content provider”), which was pending at the time of the case. Similarly, Title II of the Digital Millennium Copyright Act, codified at 17 U.S.C. § 512, settled tension over ISP liability for copyright infringement committed by their subscribers that had been created by the opposite approaches taken to the issue by courts. Compare Playboy Enters., Inc. v. Frena, 839 F. Supp. 1552, 1556 (M.D. Fla. 1993) (finding liability), with Religious Tech. Ctr. v. Netcom, Inc., 907 F. Supp. 1361, 1372 (N.D. Cal. 1995) (refusing to find liability).
[4] The Communications Decency Act of 1996 (CDA).
[5] 47 U.S.C. § 230(b) (2004) (emphasis added):
“It is the policy of the United States—
(1) to promote the continued development of the Internet and other interactive computer services and other interactive media;
(2) to preserve the vibrant and competitive free market that presently exists for the Internet and other interactive computer services, unfettered by Federal or State regulation;
(3) to encourage the development of technologies which maximize user control over what information is received by individuals, families, and schools who use the Internet and other interactive computer services;
(4) to remove disincentives for the development and utilization of blocking and filtering technologies that empower parents to restrict their children’s access to objectionable or inappropriate online material; and
(5) to ensure vigorous enforcement of Federal criminal laws to deter and punish trafficking in obscenity, stalking, and harassment by means of computer”.
[6] WL 2717865 (3rd Cir. Sept. 19, 2007); see also Fair Housing Council of San Fernando Valley v. Roommates.com, LLC, CV-03-09386-PA (9th Cir. May 15, 2007); and Universal Communication Systems, Inc. v. Lycos, Inc., 2007 WL 549111 (1st Cir. Feb. 23, 2007).
[7] 1996, Pub. L. 104-104, Title I, § 509.
[8] 1998, Pub. L. 105-277, Div. C, Title XIV, § 1404(a).
[9] There remains, however, the fear that additional regulation will stifle innovation in the industry. Would, for instance, eBay enter the market as a new company today if it were liable for trademark infringement it facilitated? Such liability adds new start-up and ongoing costs that may make some new ventures unprofitable (or even more unprofitable). For an article addressing regulation in this way, see Lemley & Reese.
[10] There is at least the possibility that the statute would permit a State to require intermediaries to act. See Doe v. GTE Corp., 347 F.3d 655 (7th Cir. 2003) (per Easterbrook, J.) (suggesting that Section 230(e)(3) “would not pre-empt state laws or common-law doctrines that induce or require ISPs to protect the interests of third parties”).
[11] Thus minimising the likelihood of a decision such as Godfrey in the United States. See supra note 88.
[12] Gentry v. eBay, Inc., 121 Cal. Rptr. 2d 703 (Ct. App. 2002).
[13] Proximity, a notion first established in Caparo Industries Plc. v. Dickman, [1990] 2 A.C. 605, is the initial phase of the assessment. The subsequent phase enquires whether there are policy considerations which would reduce or counteract the duty created under the initial stage. Both phases are to be met with reference to the facts of cases previously determined. The dearth of such cases would not, however, prevent the courts from finding a duty of care.
[14] [1990] 2 A.C. 605.
[15] [1978] A.C. 728.
[16] Modbury Triangle Shopping Centre Pty Ltd v Anzil [2000] HCA 61.
[17] (1985) 157 CLR 424.
[18] Dixon J elucidated how a “special relationship” of this variety may occur in Smith v Leurs (1945) 70 CLR 256. This case was derived from an indication of occurrences that entail a special danger and the control of actions or conduct of the third person; see also [2000] HCA 61, para 140.
[19] PCI-DSS (version 1.1) is the Payment Card Industry Data Security Standard and is contractually required to be adhered to by all merchants that process VISA, Mastercard and other payment card products. This requirement and standard is maintained by the PCI Standards Council at https://www.pcisecuritystandards.org/
[20] COBIT v 4.1 is the computer control objectives and standard maintained by ISACA at http://www.cobitonline.info
[21] CIS benchmark and scoring tools are available from http://www.cisecurity.org/
[22] No. 50549 of 1990.
[23] (1701) 1 Salk 289.
[24] Id., at 358.

Sunday, 24 February 2008

Today's Images

Today's melange of images. Our cat - Peanut. The lizard above survives as our cats do not go outside.
And Young Skippy.
One of the Peacocks. Basically wild, except that they seem to believe that they own the veranda.
A bee - making more chives.

A local piece of the bird life.
And it again.
Both our cats. Reeses, the fawn one, is undergoing chemo.
And the lizard in its explorations.