Thursday, August 18, 2005

Worms meet corporations in legal minefield

Charlie Demerjian brings up some rather important points in this article, and I urge anyone who is involved with a network that was hit with any of the worms/bots this week to not only read it, but absorb it, and understand the underlying implications.

Charlie Demerjian writes in The Inquirer:

I SPENT MOST OF Tuesday morning at a financial services provider, and the talk of the morning was all about a large financial services giant and the Zotob worm. Any guesses why? It was claimed that said large financial giant was another notch in the Zotob author's belt, and while they were not down per se, it caused problems, slow networks, and downed services.

Another day, another massive bot infection. When will these people learn trusted computing and Microsoft promissory press releases are not worth the paper they are printed on? And yes I know they are not on paper anymore. Here is when they'll learn, when someone notices that getting infected violates a whole bunch of laws, and that brings down the legal hammers on them.

What do I mean? Well, for this said large financial organisation, there are several new regulations that are now in force, but the one that I am specifically thinking of is SarbOx. If they were an HMO or hospital, they would have HIPAA to contend with too. These laws have some pretty onerous data access and authenticity requirements backed up by civil and criminal penalties. Several states like California also have laws on notification and reporting on top of these.

So, what's the problem? The large financial organisation just got potentially owned bad, it was infected by a bot-carrying worm that allows outside access to the computers, the data carried within, and potentially the servers. Keyloggers? Maybe. Things riding on the back of Zotob? Maybe. I don't know, do you? Do you think the large financial organisation does either?
