Why Due Diligence as a Defense is Not Enough
Posted by jericho
Interesting article, but one portion stood out to me:
From the point a vulnerability is discovered and a remedy is made available, the clock starts ticking. The longer you wait to address the threat, the closer you encroach upon negligence. This is just one demonstration for providing due care.

[..]
Given the long history of debate on what constitutes responsible disclosure (3 days? 2 weeks? 3 months?), attempting to define negligence in the sense of “windows of risk” may be debated for years to come. Schoenberg poses his question and directs it to the corporate world and its deployment of technology. What happens when we turn this timetable toward the vendors and patching? Suddenly, we have dozens of cases of some vendors (Sun, HP) being guilty of “gross negligence”.

Thank you for your interest in my timeline. I would like to stress that this timeline for negligence is based upon information being “known” and confirmed. This does not apply to a posted vulnerability not confirmed by the vendor or an independent third party. If a vendor is aware of a critical issue, such as a major DB provider last year… and a breach occurs as a result of the vendor not providing a solution, at that point a case can be derived. But knowing and “proving” are not the same animal in the courtroom.
Once a vendor provides a solution, it is incumbent upon the end-user to mitigate the risk by applying the recommended solution. Failing to do so because of an argument of “We have not fully tested it yet” (such as XP SP2) a year plus after announcement will not hold water.
If there are questions on litigation strategies and solutions pertaining to information security, please feel free to contact me via my website at www.secondchairs.com.
Thank you,
Carter Schoenberg – CISSP