Infosecurity Needs Its T.J. Hooper

[ INDUSTRY VIEW ] By Ben Rothke

I’m not a lawyer, but a good friend of mine—blogger Ron Coleman—is. A bit of jurisprudence has rubbed off on me, and I want to tell you about the T.J. Hooper case. In 1932, Judge Learned Hand heard this precedent-setting tort case and, in his ruling, devised what is now called the “calculus of negligence.”

The case started with two tugboats, one of which was the T.J. Hooper, towing barges. A storm came up, the barges sank and their cargoes were lost. The owners of the cargo sued the barge owners, who in turn sued the tugboat owners. They claimed the tug operators were negligent because they failed to equip their boats with radios that would have warned them of the bad weather.

The tugboat companies used the prevailing practice theory in their defense. They claimed that because other tugboat operators in the area weren’t using radios, the standard of care for the industry didn’t require their use. Judge Hand found the tugboat companies liable because they did not use readily available technology to listen for weather reports, even though the use of radios was not yet standard practice.

Hand observed that “in most cases, reasonable prudence is in fact common prudence, but strictly it is never its measure. A whole calling may have unduly lagged in the adoption of new and available devices. Courts must in the end say what is required. There are precautions so imperative that even their universal disregard will not excuse their omission.”

He ruled a defendant was negligent if the cost of preventing an incident was less than the likelihood of causing damage multiplied by the severity of that damage. This idea is commonly expressed as B (burden of prevention) < PL (possibility times loss).

As an information security professional, I have tried, along with others in the field, to get clients to be more serious about security and privacy controls. To a large extent, we have succeeded. But there are still far too many weak links in the security chain. Many companies’ practice regarding information security is to do the bare minimum required. Meanwhile, millions of consumer records are breached every week.

It’s early 2011 and, in spite of the staggering quantity of security solutions available, companies often fail to devote the requisite staff and budget to information security and privacy needs. This is becoming even more critical as websites focus on personalizing the user’s digital experiences by aggregating personal data. As the value of this personal information increases, so does the potential for its misuse and the severity of the consequences of that misuse.

Hundreds of millions of personal records have been breached in the last few years, often due to negligence in establishing security and privacy controls. Congress occasionally tries to do something—passing a watered-down Gramm-Leach-Bliley Act, for example—but has not effected the change needed.

A more pragmatic step was the PCI Security Standards Council’s creation of the Payment Card Industry Data Security Standard (PCI DSS). But rather than embracing the standard as long overdue, regulators developed a bad case of Stockholm syndrome. Congress held hearings to determine why PCI DSS had not ended every merchant security issue, even though it had been around for less than four years. Congress seemed to feel that PCI should be the security equivalent of David Copperfield—that it could magically make every security problem disappear.

Have information security professionals failed or have the people they have been speaking to failed to listen? Perhaps the lawyers need to step in and file a Hooper-style case for the information security and data-protection fields that would compel companies to take security seriously.

For a long time now, corporate America has had more than enough information-security and privacy tools available to obviate many of the most common security problems. That alone suffices to tip the equation toward negligence.

Ben Rothke is a senior security consultant with BT Professional Services.

Illustration by Carl Spackler

www.csoonline.com, March 2011

Description: Article from the March 2011 issue of Information Security magazine, “Infosecurity Needs Its T.J. Hooper” by Ben Rothke.
