Get cyber insurance to cover the other risk factors of intrusion. -----Original Message----- From: Edward L. Jones [mailto:[EMAIL PROTECTED]] Sent: Monday, January 28, 2002 11:38 AM To: Hall Duane; [EMAIL PROTECTED] Subject: RE: Legal problem - IDS - Commercial Vs Open Source.
I have a BS in criminal justice Pre-Law and a masters in Information System Science and I have never heard of a company suing a IDS vendor because of the software not catching the break in your company would definitely set a "Precedence" and I am curious to see what the outcome would be if your company actually went to court with this. I would agree with your reply to the answer as being NO But here are a few points you should propose to your management. 1) Was the problem really that of the software or was it a human error in overlooking the incidents leading up to the intrusion such as the recon phase and finally failure to detect the actual intrusion? 2) In the purchase order, contract or agreement to buy the software does it anywhere explicitly say that there IDS product protects you from all known and/or unknown attacks? 3) Finally does your company really think another vendor will help them if word gets out in the industry that you guys sue for this type of stuff? E.L. Jones Network Security Engineer -----Original Message----- From: Hall, Duane [mailto:[EMAIL PROTECTED]] Sent: Monday, January 28, 2002 8:09 AM To: [EMAIL PROTECTED] Subject: Legal problem - IDS - Commercial Vs Open Source. I have been a lurker to this mail-list for quite a while, so here it goes. I have come across an issue asked by management about IDS products. They are asking about the legality issues. For instance: If we have a breaking and are using a commercial IDS product and the IDS software doesn't catch it, do you have any legal recourse against the commercial product vendor? Can you sue them for not catching the intrusion. My thinking is NO. I'm sure the software license agreement takes care of this. The same is asked if we decide to use an open source product, like Snort. I have said the same. I tried to give an example, for instance Microsoft. If some one breaks into a Windows server, no one but the administrator is responsible. You can't sue Microsoft, because you didn't apply a patch or weren't watching the server. Does anyone have any articles or case studies to support my thinking.? Any help would be appreciated. Duane Hall ************************** Duane Hall Security Administrator Hastings Entertainment, Inc. 806-351-2300 X-3945 [EMAIL PROTECTED]