try this link for info http://www.serverworldmagazine.com/opinionw/2001/04/05_insurance.shtml
this link gives links in the article to speciality firms who offer cyber insurance http://www.computerworld.com/cwi/story/0,1199,NAV47_STO48721,00.html -----Original Message----- From: -l0rt- [mailto:[EMAIL PROTECTED]] Sent: 29 January 2002 23:50 To: Matthew F. Caldwell Cc: Edward L. Jones; Hall Duane; [EMAIL PROTECTED] Subject: RE: Legal problem - IDS - Commercial Vs Open Source. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Can anyone tell me where I can get good "cyber insurance"?. - -l0rt- - --------------------------------------------------------------------- Disclaimer: Any resemblance between the above views and those of my employer, my terminal, or the view out my window are purely coincidental. Any resemblance between the above and my own views is non-deterministic. The question of the existence of views in the absence of anyone to hold them is left as an exercise for the reader. The question of the existence of the reader is left as an exercise for the second god coefficient. (A discussion of non-orthogonal, non-integral polytheism is beyond the scope of this article.) - --------------------------------------------------------------------- On Tue, 29 Jan 2002, Matthew F. Caldwell wrote: > Get cyber insurance to cover the other risk factors of intrusion. > > -----Original Message----- > From: Edward L. Jones [mailto:[EMAIL PROTECTED]] > Sent: Monday, January 28, 2002 11:38 AM > To: Hall Duane; [EMAIL PROTECTED] > Subject: RE: Legal problem - IDS - Commercial Vs Open Source. > > > I have a BS in criminal justice Pre-Law and a masters in Information System > Science and I have never heard of a company suing a IDS vendor because of > the software not catching the break in your company would definitely set a > "Precedence" and I am curious to see what the outcome would be if your > company actually went to court with this. I would agree with your reply to > the answer as being NO > > But here are a few points you should propose to your management. > 1) Was the problem really that of the software or was it a human error in > overlooking the incidents leading up to the intrusion such as the recon > phase and finally failure to detect the actual intrusion? > > 2) In the purchase order, contract or agreement to buy the software does it > anywhere explicitly say that there IDS product protects you from all known > and/or unknown attacks? > > 3) Finally does your company really think another vendor will help them if > word gets out in the industry that you guys sue for this type of stuff? > > > E.L. Jones > Network Security Engineer > > > > -----Original Message----- > From: Hall, Duane [mailto:[EMAIL PROTECTED]] > Sent: Monday, January 28, 2002 8:09 AM > To: [EMAIL PROTECTED] > Subject: Legal problem - IDS - Commercial Vs Open Source. > > > I have been a lurker to this mail-list for quite a while, so here it > goes. I have come across an issue asked by management about IDS > products. They are asking about the legality issues. > > For instance: > > If we have a breaking and are using a commercial IDS product and the IDS > software doesn't catch it, do you have any legal recourse against the > commercial product vendor? > Can you sue them for not catching the intrusion. My thinking is NO. > I'm sure the software license agreement takes care of this. > > The same is asked if we decide to use an open source product, like > Snort. I have said the same. > > I tried to give an example, for instance Microsoft. If some one breaks > into a Windows server, no one but the administrator is responsible. > You can't sue Microsoft, because you didn't apply a patch or weren't > watching the server. > > Does anyone have any articles or case studies to support my thinking.? > Any help would be appreciated. > > Duane Hall > > ************************** > Duane Hall > Security Administrator > Hastings Entertainment, Inc. > 806-351-2300 X-3945 > [EMAIL PROTECTED] > > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE8VzVDHs/COEe/P4cRArp7AKDzgC32c+P2ITmmHZch6zh3qRxOEwCgzLYf IPh5EWkOcQcDn7URc5RHKaY= =NQEx -----END PGP SIGNATURE-----
