This editorial was written shortly after the Distributed Denial of Service attacks in 2000. It describes the emerging issue of legal liability associated with poor security practices. In 2002, we actually have courts taking action in this critical area. While I think due diligence will be a key motivator for information security, the fact that federal judges can shut down entire infrastructures (as happened with the Department of Interior) makes me a little nervous.


During the past week, we have seen an unprecedented level of denial of service attacks against major e-commerce sites such as Yahoo, eBay,, Etrade and These attacks have undoubtedly cost millions of dollars in lost revenue, not to mention the intangible affects on customer confidence. In fact, one recent estimate is that the cumulative damages may total as much as $1.2 billion.

The underlying technical method of attack is not new. The Internet community has seen similar attacks for at least the past five years, and the theoretical basis for the attack has been known for decades. With tools that allow for distributed attacks, there is little that a diligent system administrator can do to avoid becoming a victim. However, in their concern about becoming a victim, many are missing the larger issue.

When the dust has settled and the perpetrators of the attack have been identified, the real issues will revolve around downstream liability. These distributed denial of service attacks are only successful because the attacker is able to compromise numerous systems and install “Zombie” software that will be used in a coordinated attack. This means that the compromised hosts have become part of a distributed attack platform. Did the owners of these compromised hosts practice due diligence with respect to their security? What if these systems were compromised using a well-known vulnerability for which a vendor patch was issued 10 months ago? Does the organization perform periodic vulnerability assessments to ensure they are maintaining an adequate security posture? There are many steps that you can perform to help ensure that your systems are not used as an attack vehicle against someone else.

Corporate executives are spending a lot of time worrying about whether they will be the next victim of attack, when in reality they should be worrying about whether their organization unknowingly participated in the attack. Have you been diligent? Matthew G. Devost – 2000