In a precedent-setting civil lawsuit, a Saskatchewan woman who overdosed on crystal methamphetamine has won a suit against the drug dealer who sold her the highly addictive drug. From the article:
She has since developed a heart condition that leaves her constantly fatigued and limits her chances of ever having children.
In her statement of claim, Bergen said Davey knew the drug was highly addictive and the sale of the drug was “for the purpose of making money but was also for the purpose of intentionally inflicting physical and mental suffering on Sandra.”
Let’s take this crazy, and blatantly stupid, case and shift it over to the security world. Could you imagine suing your firewall vendor because the product they sold you didn’t prevent a breach from happening? What about an IDS vendor for not detecting an attack? Their legal team would flat-out laugh in your face. I know the situations are not identical, but a parallel immediately came to mind. When you purchase something, anything, there is a certain expectation that the user knows what they are doing.
You buy a firewall to prevent unauthorized network access between network segments. If you don’t configure the solution correctly then unwanted traffic might still get through.
You buy an IDS to inspect for malicious or inappropriate traffic as it flows through your network. If you don’t configure the solution correctly then unwanted traffic might still get through.
You buy a NAC solution to allow access to resources only when the proper credentials are presented. If you don’t configure the solution correctly then unwanted traffic might still get through.
You buy illicit drugs to get high. If you use them you might injure yourself or die.
Security vendors are selling you a tool to perform a task – prevent or detect breaches. In the case of the methamphetamine fiasco, the drug dealer was providing his customer with a tool as well – drugs. These drugs were made to perform a task – get the user high. The moral of the story is, if you buy something, make sure you know all the pros and cons of your purchase before implementing it.
I had to write about this because it made me SOOOOO ANGRY!