by kybernetikos 3725 days ago
This is perhaps not directly related to this story, but it seems common that hackers are taken to be liable for the cost to fix whatever weaknesses they used to make the breach. This is like not fitting any locks on your doors, and then charging the burglar to put new locks on after a burglary.

The cost should generally be limited to the actual damage done by the hacker, rather than include things that the company should have been doing anyway.

After someone uses an open window to obtain entry, does that mean that they can be charged with the cost of locating and auditing every copy of every physical key to the premises, on the basis that they could have found one and stolen it while they were in the building?

1 comments

No, that's not common. The damages imputed to attackers arise directly from what they did. The problem is that people ignore a whole class of damages in these cases: the DFIR work that is required to ensure that whoever attacked you didn't also persist themselves somehow.
The problem is that that work seems essentially unlimited (you can invent crazier and crazier possibilities that you need to check for), and doesn't seem to be something that we do so much for physical intrusions, which nevertheless have the same features (you can find keys, take copies of keys, even change locks or make false walls / doors).

Your infrastructure should aim to be robust against people persisting themselves (in this case, something that allows an employee to persist themselves beyond the validity of their credentials is a serious problem whether the hacker does it or not). Where it is not, that's your failing. Charging the hacker for finding out where your infrastructure is failing is perverse, since if anything their attack made it easier to spot a failing. If they did persist themselves, then obviously the cost to fix that belongs on the hacker, but the cost to identify such things is something you should be doing anyway.

The costs imputed to Keys in this case were under $20,000. There is absolutely no way the Tribune Corporation got a real, industry standard forensics investigation done for that sum of money.

I don't understand how you could impute the cost of auditing infrastructure for backdoors that could have been planted in a breach to the victim of the breach, rather than to the person convicted of causing the breach. We're not talking about having each of Trib Corp's applications assessed (the cost of that would be in the many hundreds of thousands of dollars, minimum).