
Information Security and Ignorant Management?

Cliff posted more than 7 years ago | from the valid-concerns-falling-on-deaf-ears dept.


jmahler asks: "Suppose you work for a fairly decent-sized (but independent) CPA firm in the IT department. Suppose further that you have repeatedly warned the partners of the dangers of having unsecured laptops in the field, and have requested to replace the very thin, and rapidly aging line of defense (and functionality) currently protecting your network from all of the mean and nasty folks on the Internet. Let's continue, then, to suppose that the partners have all agreed to ignore every recommendation put forward regardless of cost or benefit. Is there a good way, beyond memos and emails, to inform the partnership that the water in which they tread could quickly become dangerous? What about absolving ourselves of responsibility for data theft and loss from a laptop 'disappearance' in the field?"


96 comments

If you're worried, resign. (3, Interesting)

Ph33r th3 g(O)at (592622) | more than 7 years ago | (#16029708)

Ideally, with another job already lined up. Or obtain a good errors and omissions policy, because you can bet you'll be sued if they get pwned.

Re:If you're worried, resign. (3, Interesting)

Desolator144 (999643) | more than 7 years ago | (#16029838)

Historically, people tend to get really mad and do something when their own work computer breaks or gets hacked, so I second that idea. Remember what happened when advertisers got infected with adware displaying their own ads a couple of years ago and it kept crashing their computers and they couldn't remove it? Well, it's sort of like that I suppose. They know they're doing something they shouldn't (or not doing something they should) but they need a little personal nudge to actually take action.

Re:Stop Laptop Data Theft (1, Funny)

datatheftsecurity (999806) | more than 7 years ago | (#16031303)

There is an easy solution that many CPA firms have bought for auditors in the field for their laptops. Go to www.hlsworldwide.com and you can find a Biometric Encryption USB Flash Drive I saw on Fox News (the news feature can be seen live on the website). It completely locks down any laptop without the biometric encryption (your live sub-dermal electric signal from your fingerprint) authentication. The device has the highest level of encryption in the world, 384 Bit 18 layer security, far superior to the old 256 AES. Now the CIA, NSA and government agencies are switching to this technology, as it takes a Cray Super Computer 12 years to decrypt one line.

Re:Stop Laptop Data Theft (1)

MadUndergrad (950779) | more than 7 years ago | (#16031880)

Wow, you are such a shill. What are you going to say next? "Call in the next 10 minutes and you'll receive this mini biometric-encrypted usb drive, a $30 value, absolutely free!" ? I would have just modded you down, but that crap really deserved a good vocal response.

Re:Stop Laptop Data Theft (1)

datatheftsecurity (999806) | more than 7 years ago | (#16032189)

What I posted was fact, unlike your childish ranting response. The device I mentioned has been bought by numerous government agencies including the NSA and CIA, whose technology expertise more than likely far exceeds any you possess. CPA firms have bought the device to protect auditors' laptops in the field and protect clients' data. Please get your mother's permission when she gets back to the trailer before playing with adults on the internet again. Your father should have taught you "It is better to remain silent and thought the FOOL, than to speak and remove all doubt." LMAO at your self-imposed ignorance.

Re:Stop Laptop Data Theft (1)

Ph33r th3 g(O)at (592622) | more than 7 years ago | (#16032276)

So you're saying, then, that you have no affiliation with the product you're advertising? Because if you do, and you're not disclosing it, then you're a shill. And this is the last place you want to do that, because people who find your comments in a search (which is usually the object of this type of advertising) will find the ones pointing you out as a shill as well.

Re:Stop Laptop Data Theft (1)

datatheftsecurity (999806) | more than 7 years ago | (#16032290)

The poster asked how to resolve the problem he was facing with exposure to the data theft from laptop. My only affiliation is that I have bought the product and know people in his stated field that are using the product to resolve his stated problem. I don't construe that as advertising but offering a current viable solution. I feel the more people that know there is a solution to laptop data theft and/or identity theft the better.

Re:Stop Laptop Data Theft (1)

Ph33r th3 g(O)at (592622) | more than 7 years ago | (#16032294)

So you created an ID called "datatheftsecurity" recently which has no other posting history other than pointers to this product out of a desire to benefit mankind? You'll forgive my skepticism.

Re:Stop Laptop Data Theft (1)

datatheftsecurity (999806) | more than 7 years ago | (#16032321)

I had never heard of this site before this weekend. I subscribe to Google alerts for data and identity theft stories as I work as a security engineer in a datacenter. The Google alert had the CPA question, and our data center hosts a CPA firm website that had bought the Biometric Encryption Drives for the same problem. Sorry if my posted message to help him launched any "conspiracy alarms".

Re:Stop Laptop Data Theft (1)

bombshelter13 (786671) | more than 7 years ago | (#16036792)

You 'work as a security engineer in a datacenter' and 'had never heard of this site' before this weekend? That's the least believable thing you've said so far. About the only person working in a datacenter that can believably claim not to have heard of this site would be the janitor. If you ~do~ really work in a datacenter, you should be fired.

Re:Stop Laptop Data Theft (1)

datatheftsecurity (999806) | more than 7 years ago | (#16036917)

I am not sure of the self-importance you attach to this site. I have not needed to maintain our 3 datacenters we own around the world or support our base of clients. This is hardly a "bible reference" source for running datacenters. So far the posts have been much like yours....childish rantings as opposed to intellectual insights.

Re:Stop Laptop Data Theft (0)

Anonymous Coward | more than 7 years ago | (#16038058)

You're a little bit bitter for having been called out for posting an ad, Mr. Datacenter, aren't you.

Re:Stop Laptop Data Theft (0)

Anonymous Coward | more than 7 years ago | (#16031940)

That is the funniest thing I've read on Slashdot in a long long time.

Re:Stop Laptop Data Theft (1)

Amouth (879122) | more than 7 years ago | (#16033030)

"a Biometric Encryption USB Flash Drive" && "device has highest level of encryption in the world" != sense

You realize that USB is nothing but a huge unsecured network. All someone would have to do is place their own device on the USB network on the computer that is using it, listen and get the key, and after that just repeat it for access without the person. I am sorry, but no. If someone wanted to get the data, all it would take is a little planning.

Also, the idea of highest level of encryption: the number of bits and shit don't matter if they are predictable. Look at Blowfish, >400 bits, and cracked faster than I can make lunch.

Re:Stop Laptop Data Theft (1)

datatheftsecurity (999806) | more than 7 years ago | (#16033971)

You failed to comprehend the technology. Please enlighten me how you can imitate somebody else's "live beating fingerprint" and the variable of the 384-bit 18 layer encryption assigned to it??? Surely, the NSA and CIA who tested the device must not have thought of this....NOT....LOL

Re:Stop Laptop Data Theft (1)

Amouth (879122) | more than 7 years ago | (#16037478)

I never said imitate. All you would need to do is listen to the communications between the device and the computer.

Maybe make it simple: a device that prevents the computer from seeing the device removal.

Re:Stop Laptop Data Theft (0)

Anonymous Coward | more than 7 years ago | (#16042290)

Please enlighten me how you can imitate somebody elses "live beating fingerprint"

There are many ways to obtain a target's fingerprint; a short amount of time with the device would let you know how to reproduce that fingerprint in a format that the device would accept. Even if the fingerprint "key" is augmented with a password, few users will use a truly secure password. Fingerprint authentication is convenient, not secure.

Re:Stop Laptop Data Theft (1)

datatheftsecurity (999806) | more than 7 years ago | (#16033998)

"A USB is nothing but a huge unsecured network" only if it is a network unsecured by the device I mentioned. Once this device is plugged into the USB drive of any laptop and then removed you have no chance in hell of accessing the encrypted drives. End of story...

Re:Stop Laptop Data Theft (1)

Amouth (879122) | more than 7 years ago | (#16037470)

"plugged into the USB drive of any laptop "

I agree, because, well, if you managed to plug it into the USB Drive with the data on it, I am sure you would break something.
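The replay problem Amouth raises in this sub-thread (record the dongle's frames on the bus, then repeat them without the dongle present) and the AC's point that a fingerprint is not a secret are easier to reason about with a concrete model. The following is an added example, not code from this thread and not a model of any real product: a simulated host and dongle exchanging messages over a logged bus, once with a fixed unlock token and once with HMAC challenge-response over a fresh random nonce. All names, the bus model and the sample secret are constructed for the illustration.

```python
"""Passive bus sniff + replay against a static unlock token, versus challenge-response.

Added illustration (not from the original page, not any real product). The 'bus'
is a list every party appends to, which is exactly what a sniffer would record.
"""
import hashlib
import hmac
import secrets
from typing import Callable, List, Tuple

# Constructed sample secret shared by host and dongle (hypothetical value).
DONGLE_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")

Bus = List[Tuple[str, bytes]]                 # (sender, frame) as seen on the wire
Responder = Callable[[Bus, bytes], bytes]     # dongle (or attacker) answering a host request


def static_dongle(bus: Bus, request: bytes) -> bytes:
    """Dongle that emits a fixed unlock token whenever asked: the secret crosses the bus."""
    bus.append(("dongle", DONGLE_SECRET))
    return DONGLE_SECRET


def static_host_unlock(bus: Bus, responder: Responder) -> bool:
    """Host accepts whoever presents the expected token."""
    bus.append(("host", b"UNLOCK?"))
    token = responder(bus, b"UNLOCK?")
    return hmac.compare_digest(token, DONGLE_SECRET)


def cr_dongle(bus: Bus, challenge: bytes) -> bytes:
    """Dongle proves possession of the secret by keying an HMAC over the host's nonce;
    the secret itself never appears on the bus."""
    response = hmac.new(DONGLE_SECRET, challenge, hashlib.sha256).digest()
    bus.append(("dongle", response))
    return response


def cr_host_unlock(bus: Bus, responder: Responder) -> bool:
    """Host issues a fresh 128-bit random challenge each time and checks the HMAC."""
    nonce = secrets.token_bytes(16)
    bus.append(("host", nonce))
    response = responder(bus, nonce)
    expected = hmac.new(DONGLE_SECRET, nonce, hashlib.sha256).digest()
    return hmac.compare_digest(response, expected)


def replayer_from(bus: Bus) -> Responder:
    """Attacker who sniffed one genuine session: answer any request with the
    dongle's last recorded frame. Knows nothing but the recording."""
    captured = [frame for sender, frame in bus if sender == "dongle"][-1]

    def respond(bus_: Bus, request: bytes) -> bytes:
        bus_.append(("attacker", captured))
        return captured

    return respond


def run_scenario(host_unlock: Callable[[Bus, Responder], bool],
                 dongle: Responder) -> Tuple[bool, bool]:
    """Return (genuine unlock succeeded, replay of the sniffed session succeeded)."""
    bus: Bus = []
    genuine_ok = host_unlock(bus, dongle)   # attacker is listening during this session
    attacker = replayer_from(bus)           # dongle removed; attacker has only the recording
    replay_ok = host_unlock(bus, attacker)
    return genuine_ok, replay_ok


def run_static_scenario() -> Tuple[bool, bool]:
    """Fixed token: the recording unlocks the host without the dongle."""
    return run_scenario(static_host_unlock, static_dongle)


def run_challenge_response_scenario() -> Tuple[bool, bool]:
    """Challenge-response: the recorded answer matches a stale nonce and is rejected."""
    return run_scenario(cr_host_unlock, cr_dongle)


if __name__ == "__main__":
    print("static token:       genuine=%s replay=%s" % run_static_scenario())
    print("challenge-response: genuine=%s replay=%s" % run_challenge_response_scenario())
```

Challenge-response closes the passive replay but none of the other gaps named in the thread: a stolen laptop whose disk is not actually encrypted under a key the thief lacks is readable regardless of how the unlock dialogue works, and a device that ever sends the disk key itself in the clear over the bus is sniffable no matter how many bits it advertises.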

Re:If you're worried, resign... AND QUICK (1)

rbochan (827946) | more than 7 years ago | (#16032404)

Resign... today. Seriously.
I was in a similar situation a few years back at a company I was working for. For _months_ I'd been warning about issues that would have cost less than $1000 to take care of. Memos did nothing. Emails did nothing. Phone calls did nothing. Actually showing them what could happen and the resulting chaos that would ensue did nothing. Setting up a budget and implementation schedule did nothing.
When the shit finally hit the fan and the cost to them was in the 6-figures, I was called in and about to be blamed/bitched out, so I walked in, and just as I was being asked "Why couldn't this have been prevented...", I took off my tie, dropped the inch-thick file with copies of all the memos, emails, and budgeting I'd tried to get taken care of on the desk, said "I quit", and walked out.

Never looked back.

When you're given a responsibility, but denied the tools and/or budget to carry out that responsibility, yet still have to accept the blame, it's a godawful situation. If they won't accept that you have the skills and initiative to see that there's a problem, there's not much you can do.

Re:If you're worried, resign... AND QUICK (1)

rtb61 (674572) | more than 7 years ago | (#16037233)

It can be a seriously frustrating problem. There is an alternative: provide them with a letter detailing your denial of responsibility for the legal ramifications and possible criminal and civil penalties should the network be hacked and used for criminal activities.

Make note that all computer equipment may be removed for up to 30 days in the event of a criminal investigation, and that this also includes the home computers of the responsible officers of the company, amongst whom you categorically and legally state, in the document that you provide, you are not counted (provide a copy of the laws that relate).

Also list whom you believe will be the responsible officers of the company whom the authorities and lawyers will be pursuing, at work as well as at home, until such time as they can prove they are innocent, even when their computers are guilty.

Before you resign (1)

thedletterman (926787) | more than 7 years ago | (#16043749)

I would have a chat with the legal department, and find out personal liability issues, and if it is possible to indemnify yourself against adverse potential effects. Not only is this smart as a CYA move, it will also certainly raise the issue again with the senior partners as to "why is the IT guy seeking to mitigate his liability in the event of a catastrophe?" They would then advise from a legal perspective the repercussions of them having not heeded your advice, and any cost/benefit comparisons of action vs non-action would then be weighed against the different spectrum of action vs legal action.

Fortunately for you, many companies are structured in a way as to prevent employees from personal liability in the performance of their duties so long as they did not act in a criminal manner, so resignation to "avoid" a lawsuit might be throwing the baby out with the bath. It's always frustrating to see an urgent need unaddressed, but not every company plays the 'safety first' motto. Oddly, I would think a CPA would.

ooo... shiny (2)

xhamulnazgul (996557) | more than 7 years ago | (#16029710)

This could be the perfect time to stage a hacking attempt on those systems as well as a quick theft of a system or two. It's simple yet effective, not to mention that they have no chance to ignore it.

Re:ooo... shiny (3, Insightful)

legoburner (702695) | more than 7 years ago | (#16029878)

If he then demonstrates that he did it to show them how bad the system is then he could lose his job. If he does not then he could get caught and sued/arrested. If he recovers lost data then they will think there is no problem as nothing was lost. If he does not recover data he could cause unfixable damage to the company. I would say the same as other posters, write a nice long letter with a threat to quit, then if that causes no increase in responsiveness just quit.

Two things... (4, Insightful)

Aadain2001 (684036) | more than 7 years ago | (#16029713)

First, keep a very accurate paper trail, with dates and responses, of every suggestion and action you wanted to take. That way, when (not if) they suffer a massive data theft or loss of income from their computer systems being down, you can point to your evidence and basically say "I told you so, no one to blame but yourselves".

Second, quit that job. Make it very clear that you are unable to perform your job duties and move on to greener pastures. Unless you have stake, financial or otherwise, beyond just a paycheck, is it worth all the frustration and coming headaches? You know they will suffer a very bad event and want to blame you. Even with your evidence, you know you'll be the scape-goat and be fired. Just leave now and get a better job.

Re:Two things... (2, Interesting)

TubeSteak (669689) | more than 7 years ago | (#16030113)

That paper trail you should be building, IMHO, is going to end up as exhibit A-Z if the company has an info leak.

Because that is when the customers are going to sue and win, since your company refused to do its due diligence in protecting the information.

Additionally, hire a penetration tester (bonded and insured, unless (s)he's a buddy of yours) without telling your bosses. Even if the results don't change their minds, you've Covered Your Ass.

...Or if you want to be a bastard about it, ignore everything I said, poke through your customer list, quit, then start whispering in the ears of any reporters that use your former employer's services.

Re:Two things... (1)

John Hasler (414242) | more than 7 years ago | (#16030233)

> That paper trail you should be building, IMHO, is going to end up as exhibit
> A-Z if the company has an info leak.

Sure. So what? He'd be deposed anyway, and it doesn't sound like he'd lie for his bosses.

> Additionally, hire a penetration tester (bonded and insured, unless (s)he's a
> buddy of yours) without telling your bosses.

And get fired and prosecuted. Tell the bosses you want to hire a pen-tester. If they refuse, document it.

Re:Two things... (0)

Anonymous Coward | more than 7 years ago | (#16035548)

And get fired and prosecuted. Tell the bosses you want to hire a pen-tester. If they refuse, document it.

What is all this crap about documenting the situation? These bozos are at least smart enough to maintain deniability. Go up against them and they'll leave no paper trail. If you use email, they'll answer by crapping on your evaluation. You'd have to be pretty far along in a trial before you were able to dig out the emails from backups. And they'd simply say they'd accidentally deleted it without reading it. Fuck them -- if they don't show they're going to do the right thing when you first bring it up,look for a new job and let them hang themselves.

Re:Two things... (1)

Aadain2001 (684036) | more than 7 years ago | (#16030293)

That paper trail you should be building, IMHO, is going to end up as exhibit A-Z if the company has an info leak.

While that paper trail can definitely be bad for the company, for the person in question it is almost necessary. If the company does get sued by a victim of their incompetence, they will get what they deserve. However, if the people in charge start looking for a scapegoat, the IT person won't have to worry. Especially in anything public, the documents help shield the employee, both from managers and prosecutors. The only time it could hurt is if the upper manager found out about the paper trail being generated and fired the guy for doing so. But from the sounds of it, that wouldn't be a big loss for the IT guy. He needs to head to a company that actually listens to their employees.

Re:Two things... (1)

SanityInAnarchy (655584) | more than 7 years ago | (#16030370)

Unless you have stake, financial or otherwise, beyond just a paycheck, is it worth all the frustration and coming headaches? You know they will suffer a very bad event and want to blame you.

If there's enough of a paper trail, it shouldn't matter. I'd keep the paper trail ready, and try to line up another job first -- better than going without a paycheck for awhile.

Re:Two things... (1)

hey! (33014) | more than 7 years ago | (#16032475)

Actually, keeping a paper trail is not only a good idea, if you want to change things then being seen keeping a paper trail is a good idea too.

Often where one avenue of information is saturated, it's hard to get a message through. Email is a perfect example. People have too much useless email, so it's a bad way to get a message through. But people do take cues from others' behavior, and if you are seen acting as if this is a big problem, then others will get the message.

So, instead of email, send paper memos. You may have to use the post to do so. Make sure you put "file" on the distribution list. If you have a notary working at your company (which as CPAs there is a good chance that you do) making a production of having him notarize your file copy would be a nice touch.

Re:Two things... (1)

pr0file (238078) | more than 7 years ago | (#16039476)

Actually.. scratch the second option.... it's just plain dumb! Based on the excellent advice initially given.. you'll be a very rich scapegoat should you be fired because of "their" incompetence.

As an information security professional you have one job to do and that is reduce risk. If you have done all that is within your power to highlight the level of risk your company is facing and they effectively "sign off" on your report/comments (it's best to try and get this "sign off" in some formal document; failing that, an email will suffice), then my friend your job is done.

They have decided, despite your professional opinion, given in your capacity as the designated security/IT expert, that this is an acceptable level of risk. If all goes tits up and the company goes to pot well.. it wasn't your fault now was it??? after all, those that held the purse strings kept them tightly closed now didn't they?

Having done infosec for about 10 years now, I have come to the conclusion that businesses will invariably do what they darn well want to.. its your job to ensure that they do it as safely as possible, based on what their risk appetite is.

Re:Two things... (1)

cavemanf16 (303184) | more than 7 years ago | (#16043974)

I agree with the paper trail part, totally disagree with the "quit the job" part of your advice. First, it IS important to keep that paper trail so that when things go wrong you and your employer can evaluate why things went wrong and how to mitigate that error in the future. (It also provides extra CYA if anything goes really south with your employer because of the error.) However, there is no such thing as the "better job" when you think it will just be found *somewhere else*. The "better job" is the one where you have the freedom to make the job into the one you want. So, if you're requesting money for system security enhancements and they're not giving it to you, make improvements to security for free, or do things to work around the lack of money to make security enhancements. You should only consider leaving when the initiatives that you take (when they're the right initiatives and only benefit, not harm, others) are stomped on simply because "we didn't tell you to do that." That's when you know that management is beyond clueless, and actually potentially harmful to your own career and the business as a whole - which could certainly spell long-term trouble for your continued gainful employment in the future.

You did your job (2, Informative)

Ckwop (707653) | more than 7 years ago | (#16029717)

Is there a good way, beyond memos and emails, to inform the partnership that the water in which they tread could quickly become dangerous?

You're only paid to do your job and you did your job. If they don't listen to your advice that's their problem. Just make sure you keep copies of the e-mail you sent on the topic. If something "really bad" happens, then you can say you recommended X, Y, Z and they did absolutely nothing about it.

Simon

Re:You did your job (1)

harrkev (623093) | more than 7 years ago | (#16029849)

It also wouldn't hurt to set up a Gmail account just for this. CC (or BCC) all e-mail to that address. Then, if the unthinkable happens, you can just point your lawyer to that account and tell him to have a good time.

Re:You did your job (1)

tengu1sd (797240) | more than 7 years ago | (#16033954)

Exporting company data, work product or internal messages and memos to an outside source could in itself be a security issue. This is a good way to hang yourself. Far better to maintain paper copies; the suggestion above to get these notarized is an excellent idea.
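hey!'s notarized file copy and tengu1sd's caution about exporting company data can be reconciled with a hash-chained log: keep the memos in-house and give the third party (a notary, a dated letter to yourself, a partner's signature) only the chain's head hash, which reveals nothing about the contents. The example below is added here and is not code from this thread; the log entries, dates and recipients are constructed samples.

```python
"""Tamper-evident log of security recommendations and management responses.

Added example, not from the original page. Each entry's hash covers the previous
entry's hash, so editing, deleting or back-dating any earlier entry changes every
later hash and the head no longer matches the one you had witnessed.
"""
import hashlib
import json
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # stands in for the previous hash of the very first entry


def entry_hash(prev_hash: str, unsigned_entry: Dict) -> str:
    """SHA-256 over the previous hash plus a canonical JSON encoding of the entry."""
    body = json.dumps(unsigned_entry, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(prev_hash.encode("ascii") + b"\n" + body).hexdigest()


class EvidenceLog:
    """Append-only record; every entry commits to everything before it."""

    def __init__(self) -> None:
        self.entries: List[Dict] = []

    def head(self) -> str:
        """The value to hand to a third party; it changes whenever anything earlier changes."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def append(self, date: str, kind: str, subject: str, recipients: List[str], text: str) -> str:
        entry = {
            "seq": len(self.entries),
            "prev": self.head(),
            "date": date,
            "kind": kind,
            "subject": subject,
            "recipients": recipients,
            "text": text,
        }
        entry["hash"] = entry_hash(entry["prev"], entry)  # 'hash' key not yet present here
        self.entries.append(entry)
        return entry["hash"]

    def verify(self, published_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
        """Return (ok, first bad sequence number or None).

        Checks the chain itself and, if a previously witnessed head is given, that the
        log still ends there; a silently dropped tail passes the first check only."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            unsigned = {k: v for k, v in e.items() if k != "hash"}
            if e.get("seq") != i or e.get("prev") != prev or entry_hash(prev, unsigned) != e.get("hash"):
                return False, i
            prev = e["hash"]
        if published_head is not None and prev != published_head:
            return False, len(self.entries)
        return True, None


def build_sample_log() -> EvidenceLog:
    """Constructed sample entries (hypothetical dates, recipients and wording)."""
    log = EvidenceLog()
    log.append("2006-03-02", "memo", "Field laptop encryption", ["partners", "file"],
               "Recommend full-disk encryption on all field laptops; quote attached.")
    log.append("2006-03-09", "reply", "Re: Field laptop encryption", ["it"],
               "Partners decline; cost not justified this year.")
    log.append("2006-05-18", "memo", "Firewall replacement", ["partners", "file"],
               "Perimeter firewall is end-of-life and unpatched; replacement proposal attached.")
    return log


def demo() -> Dict[str, object]:
    """Show what each kind of after-the-fact tampering looks like to verify()."""
    log = build_sample_log()
    witnessed_head = log.head()                      # this is what gets notarized / signed
    intact = log.verify(witnessed_head)

    edited = build_sample_log()                      # someone rewrites management's answer
    edited.entries[1]["text"] = "Partners approve; purchase authorized."
    edited_result = edited.verify(witnessed_head)

    truncated = build_sample_log()                   # someone drops the latest memo
    truncated.entries.pop()
    return {
        "intact": intact,
        "edited": edited_result,
        "truncated_internal": truncated.verify(),            # chain alone looks fine
        "truncated_vs_head": truncated.verify(witnessed_head),  # witnessed head exposes it
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20s} ok={result[0]} first_bad={result[1]}")
```

Because only the head hash leaves the building, this keeps the memos themselves in-house; the same head written into a dated, signed paper memo and placed in the file serves the same purpose as the notary stamp.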

Re:You did your job (1)

Monkelectric (546685) | more than 7 years ago | (#16029886)

Spot on advice. Business is about cutting every corner and not getting caught (bad business at least). They have decided to take this risk and there is nothing he can do about it.

My advice for you -- look for a new job. The longer you are in a job that bad -- the harder it will be to find a good job later.

Re:You did your job (1)

try_anything (880404) | more than 7 years ago | (#16031592)

You're only paid to do your job and you did your job. If they don't listen to your advice that's their problem.

It also may be time for him to ask what he wants to do with his career. He obviously has no credibility with management and will be nothing but an "OMG fix the Internet" monkey. If he ever wants to be anything more, he needs to leave.

Poster, time to start taking yourself seriously and demanding that others do so! Or gain forty pounds, grow a ponytail, and prepare yourself for a life of Cheeto-stained, bottom-of-the-totem-pole geekdom.

Fucking CPAs (2, Funny)

Anonymous Coward | more than 7 years ago | (#16029721)

Having worked in IT for about nine years and having worked mainly with the Accounting Department, let me be the first to say that you can't tell CPAs anything because they already fucking know everything.

You've told them, you've done your job. Now just sit back and watch. Of course you'll have to pick up the pieces later but that's your job. Or at least that's how the CPAs see it.

Re:Fucking CPAs (0)

Anonymous Coward | more than 7 years ago | (#16030018)

I agree with you, so far, all of the ones I've heard, met or that my friends met were total @$$es. Not to generalize, but it's basically their jobs. They have to go to places, tell everyone how to do their jobs, including how to protect their beautiful little accounting job from all prying eyes. That means bossing the IT department around into putting the things in _their_ way, protect the data _their_ way and to make that, they use their beautiful little sentences they learned at school, as well as their outdated techniques from 5 years ago and they still say it's gold.

*rant rant*

As others have said, quit (2, Insightful)

antifoidulus (807088) | more than 7 years ago | (#16029723)

if you don't want to do that, I would suggest posting news articles about security breaches and identity theft in a prominent place in the office. Make sure to highlight the negative consequences and explain how they can be avoided.
If that still doesn't work, quit. They are going to hold you responsible when the feces hit rapidly spinning blades despite the fact that you have done everything in your power besides smacking them to try to avoid it.

Suggestions (2, Interesting)

Sefi915 (580027) | more than 7 years ago | (#16029731)

First would be not to post to Slashdot with a username that seems to feature your last name. They might be ignorant of security, but even the dumbest people like to hope they're geeky enough to visit here.

Second would be to find the appropriate IRS tax confidentiality laws and try to explain to them how the breach of your network would fuxxor their Happy Place. Most CPA firms I've worked with do have tax information as well, so this is certainly a valid argument.

While I'm doing this, I would see about finding a better work environment.

Face to face meetings (1)

nascarguy27 (984493) | more than 7 years ago | (#16029736)

Bring them all into a big room and explain to them the utter importance of security. Explain the benefits face to face. Also explain the pitfalls of not being locked down. People respond better with face to face meetings than without them. Whenever I need something done, I talk directly to who can do it face to face. If the partnership does not have the time, or if they just do not care, then I'd look into other employment opportunities. I wouldn't want to work somewhere that is "too busy" to pay attention to security. But, that's just me and my opinion.

And use Powerpoint too! (0, Redundant)

IANAAC (692242) | more than 7 years ago | (#16030013)

Bring them all into a big room and explain to them the utter importance of security. Explain the benefits face to face.

Seriously, if they've not listened to him after repeated attempts, they'll most likely not listen to him face-to-face either.

The best he can do is keep good records of his communications, because when something happens, he'll be the scapegoat.

Protect them in spite of themselves (1)

mdhoover (856288) | more than 7 years ago | (#16029748)

This is a very sticky situation to be in, because you are damned either way. When the old PIX gets overrun they aren't going to care that you warned them beforehand (keep all memos, meeting minutes, emails), they are gonna come after you because you failed to protect their network.

If the folks you work with aren't savvy enough to understand the risks, you have a hard sell. Best you can do is try to protect them in spite of themselves. Personally I'd grab a spare box, slap OpenBSD or a minimal linux distro on it, set it up as a firewall (std or bridging) then do a stealth deployment out of hours putting it between the PIX and the rest of the network.

You may get some grief about it, but it is gonna be a lot less grief than having your network compromised

As for the laptops etc, they are out of your hands if there is no buy-in from management. Not much you can do...

Speak to them in their own language (1)

davecb (6526) | more than 7 years ago | (#16032380)

Ask the managing partners for indemnification, so that if and when the firm is sued by its ex-customers, the firm assumes the responsibility for not doing the due diligence you proposed, and agrees to pay the costs of your defense.

Money speaks to a CPA. Mind you, they may then consider a cost reduction equal to your salary a good thing, so have a new job lined up!

--dave

Re:Protect them in spite of themselves (1)

itwerx (165526) | more than 7 years ago | (#16034591)

...When the old PIX gets overrun

I'm not disagreeing with the BSD box but it's funny nobody has mentioned maybe updating the IOS on the PIX. Every firewall in existence (including the various Linux/BSD-based options like IPchains, IP tables etc) has had the occasional vulnerability.
Security is not about flipping a switch and walking away, it's an ongoing and ever-evolving process...

don't worry about it (0)

Anonymous Coward | more than 7 years ago | (#16029770)

the company probably won't be around much longer.

joking aside, you could compare the cost of securing laptops to the cost of mass-mailing every potential identity theft victim whose data was on the stolen laptop and providing free credit checks for a year.

Have you tried saying the magic word? (4, Insightful)

wfberg (24378) | more than 7 years ago | (#16029779)

Have you tried saying the magic word?

No, not "Please", but "Sarbanes-Oxley"

Re:Have you tried saying the magic word? (1)

Duckz (147715) | more than 7 years ago | (#16029885)

SOX only is enforced against public corporations where stock holders exist.

Re:Have you tried saying the magic word? (1)

wfberg (24378) | more than 7 years ago | (#16029936)

SOX only is enforced against public corporations where stock holders exist.

So if you aspire, as an accountant, to ever doing any work for any publicly listed corporation, you might want to get with the program...

Re:Have you tried saying the magic word? (2, Insightful)

JWW (79176) | more than 7 years ago | (#16030408)

No, not "Please", but "Sarbanes-Oxley"

It makes me sick to see how much this overreaching, overreacting federal regulation is being used by IT departments to run companies as if it's the IT department that's actually in charge of things. The IT department serves the business, not the other way around. IT departments that have to use SOX to enforce their wishes aren't serving the business, they're playing games with it. The business should (I know there are companies out there that actually are hopeless, but not most) be telling IT what they want to do about SOX, not the other way around.

What really needs to be asked in this situation is "How can I improve security to an acceptable level while impacting the ability of the firm to do business the least?" If every recommendation requires that the workers at the firm jump through hurdles and face extra hardship in using systems, then of course they're not going to be receptive. Make things easy. Go ahead and buy security cables for their laptops and show them how to use them. Help them put a boot password on their laptops, or make the next round of laptops you buy have biometrics. But remember the most important lesson you can teach them is never ever leave their laptop out of their sight. Remember, no physical security is no security at all. Tell them that, and then let them do their jobs. If you tell them to watch their laptop like a hawk and someone steals it, they will remember what you told them. If they still try to say it's your fault, you should do what a lot of people have suggested here and leave, because they don't have any sense of responsibility to either security or really to their business.

Re:Have you tried saying the magic word? (0)

Anonymous Coward | more than 7 years ago | (#16041590)

It makes me sick to see how much this overreaching, overreacting federal regulation is being used by IT departments to run companies as if its the IT department thats actually in charge of things.

Sorry, I should agree with you, but I don't. Why? Because there are arrogant people in charge of the company(ies) who should be paying attention to the advice they are given by their IT staff. There is a reason that IT staff exist: they have specialized knowledge that is important to the running of a big organization. So, if their responsibility is to keep the company's information assets running and, in their opinion, the only way to fulfill their responsibilities is to threaten the people who gave them that responsibility with SOX, then where's your complaint? This is doubly true if the IT staff will be held accountable for any failures.

If this guy wanted to get mean about it, he would hire a lawyer and have the partners in the firm sign a statement that he has warned them several times about security and that his recommendations have not been approved. If something happened at the firm, he might be out of a job, but the partners would lose all their assets, since that would be proof they were negligent. (Not taking the advice of an expert you have hired would seem negligent.) Also, if he were fired over an incident, he would have a nice basis for a wrongful dismissal suit, since he was not allowed to take protective measures that he deemed necessary.

On the plus side, asking they sign something to show they have declined his advice might make them aware enough to approve it. Funny how having to take a definite stance on something makes people change their minds. Of course, if asked he could just (truthfully) state: "I want this signed so when an incident occurs, I can prove that I am not negligent and can't be sued or held criminally responsible by our customers or the government." That should get their attention at the very least.

So, while I agree with you that the IT department serves the company - this isn't a suicide pact, nor are the IT employees slaves. If they need to put pressure on the management/board to get important things done, then that's what they need to do. Also, management should thank them for it - they are being saved from their own stupidity. Maybe it would be better for the entire IT staff to leave - but that would screw the company even more.

Back up your communications with evidence (0)

Anonymous Coward | more than 7 years ago | (#16029792)

Make sure that "memos and emails" includes:

o How likely it is to happen, based on evidence from someone other than you.

o What the direct financial cost / ongoing monetary loss would be, again backed up by information from someone else.

Your job is to inform management (4, Insightful)

strikethree (811449) | more than 7 years ago | (#16029813)

Your job is to inform management in a clear and concise manner. The only time any action is to be taken outside of management's approval is when a law is being broken. If it was your job to decide which risks are worth taking, then you would be management. Understand?

strike

Re:Your job is to inform management (1)

Richard Steiner (1585) | more than 7 years ago | (#16030981)

Wow. In some companies, if folks had to wait for "management approval" for every IT action, then nothing would ever get done.

Did you also propose solutions/steps? (5, Insightful)

TheLink (130905) | more than 7 years ago | (#16029828)

Because many bosses don't like being posed problems if there aren't convenient options provided at the same time.

Or the options proposed are just unacceptable.

e.g. instead of banning laptops in the field, have encryption for the laptops, and regular backup plans.

As for the Cisco IOS firewall: I don't think it is really that bad; it just depends on what rules you have. Expensive firewalls aren't so important if you're not dependent on a GUI and don't have very complex requirements.

What you need to do is secure and patch the exposed services - web, mail, app servers etc.

If you have proposed steps and options, and they choose to ignore you, then that's their decision.

But I would recommend that you prioritize on having decent backups.

Three things (1)

n9hmg (548792) | more than 7 years ago | (#16029833)

for(i=0;i<3;i++){ document; } Even better, to get your point across, print out the emailed rejection of your recommendation, with said recommendation including a good explanation of the consequences. Take that paper copy to the highest-ranking rejector and request that he sign it. That takes it to a new level in the mind of an ass-covering management weasel. Then, even if doomsday comes before you desert them, and they try to feed you to the courts, you hand that document to the prosecutor.

Here is what I would do... (4, Insightful)

Noryungi (70322) | more than 7 years ago | (#16029891)

As many other people have already said:
  1. Make a copy of every document, every email, every recommendation. Make your own copy, on a USB key, and don't keep it only on your work computer.
  2. Update your résumé and start looking for a new job. Now.
    With this out of the way...

  3. Clearly explain the problems and potential consequences (that means $$$ consequences) to every manager and partner one last time.
  4. Point out every legal disposition that may require the company to protect internal and client information: Sarbanes-Oxley, etc. Support this by pointing out the amount of money paid by companies that had breaches and/or data stolen following a major security problem.
  5. Provide low/no-cost solutions to the situation at hand: OpenBSD/Linux firewalls, programs like TrueCrypt for the laptops, Snort, Nessus, Nmap, Wireshark and other software that can help secure a network.


Remember: managers only understand money matters. Point out the financial risks any chance you get and you will probably have their full and undivided attention.

Again, if all else fails, just get out of the company as quickly as possible, and keep that paper trail on your USB key for the next decade or so... Or, even better, keep two copies, one on the USB key and the other on a CD-ROM.

It reminds me of the day when -- in a security-conscious software publisher -- the CFO wanted everyone to be on a Wifi network. During a meeting on this subject, I simply pointed out that anyone with a Wifi card could probably snoop on the network traffic from one of the offices above ours. The Wifi project disappeared before you could say "war driving"...
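Several posts above recommend laptop encryption (TrueCrypt, boot passwords) as the low-cost fix for field laptops. Before arguing the point with the partners, it helps to know which machines are actually protected. The script below is an added example, not code from this thread or from any of the tools it names: it walks the JSON tree that `lsblk -J -o NAME,TYPE,MOUNTPOINT` prints on a Linux laptop and reports whether the device carrying `/` is, or descends from, a dm-crypt (`crypt`) device. The two lsblk documents embedded in it are constructed samples, not captures from real machines. Note the caveat: a `crypt` ancestor tells you the data at rest is encrypted, not that the key is well protected (a weak passphrase, or a laptop that is only ever suspended rather than shut down, still loses the data).

```python
"""Report whether a Linux laptop's root filesystem sits on an encrypted block device.

Added example, not from the original thread. It parses `lsblk -J` output,
either a live capture or the constructed samples below, and walks the device
tree looking for a dm-crypt ("crypt") node between the disk and "/".
"""
import json
import subprocess
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed sample: LUKS container (nvme0n1p2 -> luks-...) holding an LVM root.
ENCRYPTED_SAMPLE = json.dumps({"blockdevices": [
    {"name": "nvme0n1", "type": "disk", "mountpoint": None, "children": [
        {"name": "nvme0n1p1", "type": "part", "mountpoint": "/boot/efi"},
        {"name": "nvme0n1p2", "type": "part", "mountpoint": None, "children": [
            {"name": "luks-1234", "type": "crypt", "mountpoint": None, "children": [
                {"name": "vg0-root", "type": "lvm", "mountpoint": "/"},
                {"name": "vg0-swap", "type": "lvm", "mountpoint": "[SWAP]"}]}]}]}]})

# Constructed sample: plain partitions, in the newer "mountpoints" list format
# that util-linux >= 2.37 emits.
PLAIN_SAMPLE = json.dumps({"blockdevices": [
    {"name": "sda", "type": "disk", "mountpoints": [None], "children": [
        {"name": "sda1", "type": "part", "mountpoints": ["/boot"]},
        {"name": "sda2", "type": "part", "mountpoints": ["/"]}]}]})


def _walk(node: Dict, ancestors: List[Dict]) -> Iterator[Tuple[Dict, List[Dict]]]:
    """Yield (device, ancestors-from-disk-down) for every node in an lsblk subtree."""
    yield node, ancestors
    for child in node.get("children", []):
        yield from _walk(child, ancestors + [node])


def _mountpoints(node: Dict) -> List[str]:
    """Normalize the old single 'mountpoint' key and the newer 'mountpoints' list."""
    mps = node.get("mountpoints")
    if mps is None:
        mps = [node.get("mountpoint")]
    return [m for m in mps if m]


def device_chain(lsblk_json: str, mountpoint: str = "/") -> Optional[List[str]]:
    """Return device names from the physical disk down to the device mounted at
    `mountpoint`, or None if nothing is mounted there."""
    tree = json.loads(lsblk_json)
    for disk in tree["blockdevices"]:
        for node, ancestors in _walk(disk, []):
            if mountpoint in _mountpoints(node):
                return [n["name"] for n in ancestors + [node]]
    return None


def root_is_encrypted(lsblk_json: str, mountpoint: str = "/") -> bool:
    """True if the device holding `mountpoint`, or any device beneath it in the
    stack, is a dm-crypt mapping. Raises ValueError if nothing is mounted there."""
    tree = json.loads(lsblk_json)
    for disk in tree["blockdevices"]:
        for node, ancestors in _walk(disk, []):
            if mountpoint in _mountpoints(node):
                return any(n.get("type") == "crypt" for n in ancestors + [node])
    raise ValueError(f"nothing mounted at {mountpoint}")


def check_this_machine() -> bool:
    """Run lsblk on the local host (Linux, util-linux with JSON support) and check '/'."""
    out = subprocess.run(["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"],
                         capture_output=True, text=True, check=True).stdout
    return root_is_encrypted(out)


if __name__ == "__main__":
    for label, sample in (("encrypted sample", ENCRYPTED_SAMPLE), ("plain sample", PLAIN_SAMPLE)):
        print(f"{label}: chain={device_chain(sample)} encrypted={root_is_encrypted(sample)}")
```

On a real fleet, run `check_this_machine()` from whatever inventory agent you already have and collect the boolean per laptop; the equivalent one-liners on other platforms are `fdesetup status` (macOS FileVault) and `manage-bde -status` (Windows BitLocker).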

Re:Here is what I would do... (0)

Anonymous Coward | more than 7 years ago | (#16030832)

Last I checked, paper trails and USB keys didn't go together.

Re:Here is what I would do... (1)

Jesus_666 (702802) | more than 7 years ago | (#16032801)

Again, if all else fails, just get out of the company as quickly as possible, and keep that paper trail on your USB key for the next decade or so... Or, even better, keep two copies, one on the USB key and the other on a CD-ROM.

Some eccentric individuals might also keep a copy of their paper trail printed on actual paper.

Re:Here is what I would do... (0)

Anonymous Coward | more than 7 years ago | (#16036240)

Actually you are better off saving onto a CD-ROM and printing out all your e-mails, etc. Once you have done that, go to the post office and mail it to yourself by certified mail. That way you have a sealed, tamper-proof copy of all your documentation.
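The posts above are about keeping a copy of the warnings that can later be shown to match what you originally sent. The script below is an added example, not code from this thread: it builds a SHA-256 manifest over an archive of memos and e-mails in the same two-space format `sha256sum -c` accepts, and verifies a copy against it, reporting which files were modified, deleted or added. The archive it builds for the demo is constructed inline. A manifest you hold yourself proves integrity, not date: to fix the time, record the manifest's digest somewhere you cannot quietly change afterwards (the mailed envelope suggested above, a dated e-mail to a third party, or an RFC 3161 timestamp); that step is outside this script.

```python
"""SHA-256 manifest for an evidence archive: build it, serialize it in
`sha256sum -c` format, and verify a copy against it.

Added example, not from the original thread. The sample archive in demo()
is constructed; file names and contents are placeholders.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def file_digest(path: Path) -> str:
    """Stream a file through SHA-256 so large mailbox exports do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map every regular file under root (relative path, POSIX separators) to its digest."""
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def serialize(manifest: Dict[str, str]) -> str:
    """Render the manifest in sha256sum's '<hex>  <name>' line format (two spaces)."""
    return "".join(f"{digest}  {name}\n" for name, digest in sorted(manifest.items()))


def manifest_digest(manifest: Dict[str, str]) -> str:
    """One digest that covers the whole manifest; this is the value to timestamp or print."""
    return hashlib.sha256(serialize(manifest).encode("utf-8")).hexdigest()


def verify(root: Path, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare a directory against a recorded manifest."""
    current = build_manifest(root)
    return {
        "modified": sorted(n for n in manifest if n in current and current[n] != manifest[n]),
        "missing": sorted(n for n in manifest if n not in current),
        "added": sorted(n for n in current if n not in manifest),
    }


def demo() -> Dict[str, List[str]]:
    """Build a constructed archive, record it, tamper with the copy, and report the differences."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        memo = root / "2006-08-01-laptop-encryption-memo.txt"
        memo.write_text("Recommend full-disk encryption for all field laptops.\n")
        (root / "replies").mkdir()
        reply = root / "replies" / "partner-reply.eml"
        reply.write_text("Subject: Re: laptop encryption\n\nNot this year.\n")

        recorded = build_manifest(root)          # what you would print and mail

        # Simulated tampering with the working copy: one edit, one deletion, one addition.
        reply.write_text("Subject: Re: laptop encryption\n\nApproved.\n")
        memo.unlink()
        (root / "notes.txt").write_text("x")
        return verify(root, recorded)


if __name__ == "__main__":
    print(demo())
```

In practice, write `serialize(manifest)` to `MANIFEST.sha256` next to the archive before burning the CD; `sha256sum -c MANIFEST.sha256` on any Linux box then checks the copy without this script.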

If it's that important, don't give them an option (2, Interesting)

JoeCommodore (567479) | more than 7 years ago | (#16029901)

If your job is securing the infrastructure of the business, then don't give them any option that leaves them with a less secure infrastructure. Tell them "this is a necessary upgrade to the system which will improve the operational condition of the network", etc. There are no false truths there: it is necessary and will improve conditions. Saying "we should" gives them the opening to pinch pennies and to drag their feet.

Second wisdom is you had better know what you are doing, be able to logically defend your actions and know how to address any potential problems that arise with whatever YOU implement.

Most Slashdotters lead such simple lives. (3, Insightful)

DerekLyons (302214) | more than 7 years ago | (#16029950)

I'm glad to see that most Slashdotters are financially independent -- or in a situation (like living in a relative's basement) where having money is irrelevant. I can see no other reason why most of the advice to date boils down to 'quit your job and run'. Few people outside of Slashdot are in such a happy position, I suspect.

Re:Most Slashdotters lead such simple lives. (2, Insightful)

dasunt (249686) | more than 7 years ago | (#16030239)

I'm glad to see that most Slashdotters are financially independent -- or in a situation (like living in a relative's basement) where having money is irrelevant. I can see no other reason why most of the advice to date boils down to 'quit your job and run'. Few people outside of Slashdot are in such a happy position, I suspect.

Maybe the posters that suggest finding another job have the foresight to keep a rainy day fund.

I know I'd rather jump ship before everything comes crashing down.

Re:Most Slashdotters lead such simple lives. (1)

SanityInAnarchy (655584) | more than 7 years ago | (#16030380)

My suggestion would be to have the other job lined up first. Don't tell your current bosses, though -- some places, it's standard practice to throw you out on your ass at the first mention of quitting, to prevent you from having an opportunity to screw them over.

Re:Most Slashdotters lead such simple lives. (0)

Anonymous Coward | more than 7 years ago | (#16030917)

I'm glad to see that most Slashdotters are financially independent

Thanks! I definitely worked hard to get to this point. I've got at least 6 months' pay in my money market, and a decent amount in dividend-paying stocks. I never want to be caught in a work-related situation where "walking out" is not an option. That's a conscious choice I made long ago, when all I had was $2500 in my bank account (along with $48,000 debt, oops).

or in a situation (like living in a relatives basement) where having money is irrelevant.

Alas, I have to help my parents with their bills as well, so that's not an option. Hmm, if you OWN your parents' house, is it still wrong to live in the basement? :-) No matter, they don't have one anyway.

I can see no other reason why most of the advice to date boils down to 'quit your job and run'.

Because that's what you do when you have a shitty job? The best thing this guy could do for himself is to start finding another job, pronto. Or go into business for himself, like these CPAs did. I'm sure he has the necessary skills to do one of these things, just based on his slashdot post.

Few people outside of Slashdot are in such a happy position I suspect.

Well, then they shouldn't complain about their jobs, since they made the choice to have them. (Yes I'm one of those crazy people that believes everyone is responsible for their own destiny).

Like Henry Ford said: If you think you can do a thing or think you can't do a thing, you're right.

Re:Most Slashdotters lead such simple lives. (1)

Zadaz (950521) | more than 7 years ago | (#16031681)

I thought most Slashdotters were talented enough to get a job.

(sarc) aside, the odds are that if you can hold one job, you can likely find another. Or are you so amazingly talented at job searching that you hit the perfect, most fulfilling, highest-paying job of all time on your first hit?

This is the problem most people have when looking for jobs: They think they (themselves) have nothing to offer. They sell themselves short and go into interviews with their hat in their hand.

Well screw that. A company hires a person because they have a need for a skillset. People have skillsets. When you look for a job, negotiate with the power you have (that you have something the company wants.)

I agree with half of what people have said. He should look at leaving and should document everything.

But look at doing some stuff that's lower tech. (Most CPAs need to be taught where the power button is, and think you're talking about the car when you mention a firewall.) Send some nice color articles on laptop theft and network intrusion (with the important parts highlighted) to the color printer and post them in the public places in the office. (Yes, color. They love color. And large terrifying headlines.) Make a bi-weekly security newsletter and physically send it to people's offices. No email; have you seen the state of these guys' Outlook? They've got 5000 emails in their in-box! Half unread!

Re:Most Slashdotters lead such simple lives. (1)

Svartalf (2997) | more than 7 years ago | (#16032472)

Unfortunately, it's still good advice, and if you're thinking ahead you can do this.

You see, the people in these sorts of companies think that they're just simply secure with things like an anti-virus program, etc. running on them. When something goes horribly wrong (and it will; it's not really a matter of if so much as when in these cases...) they will blame the poor SOB whose job it was to secure the stuff, even though they knackered his ability to do so: typically with a dismissal and, if they get sued, by suing you or deflecting the lawsuit from the customer they screwed over in the matter to go and sue YOU.

Unless you're even MORE well off than you imply, you don't want to be even remotely close to facing that sort of thing. Cutting and running, preferably with another job in hand, is the sanest and safest thing one can do in a situation like this. Unless you can get them to wise up, it's a ticking time bomb on your career and your financial stability that you just don't want around you.

Lots of wrong answers here... (5, Insightful)

Anonymous Coward | more than 7 years ago | (#16030000)

To date, most of the responses seem to be along the lines of "Cover your butt with a paper trail" or "find a different job." These are very common Infosec responses, and a large part of why companies want to keep Infosec insulated from real business management: most infosec people just don't get business.

In a company, you have three value dials: Risk, Cost, and Functionality. Let's address each of them in turn:

  • Risk. This is the big bugaboo, and what everyone seems to be focusing on. Well, earth to IT geeks: businesses deal with risks all the time. Extending credit is a risk, yet it's done daily. Why? Because risk cannot be eliminated, ever, in any business transaction. Still, there are a bunch of possible situations here: management may be underestimating risks, you may be overestimating them, or you may be underestimating management's tolerance for unmitigated risk. You need to find out which of these it is, not just assume the first one is always the case.
  • Cost. Each business is in business to make money. IT spending, including security spending, is money they don't get to keep as retained earnings. No matter how much a business makes, no sane business spends any money without a clear understanding of the associated benefit. Now, you and I may think stuff like sports sponsorships makes less sense than buying a new firewall, but the marketing expenses are designed to increase revenue, and the Infosec expenditures are designed to prevent losses. When push comes to shove, business management almost always prefers to spend money on revenue creation rather than loss prevention. Maybe it's because they've been lied to for so many years by so many IT people about productivity benefits that never materialized--have we considered that no one believes us because we have, as an industry, cried wolf far too often?
  • Functionality. Customers want more functionality, but often don't see the tie between new functionality and increased risk. This is an area where I've seen risk professionals really struggle, because as employees, our job is not to say "no" but "that's not a good idea" and then further explain the consequences of their desired functionality. Again, refer back to risk and cost. If they want to not spend the cost to mitigate the risk, and accept the risk, that's their call. They're entitled and empowered, by virtue of their positional authority, to accept risk on behalf of the company.

Bottom line? You need to ask about their risk tolerance. If their risk tolerance is higher than yours, that's fine. You're not there to impose some arbitrary set of security criteria on your business, you're there to implement the risk level management has decided to tolerate. If you can't tolerate the same risk level business management can, you can either try and continue to educate them--on the assumption that you're right and they're idiots--or quit. So yes, you can document stuff and/or quit, but those are only means to an end, which is to align your business risk expectations with management's.
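The post above asks the submitter to find out management's risk tolerance rather than assume it, and earlier posts ("managers only understand money matters", "how likely it is to happen and what it would cost, backed by someone else's numbers") say the same thing from the other side. The common way to put both sides in the same units is annualized loss expectancy: ALE = single-loss expectancy × annual rate of occurrence, compared with what each control costs and how much of that expected loss it removes. The script below is an added example, not code from this thread; it implements that arithmetic plus a small portfolio search over the controls that fit a budget. Every figure in it (fleet size, theft rate, cost per lost laptop, mitigation fractions) is a constructed placeholder to be replaced with the firm's own data and published breach-cost numbers; the output is only as good as those estimates, which is exactly why the partners, not IT, should be the ones supplying and signing off on them.

```python
"""Annualized loss expectancy (ALE) and return on security investment (ROSI)
for the laptop-loss and perimeter scenarios discussed in the thread.

Added example, not from the original thread. All dollar figures and rates are
constructed placeholders.
"""
from dataclasses import dataclass, field
from itertools import combinations
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class Scenario:
    name: str
    single_loss_expectancy: float   # cost of one occurrence, in dollars
    annual_rate: float              # expected occurrences per year (ARO)

    @property
    def ale(self) -> float:
        return self.single_loss_expectancy * self.annual_rate


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float              # licences, hardware amortized per year, staff time
    mitigation: Dict[str, float] = field(default_factory=dict)  # scenario name -> fraction of ALE removed


# Constructed scenarios. "laptop_theft": 40 field laptops, ~2.5%/year loss rate each
# (ARO 1.0), with breach notification, credit monitoring and client churn for the
# records on a typical laptop estimated at $200k. "perimeter": an aging firewall.
SCENARIOS: List[Scenario] = [
    Scenario("laptop_theft", single_loss_expectancy=200_000, annual_rate=1.0),
    Scenario("perimeter", single_loss_expectancy=100_000, annual_rate=0.2),
]

# Constructed controls. Mitigation fractions are assumptions: encryption removes the
# data-breach part of a theft but not the hardware, cable locks cut thefts, a new
# firewall halves the perimeter exposure.
CONTROLS: List[Control] = [
    Control("full_disk_encryption", annual_cost=2_500, mitigation={"laptop_theft": 0.9}),
    Control("cable_locks", annual_cost=1_000, mitigation={"laptop_theft": 0.5}),
    Control("firewall_replacement", annual_cost=5_000, mitigation={"perimeter": 0.5}),
]


def residual_ale(scenarios: Sequence[Scenario], controls: Sequence[Control]) -> float:
    """Expected annual loss after applying the given controls.
    Controls are treated as independent, so their residual fractions multiply."""
    total = 0.0
    for s in scenarios:
        remaining = 1.0
        for c in controls:
            remaining *= 1.0 - c.mitigation.get(s.name, 0.0)
        total += s.ale * remaining
    return total


def rosi(scenarios: Sequence[Scenario], control: Control) -> float:
    """Return on security investment for one control on its own:
    (ALE reduction - annual cost) / annual cost."""
    saved = residual_ale(scenarios, []) - residual_ale(scenarios, [control])
    return (saved - control.annual_cost) / control.annual_cost


def best_portfolio(scenarios: Sequence[Scenario], controls: Sequence[Control],
                   budget: float) -> Tuple[List[str], float]:
    """Exhaustively pick the subset of controls within budget that minimizes
    residual ALE plus control cost (fine for a handful of controls)."""
    best: Tuple[List[str], float] = ([], residual_ale(scenarios, []))
    for k in range(1, len(controls) + 1):
        for subset in combinations(controls, k):
            cost = sum(c.annual_cost for c in subset)
            if cost > budget:
                continue
            total = residual_ale(scenarios, subset) + cost
            if total < best[1]:
                best = ([c.name for c in subset], total)
    return best


if __name__ == "__main__":
    print(f"baseline ALE: ${residual_ale(SCENARIOS, []):,.0f}")
    for c in CONTROLS:
        print(f"{c.name:22s} cost ${c.annual_cost:>7,.0f}  ROSI {rosi(SCENARIOS, c):6.1f}x")
    for budget in (3_000, 10_000):
        names, total = best_portfolio(SCENARIOS, CONTROLS, budget)
        print(f"budget ${budget:,}: {names} -> expected annual loss + cost ${total:,.0f}")
```

The number to take into the partners' meeting is the last line for the budget they are willing to spend: an expected annual cost with and without the controls, in their units. If they still decline, the same table is the documentation of what was declined.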

Re:Lots of wrong answers here... (2, Interesting)

Peter La Casse (3992) | more than 7 years ago | (#16030543)

So yes, you can document stuff and/or quit, but those are only means to an end, which is to align your business risk expectations with management's.

There are two ends that your analysis misses:

1) avoid becoming the fall guy when one of the risks inevitably occurs (documentation)

2) minimize one's personal workload when one of the risks inevitably occurs (quit; see below for more options)

In the submitter's scenario, it appears that management does not understand these particular risks enough to make an educated decision about where to set their risk tolerance. The submitter's question is this: "Disaster is imminent. What do I do?" "Align your risk expectations with management's" doesn't solve the problem.

Some things can be done. Security improvements can be bundled along with "upgrades". Fallback plans for when management panics and says "do something" can be made. Good backups can be kept. Backup restoration procedures can be tested. Case studies of similar organizations that experienced these particular risks can be brought to management's attention.

Re:Lots of wrong answers here... (2, Insightful)

Anonymous Coward | more than 7 years ago | (#16030621)

1) avoid becoming the fall guy when one of the risks inevitably occurs (documentation)

You may be writing from somewhere where this might make a difference. I'm writing from the United States, where they can (and sometimes will) fire you for things that are not your fault, and you really don't have any recourse. I don't think documentation is a bad thing, I just think that anyone whose mind zooms straight to CYA is part of the problem, not part of the solution. Sure, documentation is a good thing, but if you're having the "what level of risk is tolerable?" discussions, documentation is a byproduct.

2) minimize one's personal workload when one of the risks inevitably occurs (quit; see below for more options)

So, if you're salaried and don't get overtime, this might be an issue. If you're NOT salaried, the answer to this is called "overtime." It's a pay-me-now, pay-me-later kind of thing, and any reasonable business manager knows that if he gambles wrong and loses, he has to pay. There really isn't any insurance against unplanned overtime if you're in a production support role, so I should hope that the local employment laws and/or your negotiated contract would provide adequate compensation. Failing that, you can always quit when they need you most, I suppose, if you don't want the overtime. Just realize that asking for more money to handle an unanticipated problem is generally a lot easier than getting a manager to admit that he was wrong.

Overall, your post seems an apology for the sort of thinking I was criticizing earlier, so let me elaborate a bit more: "The sky is falling!" won't get you anywhere, even if it is. Managers will just shut you out, mentally, even if they pretend to listen to you. You need to communicate with your boss as dispassionately as his doctor might, if she were giving him a cancer diagnosis. That's your role: it's not YOUR problem, it's THEIR problem, and you've been hired as an expert helper to get them through so they can achieve their goals. Even if the sky is falling, it's certainly not falling on YOUR head. You get unemployment insurance if they go under, right?

Re:Lots of wrong answers here... (1)

Peter La Casse (3992) | more than 7 years ago | (#16030808)

1) avoid becoming the fall guy when one of the risks inevitably occurs (documentation)

You may be writing from somewhere where this might make a difference.

I am - from the United States. If CYA were ineffective, there wouldn't be so many people doing it. Sometimes, documenting an accurate prediction works to one's benefit.

2) minimize one's personal workload when one of the risks inevitably occurs (quit; see below for more options)

So, if you're salaried and don't get overtime, this might be an issue. If you're NOT salaried, the answer to this is called "overtime." It's a pay-me-now, pay-me-later kind of thing, and any reasonable business manager knows that if he gambles wrong and loses, he has to pay. There really isn't any insurance against unplanned overtime if you're in a production support role...

I believe that most people in the submitter's position are salaried. Despite that, though, "overtime" is not a solution -- it simply makes things less bad. The problem/goal is that the employee would rather be doing other things (be they regular duties or putting out other fires). There is insurance against unplanned overtime: contingency planning.

Overall, your post seems an apology for the sort of thinking I was criticizing earlier

I hope so! Documentation of risk is important, and leaving a bad situation for a better one is a valid strategic move.

Even if the sky is falling, it's certainly not falling on YOUR head. You get unemployment insurance if they go under, right?

Losing one's job, even with unemployment insurance, is not a best-case scenario. If you believe the sky is about to fall, why wait until it actually does before getting a new job?

Re:Lots of wrong answers here... (0)

Anonymous Coward | more than 7 years ago | (#16031164)

Documentation of risk is important

...and this statement is the crux of why your perspective is sub-optimal and unproductive. Nothing personal, lots of people in this thread agree with you, and are equally wrong. It's like saying "breathing is important" in a safety course. Well, yes, breathing is important, but it's not exactly something one generally has to concentrate upon, is it?

Here's my alternative wording:

"As an information security professional, it is my job to accurately assess risk, communicate that risk to relevant management, and carry out the resultant business decision."

Each one of those steps has a piece that is "documentation," but in each case the documentation is a side-effect or byproduct of a real business process. Thus, if I'm doing my job right, documentation comes as naturally, as, well, breathing.

Re:Lots of wrong answers here... (1)

Peter La Casse (3992) | more than 7 years ago | (#16031316)

Documentation of risk is important

...and this statement is the crux of why your perspective is sub-optimal and unproductive. Nothing personal, lots of people in this thread agree with you, and are equally wrong. It's like saying "breathing is important" in a safety course. Well, yes, breathing is important, but it's not exactly something one generally has to concentrate upon, is it?

I wish good processes were as easy as good breathing. If proper documentation occurs at your place of work, don't take it for granted.

Here's my alternative wording:

"As an information security professional, it is my job to accurately assess risk, communicate that risk to relevant management, and carry out the resultant business decision."

That is a good way to state it. The submitter's question is this: having done that, and recognizing that disaster is about to occur anyway, what do I do?

Run, do not walk, to the nearest job posting. (1)

OmniGeek (72743) | more than 7 years ago | (#16031474)

The submitter's question is this: having done that, and recognizing that disaster is about to occur anyway, what do I do?

If, indeed, that is the submitter's question and he cannot in fact avert or mitigate the risk on account of willful neglect by management, the only sensible response is to 1) produce a paper trail demonstrating that it is NOT his fault (in the likely event of a lawsuit -- Americans are, statistically, litigious bastards), and 2) get the Hell out of Dodge before the disaster happens.

Staying in place would be like remaining in the path of a hurricane; don't do it unless you are prepared for personal risk and unpleasantness, and have a VERY good reason for remaining.

Bailing in this situation would be both rational and ethical, given that best efforts at warning of the risk have been made and ignored. Of course, if the situation does NOT embody these elements, it's a different matter with, probably, a different answer to the question, but that appears to be the question that's been asked.

Re:Lots of wrong answers here... (1)

sjames (1099) | more than 7 years ago | (#16039544)

Some things can be done. Security improvements can be bundled along with "upgrades". Fallback plans for when management panics and says "do something" can be made. Good backups can be kept. Backup restoration procedures can be tested. Case studies of similar organizations that experienced these particular risks can be brought to management's attention.

It's also worth questioning if the presentation to management is part of the problem. Were all risks great and small presented as the end of the world? If so, management may write the whole thing off as doomsaying.

Perhaps a balanced presentation with recommendations rated on scales of security and convenience, with the risks of each pointed out. Then they can make an informed decision. A nice side effect is that now it's all well documented and will show clearly that they chose against recommendation. Or perhaps when it's all laid out like that they will see that the risks are real and the inconvenience is justified.

Re:Lots of wrong answers here... (2, Informative)

sohp (22984) | more than 7 years ago | (#16031549)

That's well put. One way to approach it in discussions with management is something like this:

1) Real infosec breaches that have happened, and the cost (cite the loss of VA data, or other situation, and the costs that the companies have paid, including things like picking up the cost of credit reports for a year, etc)

2) Some real things we can do, right now, and what it has cost to do similar things at other companies.

3) The kinds of user-visible "annoyances" that the suggestions will trigger, and potential costs and experiences for the transition. Be sure to acknowledge that change is always going to result in some short-term friction and negative feedback, and give examples of how that's resolved itself in other cases.

After that, as the parent says, it's up to management to decide the cost/risk tolerance they are comfortable with, and if that differs from your own, you have a choice to make. Change jobs, accept their choice without reservation, accept their choice but continue a long-term dialog between your team and the business and resolve and respond to issues as they come up in ways that move towards your goals.

Does the firm have a legal department? (1)

hackwrench (573697) | more than 7 years ago | (#16030002)

If so, go to them with it. I would think that the firm would have to employ lawyers in some capacity, however.

Are you a stockholder? (1)

zogger (617870) | more than 7 years ago | (#16030037)

If you are a stockholder, you might want to consider looking at the situation from that point of view, with your lawyers. When working as an employee doesn't work, turn around and look at it from an ownership position, which as a stockholder you are. If they are putting your investment and the other stockholders and the clients at serious risk, you just might have a rather strong case. Think about it: a firm like that really relies on trust from the clients and public reputation for accuracy and security; if what you say is true they are not doing due diligence to maintain that. Then let your hired mouthpieces do the talking for you, and just shut up at that point. The tightwad stupid managers may ignore you, but they aren't going to ignore them.

CYA Principle... (1)

paploo (238300) | more than 7 years ago | (#16030355)

It doesn't solve your problem, and I saw other posts that said essentially this, but it is *very* important that you properly document your concerns and suggested remedies and propagate it out to all the company officers (CEO, CFO, COO, etc). It is the company officers' problem if the company gets in serious trouble because of their security problems and gets sued by their investors -- but only if one can prove they knew about the problem.

In writing the document, I would go beyond digital means. By that, I mean write up the report (it is a report, not a memo) in your favorite word processor, print physical copies for all the people you want to deliver it to, and then *hand deliver* these copies directly into the hands of the officers, usually with words about how critical this problem is and that you are looking out for the company and its officers.

This may have the effect of action, but if you end up with inaction, at least your report will be written and filed to each of the officers. If inaction occurs, you may want to give a copy of your report to other managers and friends in the company, so that you have witnesses that you actually produced the report at a given time.

Lastly, I wanted to follow-up on the report vs memo statement. You really should write a report, complete with identifying the problems and why they exist--complete with references to documents that explain why these problems are so critical, identification of possible solutions (including the upsides and downsides to any competing solutions), and if you have the time, capital cost and time estimates to implement each solution.

It should take you a week or two of using little bits of time you have lying around here and there, but the report will make a very clear case for your concerns, so that upper management knows *exactly* what the concerns are and can make an informed decision with your butt in the clear.

Remember, the company officers are legally responsible for a corporation should a disaster happen due to negligence. Therefore, it is up to them to decide what risks to take regarding security. That being said, you have to make sure your butt is in the clear! Inform the heck out of them.

Liability waivers. (2, Insightful)

SocialEngineer (673690) | more than 7 years ago | (#16030409)

If you can convince them to, have them sign printed copies of you explaining exactly what they are passing up on. Could be a potential "Fire Me", though, so get another job lined up.

I know exactly how you feel. I'm not the sys/net admin at my workplace, but I always chime in with advise, since I'm the only other person there with a degree in computers, and I've been studying computer and network security for a number of years now (my official title is graphic artist/web developer). Most of my security related advise just gets brushed off as paranoia - the classic "We are such and such, why would anybody want to compromise us?" - I try to explain that it isn't always people intentionally targeting specific organizations, but they don't care. When discussing pricing and the deadline for a large scale project with my boss, I mentioned I'd need plenty of time for security auditing, and might bring in some out of house help for pen testing. They stopped me mid sentence and said - "Is this what real people consider good security practices, or YOUR paranoia?" - Feh. I bit my tongue at that point, but I wanted to scream. These people aren't used to having to care - heck, having to use any sort of password is too much for most of them. I'm just waiting for the day we get a network intruder, and have thousands upon thousands of clients information in the wrong hands.

It's a good thing I'm valuable to my workplace, otherwise they'd probably fire me because of my belligerent attitude towards their apathy for security.

Loss, Theft are the LEAST of Your Concerns (1)

aminorex (141494) | more than 7 years ago | (#16030566)

The impact of the loss of an unsecured laptop is probably very low, as the data will probably be wiped immediately to anonymize the item for resale. Much more significant risk derives from the vulnerability of unsecured mobile devices to the injection of a REAL Trojan Horse (not in the sense of a UI deceit, but in the sense of a rootkit that turns the laptop itself into a hostile agent). I should know, I made BIG bucks building scanners for these things, fairly recently.

But of course, it's not feasible to (1) get work done and (2) retain employees without providing them with usable laptops. The solution can only be to secure the laptops using something like SELinux, which is largely immune to rooting.

As regards the thin line of defense, that's just a matter of deploying some free software on disused hardware, so you've got only yourself to blame if it hits the fan.

It's not a business risk .... (2, Insightful)

RallyDriver (49641) | more than 7 years ago | (#16030661)

.... until legal and public pressures force greater accountability to companies for security breaches.

I recently got a disclosure letter (as required by laws like California SB 1386) from Hotels.com because an employee of their auditors (Ernst and Young) had their laptop stolen from their car, with a ton of credit card numbers, mine included. Most readers here will be able to spot the multiple basic security mistakes that led to this situation, indicating that E&Y doesn't care to even get the most fundamental things right.

The "shaming" benefit of these laws has a small beneficial effect; however, businesses will not really care about security breaches (and arguably have a duty to shareholders NOT to spend time and money on the problem) until the law or public opinion changes to the point where such a breach seriously hurts the balance sheet or the stock price, and right now we're a long way from there.

You could share your collection of such letters with your employer, but expect a continued "so what?" response.


Make sure you have an incredible paper trail... (0)

Anonymous Coward | more than 7 years ago | (#16031138)

...and then nape' the fuckers. Grab a laptop, use it to log into the network, fuck their shit up. Try and break their data in such ways that individual breakages won't be noticed until the resulting nightmare horror event comes down on them like a ton of bricks. Try to anticipate what they will do when things go fucked-sideways-from-Wednesday and have their actions trigger an event that makes the first look like nothing. Email payroll to every employee in the company through a couple of anon. services. Send amazingly embarrassing stuff to their customers, competitors and associates. Post their bank records on usenet. Programmatically introduce small errors to all kinds of transactions in their accounting database such that all the numbers add up correctly and balance when you're done.

Then say that you can't deal with the stress of dealing with their broken shit and go get a new job.

You might also put cement in their gas tanks, glue the toilet seats down and feed them massive doses of laxative. That combination is always good for a laugh.

SOX? (1)

Danious (202113) | more than 7 years ago | (#16031875)

Does Sarbanes-Oxley apply to your firm? If so, then they are not compliant and are knowingly in breach of the law, a crime which carries jail time for the executives involved. It scares the bejeebus out of our CEO; all we have to do is whisper that dreaded TLA and money gets thrown at the problem.

John.

Print the Emails (1)

Fujisawa Sensei (207127) | more than 7 years ago | (#16035026)

Print copies of the suggestions, and responses.

Put your resume online.

If you're feeling really grumpy, and you're in a "right to work" state: when you get the job offer, tell them you can start immediately. Grab your stuff. Email your resignation. :-P

Speak their language (1)

ebbe11 (121118) | more than 7 years ago | (#16036194)

The language of business people in general and CPAs in particular is money.

Calculate how much a security breach will cost them, both in direct costs (e.g. work needed to get back on track) and derived costs (e.g. lost business because customers leave), for several scenarios of different severity, and present these numbers to management.

Action list.. (1)

cheros (223479) | more than 7 years ago | (#16040698)

I've recently started an "IT for Leaders" coaching package which gives CEOs insight into what IT actually does for them and how they can (a) tell IT what they need and (b) understand what IT is trying to tell them. I simply got fed up with sales people selling them crap, so I figured I'd deal with the root cause.

Now, my background is security so one whole session is dedicated to risk management (with 'Beyond Fear' as one of the important references to read) and you have no idea how much they don't know (it's one of the reasons this course is rather successful :-). The problem is that you cannot get their ear unless they want to hear, so here are 3 steps.

(1) First of all, cover yourself. Preserve emails and keep printed copies. Do NOT rely on the email staying in the system (fatal mistake). You have done your best, but, let's face it, you're the messenger.

(2) Make a detailed risk analysis, or, better, get them to buy time from one of the hideously expensive consultancies to do the same. I could do it, but you'd have to ship me from Europe (CH) so it would get even more costly (although I've done some work in Sacramento a while back, staying a couple of floors under where Arnie apparently has his residence ;-). The reason to throw money at it is that some of these guys will not pay attention unless it hurts their budget or wallet (I guess that's why they buy MS, but I digress :-). That doesn't mean that a good consultant cannot add significant value through his/her experience, but I've worked long enough in that field to know that, numerically, the lemons far outweigh the stars, so value for money is not always a given.

(3) PUT NUMBERS ON IT. Unauthorised disclosure of information can lead to competitive threat (if trade secrets and strategy), legal threat (violation of privacy), liability (consequential damages) and loss of reputation (damage to brand, company image). Each individual threat can -to a degree- be translated into $$ by making some basic assumptions; that's how insurance works. Speaking of which, lowering risk means lowering insurance premiums - also worth mentioning.

Let's face it, in a way you're in the process of selling your acutely worrying insights to higher management. Well, a basic rule of sales is that it happens either via greed, fear or both. Greed: less income, loss of bonus (notice that "the company" doesn't feature in this, it's personal). Fear: exposure of ignorance, court appearance for negligence, criminal record (depends on country).

And if it all fails, find a sympathetic ear closer to your level and hope that it percolates upwards. Or, just fix the problem without telling them. If you add a crypto section to your build which uses even the basic Windows encryption (i.e. encrypted unless logged in) you have at least started to deal with some of the issues. I found it's quite good to give senior management fingerprint sensing laptops because of the gadget factor. That in the background you can hook up a crypto suite is not something they're even aware of, but it makes you sleep better at night. However, make absolutely sure that you have some sort of automated backup process going that works, like a DLO client. Otherwise, losing the key is about the same as erasing the data.

If you're in the UK, make sure you document crypto key creation and disposal or you could end up in trouble if you get served with a warrant under the Regulation of Investigatory Powers Act. Under RIPA you're guilty until you can prove your innocence if you cannot access corporate encrypted data.

In any case, good luck. You'll need it.
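The costing that ebbe11 ("Speak their language") and cheros (step 3, "PUT NUMBERS ON IT") both recommend, worked through as an added example that is not from any poster in the thread. It uses the standard annualised-loss-expectancy model (ALE = yearly probability x cost per incident) for the three scenarios the thread raises (lost laptop, perimeter compromise, rooted field laptop); every dollar figure and probability is a constructed placeholder to be replaced with the firm's own estimates.

```python
"""Constructed risk-costing worksheet: expected loss per scenario, with and
without the proposed controls (disk encryption, perimeter refresh, backups)."""
from dataclasses import dataclass


@dataclass
class Scenario:
    name: str
    probability: float            # expected occurrences per year, as things stand
    direct_cost: float            # recovery, forensics, notification letters, legal
    derived_cost: float           # clients who leave, reputation, higher premiums
    mitigated_probability: float  # occurrences per year once the control is in place
    mitigated_cost: float         # total cost of an incident that still happens

    def ale(self) -> float:
        """Annualised loss expectancy in the current state."""
        return self.probability * (self.direct_cost + self.derived_cost)

    def mitigated_ale(self) -> float:
        """Annualised loss expectancy with the control deployed."""
        return self.mitigated_probability * self.mitigated_cost


def cost_of_inaction(scenarios) -> float:
    return sum(s.ale() for s in scenarios)


def cost_with_control(scenarios) -> float:
    return sum(s.mitigated_ale() for s in scenarios)


def return_on_security_investment(scenarios, annual_control_cost: float) -> float:
    """ROSI = (risk reduction - control cost) / control cost; > 0 means the
    control is cheaper than the expected losses it prevents."""
    reduction = cost_of_inaction(scenarios) - cost_with_control(scenarios)
    return (reduction - annual_control_cost) / annual_control_cost


# Constructed figures. Note that encryption does not stop laptops being stolen;
# it removes the disclosure cost, so probability stays put and cost collapses.
SCENARIOS = [
    Scenario("Field laptop with client tax files lost or stolen", 0.5, 60_000, 140_000, 0.5, 10_000),
    Scenario("Perimeter compromise, client data exfiltrated", 0.1, 250_000, 750_000, 0.02, 800_000),
    Scenario("Field laptop rooted and used as a beachhead", 0.2, 80_000, 120_000, 0.04, 150_000),
]
CONTROL_COST = 45_000.0  # constructed yearly cost of encryption, firewall refresh, backup client


def summary(scenarios=SCENARIOS, control_cost=CONTROL_COST) -> dict:
    return {"ale_now": cost_of_inaction(scenarios),
            "ale_with_control": cost_with_control(scenarios),
            "rosi": return_on_security_investment(scenarios, control_cost)}
```

Presenting the per-scenario `ale()` against `mitigated_ale()` lets the partners see which line item the control actually buys down, rather than a single scary total.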

Documentation (1)

paulevans (791844) | more than 7 years ago | (#16061703)

Document every time that you speak with management: write these "questioning sessions" down with a date/time and who you spoke with, and quote their answers as straightforwardly as you can.

You have NO power to force them to do anything; it sounds like you did everything you could to inform them of the problems that plague your company. It sucks, but that is all that you can do.

When the bad thing happens, and it will, they'll start pointing their finger at you. Calmly take out these sheets that you made earlier, and show how this solution that you presented would have solved the problem.

They might try to fire you; don't worry, go to court. Bring all of this documentation; it will show the judge that you were attempting to do your job, while your employer roadblocked solutions that would have taken care of the problem. So you presented a solution that would have prevented the problem, and your employer stopped it. Now your employer fired you for . . . not providing the solution . . . nah, that's not going to fly.
