Information Security and Ignorant Management?
jmahler asks: "Suppose you work for a fairly decent-sized (but independent) CPA firm in the IT department. Suppose further that you have repeatedly warned the partners of the dangers of having unsecured laptops in the field, and have requested to replace the very thin, and rapidly aging line of defense (and functionality) currently protecting your network from all of the mean and nasty folks on the Internet. Let's continue, then, to suppose that the partners have all agreed to ignore every recommendation put forward regardless of cost or benefit. Is there a good way, beyond memos and emails, to inform the partnership that the water in which they tread could quickly become dangerous? What about absolving ourselves of responsibility for data theft and loss from a laptop 'disappearance' in the field?"
If you're worried, resign. (Score:3, Interesting)
Re: (Score:3, Interesting)
Re:Stop Laptop Data Theft (Score:1, Funny)
Re: (Score:2)
You realize that USB is nothing but a huge unsecured network. All someone would have to do is place their own device on the USB network on the computer that is using it, listen and get the key, and after that just repeat it for access without the person. I am sorry, but no. If someone wanted to get the data, all it would take is a little planning.
Also the idea of highest level of encryptio
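The replay the commenter describes, as an added example that is not part of the thread: the bus, token and host are simulated in-process (no real USB involved), and the token secret is a constructed placeholder. A token that answers every request with the same bytes can be replayed by anyone who recorded the bus once; a token that answers a fresh host challenge with an HMAC cannot, because the recorded response is bound to an old nonce.

```python
"""Static-secret USB token vs. challenge-response token on a sniffable bus."""
import hashlib
import hmac
import secrets

# Constructed placeholder: a 32-byte secret provisioned into the token.
TOKEN_SECRET = bytes.fromhex(
    "4f1d2c8e9b7a6c5d3e2f1a0b9c8d7e6f5a4b3c2d1e0f9a8b7c6d5e4f3a2b1c0d")


class Bus:
    """Shared medium every attached device can observe; everything sent is logged."""

    def __init__(self):
        self.log = []

    def send(self, src, payload):
        self.log.append((src, bytes(payload)))
        return bytes(payload)


class StaticToken:
    """Token that emits the same secret on every request."""

    def __init__(self, secret):
        self._secret = secret

    def unlock(self, bus):
        return bus.send("token", self._secret)


class StaticHost:
    """Host keeps a copy of the secret and compares the presented bytes."""

    def __init__(self, secret):
        self._secret = secret

    def verify(self, presented):
        return hmac.compare_digest(presented, self._secret)


def static_scheme_replay_succeeds():
    """Record one legitimate unlock, then replay it with the token gone."""
    bus = Bus()
    token = StaticToken(TOKEN_SECRET)
    host = StaticHost(TOKEN_SECRET)
    assert host.verify(token.unlock(bus))      # genuine unlock
    captured = bus.log[-1][1]                  # what a sniffer saw
    return host.verify(captured)               # True: replay works


class ChallengeResponseToken:
    """Token that never emits its secret; it MACs whatever the host sends."""

    def __init__(self, secret):
        self._secret = secret

    def respond(self, bus, challenge):
        mac = hmac.new(self._secret, challenge, hashlib.sha256).digest()
        return bus.send("token", mac)


class ChallengeResponseHost:
    def __init__(self, secret):
        self._secret = secret

    def new_challenge(self, bus):
        # Fresh 16-byte nonce per attempt; it travels the bus in the clear too.
        challenge = secrets.token_bytes(16)
        bus.send("host", challenge)
        return challenge

    def verify(self, challenge, response):
        expected = hmac.new(self._secret, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)


def challenge_response_replay_succeeds():
    """Record one (challenge, response) pair, then replay the response."""
    bus = Bus()
    token = ChallengeResponseToken(TOKEN_SECRET)
    host = ChallengeResponseHost(TOKEN_SECRET)
    c1 = host.new_challenge(bus)
    r1 = token.respond(bus, c1)
    assert host.verify(c1, r1)                 # genuine unlock
    c2 = host.new_challenge(bus)               # next boot: new nonce
    recorded_response = bus.log[1][1]          # attacker's copy of r1
    return host.verify(c2, recorded_response)  # False: bound to c1, not c2


if __name__ == "__main__":
    print("static token replay works:", static_scheme_replay_succeeds())
    print("challenge-response replay works:", challenge_response_replay_succeeds())
```

The caveat a practitioner would add: challenge-response only helps when the host already holds the key material (for instance sealed in a TPM) and the token merely authorizes its release. If the token's job is to ship the disk key across the bus, the sniffer already has the key and nothing needs replaying, which is exactly the commenter's point.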
Re: (Score:1)
Re: (Score:2)
Maybe make it simple: a device that prevents the computer from seeing the device removal.
Re: (Score:1)
Re: (Score:2)
I agree, because if you managed to plug it into the USB drive with the data on it, well, I am sure you would break something.
Re:If you're worried, resign... AND QUICK (Score:2)
I was in a similar situation a few years back at a company I was working for. For _months_ I'd been warning about issues that would have cost less than $1000 to take care of. Memos did nothing. Emails did nothing. Phone calls did nothing. Actually showing them what could happen and the resulting chaos that would ensue did nothing. Setting up a budget and implementation schedule did nothing.
When the shit finally hit the fan and the cost to them was in the 6-figures, I was cal
Re: (Score:2)
Make note about the removal of all computer equipment for up to 30 days in the event of a criminal investigation and that also includes the home computers of the responsible officers of the company, which you categorically and legally state in the
Before you resign (Score:2)
ooo... shiny (Score:2)
Re:ooo... shiny (Score:4, Insightful)
Re: (Score:1, Offtopic)
Two things... (Score:5, Insightful)
Second, quit that job. Make it very clear that you are unable to perform your job duties and move on to greener pastures. Unless you have a stake, financial or otherwise, beyond just a paycheck, is it worth all the frustration and coming headaches? You know they will suffer a very bad event and want to blame you. Even with your evidence, you know you'll be the scapegoat and be fired. Just leave now and get a better job.
Re: (Score:3, Interesting)
Because that is when the customers are going to sue and win, since your company refused to do its due diligence in protecting the information.
Additionally, hire a penetration tester (bonded and insured, unless (s)he's a buddy of yours) without telling your bosses. Even if the results don't change their minds, you've Covered Your Ass.
Re: (Score:2)
> A-Z if the company has an info leak.
Sure. So what? He'd be deposed anyway, and it doesn't sound like he'd lie for his bosses.
> Additionally, hire a penetration tester (bonded and insured, unless (s)he's a
> buddy of yours) without telling your bosses.
And get fired and prosecuted. Tell the bosses you want to hire a pen-tester. If they refuse, document it.
Re: (Score:2)
While that paper trail can definitely be bad for the company, for the person in question it is almost necessary. If the company does get sued by a victim of their incompetence, they will get what they deserve. However, if the people in charge start looking for a scapegoat, the IT person won't have to worry. Especially in anything public, the documents help shield the employee, both from man
Re: (Score:2)
If there's enough of a paper trail, it shouldn't matter. I'd keep the paper trail ready, and try to line up another job first -- better than going without a paycheck for awhile.
Re: (Score:2)
Often where one avenue of information is saturated, it's hard to get a message through. Email is a perfect example. People have too much useless email, so it's a bad way to get a message through. But people do take cues from others' behavior, and if you are seen acting as if this is a big problem, then others will get the message.
So, instead of email, send paper m
Re: (Score:1)
As an information security professional you have one job to do and that is reduce risk. If you have done all that is within your power to highlight the level of risk your company is facing and they effectively "sign off" on your report/comments (it's best to try and get this "sign off" in some formal document, fai
Re: (Score:2)
You did your job (Score:3, Informative)
You're only paid to do your job and you did your job. If they don't listen to your advice that's their problem. Just make sure you keep copies of the e-mail you sent on the topic. If something "really bad" happens, then you can say you recommended X, Y, Z and they did absolutely nothing about it.
Simon
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
My advice for you -- look for a new job. The longer you are in a job that bad -- the harder it will be to find a good job later.
Re: (Score:2)
It also may be time for him to ask what he wants to do with his career. He obviously has no credibility with management and will be nothing but an "OMG fix the Internet" monkey. If he ever wants to be anything more, he needs to leave.
Poster, time to start taking yourself seriously and demanding that others do so! Or gain forty pounds, grow a ponytail, and prepare yourself for a life of Chee
Fucking CPAs (Score:2, Funny)
You've told them, you've done your job. Now just sit back and watch. Of course you'll have to pick up the pieces later but that's your job. Or at least that's how the CPAs see it.
As others have said, quit (Score:3, Insightful)
If that still doesn't work, quit. They are going to hold you responsible when the feces hit rapidly spinning blades despite the fact that you have done everything in your power besides smacking them to try to avoid it.
Suggestions (Score:2, Interesting)
Second would be to find the appropriate IRS tax confidentiality laws and try to explain to them how the breach of your network would fuxxor their Happy Place. Most CPA firms I've worked with do have tax information as well, so this is certainly a valid argument.
While I'm doing this, I would see about
Re: (Score:2)
Face to face meetings (Score:1)
And use Powerpoint too! (Score:1, Redundant)
Seriously, if they've not listened to him after repeated attempts, they'll most likely not listen to him face-to-face either.
The best he can do is keep good records of his communications, because when something happens, he'll be the scapegoat.
Protect them in spite of themselves (Score:1)
If the folks you work with aren't savvy enough to understand the risks, you have a hard sell. Best you can do is try to protect them in spite of themselves. Personally I'd grab a spare box, slap OpenBSD or a minimal linux distro
Speak to them in their own language (Score:2)
Ask the managing partners for indemnification, so that if and when the firm is sued by its ex-customers, the firm assumes the responsibility for not doing the due diligence you proposed, and agrees to pay the costs of your defense.
Money speaks to a CPA. Mind you, they may then consider a cost reduction equal to your salary a good thing, so have a new job lined up!
--dave
Re: (Score:2)
I'm not disagreeing with the BSD box but it's funny nobody has mentioned maybe updating the IOS on the PIX. Every firewall in existence (including the various Linux/BSD-based options like IPchains, IP tables etc) has had the occasional vulnerability.
Security is not about flipping a switch and walking away, it's an ongoing and ever-evolving process...
Have you tried saying the magic word? (Score:5, Insightful)
No, not "Please", but "Sarbanes-Oxley"
Re: (Score:2)
Re: (Score:1)
So if you aspire, as an accountant, to ever doing any work for any publicly listed corporation, you might want to get with the program...
Re:Have you tried saying the magic word? (Score:4, Informative)
And against accounting firms and CPAs.
Re: (Score:3, Insightful)
It makes me sick to see how much this overreaching, overreacting federal regulation is being used by IT departments to run companies as if it's the IT department that's actually in charge of things. The IT department serves the business, not the other way around. IT departments that have to use SOX to enforce their wishes aren't serving the business, they're playing games with it. The business should (I know there are companies out there that actually are hopeless, bu
Your job is to inform management (Score:5, Insightful)
strike
Re: (Score:2)
Did you also propose solutions/steps? (Score:5, Insightful)
Or the options proposed are just unacceptable.
e.g. instead of banning laptops in the field, have encryption for the laptops, and regular backup plans.
As for the Cisco IOS firewall, I don't think it is really that bad; it just depends on what rules you have. Expensive firewalls aren't so important if you're not dependent on a GUI and don't have very complex requirements.
What you need to do is secure and patch the exposed services - web, mail, app servers etc.
If you have proposed steps and options, and they choose to ignore you, then that's their decision.
But I would recommend that you prioritize on having decent backups.
Three things (Score:1)
Here is what I would do... (Score:5, Insightful)
With this out of the way...
Remember: managers only understand money matters. Point out the financial risks any chance you get and you will probably have their full and undivided attention.
Again, if all else fail, just get out of the company as quickly as possible, and keep that paper trail on your USB key for the next decade or so... Or, even better, keep two copies, one on the USB key and the other on a CD-ROM.
It reminds me of the day when -- in a security-conscious software publisher -- the CFO wanted everyone to be on a Wifi network. During a meeting on this subject, I simply pointed out that anyone with a Wifi card could probably snoop on the network traffic from one of the offices above ours. The Wifi project disappeared before you could say "war driving"...
Re: (Score:2)
Some eccentric individuals might also keep a copy of their paper trail printed on actual paper.
If it's that important, don't give them an option (Score:3, Interesting)
If your job is the secure infrastructure of the business then don't give them any option that they have a less secure infrastructure. Tell them "this is a necessary upgrade to the system which will improve the operational condition of the network", etc. There are no false truths there; it is necessary and will improve conditions. Saying "we should" gives them the opening to pinch pennies and to drag their feet.
Second wisdom is you better know what you are doing, be able to logically defend your actions and know how to address any potential problems that arise with whatever YOU implement.
Most Slashdotters lead such simple lives. (Score:4, Insightful)
Re: (Score:3, Insightful)
Maybe the posters that suggest finding another job have the foresight to keep a rainy day fund.
I know I'd rather jump ship before everything comes crashing down.
Re: (Score:2)
Re: (Score:2)
(sarc) aside, the odds are that if you can hold one job, you can likely find another. Or are you so amazingly talented at job searching that you hit the perfect, most fulfilling, highest paying job of all time on your first hit?
This is the problem most people have when looking for jobs: They think they (themselves) have nothing to offer. They sell themselves short and go into interviews with their hat in their hand.
Well screw that. A company h
Re: (Score:2)
You see, the people in these sorts of companies think that they're just simply secure with things like an anti-virus program, etc. running on them. When something goes horribly wrong (and it will; it's not really a matter of an if so much as a when in these cases...) they will blame the poor SOB whose job it was to secure the stuff, but that they knackered his ability to do so, typically with a dismissal and if they get sued sui
Lots of wrong answers here... (Score:5, Insightful)
In a company, you have three value dials: Risk, Cost, and Functionality. Let's address each of them in turn:
Bottom line? You need to ask about their risk tolerance. If their risk tolerance is higher than yours, that's fine. You're not there to impose some arbitrary set of security criteria on your business, you're there to implement the risk level management has decided to tolerate. If you can't tolerate the same risk level business management can, you can either try and continue to educate them--on the assumption that you're right and they're idiots--or quit. So yes, you can document stuff and/or quit, but those are only means to an end, which is to align your business risk expectations with management's.
Re: (Score:3, Interesting)
There are two ends that your analysis misses:
1) avoid becoming the fall guy when one of the risks inevitably occurs (documentation)
2) minimize one's personal workload when one of the risks inevitably occurs (quit; see below for more options)
In the submitter's scenario, it appears that management does not understand these particular risks enough to make an e
Re: (Score:2, Insightful)
You may be writing from somewhere where this might make a difference. I'm writing from the United States, where they can (and sometimes will) fire you for things that are not your fault, and you really don't have any recourse. I don't think documentation is a bad thing, I just think that anyone whose mind zooms straight to CYA is part of the problem, not part of the solution. Sure, documentation is a good thing, but if
Re: (Score:2)
I am - from the United States. If CYA were ineffective, there wouldn't be so many people doing it. Sometimes, documenting an accurate prediction works to one's benefit.
Re: (Score:2)
I wish good processes were as easy as good breathing. If proper documentation occurs at your place of work, don't take it
Run, do not walk, to the nearest job posting. (Score:2)
If, indeed, that is the submitter's question and he cannot in fact avert or mitigate the risk on account of willful neglect by management, the only sensible response is to 1) produce a paper trail demonstrating that it is NOT his fault (in the likely event of a lawsuit -- Americans are, statistically, litigious bastards), and 2) get the Hell out of Dodge before the disaster happens.
Re: (Score:2)
Some things can be done. Security improvements can be bundled along with "upgrades". Fallback plans for when management panics and says "do something" can be made. Good backups can be kept. Backup restoration procedures can be tested. Case studies of similar organizations that experienced these particular risks can be brought to management's attention.
It's also worth questioning if the presentation to management is part of the problem. Were all risks great and small presented as the end of the world? If
Re: (Score:3, Informative)
1) Real infosec breaches that have happened, and the cost (cite the loss of VA data, or other situation, and the costs that the companies have paid, including things like picking up the cost of credit reports for a year, etc)
2) Some real things we can do, right now, and what it has cost to do similar things at other companies.
3) The kinds of user-visible "annoyances" that increased the suggestions will trigger, and
Wrong way to parse a post (Score:1)
Did anyone else see "wipe your butt with a paper trail" when they read this message?
Does the firm have a legal department? (Score:1)
Are you a stockholder? (Score:1)
CYA Principle... (Score:2)
In writing the document, I would go beyond digital means. By that, I
Liability wavers. (Score:3, Insightful)
If you can convince them to, have them sign printed copies of you explaining exactly what they are passing up on. Could be a potential "Fire Me", though, so get another job lined up.
I know exactly how you feel. I'm not the sys/net admin at my workplace, but I always chime in with advice, since I'm the only other person there with a degree in computers, and I've been studying computer and network security for a number of years now (my official title is graphic artist/web developer). Most of my security related advice just gets brushed off as paranoia - the classic "We are such and such, why would anybody want to compromise us?" - I try to explain that it isn't always people intentionally targeting specific organizations, but they don't care. When discussing pricing and the deadline for a large scale project with my boss, I mentioned I'd need plenty of time for security auditing, and might bring in some out of house help for pen testing. They stopped me mid sentence and said - "Is this what real people consider good security practices, or YOUR paranoia?" - Feh. I bit my tongue at that point, but I wanted to scream. These people aren't used to having to care - heck, having to use any sort of password is too much for most of them. I'm just waiting for the day we get a network intruder, and have thousands upon thousands of clients' information in the wrong hands.
It's a good thing I'm valuable to my workplace, otherwise they'd probably fire me because of my belligerent attitude towards their apathy for security.
Loss, Theft are the LEAST of Your Concerns (Score:2)
But of course, it's not feasible to
It's not a business risk .... (Score:3, Insightful)
I recently got a disclosure letter (as required by laws like California SB 1386) from Hotels.com because an employee of their auditors (Ernst and Young) had their laptop stolen from their car, with a ton of credit card numbers, mine included. Most readers here will be able to spot the multiple basic security mistakes that led to this situation, indicating that E&Y doesn't care to even get the most fundamental things right.
The "shaming" benefit of these laws has a small beneficial effect; however, businesses will not really care about security breaches (and arguably, have a duty to shareholders NOT to spend time and money on the problem) until the law or public opinion changes to the point where such a breach seriously hurts the balance sheet or the stock price, and right now we're a long way from there.
You could share your collection of such letters with your employer, but expect a continued "so what?" response.
SOX? (Score:2)
John.
SOX, Basel II, any sort of privacy law.. (Score:2)
Print the Emails (Score:2)
Print copies of the suggestions, and responses.
Put your resume online.
If you're feeling really grumpy, and you're in a "right to work" state; when you get the job offer. Tell them you can start immediately. Grab your stuff. Email your resignation. :-P
Speak their language (Score:2)
Calculate how much a security breach will cost them, both in direct costs (e.g. work needed to get back on track) and derived costs (e.g. lost business because customers leave) for several scenarios of different severity, and present these numbers to management.
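The calculation this post and the earlier "Point out the financial risks" post ask for, as an added example that is not part of the thread. Every dollar figure, frequency and the annual cost of the proposed controls below is a constructed placeholder, not a number from the discussion; the method (single-loss expectancy times annual rate of occurrence, before and after a control, and the return on the control's cost) is the standard one, and the scenarios are the two the submitter names plus a routine one so the partners see the spread in severity.

```python
"""Annualized loss expectancy per breach scenario and the return on a control."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    sle_before: float   # single-loss expectancy: direct + derived cost of one event
    aro_before: float   # expected events per year with today's setup
    sle_after: float    # single-loss expectancy once the proposed control is in place
    aro_after: float    # expected events per year with the control

    def ale_before(self):
        return self.sle_before * self.aro_before

    def ale_after(self):
        return self.sle_after * self.aro_after


# Constructed placeholder figures for a mid-sized CPA firm.
SCENARIOS = [
    # Unencrypted laptop with client tax data lost in the field: the control
    # (full-disk encryption) does not stop laptops being lost, it shrinks the
    # cost of each loss to replacing hardware.
    Scenario("laptop lost in the field", 250_000.0, 0.5, 3_000.0, 0.5),
    # Compromise through the aging perimeter: the control (replacement/patched
    # firewall, hardened exposed services) lowers the rate, not the cost.
    Scenario("perimeter compromise", 400_000.0, 0.2, 400_000.0, 0.05),
    # Routine malware cleanup on a workstation.
    Scenario("workstation malware cleanup", 5_000.0, 3.0, 5_000.0, 1.0),
]

ANNUAL_CONTROL_COST = 40_000.0   # placeholder: encryption licences + firewall + admin time


def annualized_loss(scenarios, after=False):
    """Total ALE across scenarios, before or after the proposed control."""
    return sum(s.ale_after() if after else s.ale_before() for s in scenarios)


def rosi(scenarios, control_cost):
    """Return on security investment: (ALE reduction - cost) / cost."""
    reduction = annualized_loss(scenarios) - annualized_loss(scenarios, after=True)
    return (reduction - control_cost) / control_cost


def report(scenarios, control_cost):
    """Rows for the partners: one per scenario plus totals, in whole dollars."""
    rows = [(s.name, round(s.ale_before()), round(s.ale_after())) for s in scenarios]
    rows.append(("TOTAL per year",
                 round(annualized_loss(scenarios)),
                 round(annualized_loss(scenarios, after=True))))
    rows.append(("control cost per year", round(control_cost), round(control_cost)))
    return rows


if __name__ == "__main__":
    for name, before, after in report(SCENARIOS, ANNUAL_CONTROL_COST):
        print(f"{name:28s} before ${before:>9,}   after ${after:>9,}")
    print(f"ROSI: {rosi(SCENARIOS, ANNUAL_CONTROL_COST):.2f}x")
```

The point to make in the meeting is the last line: an expected annual loss well above the control's cost, shown per scenario so that an objection to any one estimate does not sink the whole argument. The figures are only as good as the inputs, so take the event rates from the firm's own history (laptops actually lost, incidents actually cleaned up) where it exists.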
Action list.. (Score:2)
Now, my background is security so one whole session is dedicated to risk management (with 'Beyond Fear' as one of the important references to read) and you have no idea how much they don't know (it's
Documentation (Score:1)
Document every time that you spoke with management, write these "questioning sessions" down with a date/time, who you spoke with, and quote their answers as straightforwardly as you can.
You have NO power to force them to do anything, it sounds like you did everything you could to inform them of the problems that plague your company. It sucks, but that is all that you can do.
When the bad thing happens, and it will, they'll start pointing their finger at you. Calmly take out these sheets that you ma