Slashdot Mirror


Information Security and Ignorant Management?

jmahler asks: "Suppose you work for a fairly decent-sized (but independent) CPA firm in the IT department. Suppose further that you have repeatedly warned the partners of the dangers of having unsecured laptops in the field, and have requested to replace the very thin, and rapidly aging line of defense (and functionality) currently protecting your network from all of the mean and nasty folks on the Internet. Let's continue, then, to suppose that the partners have all agreed to ignore every recommendation put forward regardless of cost or benefit. Is there a good way, beyond memos and emails, to inform the partnership that the water in which they tread could quickly become dangerous? What about absolving ourselves of responsibility for data theft and loss from a laptop 'disappearance' in the field?"

14 of 96 comments

  1. Two things... by Aadain2001 · Score: 4, Insightful
    First, keep a very accurate paper trail, with dates and responses, of every suggestion and action you wanted to take. That way, when (not if) they suffer a massive data theft or loss of income from their computer systems being down, you can point to your evidence and basically say "I told you so, no one to blame but yourselves".

    Second, quit that job. Make it very clear that you are unable to perform your job duties and move on to greener pastures. Unless you have stake, financial or otherwise, beyond just a paycheck, is it worth all the frustration and coming headaches? You know they will suffer a very bad event and want to blame you. Even with your evidence, you know you'll be the scapegoat and be fired. Just leave now and get a better job.

    --
    Space for rent, inquire within
  2. As others have said, quit by antifoidulus · Score: 2, Insightful

    If you don't want to do that, I would suggest posting news articles about security breaches and identity theft in a prominent place in the office. Make sure to highlight the negative consequences and explain how they can be avoided.
    If that still doesn't work, quit. They are going to hold you responsible when the feces hit rapidly spinning blades despite the fact that you have done everything in your power besides smacking them to try to avoid it.

  3. Have you tried saying the magic word? by wfberg · Score: 4, Insightful

    Have you tried saying the magic word?

    No, not "Please", but "Sarbanes-Oxley"

    --
    SCO employee? Check out the bounty
    1. Re:Have you tried saying the magic word? by JWW · Score: 2, Insightful

      No, not "Please", but "Sarbanes-Oxley"

      It makes me sick to see how much this overreaching, overreacting federal regulation is being used by IT departments to run companies as if it's the IT department that's actually in charge of things. The IT department serves the business, not the other way around. IT departments that have to use SOX to enforce their wishes aren't serving the business, they're playing games with it. The business should (I know there are companies out there that actually are hopeless, but not most) be telling IT what they want to do about SOX, not the other way around.

      What really needs to be asked in this situation is "How can I improve security to an acceptable level while impacting the ability of the firm to do business the least?" If every recommendation requires that the workers at the firm jump through hurdles and face extra hardship in using systems, then of course they're not going to be receptive. Make things easy. Go ahead and buy security cables for their laptops and show them how to use them. Help them put boot passwords on their laptops, or make the next round of laptops you buy have biometrics. But remember the most important lesson you can teach them is never ever leave their laptop out of their sight. Remember, no physical security is no security at all. Tell them that, and then let them do their jobs. If you tell them to watch their laptop like a hawk and someone steals it, they will remember what you told them. If they still try to say it's your fault, you should do what a lot of people have suggested here and leave, because they don't have any sense of responsibility to either security or really to their business.

  4. Your job is to inform management by strikethree · Score: 4, Insightful

    Your job is to inform management in a clear and concise manner. The only time any action is to be taken outside of management's approval is when a law is being broken. If it was your job to decide which risks are worth taking, then you would be management. Understand?

    strike

    --
    "Someone needs to talk to the tree of liberty about its ghoulish drinking problem." by ohnocitizen
  5. Did you also propose solutions/steps? by TheLink · Score: 5, Insightful

    Because many bosses don't like being posed problems if there aren't convenient options provided at the same time.

    Or the options proposed are just unacceptable.

    e.g. instead of banning laptops in the field, have encryption for the laptops, and regular backup plans.

    As for the Cisco IOS firewall, I don't think it is really that bad - it just depends on what rules you have. Expensive firewalls aren't so important if you're not dependent on a GUI and don't have very complex requirements.

    What you need to do is secure and patch the exposed services - web, mail, app servers etc.

    If you have proposed steps and options, and they choose to ignore you, then that's their decision.

    But I would recommend that you prioritize on having decent backups.

  6. Re:ooo... shiny by legoburner · Score: 3, Insightful

    If he then demonstrates that he did it to show them how bad the system is then he could lose his job. If he does not then he could get caught and sued/arrested. If he recovers lost data then they will think there is no problem as nothing was lost. If he does not recover data he could cause unfixable damage to the company. I would say the same as other posters, write a nice long letter with a threat to quit, then if that causes no increase in responsiveness just quit.

  7. Here is what I would do... by Noryungi · Score: 4, Insightful
    As many other people have already said:
    1. Make a copy of every document, every email, every recommendation. Make your own copy, on a USB key, and don't keep it only on your work computer.
    2. Update your resume and start looking for a new job. Now.

    With this out of the way...

    3. Clearly explain the problems and potential consequences (that means $$$ consequences) to every manager and partner one last time.
    4. Point out every legal disposition that may require the company to protect internal and client information: Sarbanes-Oxley, etc. Support this by pointing out the amount of money paid by companies that had breaches and/or data stolen following a major security problem.
    5. Provide low/no-cost solutions to the situation at hand: OpenBSD/Linux firewalls, programs like TrueCrypt for the laptops, Snort, Nessus, NMap, Wireshark and other software that can help secure a network.


    Remember: managers only understand money matters. Point out the financial risks any chance you get and you will probably have their full and undivided attention.

    Again, if all else fails, just get out of the company as quickly as possible, and keep that paper trail on your USB key for the next decade or so... Or, even better, keep two copies, one on the USB key and the other on a CD-ROM.

    It reminds me of the day when -- in a security-conscious software publisher -- the CFO wanted everyone to be on a Wifi network. During a meeting on this subject, I simply pointed out that anyone with a Wifi card could probably snoop on the network traffic from one of the offices above ours. The Wifi project disappeared before you could say "war driving"...

    --
    The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
  8. Most Slashdotters lead such simple lives. by DerekLyons · Score: 3, Insightful

    I'm glad to see that most Slashdotters are financially independent - or in a situation (like living in a relative's basement) where having money is irrelevant. I can see no other reason why most of the advice to date boils down to 'quit your job and run'. Few people outside of Slashdot are in such a happy position, I suspect.

  9. Lots of wrong answers here... by Anonymous Coward · Score: 5, Insightful
    To date, most of the responses seem to be along the lines of "Cover your butt with a paper trail" or "find a different job." These are very common Infosec responses, and a large part of why companies want to keep Infosec insulated from real business management--most infosec people just don't get business.

    In a company, you have three value dials: Risk, Cost, and Functionality. Let's address each of them in turn:

    • Risk. This is the big bugaboo, and what everyone seems to be focusing on. Well, earth to IT geeks: businesses deal with risks all the time. Extending credit is a risk, yet it's done daily. Why? Because risk cannot be eliminated, ever, in any business transaction. Still, there are a bunch of possible situations here: management may be underestimating risks, you may be overestimating them, or you may be underestimating management's tolerance for unmitigated risk. You need to find out which of these it is, not just assume the first one is always the case.
    • Cost. Each business is in business to make money. IT spending, including security spending, is money they don't get to keep as retained earnings. No matter how much a business makes, no sane business spends any money without a clear understanding of the associated benefit. Now, you and I may think stuff like sports sponsorships makes less sense than buying a new firewall, but the marketing expenses are designed to increase revenue, and the Infosec expenditures are designed to prevent losses. When push comes to shove, business management almost always prefers to spend money on revenue creation rather than loss prevention. Maybe it's because they've been lied to for so many years by so many IT people about productivity benefits that never materialized--have we considered that no one believes us because we have, as an industry, cried wolf far too often?
    • Functionality. Customers want more functionality, but often don't see the tie between new functionality and increased risk. This is an area where I've seen risk professionals really struggle, because as employees, our job is not to say "no" but "that's not a good idea" and then further explain the consequences of their desired functionality. Again, refer back to risk and cost. If they want to not spend the cost to mitigate the risk, and accept the risk, that's their call. They're entitled and empowered, by virtue of their positional authority, to accept risk on behalf of the company.

    Bottom line? You need to ask about their risk tolerance. If their risk tolerance is higher than yours, that's fine. You're not there to impose some arbitrary set of security criteria on your business, you're there to implement the risk level management has decided to tolerate. If you can't tolerate the same risk level business management can, you can either try and continue to educate them--on the assumption that you're right and they're idiots--or quit. So yes, you can document stuff and/or quit, but those are only means to an end, which is to align your business risk expectations with management's.
    1. Re:Lots of wrong answers here... by Anonymous Coward · Score: 2, Insightful

      1) avoid becoming the fall guy when one of the risks inevitably occurs (documentation)

      You may be writing from somewhere where this might make a difference. I'm writing from the United States, where they can (and sometimes will) fire you for things that are not your fault, and you really don't have any recourse. I don't think documentation is a bad thing, I just think that anyone whose mind zooms straight to CYA is part of the problem, not part of the solution. Sure, documentation is a good thing, but if you're having the "what level of risk is tolerable?" discussions, documentation is a byproduct.

      2) minimize one's personal workload when one of the risks inevitably occurs (quit; see below for more options)

      So, if you're salaried and don't get overtime, this might be an issue. If you're NOT salaried, the answer to this is called "overtime." It's a pay-me-now, pay-me-later kind of thing, and any reasonable business manager knows that if he gambles wrong and loses, he has to pay. There really isn't any insurance against unplanned overtime if you're in a production support role, so I should hope that the local employment laws and/or your negotiated contract would provide adequate compensation. Failing that, you can always quit when they need you most, I suppose, if you don't want the overtime. Just realize that asking for more money to handle an unanticipated problem is generally a lot easier than getting a manager to admit that he was wrong.

      Overall, your post seems an apology for the sort of thinking I was criticizing earlier, so let me elaborate a bit more: "The sky is falling!" won't get you anywhere, even if it is. Managers will just shut you out, mentally, even if they pretend to listen to you. You need to communicate with your boss as dispassionately as his doctor might, if she were giving him a cancer diagnosis. That's your role: it's not YOUR problem, it's THEIR problem, and you've been hired as an expert helper to get them through so they can achieve their goals. Even if the sky is falling, it's certainly not falling on YOUR head. You get unemployment insurance if they go under, right?

  10. Re:Most Slashdotters lead such simple lives. by dasunt · Score: 2, Insightful
    I'm glad to see that most Slashdotters are financially independent - or in a situation (like living in a relative's basement) where having money is irrelevant. I can see no other reason why most of the advice to date boils down to 'quit your job and run'. Few people outside of Slashdot are in such a happy position, I suspect.

    Maybe the posters that suggest finding another job have the foresight to keep a rainy day fund.

    I know I'd rather jump ship before everything comes crashing down.

  11. Liability waivers. by SocialEngineer · Score: 2, Insightful

    If you can convince them to, have them sign printed copies of you explaining exactly what they are passing up on. Could be a potential "Fire Me", though, so get another job lined up.

    I know exactly how you feel. I'm not the sys/net admin at my workplace, but I always chime in with advice, since I'm the only other person there with a degree in computers, and I've been studying computer and network security for a number of years now (my official title is graphic artist/web developer). Most of my security related advice just gets brushed off as paranoia - the classic "We are such and such, why would anybody want to compromise us?" - I try to explain that it isn't always people intentionally targeting specific organizations, but they don't care. When discussing pricing and the deadline for a large scale project with my boss, I mentioned I'd need plenty of time for security auditing, and might bring in some out of house help for pen testing. They stopped me mid sentence and said - "Is this what real people consider good security practices, or YOUR paranoia?" - Feh. I bit my tongue at that point, but I wanted to scream. These people aren't used to having to care - heck, having to use any sort of password is too much for most of them. I'm just waiting for the day we get a network intruder, and have thousands upon thousands of clients' information in the wrong hands.

    It's a good thing I'm valuable to my workplace, otherwise they'd probably fire me because of my belligerent attitude towards their apathy for security.

    --
    "Better to be vulgar than non-existent" -Bev Henson
  12. It's not a business risk .... by RallyDriver · Score: 2, Insightful

    .... until legal and public pressures force greater accountability to companies for security breaches.

    I recently got a disclosure letter (as required by laws like California SB 1386) from Hotels.com because an employee of their auditors (Ernst and Young) had their laptop stolen from their car, with a ton of credit card numbers, mine included. Most readers here will be able to spot the multiple basic security mistakes that led to this situation, indicating that E&Y doesn't care to even get the most fundamental things right.

    The "shaming" benefit of these laws has a small beneficial effect; however, businesses will not really care about security breaches (and arguably, have a duty to shareholders NOT to spend time and money on the problem) until the law or public opinion changes to the point where such a breach seriously hurts the balance sheet or the stock price, and right now we're a long way from there.

    You could share your collection of such letters with your employer, but expect a continued "so what?" response.