Slashdot Mirror

← Back to Stories (view on slashdot.org)

Information Security and Ignorant Management?

Posted by ryuzaki0 on from the valid-concerns-falling-on-deaf-ears dept.

jmahler asks: "Suppose you work for a fairly decent-sized (but independent) CPA firm in the IT department. Suppose further that you have repeatedly warned the partners of the dangers of having unsecured laptops in the field, and have requested to replace the very thin, and rapidly aging line of defense (and functionality) currently protecting your network from all of the mean and nasty folks on the Internet. Let's continue, then, to suppose that the partners have all agreed to ignore every recommendation put forward regardless of cost or benefit. Is there a good way, beyond memos and emails, to inform the partnership that the water in which they tread could quickly become dangerous? What about absolving ourselves of responsibility for data theft and loss from a laptop 'disappearance' in the field?"

11 of 96 comments (clear)

  1. If you're worried, resign. by Ph33r+th3+g(O)at · · Score: 3, Interesting

    Ideally, with another job already lined up. Or obtain a good errors and omissions policy, because you can bet you'll be sued if they get pwned.

    --
    I too have felt the cold finger of injustice.
    1. Re:If you're worried, resign. by Desolator144 · · Score: 3, Interesting

      historically, people tend to get really mad and do something when their own work computer breaks or gets hacked so I second that idea. Remember what happened when advertisers got infected with adware displaying their own ads a couple years ago and it kept crashing their computers and they couldn't remove it? Well it's sort of like that I suppose. They know they're doing something they shouldn't (or not doing something they should) but they need a little personal nudge to actually take action.

      --
      now stop reading and go play Dance Dance Revolution!
  2. Two things... by Aadain2001 · · Score: 4, Insightful
    First, keep a very accurate paper trail, with dates and responses, of every suggestion and action you wanted to take. That way, when (not if) they suffer a massive data theft or loss of income from their computer systems being down, you can point to your evidence and basicly say "I told you so, no one to blame but yourselves".

    Second, quit that job. Make it very clear that you are unable to perform your job duties and move on to greener pastures. Unless you have stake, financial or otherwise, beyond just a paycheck, is it worth all the frustration and coming headaches? You know they will suffer a very bad event and want to blame you. Even with your evidence, you know you'll be the scape-goat and be fired. Just leave now and get a better job.

    --
    Space for rent, inquire within
  3. Have you tried saying the magic word? by wfberg · · Score: 4, Insightful

    Have you tried saying the magic word?

    No, not "Please", but "Sarbanes-Oxley"

    --
    SCO employee? Check out the bounty
    1. Re:Have you tried saying the magic word? by Scaba · · Score: 3, Informative

      And against accounting firms and CPAs.

  4. Your job is to inform management by strikethree · · Score: 4, Insightful

    Your job is to inform management in a clear and concise manner. The only time any action is to be taken outside of management's approval is when a law is being broken. If it was your job to decide which risks are worth taking, then you would be management. Understand?

    strike

    --
    "Someone needs to talk to the tree of liberty about its ghoulish drinking problem." by ohnocitizen
  5. Did you also propose solutions/steps? by TheLink · · Score: 5, Insightful

    Because many bosses don't like being posed problems if there aren't convenient options provided at the same time.

    Or the options proposed are just unacceptable.

    e.g. instead of banning laptops on the field- have encryption for the laptops, and regular backup plans.

    As for the cisco IOS firewall. I don't think it is really that bad - it just depends on what rules you have. Expensive firewalls aren't so important if you're not dependent on a GUI and don't have very complex requirements.

    What you need to do is secure and patch the exposed services - web, mail, app servers etc.

    If you have proposed steps and options, and they choose to ignore you, then that's their decision.

    But I would recommend that you prioritize on having decent backups.

    --
  6. Re:ooo... shiny by legoburner · · Score: 3, Insightful

    If he then demonstrates that he did it to show them how bad the system is then he could lose his job. If he does not then he could get caught and sued/arrested. If he recovers lost data then they will think there is no problem as nothing was lost. If he does not recover data he could cause unfixable damage to the company. I would say the same as other posters, write a nice long letter with a threat to quit, then if that causes no increase in responsiveness just quit.

    --
    Warhammer forums
  7. Here is what I would do... by Noryungi · · Score: 4, Insightful
    As many other people have already said:
    1. Make a copy of every document, every email, every recommendation. Make you own copy, on a USB key, and don't keep only on your work computer.
    2. Update you resume and start looking for a new job. Now.
      With this out of the way...
       
    3. Clearly explain the problems and potentiel consequences (the means $$$ consequences) to every manager and partner one last time.
    4. Point out every legal dispositions that may require the company to protect internal and client information: Sarbanes-Oaxley, etc. Support this by pointing out the amount of money paid by companies that had breaches and/or data stolen following a major security problem.
    5. Provide low/no-cost solutions to the situation at hand: OpenBSD/Linux firewalls, programs like TrueCrypt for the laptops, Snort, Nessus, NMap, Wireshark and other software that can help secure a network.


    Remember: managers only understand money matters. Point out the financial risks any chance you get and you will probably have their full and undivided attention.

    Again, if all else fail, just get out of the company as quickly as possible, and keep that paper trail on your USB key for the next decade or so... Or, even better, keep two copies, one on the USB key and the other on a CD-ROM.

    It reminds me of the day when -- in a security-conscious software publisher -- the CFO wanted everyone to be a Wifi network. During a meeting on this subject, I simply pointed out that anyone with a Wifi card could probably snoop on the network traffic from one of the offices above ours. The Wifi project disappeared before you could say "war driving"...

    --
    The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
  8. Most Slashdotters lead such simple lives. by DerekLyons · · Score: 3, Insightful

    I'm glad to see that most Slashdotters are financially independent - or in a situation (like living in a relatives basement) where having money is irrelevant. I can see no other reason why most of the advice to date boils down to 'quit your job and run'. Few people outside of Slashdot are in such a happy position I suspect.

  9. Lots of wrong answers here... by Anonymous Coward · · Score: 5, Insightful
    To date, most of the responses seem to be along the lines of "Cover your butt with a paper trail" or "find a different job." These are very commmon Infosec responses, and a large part of why companies want to keep Infosec insulated from real business management--most infosec people just don't get business.

    In a company, you have three value dials: Risk, Cost, and Functionality. Let's address each of them in turn:

    • Risk. This is the big bugaboo, and what everyone seems to be focusing on. Well, earth to IT geeks: businesses deal with risks all the time. Extending credit is a risk, yet it's done daily. Why? Because risk cannot be eliminated, ever, in any business transaction. Still, there are a bunch of possible situations here: management may be underestimating risks, you may be overestimating them, or you may be underestimating management's tolerance for unmitigated risk. You need to find out which of these it is, not just assume the first one is always the case.
    • Cost. Each business is in business to make money. IT spending, including security spending, is money they don't get to keep as retained earnings. No matter how much a business makes, no sane business spends any money without a clear understanding of the associated benefit. Now, you and I may think stuff like sports sponsorships makes less sense than buying a new firewall, but the marketing expenses are designed to increase revenue, and the Infosec expenditures are designed to prevent losses. When push comes to shove, business management almost always prefers to spend money on revenue creation rather than loss prevention. Maybe it's because they've been lied to for so many years by so many IT people about productivity benefits that never materialized--have we considered that no one believes us because we have, as an industry, cried wolf far too often?
    • Functionality. Customers want more functionality, but often don't see the tie between new functionality and increased risk. This is an area where I've seen risk professionals really struggle, because as employees, out job is not to say "no" but "that's not a good idea" and then further explain the consequences of their desired functionality. Again, refer back to risk and cost. If they want to not spend the cost to mitigate the risk, and accept the risk, that's their call. They're entitled and empowered, by virtue of their positional authority, to accept risk on behalf of the company.

    Bottom line? You need to ask about their risk tolerance. If their risk tolerance is higher than yours, that's fine. You're not there to impose some arbitrary set of security criteria on your business, you're there to implement the risk level management has decided to tolerate. If you can't tolerate the same risk level business management can, you can either try and continue to educate them--on the assumption that you're right and they're idiots--or quit. So yes, you can document stuff and/or quit, but those are only means to an end, which is to align your business risk expectations with management's.