Slashdot Mirror


What Should We Do About Security Ethics?

An anonymous reader writes "I am a senior security xxx in a Fortune 300 company and I am very frustrated at what I see. I see our customers turn a blind eye to blatant security issues, in the name of the application or business requirements. I see our own senior officers reduce the risk ratings of internal findings, and even strong-arm 3rd party auditors/testers to reduce their risk ratings on the threat of losing our business. It's truly sad that the fear of losing our jobs and the necessity of supporting our families comes first before the security of highly confidential information. All so executives can look good and make their bonuses? How should people start blowing the whistle on companies like this?"

244 comments

  1. What Should We Do About Security Ethics? by doti · · Score: 4, Funny

    Ignore it?

    --
    factor 966971: 966971
    1. Re:What Should We Do About Security Ethics? by __aaclcg7560 · · Score: 1

      If you're a slacker, yes. Masterminds violate the heck out of security ethics before blaming the slacker.

    2. Re:What Should We Do About Security Ethics? by kylehase · · Score: 2, Interesting

      The subprime lending agents ignored ethics and look how that turned out.

      --
      You want fun, go home and buy a monkey!
    3. Re:What Should We Do About Security Ethics? by MadMidnightBomber · · Score: 3, Insightful

      1. Sell the company stock short
      2. Leak
      3. Profit !!
      (May involve forfeiture of your immortal soul, prison time and other side effects.)

      --
      "It doesn't cost enough, and it makes too much sense."
    4. Re:What Should We Do About Security Ethics? by magarity · · Score: 1

      Was it ethics or good business sense? Unethical is a subset of stupidly greedy. The overlending that caused the problem was stupidly greedy on the parts of both the lenders who wanted sales today and the people who knew in the back of their minds that they couldn't afford the rising payments. The bailing out of a private firm with public funds by a former crony who is now the Treasury Secretary is unethical.

    5. Re:What Should We Do About Security Ethics? by Anonymous Coward · · Score: 0

      The situation in many UK companies is even worse: they just ignore risks, and generally they think that security is just having a firewall and an AV solution.

    6. Re:What Should We Do About Security Ethics? by mwlewis · · Score: 1

      Not to mention all of the encouragement and enabling by the political class. Either way, I agree with your conclusion. It's not only unethical, it's stupid, and will only encourage more.

      --
      JOIN US FOR PONG!
    7. Re:What Should We Do About Security Ethics? by kylehase · · Score: 3, Interesting

      According to a story on NPR, it was largely ethics. Many agents were offered incentives to cheat their customers. From this article:

      "Basically, the more costly and risky the loans they gave to their customers, the more money they made."

      "Narag says he also observed brokers printing fake bank statements or other income documents, and that there was a black market for these items. Everybody - including the lenders and banks buying these loans - looked the other way..."

      --
      You want fun, go home and buy a monkey!
    8. Re:What Should We Do About Security Ethics? by GeffDE · · Score: 1

      That will never work. It's missing the vital '???' step...

      --
      It has been a nervous year, with people beginning to feel like Christian Scientists with appendicitis.
    9. Re:What Should We Do About Security Ethics? by Anonymous Coward · · Score: 0

      Just one TLA... CYA

    10. Re:What Should We Do About Security Ethics? by BarefootClown · · Score: 0

      It also didn't help matters any that the government required banks to make loans to riskier borrowers.

      --

      "Make it ten--I am only a poor corrupt official."
      --Captain Louis Renault (Claude Rains), Casablanca

    11. Re:What Should We Do About Security Ethics? by doti · · Score: 1

      Funny?!!

      That was supposed to be a troll.
      You mods never get it...

      --
      factor 966971: 966971
    12. Re:What Should We Do About Security Ethics? by pclminion · · Score: 1

      Was it ethics or good business sense? Unethical is a subset of stupidly greedy. The overlending that caused the problem was stupidly greedy on the parts of both the lenders who wanted sales today and the people who knew in the back of their minds that they couldn't afford the rising payments.

      In my mind, it is entirely the fault of the lenders. I find it hard to blame people for taking enormously great loans, even if they knew they couldn't repay. For many people bankruptcy was a given from the beginning. I think you'd have to be a little bit crazy not to take an enormous loan if the bank offered it.

      It is the lender's responsibility to minimize the risk of default. You can't blame people for being people, but you can definitely blame the bankers for doing something they knew could not possibly work out in the long term.

      Disclaimer: I don't work in the mortgage industry but my industry is closely tied with it, and we've suffered immensely from the subprime collapse. Lots of friends lost their jobs. But I can't bring myself to assign any blame at all to the borrowers who took advantage of the banks' stupidity. The only legal consequence for those people will be bankruptcy.

    13. Re:What Should We Do About Security Ethics? by Anonymous Coward · · Score: 0

      In my mind, it is entirely the fault of the lenders. I find it hard to blame people for taking enormously great loans, even if they knew they couldn't repay. For many people bankruptcy was a given from the beginning. I think you'd have to be a little bit crazy not to take an enormous loan if the bank offered it.
      That is nonsense. Bankruptcy is hardly a given, and loans were not given to people for which it was inevitable. You had people with high debt to income, bad credit, and some equity in their home. They would take out a loan backed by the equity they had in their home. Six months later, the value of their home has gone up, and like magic they have more equity. Now they tap that new equity again. They can use their home as a source of income. "Your home is an investment". But where is all of that money going? It's certainly not going to pay down their debt and repair their credit. Instead they are playing good little consumer and buying shit in order to keep the American economy moving along (just like their politicians say they should). Then the gravy train stops. Their credit either gets so bad that they can't get a new loan, or they get upside down on their home when its price starts to drop. Now they are fucked. Their credit is destroyed and they get kicked out of their home. And it is all the lenders' fault? They would have to be crazy not to get involved in this, destroy their credit, and end up on the street? Nonsense. Note that I'm completely ignoring the fact that the situation is far more complicated than involving just a lender and a borrower. You have numerous parties involved with these loans once you get into the securitization process.

      There is plenty of blame and fault to go around. The notion that it rests with a single group is childish and naive. You have the borrowers, the originators, the brokers, the ratings agencies, the investment banks, the fund managers, the regulators, the politicians.... all of them behaved with greed and stupidity, and all played their part in facilitating this mess.
    14. Re:What Should We Do About Security Ethics? by pclminion · · Score: 1

      Their credit is destroyed and they get kicked out of their home. And it is all the lenders fault?

      I don't care whose fault that is. I am not concerned with people losing their homes. I'm concerned with the economic impact this has created. I find it hard to understand how you could blame consumer greed for that. Consumer greed is a given. So is banker's greed, but at least the banker should have an economic clue.

    15. Re:What Should We Do About Security Ethics? by Anonymous Coward · · Score: 0

      This is not, fundamentally, a security issue; it's a First Amendment issue.

      If we enjoyed protection from retaliation for speech then security would not be an issue, as the author implies.

    16. Re:What Should We Do About Security Ethics? by Anonymous Coward · · Score: 0

      I don't care whose fault that is. I am not concerned with people losing their homes. I'm concerned with the economic impact this has created. I find it hard to understand how you could blame consumer greed for that.
      If you had read my post, you would know that I do not blame consumer greed alone for that. Borrower greed and stupidity did play their part in this mess. Borrowers had strong disincentives to not get involved in all of this, but many of them ignored those disincentives. Also keep in mind that the borrowers are investors ("your home is an investment"), not just consumers. So you have people making stupid investment decisions.

      Consumer greed is a given. So is banker's greed, but at least the banker should have an economic clue.
      And the consumer should not have an economic clue? "Your home is an investment". The American dream is home ownership. Being an American means being an investor. You had better hope that investors have some economic clue or you are going to end up in a lot of trouble, for exactly the same reasons that you see bankers without economic clue getting us in trouble.
    17. Re:What Should We Do About Security Ethics? by Anonymous Coward · · Score: 0

      I know what you could do to blow the whistle on this. Tell us what company you work for. If you want the whistle blown, we can't do it with somebody simply saying "I work for a Fortune 300 company". Just the name of the company, and I know for a fact that other people would end up taking it and blowing the whistle for you.

  2. Three Words: by canUbeleiveIT · · Score: 5, Insightful

    Cover your ass.

    1. Re:Three Words: by NeverVotedBush · · Score: 5, Insightful

      Actually this is probably better advice than most realize. I don't know if it was tongue in cheek or not, but it is damned good advice.

      Where I work, security is a really big issue and I have to deal with people all the time that don't realize that security is something they should consider with every decision they make during the day. Needless to say, many don't feel the same way. They are about to get raked over the coals by management.

      Unfortunately for some, they are in the crosshairs for their lax stance on security. I don't know what management is going to do with them, but management knows who they are and they stand a good chance of at least reprimands and loss of pay increases, and at the worst for them, pink slips.

      Anyone in IT who thinks data security isn't their job is fooling themselves and setting themselves up for a new career. If you read the SANS Newsbites, you see breach after breach and people getting sacked or worse.

      People need to tighten up their systems, audit their systems, run configuration management, and even penetration test their systems. If you can show you are at least trying to cover your ass, you stand a better chance of being seen as proactive and trying to protect the company even if it does get breached.

      But if something happens and it comes time to pick up the pieces, and all you can say is well, we shoulda done that but we didn't, you might want to have a plan B in terms of a career because you will probably need it.

    2. Re:Three Words: by zappepcs · · Score: 4, Insightful

      This is about as good as I know to do. Document everything. Where I work, I politely make my senior (not plural) aware of something I see as a security risk and ask for direction after giving what I think are the two-three possible methods to cure the issue. If that direction is 'do nothing' or worse, I have at least documented it. I always do this with a follow up email, or as part of my bi-weekly report.

      When I am running a tech project at work, I simply schedule resources in the project plan for security assessment and risk abatement. If these are cut from the resource budget of the project, it is documented on whose authority such was removed from the project.

      Basically stated: COVER your ass, and those below you. When those internal emails get leaked onto the internets or wikileaks it will be you shown as having 'concerns' about the security practices, and others who are guilty of the massive security problems being allowed to propagate. That makes finding the next job much easier.

      Additionally, all managers can find a few hours here and there within their department resources to do some security auditing and testing. Showing these results on your status reports documents proactive use of company resources. Additionally, if you can show that customer xyz just survived an attack because of something you did, you may end up being given more slack to accomplish your true and altruistic goals (that is a sad state of affairs) of providing secure products and services. Each time the company suffers a loss through security problems and documents the cost of recovery, you can show next time what security auditing would have saved them if they had taken actions earlier, such as the nice plan you hand them to peruse which would stop future such attacks.

    3. Re:Three Words: by mrsteveman1 · · Score: 1

      Pink slip eh....that doesn't sound so bad.

      What can i redeem it for?

      oh PLEASE say action figures and concert tickets!

    4. Re:Three Words: by Anonymous Coward · · Score: 0
      Very true, no matter which option he takes... That said, is it just the Slashdot in me that makes me read this:

      I am a senior security xxx in a Fortune 300 company and I am very frustrated at what I see. I see our customers turn a blind eye to blatant security issues, in the name of the application or business requirements. I see our own senior officers reduce the risk ratings of internal findings, and even strong-arm 3rd party auditors/testers to reduce their risk ratings on the threat of losing our business.
      ... and think it means he works for Microsoft?
    5. Re:Three Words: by NeverVotedBush · · Score: 2, Insightful

      The job market isn't all that good out in the real world right now -- especially if you have been fired for cause.

      Why add another hurdle to finding a job?

      And that kind of attitude is what I see in some of my coworkers. Smartass people who think they know it all and just don't care about consequences. And coincidentally, those are the same ones in management's crosshairs. Pretty much without exception.

    6. Re:Three Words: by Heembo · · Score: 1

      Cover your ass. This is the only way to roll. Email the Security Officer about your disagreement over the issue at hand, and include factual evidence. CC the CEO. Print out a copy for your personal records and use registered mail to mail it back to yourself. When the PCI/SOX/HIPAA/etc. shit hits the fan, bust out the sealed envelope.

      --
      Horns are really just a broken halo.
    7. Re:Three Words: by Heembo · · Score: 2, Interesting

      If you read the SANS Newsbites, you see breach after breach and people getting sacked or worse.

      Ouch, you are implying SANS has integrity. Newsbites is an advertising vehicle for one of the most low-integrity organizations in the security industry. For real information, Bugtraq is where it's at.

      --
      Horns are really just a broken halo.
    8. Re:Three Words: by Heembo · · Score: 2, Informative

      ... and think it means he works for Microsoft?

      MS spent billions to improve AppSec. They take it seriously, because customers screamed so loud. The secret? Fortune *300*. The company you are looking for is here: http://money.cnn.com/magazines/fortune/fortune500/2007/full_list/201_300.html

      --
      Horns are really just a broken halo.
    9. Re:Three Words: by wellingj · · Score: 2, Funny

      There are some really scary ones in there.

      Google
      Bank of New York
      SAIC
      Amazon.com

      But my bet is on Toys "R" Us

    10. Re:Three Words: by Heembo · · Score: 2, Funny

      But my bet is on Toys "R" Us

      New company jingle?

      "I don't wanna patch up, I'm a Toys R Us admin, there's a million exploits at Toys R Us that I can pwn with!"

      --
      Horns are really just a broken halo.
    11. Re:Three Words: by Anonymous Coward · · Score: 2, Informative

      My bet is on SAIC because I have worked with them before. I work in the safety critical industry and believe me it is absolutely terrifying how lax some companies are about security. For them security is checking a bunch of stuff off a bulleted list and calling it done. They don't actually want to hear about real problems that will cost money and time to fix. It's kind of sad too because companies like these employ a metric ton of "security experts" and "software verifiers". Most of them are just paycheck collectors. They are there to produce lots of safety critical paperwork. The paperwork and bureaucracy are the artifacts they are paid to produce. Actually finding bugs isn't going to make anyone happy.

    12. Re:Three Words: by RiotingPacifist · · Score: 1

      It's easy to figure out which one he's from: which of the following is most likely to get thrown around your office?
      a) Nothing man, we just chill in the hammocks out back
      b) Bars of gold
      c) Sharks with lasers on their heads
      d) The latest Harry Potter book
      e) Children's play chairs (doubles up for Microsoft on bring your kid to work days)

      --
      IranAir Flight 655 never forget!
    13. Re:Three Words: by dbIII · · Score: 1

      Cover your ass.

      Especially if a company has a senior anything XXX. The security one probably means whips and chains.

    14. Re:Three Words: by pimpin+apollo · · Score: 1

      I agree. And if you both want to do this, and maintain some ethical standard, I would suggest getting a lawyer. Granted this is going to take some money, but find yourself a lawyer, and see what options you have, realistically. This is the safest way to go about it. There are whistle blower laws carved out all over the place, but they're often narrow, and complex. It's not the kind of thing you want to take lightly or without some extreme care.

    15. Re:Three Words: by jhol13 · · Score: 1

      it will be you shown as having 'concerns' about the security practices

      But doing nothing? (your text can be read that way, sorry if you did not imply it)

      others who are guilty of the massive security problems being allowed to propagate.

      Or "unaware" of the fact (according to the laws of the court).

      I would certainly recommend to document everything but still first and foremost stay legal. "Criminally negligent" is not fun, I'd imagine.

    16. Re:Three Words: by mcvos · · Score: 1

      it will be you shown as having 'concerns' about the security practices But doing nothing? (your text can be read that way, sorry if you did not imply it)

      Doing nothing wasn't his choice or his recommendation. His recommendation is always to do something, higher-ups decide to do nothing. It's useful to get that decision documented.

      others who are guilty of the massive security problems being allowed to propagate. Or "unaware" of the fact (according to the laws of the court).

      Not if you document that you warned them, and recommended several ways to do something about it.

      I would certainly recommend to document everything but still first and foremost stay legal. "Criminally negligent" is not fun, I'd imagine.

      Certainly, but if you want to do something about it and higher-ups forbid it, then it's them who are criminally negligent. Perhaps it's a good idea to formally protest after each such decision, warning about criminal negligence. But I don't think the law requires you to invest your own private time to fix the fuckups of your superiors.

    17. Re:Three Words: by NeverVotedBush · · Score: 1

      You're exactly right - I was not advocating doing nothing. I was saying do whatever you could to increase the security posture. And the documentation part is also excellent advice.

    18. Re:Three Words: by NeverVotedBush · · Score: 1

      Nope. I'm not implying that at all. The Newsbites just make for a convenient digest of the major breach and compromise information. You can see the stories other places too if you would rather.

    19. Re:Three Words: by jhol13 · · Score: 3, Informative

      This may depend on the jurisdiction, but in Finland even if higher-ups forbid something (or tell you to do something) it does not give you "get out of jail" card. You are personally responsible for your actions, if they are illegal - tough.

    20. Re:Three Words: by mwlewis · · Score: 2, Insightful

      ...to accomplish your true and altruistic goals ( - that is sad state of affairs ) of providing secure products and services.
      Why is this altruistic? It makes your product better, and should make you more competitive in the marketplace. Granted, this is more of a long term effect than the short term effect of cutting corners to cut costs. But businesses make investments every day. I think it's just as important to stress the benefits as well as the costs or the risk reduction.
      --
      JOIN US FOR PONG!
    21. Re:Three Words: by pryoplasm · · Score: 1

      Problem with the registered mail bit, and it is why the patent office does not allow it as proof of prior art or that you had the idea originally.

      Most post offices around the world do not have a problem getting paid postage to send an empty unsealed envelope. There is no problem putting whatever backlashed upon you into an envelope and claiming you knew and forewarned people ahead of time....

      --
      Those who live by the sword, get shot by those who live by the gun...
    22. Re:Three Words: by stewbacca · · Score: 1

      My bet is on SAIC because I have worked with them before. I work in the safety critical industry and believe me it is absolutely terrifying how lax some companies are about security.

      Maybe I'm wrong, but I thought the summary was about lax customers turning a blind eye to security, not lax companies.

    23. Re:Three Words: by Anonymous Coward · · Score: 0

      Anyone in IT who thinks data security isn't their job is fooling themselves and setting themselves up for a new career.

      ---
      Yep. I consider security for every input variable I scrub, every function I feed data to. Admittedly at the beginning of my career, I didn't.

      Then I went through my first ethical hack in 1998. From that point on I've made it my business to know every way input can be used to exploit applications and services. People that don't should be out of a job.

      I'm not perfect but there isn't a moment that goes by when I'm coding that I don't think of the security implications of the line of code I just wrote.

      I just wish everyone else would. Life would be a lot easier for everyone on the planet if they did.

      "Distrust and caution are the parents of security."
      -Benjamin Franklin

      -AC

    24. Re:Three Words: by duncan99 · · Score: 1

      ...and documents the cost of recovery,

      If they don't care about the risk in the first place, what possible incentive do they have to document their mistakes? That would mean admitting they were wrong!

      Not only that, now their boss can clearly see what it cost the company, and what your suggestion would have saved.

      Maybe YOU should document what it costs, don't expect them to.
    25. Re:Three Words: by mtgarden · · Score: 1

      Agreed. And, while not a perfect organization, SANS does not appear to be problematic as a whole.

    26. Re:Three Words: by HiThere · · Score: 1

      I'd like to believe that your statements are correct. OTOH, if you intend to run penetration testing, get approval in advance and in writing. One hears stories.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    27. Re:Three Words: by Anonymous Coward · · Score: 0

      Most post offices around the world do not have a problem getting paid postage to send an empty unsealed envelope. There is no problem putting whatever backlashed upon you into an envelope and claiming you knew and forewarned people ahead of time....

      So hire a lawyer and register mail it to him for safe keeping. As an added bonus, if you ever need to provide the docs in a sealed envelope, you'll already have a lawyer familiar with your case.
    28. Re:Three Words: by Anonymous Coward · · Score: 0

      ... and think it means he works for Microsoft? MS spent billions to improve AppSec. They take it seriously, because customers screamed so loud. The secret? Fortune *300*. The company you are looking for is here: http://money.cnn.com/magazines/fortune/fortune500/2007/full_list/201_300.html

      It's Google, right?

  3. It's really simple. by Anonymous Coward · · Score: 0

    When the companies start following ethics, we won't have to blow the ethics whistle on them.

  4. Gee, I dunno by Gewalt · · Score: 4, Insightful

    how about you gather some evidence and publish it?

    Of course, you'll lose your job over it. So decide now. Do you want to sleep at night? Or do you want to feed your family?

    --
    Modding Trolls +1 inciteful since 1999
    1. Re:Gee, I dunno by Anonymous Coward · · Score: 3, Funny

      how about you gather some evidence and publish it?

      Of course, you'll lose your job over it. So decide now. Do you want to sleep at night? Or do you want to feed your family?

      That is one end of the spectrum. Another is to gather some evidence in order to ensure job security and hefty pay raises!

    2. Re:Gee, I dunno by snl2587 · · Score: 1

      Lose your job over this? Probably not necessary. But I would recommend documenting everything you've noticed and told your boss in a detailed set of memos so that you're safe if an ethics committee ever investigates. If that's what you're worried about, of course.

      Going the "get fired" route is probably a really bad idea under normal circumstances as you're likely to be passed up for jobs in the future for "lack of loyalty" or whatever the hell they're calling it now. Publishing anonymously, like on Wikileaks, would be better if you really feel the need to publicize it.

    3. Re:Gee, I dunno by mrsteveman1 · · Score: 1

      I dunno, you could also just make it publicly known how incompetent your security practices are, without being "that guy".

    4. Re:Gee, I dunno by The+Analog+Kid · · Score: 1

      Indeed, when they fire all the higher ups, you can move in and take their former positions. That is if the company is still standing, and none of this ever got out.

    5. Re:Gee, I dunno by whoever57 · · Score: 1

      But I would recommend documenting everything you've noticed and told your boss in a detailed set of memos so that you're safe if an ethics committee ever investigates. If that's what you're worried about, of course.
      You probably want to document it in a format that does not alert your boss to the real danger, but later, when people are looking for a scapegoat, will show that your boss was negligent in not following up your report.

      --
      The real "Libtards" are the Libertarians!
    6. Re:Gee, I dunno by plover · · Score: 4, Insightful

      Yes, gather evidence, but DO NOT publish it. Be very careful who you tell. If you do publish it they will hunt for whoever leaked it; if they find you at the end of the trail, you will be fired and likely blackballed in your city. (That's the thing about pissing off security people; they know exactly how the system works and will skirt the labor laws to put someone in a world of hurt.) It won't matter if it made their security better, or if someone gets an award for fixing it, or if your stock doubles because of your shiny new security model, if you hurt their image they'll put you down like a dog.

      Check around, maybe your company already has a CISSP on staff you could talk to. If not, as a large company you likely have an Info Security officer or manager, or perhaps a Loss Prevention or Asset Management department. Or perhaps you have someone in the networking area responsible for security (firewall installers, Active Directory admins, etc.) Corner the person in charge, and start asking him pointed questions, like "Did you see the news about company Y, who got hacked by exploiting this same vulnerability we've got?" "Have you done a risk analysis?" "What would you do if X happened?" "Do we have an incident response plan?"

      Or maybe you take credit cards, and have a PCI auditor running around. It's their job to care about security holes. Get your findings to them.

      Just saying "OMG, we're using WEP!" or "look, someone keeps pulling these XSS attacks on us, I told you so!" isn't likely to be earth shatteringly bad news; trust me, it's pretty much just irritating to those who politely listen to you whine. But offering constructive organizational advice might let these people know that you're not stupid, and that you really could help them improve their security.

      If you're considering a career change into the security field, a positive attitude towards fixing the systemic problems (big picture, not just the one set of things you're looking at) might get you somewhere.

      --
      John
    7. Re:Gee, I dunno by johannesg · · Score: 0, Troll

      Be very careful who you tell.

      Dude... It's on the frontpage of slashdot...

    8. Re:Gee, I dunno by stewbacca · · Score: 1

      Publishing anonymously, like on Wikileaks, would be better if you really feel the need to publicize it.

      Or on slashdot?

    9. Re:Gee, I dunno by Bender0x7D1 · · Score: 1

      Isn't it hard to sleep at night when you are hungry and your kids are crying because they are hungry?

      --
      Reading code is like reading the dictionary - you have to read half of it before you can go back and understand it.
    10. Re:Gee, I dunno by SeeSp0tRun · · Score: 0

      100% agreed.
      If it comes down to my family having a roof over their head, or taking responsibility...
      It's the yuppie Nuremberg Defense:
      Everyone has a mortgage to pay.

      --
      Something witty.
  5. Wikileaks by Mondo1287 · · Score: 5, Informative
    1. Re:Wikileaks by BountyX · · Score: 1, Redundant

      I also want to encourage you to wikileak it.

      --
      Trying to install linux on my microwave, but keep getting a kernel panic...
    2. Re:Wikileaks by couchslug · · Score: 4, Insightful

      If you leak it, not only do it on the sly in a manner that can't be traced to you (or you'll probably never be hired in a position of trust again!) but have an authentication method that can PROVE it's you in case the Feds come looking and you need to roll over.

      --
      "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
    3. Re:Wikileaks by NoobixCube · · Score: 2, Interesting

      This is pretty much what Wikileaks is for. Though if you're in Australia, that avenue will soon be sealed off from you if that new law gets approved. All in the name of our safety, of course. Can't have terrorists bringing down the economy by trying to improve it.

      --
      Admit it. You post strawman arguments as AC so you get modded Insightful for refuting them, rather than Troll
    4. Re:Wikileaks by Deanalator · · Score: 1

      full disclosure
      full-disclosure@lists.grok.org.uk

    5. Re:Wikileaks by Anonymous Coward · · Score: 5, Interesting

      I work for a very large US government department. Our agency oversees all of the child agencies. If we leak information about how we fast-talk the 20-some year old college graduate security auditors that know jack about computers, we would surely lose our contract. Our contract pays big, on the order of a few million per year. We have a total staff a little over 20, do the math. If the federal it director says to do it one way, we do it that one way to ensure nice paychecks to our employees.

      Now, I am one of these employees and I'm not going to watch my job burn because the government is hiding blatant security problems. The next person that comes in will comply the same way and I'm left searching for a new job. No. What I do is purposely delay audit results. Miss a deadline here and there. Specifically mention other areas of concern while satisfying the customer by fast talking through another area. Results? It turned your government's security finding report from a B to a D. This past year sucked, work wise, but we're far more secure now than we were a year ago.

      Just to scare you some more, we were sending backup tapes offsite without using encryption. We also didn't encrypt our laptops until the day before the government stipulated deadline. The best one? One of our budget management systems runs a public X server as root. Guess what else? We hold tons of medical, legal, and personal information for a very large number of you Americans. Yea.

      You're damn right we need to change how we address security concerns. I have no ideas on how to change this, so I will continue to be very cautious in my personal life. I will also continue to take contracts like this to ensure I can feed my family for the next couple of decades.

    6. Re:Wikileaks by Anonymous Coward · · Score: 0

      http://www.wikileaks.org/wiki/Wikileaks

      Speaking of which, Wikileaks and most/all of its mirrors were down this morning. Was it a random glitch, a DDOS by the Scilons for the thousands of pages of cult secrets that went live today, or a DDOS by the Chinese for the Tibet pix, or something unrelated?

    7. Re:Wikileaks by mrbluze · · Score: 1

      If you leak it, not only do it on the sly in a manner that can't be traced to you (or you'll probably never be hired in a position of trust again!) but have an authentication method that can PROVE it's you in case the Feds come looking and you need to roll over.

      What if it's not the feds but some other less recognizable but similarly irresistible force? If you leave an authentication tag of some sort then they will take the slipper and shove it on everyone's feet until it fits. Better not to leave it there in the first place.
      --
      Do it yourself, because no one else will do it yourself. [beta blockade 10-17 Feb]
    8. Re:Wikileaks by Anonymous Coward · · Score: 1, Informative

      A method of ensuring this would be $hash = md5(sha1(md5(sha1($string)))), embedding $hash in the document you leak, with a note that the person that leaked these documents knows $string, and providing $string to the Feds when they come knocking.

    9. Re:Wikileaks by richardellisjr · · Score: 1

      Or you could just digitally sign the document using a key that you burn to disc, put somewhere that's safe and never use it for anything else.

    10. Re:Wikileaks by Terrasque · · Score: 1

      Both of them are pretty easy to do.

      Leak it anonymously: use one (or several) of the loads of proxies out there, an anonymous remailer, or use tor.

      Authentication method: Get GPG or similar, make a key just for that, sign it, and store the private key someplace safe.

      That should give you good enough anonymity, and if needed, authentication.

      --
      It's The Golden Rule: "He who has the gold makes the rules."
    11. Re:Wikileaks by couchslug · · Score: 1

      Hi APK!
      You represent yourself with style and class.

      --
      "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
    12. Re:Wikileaks by owlstead · · Score: 1

      You could send a hash over your data + your name to a publicly available time stamp server *before* you disclose it anonymously. For a list of available servers see this link: http://security.polito.it/ts/
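
      As an added example (not code from any commenter, and not anything Wikileaks provides), the two "prove it was me later" methods discussed in comments 8, 9, 10 and 12 above, written in Go with only the standard library: a hash commitment whose preimage is a random 32-byte secret rather than a memorable phrase, a hash over the document plus the author's name of the kind comment 12 would submit to a timestamp service, and a detached Ed25519 signature made with a key generated for this single purpose. The document text and the name are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// Commit returns the hex SHA-256 commitment to publish inside the document.
// Only this value is embedded; the secret itself stays with the author.
func Commit(secret []byte) string {
	sum := sha256.Sum256(secret)
	return hex.EncodeToString(sum[:])
}

// NewCommitment draws a fresh 32-byte random secret (256 bits of entropy, so
// the published hash cannot be reversed by guessing) and its commitment.
func NewCommitment() (secret []byte, commitment string, err error) {
	secret = make([]byte, 32)
	if _, err = rand.Read(secret); err != nil {
		return nil, "", err
	}
	return secret, Commit(secret), nil
}

// VerifyCommitment is what a third party runs when the secret is later
// revealed: recompute the hash and compare it in constant time.
func VerifyCommitment(commitment string, secret []byte) bool {
	want, err := hex.DecodeString(commitment)
	if err != nil {
		return false
	}
	got := sha256.Sum256(secret)
	return subtle.ConstantTimeCompare(want, got[:]) == 1
}

// TimestampDigest hashes the document together with the author's name; this
// is the value to send to a timestamp service before disclosure. The length
// prefix keeps the name/document boundary unambiguous.
func TimestampDigest(document []byte, name string) string {
	h := sha256.New()
	fmt.Fprintf(h, "%d:%s", len(name), name)
	h.Write(document)
	return hex.EncodeToString(h.Sum(nil))
}

// SignDocument creates a detached Ed25519 signature with a single-purpose key.
func SignDocument(priv ed25519.PrivateKey, document []byte) []byte {
	return ed25519.Sign(priv, document)
}

// VerifyDocument checks the detached signature against the published public key.
func VerifyDocument(pub ed25519.PublicKey, document, sig []byte) bool {
	return len(pub) == ed25519.PublicKeySize && ed25519.Verify(pub, document, sig)
}

func main() {
	// Constructed sample data; nothing here comes from a real disclosure.
	document := []byte("constructed sample document body")

	secret, commitment, err := NewCommitment()
	if err != nil {
		panic(err)
	}
	fmt.Println("commitment to embed:", commitment)
	fmt.Println("secret verifies:   ", VerifyCommitment(commitment, secret))

	fmt.Println("timestamp digest:  ", TimestampDigest(document, "constructed name"))

	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	sig := SignDocument(priv, document)
	fmt.Println("signature verifies:", VerifyDocument(pub, document, sig))
	fmt.Println("tampered verifies: ", VerifyDocument(pub, append(document, '!'), sig))
}
```

      Publish only the commitment or the public key with the document; the secret and the private key stay offline, as comment 9 suggests. A commitment over a random secret cannot be reversed by guessing, which is the weakness of hashing a short phrase, and a signature additionally binds the author to the exact document contents, so any later edit to the document is detectable.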

    13. Re:Wikileaks by Achromatic1978 · · Score: 1
      Handy list, thanks for that.

      Each and every single one's status: "For Testing Only".

      Very useful.

    14. Re:Wikileaks by Anonymous Coward · · Score: 0

      Yeah, unless you're independently wealthy, you're about to make a really really dumb move for you and your family.

  6. Meh by Anonymous Coward · · Score: 0

    Leak the data/information :)

  7. How my company handled it. by awyeah · · Score: 5, Informative

    It's more common than you think. Some of it is due to laziness, some due to a lack of knowledge, and some due to time constraints. Fortunately, for the really sensitive information, management at my company finally put into place very strict policies on how we handle the data: How we store it, erase it, encrypt it, and display it. Granted, most of these policies are actually put in place by vendors that require it, but we've taken those standards and extended them across all sensitive information.

    If you're failing SOX/SAS-70/404 audits (or whatever types of audits apply to you)... that's bad, although you've already identified that.

    We formed a data security team - it's just one dedicated person right now, but since he's really only involved with the policy stuff, that's enough for us - however, he does hold frequent and regular meetings with management across all departments. The DS team recently published our "best practices" which every developer now has posted at his/her desk.

    Because management took this very seriously, we became one of the first companies in our industry to have all of the current versions of our software fully compliant with industry security standards.

    If there are no standards set forth for you, I suggest you make your own. It takes time and they must be well thought out, and no compromises can be made (that's a bad pun, sorry). Use your audit results (the actual audit results, not the strong-armed ones) as a baseline for improvement. Dedicate a resource to data security. Whatever you have to do. Since you're a senior level person, you should be able to convince people to allow you to do it.

    If you have security issues and a breach occurs, well... I think you know what could happen.

    --
    Why, no, I haven't meta-moderated lately. Thanks for asking!
    1. Re:How my company handled it. by Martin+Blank · · Score: 2, Insightful

      Standards are often slow to form, and then just as slow to be bought into. Everyone knows that they're needed, but they're too often set aside "just for this one thing."

      I think one of the problems is the idea that has become prevalent that "business drives IT." This is taken by many to mean that business decides what IT does, and that IT's rules have to bend to the desires of business whenever they clash. Personally, I think this is asinine, especially because it leads to a completely unnecessary adversarial relationship. I was told once that if IT was going to start telling business what it could and could not do, they'd go back to filing cabinets and typewriters. Not at all realistic, but it shows the frustration levels that are present.

      While it's true that without business, there would be no IT, the reverse is also true -- no IT, no business. It has to be a partnership. There are people on our side of the fence that are just as bad, and sometimes worse. Between business managers feeling superior because they fund IT and IT people feeling superior because they support the business applications, the battle of egos can only end up hurting the overall enterprise.

      --
      You can never go home again... but I guess you can shop there.
    2. Re:How my company handled it. by pclminion · · Score: 2, Informative

      If you're failing SOX/SAS-70/404 audits (or whatever types of audits apply to you)... that's bad, although you've already identified that.

      Now how the FUCK can you fail a SAS-70 audit? You get to set your own damn criteria for passing!

    3. Re:How my company handled it. by awyeah · · Score: 1

      Now how the FUCK can you fail a SAS-70 audit? You get to set your own damn criteria for passing!

      That's a good point, I stand corrected. Fortunately for my company, I don't deal with any of the controls or auditing as I'm not in the IT or Finance groups....

      However, with the way I've seen some companies run, I'm sure they could some how manage to find a way :)
      --
      Why, no, I haven't meta-moderated lately. Thanks for asking!
    4. Re:How my company handled it. by Lord+Ender · · Score: 1

      "we formed a data security team - it's just one dedicated person right now, but since he's really only involved with the policy stuff, that's enough for us"

      Not only do you have a paper-tiger security team, but you under-staff it, at that! Epic fail.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    5. Re:How my company handled it. by Kjella · · Score: 1

      Now how the FUCK can you fail a SAS-70 audit? You get to set your own damn criteria for passing!

      Depends on who sets the criteria. Many places have an absurd security policy that isn't actually followed; what about a textbook set of criteria? It's very possible that someone sets the criteria to cover THEIR ass, and that reality isn't keeping up is not their problem. Set the bar too low and they'll blame the one setting the criteria, set it too high and they'll blame the one who can't follow the impossible standard...
      --
      Live today, because you never know what tomorrow brings
  8. Ethics? Where? On Slashdot? by Anonymous Coward · · Score: 3, Interesting

    I work for many clients, most are lobbyists and lawyers. Ethics are different for everyone.

    We have laws to restrict what people do and police to enforce those laws.

    I know of one client, in an attempt to get a Federal contract, created a multi-million dollar program just to meet the "green" requirements that the Federal government is placing on new contacts.

    Turns out - nothing much is being done except the bare minimum.

    What is ethical is very different from that which is legal.

    Because of my personal beliefs which stem from an often insulted and bashed faith, constantly mocked here on Slashdot, I do not sell the information I am privy to.

  9. Ethics in Business by TheRecklessWanderer · · Score: 2, Insightful
    It's interesting that you talk about ethics in one branch of business, when clearly, there is a lack of ethics in most branches of business.

    Unfair labor practices, shady reporting practices, Enron, The entire legal profession, The entire political category (is it truly a profession).

    The point is, why single out one area of unethical behavior? Does it surprise you that the executives in our (Techie's Rule) should be any different?

    Most executives make their way to the top by lying, cheating and stealing better than the next guy.

    What can you expect?

    --
    Mean what you say...say what you mean.
    1. Re:Ethics in Business by compro01 · · Score: 2, Insightful

      The point is, why single out one area of unethical behavior?

      Because it's the area most of us are in and the area most of us are most likely to be able to have an effect on.
      --
      upon the advice of my lawyer, i have no sig at this time
    2. Re:Ethics in Business by The+End+Of+Days · · Score: 1

      Your brush is too broad to take you seriously. Sorry.

    3. Re:Ethics in Business by Anonymous Coward · · Score: 0

      It's interesting that you talk about ethics in one branch of business, when clearly, there is a lack of ethics in most branches of business.

      Unfair labor practices, shady reporting practices, Enron, The entire legal profession, The entire political category (is it truly a profession).

      The point is, why single out one area of unethical behavior? Does it surprise you that the executives in our (Techie's Rule) should be any different?

      Most executives make their way to the top by lying, cheating and stealing better than the next guy.

      What can you expect?

      The entire legal profession? Get over it.

      Don't confuse client loyalty and confidentiality with a lack of ethics. It's the nature of the system. The system could be different, but it isn't. You'd know if you have ever been involved or even knew what you were talking about.
  10. Think about where the problem really lies by jay2003 · · Score: 4, Insightful

    Ask yourself whether your "internal findings" are really representative or just an attempt to CYA in case there is a problem. Coming at this problem from the side of someone whose job it is to get things done rather than create objections, I frequently see security people asking for extremely expensive security "enhancements" that provide marginal if any value.

    All business decisions should be made on the basis of cost-benefit analysis. Most staff positions, including security, usually do a poor job of assessing either side and instead focus on potential risks without quantifying them. Just because security would be better by doing X does not mean X is a good idea. If X is really expensive and your competitors do not do it, your firm is now at a cost disadvantage, which depending on the industry can be catastrophic.

    I really have no way of knowing whether the actions you are talking about are really negative expected value actions or not, in the sense that over a long period the risks involved will be realized and the damage will be far greater than the cost of taking preventative action. However, changing ratings is troublesome. A much better process is a well defined override or exception procedure. The business should understand what they are doing. A rigid system that says we cannot do anything rated 'Y' even if there is 100M at stake will only result in the rating being changed.

    1. Re:Think about where the problem really lies by Lunix+Nutcase · · Score: 1

      Yeah, we sure can't have companies worrying about the security of classified information if it's going to hurt the bottom line!

    2. Re:Think about where the problem really lies by jay2003 · · Score: 2, Insightful

      One of the problems with the question is that there is no mention of what is at stake if this breach occurs.

      Is it national security?

      Is somebody going to die or come to serious harm?

      Or is it more mundane? Maybe some future business ideas will leak out and diminish their value. There's a whole spectrum of possibilities and the mundane ones ought to be decided on cost.

      After all, the most secure computer is one that's kept in a locked, guarded room with no network connections whatsoever. It's just not a very productive setup.

    3. Re:Think about where the problem really lies by Anonymous Coward · · Score: 0

      I agree entirely. In my experience, security people tend towards ideological and unreasonable (probably a consequence of the previously mentioned ideology).

      That said, I think too few designers worry about security when designing a system and too many security people got interested in security because they're *not* designers.

      I've learned something recently--why not plan for people to break out of whatever sandbox they're in and just design the least interesting sandbox possible?

      To use an example from my current work, we spent a bunch of money for this complex* security framework that's used to contain daemons where we would've been far ahead by just designing critical daemons in a way that breakouts wouldn't matter beyond a DOS.

      *complex in that another team in a different country (developing a security product no less) misconfigured the system and we ended up with an exploit our purchased framework would've prevented if it wasn't so damn difficult to get right.

    4. Re:Think about where the problem really lies by Fnord · · Score: 3, Insightful

      This is the problem with modern business methodology. Engineers do cost-benefit analysis also, but not with monetary cost. Every design decision in a piece of software is a balance of how much cpu time does this save me vs. how much memory does this eat up vs. how much complexity does it add to my system, etc.

      But before cost-benefit analysis even begins, problems to be solved are classified by their risk. There is a class of problems that absolutely must be solved regardless of the cost. If you're writing a filesystem, anything that has the remotest chance of data loss is unacceptable, regardless of how slow it is. If one of these crucial elements costs too much for the system to handle, take out something else.

      A large number of businesses don't seem to see anything as unacceptable risk. Medical companies, car manufacturers, baby toy manufacturers, etc. consider anything that could possibly cause loss of human life an unacceptable risk. Banks and retailers should treat anything with the remotest possibility of leakage of customer data a must fix problem, and this means IT security should get done, regardless of cost.

    5. Re:Think about where the problem really lies by jay2003 · · Score: 1

      Banks and retailers should treat anything with the remotest possibility of leakage of customer data a must fix problem, and this means IT security should get done, regardless of cost.

      That statement shows a fundamental misunderstanding of probability. There is no piece of information where the probability of it leaking is zero, even the US military's most closely guarded secrets. Security measures can push the probability close to zero but it's not possible to get there. There's always some compromise one can't imagine or even the simpler problem that someone trusted will betray you.

      Claiming there must be "no possibility" is what leads to bad decision making. Rather than analyzing risks people are forced to falsely declare them non-existent.

    6. Re:Think about where the problem really lies by Ihlosi · · Score: 1
      Engineers do cost-benefit analysis also, but not with monetary cost. Every design decision in a piece of software is a balance of how much cpu time does this save me vs. how much memory does this eat up vs. how much complexity does it add to my system, etc.

      How is that not a monetary decision? CPU time costs money. Memory costs money. Unnecessary complexity costs money (more time necessary to make changes/bugfixes/etc to the system). The real challenge is putting the right numbers on all of these costs.

    7. Re:Think about where the problem really lies by radicle · · Score: 1

      "companies, car manufacturers, baby toy manufacturers, etc. consider anything that could possibly cause loss of human life an unacceptable risk."

      Unfortunately, from my studies in public health, human life is usually a cash-quantifiable term, and it is cheap, nothing near "unacceptable". For example, the government calculates how many people would die (the cost) against how much operational cost, to decide whether to research or publicly offer the vaccine. There is no "unacceptable" loss in capitalism.

  11. Essay: Catch 222-22-2222 by ThinkComp · · Score: 4, Interesting

    I wrote an essay about this very issue a while back.

    http://www.aarongreenspan.com/essays/index.html?id=9

    The sad fact is that I don't report flaws anymore because I've been threatened too many times.

    1. Re:Essay: Catch 222-22-2222 by NeverVotedBush · · Score: 1

      I've also been threatened. It's a very bizarre world out there.

    2. Re:Essay: Catch 222-22-2222 by oyenstikker · · Score: 3, Informative

      It isn't bizarre. It is very simple. To any business, an amount of money larger than the profit they will make from you until the person in charge leaves is worth more than your life. If you are an ex-customer, they'd rather see you die than lose $1.

      --
      The masses are the crack whores of religion.
    3. Re:Essay: Catch 222-22-2222 by Anonymous Coward · · Score: 1, Interesting

      I wrote an essay about this very issue a while back.

      http://www.aarongreenspan.com/essays/index.html?id=9

      The sad fact is that I don't report flaws anymore because I've been threatened too many times.

      Actually... there IS a way to report this sort of stuff semi-safely. I've done it. How it has worked for me is having a relationship with the local FBI computer crime division (you do that by helping them with stuff informally over time). Then, when I run across something, I first call the folks over there and alert them to it. Once they have validated it (and the report is entered in their system, even if they won't do anything about it since no crime has been reported), I ask for permission to contact the company in question.

      While companies do get defensive, once I mention having spoken to the feds already, I never hear from lawyers. I think in a way, I've covered my ass in advance. And problems do seem to get fixed. And it never hits the papers, making everyone more or less happy.

      Sure, nobody knows who I am, and my name isn't on anyone's "clever security guy" list. While I sure could have used the publicity as a consultant, that isn't really the point. The only thing is that I never seem to be able to get a gig out of any of these findings, even though it would have made perfect sense to hire me to help. THAT one I haven't figured out yet. Oh well.
    4. Re:Essay: Catch 222-22-2222 by Grizzled+Old+Scout · · Score: 1

      My goodness is this deluded.

  12. Company Loyalty? by visualight · · Score: 1

    Is it ethical to place the interests of your employer above the needs of yourself or your family?

    --
    Samsung took back my unlocked bootloader because Google wants me to rent movies. They're both evil.
  13. Not much by MBCook · · Score: 4, Interesting

    I don't see how there is much you can do. There was an article here a few months ago about a group that started sending out bad XML because too many people were using the DTD they were hosting, to the tune of 10,000s of hits a day that were completely unnecessary.

    The company I work for (not Fortune 500, smaller) sees some stuff that continues to floor me. Our dealings are mostly transactions of information (containing important things like bank accounts) between our computers and those of other companies. We have had to, quite a few times, flat out turn people down because they refuse to run securely. Not without massive DB encryption. Not hashing everything. Just not using SSL, an easy to implement addition on top of HTTP (which carries our conversations with people).

    Every two months or so, we are put in the position of telling people that the SSL certificate on their production system expired last night. This usually entails a discussion as to why we can't just let them slide, or give them a day, etc. We've had people switch off good SSL certificates from very valid authorities to self-signed certificates.

    In fact the expiration problem happened enough that someone seriously suggested we consider making a little program to check people's certificates and warn us when they were going to expire so we could warn them. Things got better and it didn't happen. Many people just don't care.

    I'm not sure how this happens either. We recently let a certificate lapse on a domain we stopped using and gave up on. For the 6 months before it expired I got emails from the certifying company up to one every 2 weeks or so at the end. Then they called our office to make sure we knew it was about to expire and to find out if we really wanted that to happen. Then today, a few weeks after it expired, I got an email reminding me that it expired and they'd be glad to renew it. I don't know how many companies are this proactive about renewing SSL certs, but I'd have had to have my head buried pretty far in the sand to not have noticed all that.

    We've seen plenty of poor security designs. I don't expect other operations to be perfectly secure. But the number of these companies who seem either ignorant or dismissive of SSL continues to surprise me from time to time.

    Best advice? If you can at all, shut them down. Very few of the companies we have worked with have been very nice about turning on SSL. Some have said "just add S to the URL" (it was secure, they just didn't give us that URL). Some have said "sorry, we'll get that right up". More than a few have not been that easy. Turning people off is the best power we have. If your contracts are big enough (as a Fortune 300 company, they might be) you could try to put security provisions in them with penalties for shenanigans. But we've found that when discussions aren't working, just disconnecting people usually gets their attention.

    --
    Comment forecast: Bits of genius surrounded by a sea of mediocrity.
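
    The "little program to check people's certificates" mentioned in the post above, as an added example in Go using only the standard library; it is not MBCook's company's tool or anything Slashdot published. It fetches a partner's leaf certificate over a normally verified TLS connection and reports how many days remain before NotAfter, flagging anything inside a warning window. The hostnames in the usage comment are placeholders and the 14-day warning threshold is an assumption. The optional roots pool is the way to trust a partner's self-signed certificate explicitly, rather than switching verification off.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"os"
	"time"
)

// Status summarises how close a certificate is to its NotAfter date.
type Status string

const (
	StatusOK       Status = "ok"
	StatusExpiring Status = "expiring"
	StatusExpired  Status = "expired"
)

// CertStatus returns the whole days remaining until NotAfter (negative once
// expired) and a Status. warnDays is how much notice the operator wants.
func CertStatus(cert *x509.Certificate, now time.Time, warnDays int) (int, Status) {
	remaining := cert.NotAfter.Sub(now)
	days := int(remaining.Hours() / 24)
	switch {
	case remaining <= 0:
		return days, StatusExpired
	case days < warnDays:
		return days, StatusExpiring
	default:
		return days, StatusOK
	}
}

// FetchLeafCert connects to addr ("host:port"), lets crypto/tls verify the
// chain as usual (against roots when given, otherwise the system pool), and
// returns the server's leaf certificate. A pool containing a partner's
// self-signed certificate trusts exactly that certificate and nothing else.
func FetchLeafCert(addr string, roots *x509.CertPool) (*x509.Certificate, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{RootCAs: roots})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	peers := conn.ConnectionState().PeerCertificates
	if len(peers) == 0 {
		return nil, fmt.Errorf("%s: server presented no certificate", addr)
	}
	return peers[0], nil
}

func main() {
	// Usage: go run . partner.example.com:443 other.example.com:443
	// (placeholder hostnames; the 14-day warning window is an assumption).
	const warnDays = 14
	for _, addr := range os.Args[1:] {
		cert, err := FetchLeafCert(addr, nil)
		if err != nil {
			// An already-expired or untrusted certificate fails the handshake
			// and is reported here rather than as a Status.
			fmt.Printf("%-32s ERROR %v\n", addr, err)
			continue
		}
		days, status := CertStatus(cert, time.Now(), warnDays)
		fmt.Printf("%-32s %-8s %4d days  %s  %s\n",
			addr, status, days, cert.NotAfter.UTC().Format(time.RFC3339), cert.Subject.CommonName)
	}
}
```

    Run it from cron against the list of partner endpoints and page on anything other than "ok". Because the connection is verified, a certificate that has already lapsed or was swapped for an untrusted self-signed one shows up as an ERROR line, which is exactly the morning-after surprise the post describes.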
    1. Re:Not much by Qzukk · · Score: 2, Funny

      I'm not sure how this happens either. We recently let a certificate lapse on a domain we stopped using and gave up on. For the 6 months before it expired I got emails from the certifying company up to one every 2 weeks or so at the end.

      Actually, it's pretty easy. See, Jim punched in his email address back when we first got the certificate, so we'd been getting the notices at jim@example.com. Things were fine for a while, but then Jim moved on to another company. Fortunately, we had another Jim, so we just gave the email account to him when the first Jim left, and things were fine.

      Last month Jim turned in his two weeks' notice.

      By the way, we've got an entry level opening some of you might be interested in, just need a PhD, 10 years experience in C#, salary starts at $45k. Oh, and you have to be named Jim. Just send your resumes to jack@example.com...
      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    2. Re:Not much by Anonymous Coward · · Score: 0

      I don't think a self-signed certificate is that bad. You are trusting the data they are exchanging, why not trust their (verified) certificate? I honestly don't see what is so magic about a verisign cert? Why just give them free money, if you already have a B to B relationship?

    3. Re:Not much by Achromatic1978 · · Score: 1

      We've had people switch off good SSL certificates from very valid authorities to self-signed certificates.

      For curiosity's sake, please advise how a self-signed certificate being used for an SSL transaction is any weaker than a certificate signed by a third-party agency. Bonus points will be given for explaining how issues such as addressing how numerous instances in the past of third party "very valid" agencies falling victim to social engineering or outright fraud and issuing certificates to parties with nefarious or ill intent are a non-problem.

  14. fire the CEO by PetriBORG · · Score: 1

    I've been in enough places at this point to know that security does not matter.

    As much as it pains me to say it, there just isn't a good enough reason to do it. I think that's why it's the OpenBSD guys that end up providing OpenSSL and SSH and the like... Corporate pressure just kills any desire to get security right.

    Of course, the languages and libraries do not help the issue. It's just too easy to make stupid mistakes that result in code with security problems. People always argue that security will always make your software more difficult to use and to write - but I don't buy that. I just don't think we've yet invested enough programmer time into the problem.

    --
    Pete/Petri "damn, my chainsaw is clogged with 1's and 0's again." --clyde
  15. Bosses don't fear security breaches by Anonymous Coward · · Score: 4, Interesting

    Security won't be taken seriously until the powers-that-be worry that they will be directly impacted. A giant security breach that compromises tens of thousands of other people doesn't worry them. Once someone brings a successful (maybe class action) lawsuit and wins a lot of money, the powers-that-be will start paying attention.

    It is strange. We can't let a piece of equipment that isn't UL approved within a mile of our building. We have a guy whose whole job is to audit all the equipment and make sure it conforms. Security, on the other hand, isn't audited. The bosses sure don't fear us the way they fear the outside people who do all the other audits.

    Clearly it would be a good thing if someone were setting standards for security the way UL does for electrical equipment. It would be good to have outside auditors. Only then will the in-house security people get any respect.

    1. Re:Bosses don't fear security breaches by NeverVotedBush · · Score: 1

      Check out NIST: http://csrc.nist.gov/

      They not only have standards to follow but also scripts that can check security configurations to tell you if you meet standards or not.

      I know DHS gets mocked a lot but they are working with NIST to help harden computer systems. It's worth checking out.

  16. How to blow the whistle by overshoot · · Score: 4, Insightful
    Step one: gut check.

    Step two: Find another job. If you take a cut, see step one.

    Step three: Pull no punches when you resign. Leave a resignation letter stating that you cannot in good conscience continue to sweep serious liabilities under the rug, and that under the circumstances you have no choice but to leave. Copy the BOD. If you want to really play hardball, copy the company's liability underwriters.

    Make no mistake, this is a major bridge-burning exercise. It may turn out to be the best thing that ever happened to your career, but don't count on it. See step one.

    --
    Lacking <sarcasm> tags, /. substitutes moderation as "Troll."
    1. Re:How to blow the whistle by SirGarlon · · Score: 1

      Sounds like a great way to get blacklisted. I'd recommend leaving without comment.

      --
      [Sir Garlon] is the marvellest knight that is now living, for he destroyeth many good knights, for he goeth invisible.
    2. Re:How to blow the whistle by Anonymous Coward · · Score: 1

      That's awful advice. I suggest this:

      1. Find a new job
      2. Laugh with your new coworkers about what retards your previous coworkers were
      3. Profit!!

    3. Re:How to blow the whistle by mcvos · · Score: 1

      Sounds like a great way to get blacklisted. I'd recommend leaving without comment.

      Get media attention. If you get a reputation for being the only honest security guy, companies will be lining up to hire you, even if it's just for the PR.
  17. n a Fortune 300 company by frovingslosh · · Score: 1
    "How should people start blowing the whistle on companies like this?"

    Unh, perhaps by having the guts to name the company and maybe even the data at risk, rather than just saying n a Fortune 300 company. Oh, I guess you don't want to risk your bonus either, or maybe your job is more important than the safety and security of the citizens of your country. So why the hypocrisy to act like it's only your bosses who are vile evil bloodsuckers hiding the truth for their own enrichment?

    --
    I'm an American. I love this country and the freedoms that we used to have.
    1. Re:n a Fortune 300 company by NeverVotedBush · · Score: 1

      It's easy to criticize when you aren't the one in the hotseat. Sometimes, working from the inside to make things better, in spite of what management wants, can be the better approach. If the poster is being confronted with big security issues, and management that thinks they can skate (or are betting they can skate), and really confidential data is at risk that would harm people if it were compromised, working from the inside to change attitudes is sometimes the best way.

      Maybe signing up for SANS Newsbites and sending management a few blurbs about what has happened to other companies and people who get held responsible for breaches might wake management up a bit.

      These days breaches and compromises get pretty good press and there can definitely be some big monetary (or worse) consequences for those responsible when they do. When people see how things can really go bad, they tend to get a conscience.

    2. Re:n a Fortune 300 company by jrothwell97 · · Score: 1

      But what's the point in that? If we knew, the said F300 company would immediately become a target for corporate espionage, malicious hackers and crackers and all sorts of other nasties. That would be catastrophic for the company, and customers' (and members of staff's) personal data.
      There's a reason why security flaws are almost never reported by whistleblowers. Almost all data protection scares in the news ONLY occur once a breach has occurred, and the damage has been done. Naming the company would be like erecting a sign reading "OSAMA BIN LADEN'S CAVE: COME IN, THE DOOR'S UNLOCKED."

      --
      Those using pirated Tinysoft signatures(TM) are a real threat to society and should all be thrown in jail.
  18. Re:Ethics? Where? On Slashdot? by Anonymous Coward · · Score: 1, Insightful

    Because of my personal beliefs which stem from an often insulted and bashed faith, constantly mocked here on Slashdot, I do not sell the information I am privy to.

    Nothing funnier than a whining Christian with a persecution complex.
  19. Consider very carefully if it's worth it. by Vellmont · · Score: 1

    "How should people start blowing the whistle on companies like this?"

    If it's as bad as you're indicating, everyone learns eventually, even if it's the hard way. What you need to consider is, is it worth it?

    The questions I'd ask are:

    Are people's lives at risk from these vulnerabilities?
    Are people's lives going to be ruined because of these vulnerabilities?
    Is the company at serious threat of going under because of these vulnerabilities?

    If you can answer yes to one or more of these questions, you might consider risking your job because of it, especially the first two. If you can't answer yes to any of these questions, maybe it's best to either quit, or CYA. The latter means making sure everyone knows what the situation is, and they've ignored it (be sure to get written documentation they've done this). If you're going the CYA route, you can't make a big enough stink to get fired, but you can't be quiet enough that you'll eventually get the blame when it comes down.

    --
    AccountKiller
  20. Re:Ethics? Where? On Slashdot? by Lunix Nutcase · · Score: 1, Funny

    So you're saying that you're a Muslim?

  21. Kay Sara Sara by WwWonka · · Score: 3, Informative

    Just let them be.

    I too worked for a company that catered to the people that made money for it. $40 billion+ in assets at the time. No matter how hard I tried security ALWAYS took a back seat to profit, ease of use, and not rocking the boat. I was the head of network security, there was not even a CSO. The hierarchy wasn't even in place. One day I even saw a live network hack in progress as one of our network engineers was using a VNC server not protected by our corporate firewall! Someone on the outside had found it and started using his desktop! I couldn't believe my eyes! In the end it came down to me just accepting that this company, and a vast majority of corporations, will always and forever be run this way...until, of course, the proverbial $#It hits the fan, at which point I didn't want to be there.

    So I left and never looked back. I suggest that this also be your course of action before the one left holding the bag is you.

    1. Re:Kay Sara Sara by MarkvW · · Score: 1

      I agree with your point. So much business is like musical chairs. When the music stops, accountability begins--and those who are still with the company get stuck with the responsibility. Either work for a shop where craftsmanship matters, or be the smart rat that leaves before the ship sinks.

    2. Re:Kay Sara Sara by Anonymous Coward · · Score: 0

      "Que sera sera". Just FYI. :-)

  22. make a false save by circletimessquare · · Score: 0, Troll

    unknown intruders penetrated xxx, because of security failure yyy you have always complained about, and the only reason you just happened to catch it is because you implemented zzz as an afterthought

    the catch of course, is that you are also the intruder, and the whole exercise was to deliver a lesson: things are too lackadaisical

    that you look like a hero is just gravy

    and if you think it is too risky to fake the intrusion, i guess you aren't up to the high standards you hold others by, huh?

    put your money where your mouth is, or swallow your anxiety

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    1. Re:make a false save by myowntrueself · · Score: 2, Funny

      unknown intruders penetrated xxx, because of security failure yyy you have always complained about, and the only reason you just happened to catch it is because you implemented zzz as an afterthought

      Of course, if that was an xxx double-penetration everyone would take notice immediately...

      --
      In the free world the media isn't government run; the government is media run.
  23. Happening in all industries for eons. by liftphreaker · · Score: 1

    This sort of unethical high pressure tactic has been happening in not just your industry but in almost every other big-money industry for ages. Banks like Citibank used the same tactic to pressure stock analysts to give Enron a high rating or risk losing business, since Enron at that time was a great source of money for Citibank, Credit Suisse, Lehman Bros, JP Morgan among others, as they were the ones who helped inflate Enron's shares through their enormous Ponzi schemes.

  24. quit by david_bonn · · Score: 1

    There's lots of other jobs out there where you won't be confronted with this quandary. You're never going to get any credit for pointing out the security problems of your current employer. You run considerable legal risks (and might, in practice, render yourself unemployable in the future) if you try to blow the whistle.

    Find another job. Your family will be fed. You will also sleep somewhat better, except when you realize your ex-employer is still out there.

  25. well that's simple by ILuvRamen · · Score: 1

    How should people start blowing the whistle on companies like this?
    Um...anonymously! DUH! Post some internal e-mails or outgoing to vendor e-mails proving this bullshit to wikileaks using a proxy or something. Or anonymously e-mail the business owners or other high level people about what's going on. Unless they're the ones doing it, then sneak an e-mail to their bosses: THE CUSTOMERS! Lol send out a fake newsletter e-mail to everyone in the database saying you'd just like to let them know about the new security policies of ignoring massive problems and exposing their sensitive data.
    --
    Google's Super Secret Search Algorithm: SELECT @search_results FROM internet WHERE @search_results = 'good'
  26. Wrong thought line by teh moges · · Score: 1

    You are looking at the problem from the wrong direction:

    "the fear of losing our jobs and the necessity of supporting our families comes first before the security of highly confidential information"

    And so it should.

    However, you should put up a case to your higher ups about the business reasons why they need the security measures and that they need to be followed. The higher ups recognise this (in theory) and the practice of lowering security threats is classed as a "punishable offence". If a person's job is security, then their job should rely on that security being properly managed. If a critical security breach happens because of a "low risk" security bug, then heads will roll.

    If you can't get the higher ups to understand, sit back, wait for the unavoidable security breach and begin your "I told you so" speech. Don't be aggressive, but highlight that with proper measures this can be avoided in the future.

    Your options are to either collect evidence and go over the heads of your managers (don't be stupid, do it in an explicitly confidential/anonymous manner) or to sit back and not do anything. I do not recommend doing this without actual solid evidence or the only thing that will happen is a lot of blame passing and eventually you will be known as 'that person', despite your good intentions.

  27. Part of the precipitate by overshoot · · Score: 4, Insightful
    It's interesting that you talk about ethics in one branch of business, when clearly, there is a lack of ethics in most branches of business.

    No, not really. After all, there are children dying of AIDS in Africa, of hunger all over the world. Old people are being neglected, education is a mess, etc. Apparently your strategy is to give up on doing anything because we can't do everything. The advantage of this approach is to make the problem so far beyond our powers to solve that we can justify not even trying.

    In response, I call your attention to the words of a sage from when things were a hell of a lot worse: "It is not for you to finish the task - nor are you free to desist from it."

    It may be trite, but doing something to improve one corner of the world beats whining on /. about how bad it all is.

    --
    Lacking <sarcasm> tags, /. substitutes moderation as "Troll."
  28. Explain yourself by Meostro · · Score: 1

    Your best bet is to find someone higher up who understands the problem or to whom you can explain the problem.

    You eventually need to get to a C-level officer, something like CTO or COO who can actually mandate change. Somehow, in the places that I've worked I've been lucky enough to have CTOs that understand the concept of (and need for) security. They made a lot of changes that made sense to me (passwords must be changed more than once every 3 years, user data must not be stored on local machines, principles of least access, etc.) but other users didn't understand the business need behind them. "Yes, your department could hit all of its goals and produce its reports a day faster if everyone had access to everything, but if you use these rules then you take the extra day and you know it's right because it's auditable!"

    Convince them that your business goals will be met faster / more auditably / with less risk if you implement certain policies. Risk is your best friend, although it sounds like your upper-level managers ignore it rather than mitigate it. It's going to take you a while, so get started now. Does your boss understand the problem? If not, can you explain and convince them that you know what you're talking about?

    If you can't explain or justify your views on security, either learn some more or find a new job - it's not worth your while or the damage to your reputation from being associated with an insecure company if your title is Senior Security anything.

  29. Suck my dongle by photomic · · Score: 0, Flamebait

    Did you ever think this environment was created because the security policies simply do not scale? There's a difference between best practices that keep information secure and having everyone use a dongle and a password that changes weekly to check their fucking e-mail. In my experience, also at a Fortune XX company, "security" is simply a one-size-fits-all plan to cover your ass, which usually results in the least convenient and productive practices possible for average Joe-user. For that matter, security "experts" are rarely experts in security at all; they've just survived the longest by sticking to kneejerk strategies. Because this is Slashdot, let me add that any shop that uses Microsoft in its security platform deserves a shareholder lawsuit. So there.

  30. Re:Ethics? Where? On Slashdot? by eln · · Score: 3, Funny

    Because of my personal beliefs which stem from an often insulted and bashed faith, constantly mocked here on Slashdot, I do not sell the information I am privy to.

    I have a very strong sense of ethics too, and don't sell the information I'm privy to either. Since you say these beliefs stem from your faith, then we must be of the same faith. Always nice to meet a fellow atheist.
  31. it's as they say... by chayharley · · Score: 1

    no good deed ever goes unpunished...

  32. Re:Ethics? Where? On Slashdot? by zonky · · Score: 1

    Are you Tom Cruise's Agent?

  33. Check out the culture. If doomed, leap. by Nefarious Wheel · · Score: 4, Insightful
    In the spirit of "The Unwritten Laws of Business" (W.J.King, Profile Books) you need to choose your boss carefully. If the company you're with is not transparent enough for that, check their culture against the culture you'd like to associate yourself with. To do that, I'd suggest large amounts of common sense or read "Good to Great" (Jim Collins, check Amazon).

    Don't be a whistleblower, be an activist for change. See if you have a risk compliance manager and talk to them, ask for their advice. At worst, you'll get your name known in the higher echelons, at best you'll get your own way. Most people will shy away from a confrontation, but love giving advice in a tricky situation.

    Your mileage may vary, and I may be full of compost. Think and do.

    --
    Do not mock my vision of impractical footwear
  34. Re:Ethics? Where? On Slashdot? by Lunix Nutcase · · Score: 1, Funny

    Awwww, the user behind this AC post must be really PMSing today to mod me down.

  35. Start at the top by noz · · Score: 1

    Make an appointment with the CEO/MD with a draft of your findings. If he doesn't care, you shouldn't care.

  36. hmmm... trouble by suck_burners_rice · · Score: 1

    Here's the trouble. If you rat them out, you'll lose your job and they'll make you look so bad you won't be able to get another job in this hemisphere again. But if you don't rat them out, then some security exploit will take place in the future, and 900,000,000 customers' private information will fall into the hands of some con artist in Zimbabwe, who will then proceed to jack a billion dollars from said customers, resulting in an investigation. (Luckily, each consumer will only lose a little more than a dollar, but it's still wrong.) And when you're at the deposition answering why the security problems existed and the issue comes up that you knew about them and didn't rat anybody out, then you will be held responsible for it. In other words, damned if you do, and damned if you don't.

    My suggestion is that you should shut the heck up and at the same time gather evidence to make extremely clear what is happening in terms of security, evidence that is easy for any idiot to corroborate, but that doesn't violate any contractual obligations you might have or NDAs, that sort of thing. Do everything on the up-and-up but without exposing your name for the safety of yourself and your family. Send that info to CNN. They don't have to worry about getting fired. If it's really a Fortune 300 company, it's a well enough known brand name that any idiot will recognize it. That will get the management's attention to get the problem fixed. Next thing you know, they'll order you to run everything on OpenBSD heh heheh...

    --
    McCain/Palin '08. Now THAT's hope and change!
  37. Document risk acceptance and reduction by Raleel · · Score: 1

    Make sure that it's documented. Make sure that it's spread into multiple places who took responsibility for it.

    Ask tough questions like "alright, this is exploited, what can happen? How much is that worth? What sort of risk reductions do we have in place?".

    --
    -- Who is the bigger fool? The fool or the fool who follows him? --
  38. There are very few ethical companies. by EmbeddedJanitor · · Score: 5, Insightful
    Most are only limited by what the law allows. Although a company might speak of ethics, don't expect them to actually practice it.

    And why bother about security ethics when there are much more important ethical considerations like how they treat staff? Again, most companies screw most of their staff to the limit of the law.

    In short: If you're looking for ethics you got off on the wrong planet.

    --
    Engineering is the art of compromise.
    1. Re:There are very few ethical companies. by TheLinuxSRC · · Score: 3, Interesting

      Most are only limited by what the law allows. Although a company might speak of ethics, don't expect them to actually practice it.

      I agree with these two statements 100%, however...

      And why bother about security ethics when there are much more important ethical considerations like how they treat staff? Again, most companies screw most of their staff to the limit of the law.

      Treatment of staff is a strawman. It has no bearing on whether security is an issue. I was employed in a medical software company that did not treat their staff terribly yet managed to deploy products that were genuinely unsafe. This was in the imaging dept. of a medical records company - imaging handled diagnostic images as well as records for archival. This needed to be 100%+ HIPAA compliant and was nowhere close. While treatment of staff was decent, security with regard to medical records/images was not at all. I believe this to be an area where security is a huge priority over how the staff is treated.

    2. Re:There are very few ethical companies. by Anonymous Coward · · Score: 5, Interesting

      Don't even get me started. I work at a company which makes document imaging software and our customers send us all kinds of crap that honestly, scares the shit out of me. Not to mention information specifically protected by law. Most of the time, I get the sense that the sender didn't even remotely think about it. All they know is "this is not viewing/printing how it should" and so off they send it, as an attachment on unencrypted email.

      So now I am put in the position of -- do I actually work on the client's problem? Or do I immediately destroy the information and tell them they are a dumbass? You know what the reality is? The highly sensitive document gets printed out, sometimes hundreds of times (as I tweak things during the debugging process), and I try to shred everything but when there's hundreds of copies, I'm sure I've missed one. If I was unscrupulous I could have made several million dollars off the information I see on a daily basis and I'm not exaggerating. Millions. Honestly it pisses me off.

    3. Re:There are very few ethical companies. by Anonymous Coward · · Score: 5, Interesting

      I remember in my days consulting, I got sent a DB to look at. This DB held all the personal information for everyone who was worth over $X. The DB contained SSNs, spouse's name, spouse's SSN, etc. As soon as I saw this DB, I asked where the NDA for it was. When I was told there was no NDA sent over, I felt sorry for everyone whose information was in there.

    4. Re:There are very few ethical companies. by Anonymous Coward · · Score: 1, Insightful

      Wouldn't the best thing to do be to politely inform the client of their error, so they might be more careful next time? But after you have the document you might as well work on it unless the client instructs you otherwise.

    5. Re:There are very few ethical companies. by Anonymous Coward · · Score: 0

      Let's grab some beers sometime.

    6. Re:There are very few ethical companies. by zdickinson · · Score: 1

      You do realize that companies are not sentient and can be neither ethical nor non-ethical? Somewhere there is a person, your neighbor/Dad/Daughter, who is making decisions that are either ethical or non-ethical.

      --
      I hate ethics, I avoid them on principle.
    7. Re:There are very few ethical companies. by Anonymous Coward · · Score: 0

      Feel sorry? Depends how big $X was.

    8. Re:There are very few ethical companies. by thethibs · · Score: 1

      And why bother about security ethics

      What the hell are "security ethics"? In more years of IT security work than I care to count, I've never run into that bizarre phrase.

      I look forward to being educated.

      --
      I'm a Programmer. That's one level above Software Engineer and one level below Engineer.
  39. Re:Ethics? Where? On Slashdot? by Anonymous Coward · · Score: 0

    No wonder jesus ended up on the cross

  40. Fraudulent Security Audit practices by Anonymous Coward · · Score: 5, Insightful

    I have had to make a similar choice twice now and both times, I had to leave the company to feel good about the situation. In one case, I also insisted that my name be removed from all company communications and government vendor documents. I do not regret my decision, although it has cost me.

    You say you are an uber security drone with a Fortune 300 company and that you *know* of fraudulent business practices to help the company earn better ratings on its security policies. I'm guessing that some of these impact SOX/404, SAS-70, and probably ALL would be of concern to the company's shareholders and business trading partners. Like it or not, you are now either complicit or you are obligated to inform oversight authorities. Your first duty should be to your own profession's standard of behavior, your second to the company shareholders, your third to the public's interest, and last to your management chain.

    You seem to be entertaining the idea of moving management's priorities to the head of the list and that would be to make yourself complicit. The fact that it would be difficult to prosecute you does not make that considered behavior any less criminal. You will have to live with that knowledge for a long time. I have friends who worked at Enron who to this day have valid concerns about the resume stain they have earned from their time there. Are you willing to bear that also?

    How you go about protecting yourself from reprisals is up to you and the reporting authority, but surely anonymous 'tip' reporting is possible. Given senior management is the problem, that is a strong candidate for your response. I would also recommend you document your allegations as best you may and make them to the SEC and your local branch of the FBI. Either agency might request you remain with the company while they investigate your allegations. Otherwise, it may be time to vote with your feet and find employment elsewhere.

    You more than anyone should know what will be the eventual outcome of improperly securing vital systems. Do you want it to happen on your watch or to have to answer difficult questions later about why you did not strongly resist or report events which will lead to that security breach? Do you want the stigma to attach itself to your resume? Do you want to sleep on the knowledge that you passively participated in criminal conspiracy by voluntarily remaining silent?

    You cannot fault the ethics of your superiors if you fail to execute upon your own. What are you made of? Decide, and then live with the decision. It only appears to be a difficult decision if you have an off-switch upon your professional ethics.

    1. Re:Fraudulent Security Audit practices by duffbeer703 · · Score: 4, Insightful

      I don't think that things are as cut and dried as the people posting here, and security people in general, often make them out to be. A case in point was an audit that I was involved in about two years ago. One of the risks that the auditors threw a fit about (and that management successfully lowered the risk rating of) was a six-character password limit on a legacy system which contains sensitive data. The security people threatened, cajoled and generally made asses of themselves about this issue without looking at the circumstances.

      In that case, management was correct to lower the risk of this flaw, because they mitigated it. Access controls to that particular system were moved to a web-based terminal emulator, which is secured by complex passwords and a two-factor authentication system. Those six character passwords were randomized daily and linked to a specific user in the emulation system.

      All I am saying is that there is a difference between fraud, negligence and compromise. Just because management is twisting the arm of a zealous auditor, or the infosec crew is pissed off because their latest policy or acquisition got shot down, doesn't mean your organization is run by Gordon Gekko or Ken Lay. Money and resources are not in unlimited supply, and sometimes standards need to be compromised or worked around so that business can continue.

      If your ethical standards can't handle that, you'd better move to academia or write security books, because there isn't a non-trivial environment anywhere that achieves perfect adherence to security standards.

      --
      Conformity is the jailer of freedom and enemy of growth. -JFK
    2. Re:Fraudulent Security Audit practices by Anonymous Coward · · Score: 0

      > I have friends who worked at Enron who to this day have valid concerns about the resume stain they have earned from their time there. Are you willing to bear that also?

      heh, I can beat that: I worked for old-SCO for a *long* time and finished in the Linux Kernel Personality group. Not only do I know too much but I have the resume stain too!

    3. Re:Fraudulent Security Audit practices by Anonymous Coward · · Score: 0

      Absolutely, Totally Wrong.

      A weak point at any single point in the system is a problem, regardless of whether or not it is accessible at the time of the audit. If something changes (a new vulnerability exposes that 6-letter random password), it's better to know that you have redundant security within the system than to depend on one layer of defense.

      Think about this like a medieval castle: There is an outer wall and an inner keep. The outer wall is the web interface, which is presumably secure. The inner keep is that final password before someone has raw access. If you come under siege, you really want that outer wall to hold. But if it doesn't, you can still retreat into the inner keep and have a hope of surviving. Leaving a weakness in that inner (legacy system) security is like not putting doors on the inner keep. Sure it's strong and you won't get killed as long as the outer wall holds, but if the outer wall goes you're screwed.

      Hopefully you all followed the metaphor.... The point is that security should be layered so that one new/unknown vulnerability does not take out your only layer of defense. If your multi-factor (only two? Username and password?... egads..) authentication is broken somehow, it would be trivial to break the 6 letter password guarding all your data. A longer password (especially one changed more often) would be much more difficult to break through and would be a great second line of defense. But without it... You are screwed. Yes, mitigating it was good. But correcting it (either by making it longer or changing it more often) AS WELL AS mitigating it would be better. Two strong lines of defense. Always two or more!

      -kp

    4. Re:Fraudulent Security Audit practices by duffbeer703 · · Score: 1

      Totally agreed.

      But if to fix that vulnerability in 2 years will cost $500k, and to fix it in 3 months will cost $2M, and delay other projects with security implications and I don't have $2M looking for a home, that's an issue too. Maintaining secure systems is a critical part of the business, but you can't use it as an excuse to paralyze the business.

      All that I'm saying is that you have to balance security with the needs and resources available to the business. If you can mitigate the risk to buy time, that's a totally valid strategy.

      --
      Conformity is the jailer of freedom and enemy of growth. -JFK
  41. Good points... by jd · · Score: 1

    ...but one thing that would improve matters is if sensitive information automatically kicked in compulsory external audits by some independent watchdog. That would require some creative legislation, not only to make acceptable to courts, corporations, etc, but also to keep sufficiently current that poor practices or malpractice aren't actually required. That, I fear, is beyond any Government currently out there, and given the track record of Governments on IT issues, I suspect skepticism and wholesale rejection by the industry to be a more likely response than improvement on practices. Mind you, given that IT is often an afterthought of corporations and security is but a fleeting glint in the eye of IT, I suspect wholesale rejection would be the end result regardless.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  42. Re: Developer time by perlchild · · Score: 1

    Security happens when you think things through.

    Thinking things through all the time is hard

    Security makes things harder

    More developer time can at best, optimise how much we have to think before we act. But as long as users can't act without thought, they will think it's "hard" and will try not to do it.

    Battle between developers and human nature, human nature wins.

    That's to use, not to write though; more secure code should be easier to understand and debug, and actually be easier to write (provided you take the time to do it right). Good, fast, cheap, pick two.

  43. They've got it backwards by billcopc · · Score: 1

    It seems to me, if there is knowledge of someone downplaying security risks/breaches, their job should be threatened IMMEDIATELY. It is their duty to analyze risk and report it, and they should be held responsible if they neglect those responsibilities.

    Yeah, sometimes it's ugly. Some workplaces are a security nightmare, but that's precisely why we create security jobs in the first place. Identify the problems, build a game plan and implement it! A security advisor that finds no problems, is not doing their job right. There's no such thing as a 100% secure environment, it's all about evaluating risk vs benefit, and that is a moving target.

    --
    -Billco, Fnarg.com
  44. Re:Ethics? Where? On Slashdot? by Anonymous Coward · · Score: 1

    You mean the punishment he brought upon himself through his own traitorous actions against Rome? There's no difference in the way that the US treats its own traitors. In Rome they'd crucify their traitors and in the US we hang em. You aren't a martyr, same as the vast, vast majority of the other 2 billion Christians out there. The Christians in the US who constantly whine and cry about how they are being persecuted do nothing but spit on the actual persecution that people in other countries truly face.

    BTW not getting special treatment from the government and being disallowed from forcing kids in schools to pray to only your god isn't persecution. Though I'm well aware that your average Christian isn't able to understand this.

  45. And also... always remember that... by Nick Driver · · Score: 3, Insightful

    ...he who dares tell the Emperor that he's wearing no clothes gets his head chopped off.

  46. Two-way street by Spazmania · · Score: 1

    Security ethics is a two-way street. I've seen reasonable risks downplayed when they shouldn't be but I've also had to argue with an auditor about "failed" checklist items whose security implications were clearly understood and very obviously addressed elsewhere in the system's overall architecture.

    --
    Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
  47. perspective by J.J. · · Score: 4, Insightful

    Take a few steps back and consider your perspective. Try reading about engineers vs. managers: http://www.fourmilab.ch/hackdiet/e4/eatwatch.html (scroll halfway down)

    Many computer guys tend to be alarmist and see the world in black and white. Many security firms rate problems only based on potential damage without consideration for existing mitigations elsewhere in the system or the reality of targeting from attackers. Consider your company's situation carefully.

    If, after much deliberation, you are certain legitimate problems exist that must be fixed (versus managed) then talk to the managers in their language: build a business case. You work for a company, the company's job is to make money. Security costs money. You must clearly articulate how the security improvements will make money or stop the company from losing money. It's all engineering, in the end. It's just engineering with words and numbers.

    Cheers.
    - jj

    1. Re:perspective by Calphool · · Score: 1

      I totally agree with jj. At my own company, also a Fortune 500 company, our security folks are just out of touch with the idea that you have to balance risk and reward in business. Risk has to be assessed in terms of frequency and severity. If something is very unlikely, but will probably be catastrophic if it happens, then a certain amount of security precautions should be taken. (Usually the reasonable goal is just to survive those situations; going beyond that is often too expensive in my experience.) If something is highly likely but your best guess is that it will result in only modest damage, then again, certain precautions should be taken (these should generally be (key word) _gradually_ worked on until they're eliminated). At my own company, security folks seem to think that it's ok to throw around "Our company brand is at risk!!" as an excuse for any asinine, expensive, over-engineered, overly cautious concept they want to try out. We frequently have to remind them that we can have "the most secure nothing in the world" if we spend our entire budget on security concerns. Nevertheless, info security is a real issue, and for certain industries it's higher priority than others. So my advice for the original poster is, like a few others here have posted: stop, think about these issues from your boss' perspective, and make sure you're not overreacting. If you still feel very concerned, and you truly believe that the company is taking unreasonable risks and being unethical, then stand up and be counted. Yes, you're risking your career, but if you're right, and you're in info security, then that's exactly what you were hired for -- to make a stink when people cheat, take shortcuts, or otherwise risk the company's brand unnecessarily. The key thing is to make sure you've looked at the situation with some sense of perspective before risking your career unnecessarily (and again, even for your own personal career risk, it's all about frequency and severity!)

    2. Re:perspective by turing_m · · Score: 1

      Thanks for the link, that was interesting to read.

      Another thing to realize is that security companies and consultants have an inherent desire to inflate the size and probability of any security risk. The more fear they can build in the client, the bigger and more expensive the service they can sell.

      --
      If I have seen further it is by stealing the Intellectual Property of giants.
  48. I can only tell you what I told my boss... by Anonymous Coward · · Score: 0

    I can only tell you what I told my current boss: "You're about to double the size of the company, sir. Afterwards increasing security to the minimum level will cost four times as much, take twice as long, and require many gallons of coffee, 1000s of hours of overtime and several strippers. And right now we couldn't pass any credit handler's, let alone a GSA inspector's, minimum audit requirements."

    He asked me what strip bar IT partied at, so at least the speech wasn't a total loss.

  49. I'm at a fortune 150 company by Anonymous Coward · · Score: 1, Interesting

    Take my words as an example of why you may need to be careful.

    Number one, be a successful example of your policies.

    Number two, understand, you are expendable, security is not a tangible deliverable to many. Strong arming people is the worst move that can be made, it will alienate your team. Security is extremely important, but getting a product across the finish line is even more important. If you stand in the way of delivery the barrier will be removed. If your security offerings help deliver a product faster and cheaper, then you'll be a hero.

    Here is why I say these two things.

    In my environment the security group is the worst example of security as a process, so nobody takes them seriously. People across the board are actually writing code to work around their systems as we need to deliver a product. It is ironic that in the latest audit, they failed worse than the other groups, more or less because they didn't follow the enterprise security standards.

    I can assure you that the barriers at some point will be removed one way or another. :)

    Pick your battles, and be strategic.

    1. Re:I'm at a fortune 150 company by ThoreauHD · · Score: 0

      I agree with the squeaky wheel law. I hear people shout about this, that, or the other all day and watch them as they're the first to get burned out of a job. Product does in fact come first. Security, or a sustainable product, comes second. The only time CEOs will shell out 1 million for packet shapers or firewalls is when they are failing their PCI or HIPAA audit. And barely at that. Security then is an afterthought, and always too late. You will have to get cracked wide open and then publicly humiliated in most sectors before any actual security measures are put in place. That's just life run by short-selling, quick-buck-chasing dumbass MBAs.

  50. Ain't no FYCK'EN difference for years now ... PTB by OldHawk777 · · Score: 1

    I have observed for over a decade now that index finger pointing is passé at Fortune 50+... pecker-order old-boy corporate welfare companies and the USA government congress, DoD ... use of the middle finger for FU is the management rage for CYA. I suspect the Whitehouse, congress members, some mayors/governors, and many CEOs, CIOs, CFOs ... have a staff of blame-stormers. Blame-stormers are used when the best-framed-truth is (determined by the lawyers on staff) not believable to a jury; idiots and/or dogmatists (Cheney & Rove ... CIA leak) find the best fall-dummy for the boss (point them out with the FUFinger). Things are becoming more FU, because nothing holds these criminals accountable, and negligence is defined as being caused by unpredictable events, which does nothing more than extend the victimization of the public. Cheney/Bush/... prove that all good patriotic lawful citizens should fear politicians/corporatists/... as far more dangerous to US than terrorists.

    I was told that when POTUS Bush/Cheney, Dummy Rummy the War Don ... took the oath of office to protect and defend "The USA Constitution" against all enemies foreign and domestic they intentionally crossed their fingers, eyes, or legs ... never intending to serve the public, but to service the public like good shepherds for money and personal gain. I never saw the pictures; So, I cannot be sure....

    PBS news has even been turned to the will of the dark-side by Bush-Vader and Sith-Lord Cheney. Are all our Jedi Masters dead or seduced by a Monicabj hope of everlasting fame? Tune in after the next exciting election when we will all see more of the same or a spectacular USA finally for democracy and capitalism. I suspect it will be a real tear-jerking, neck-clinching, and nail biting disappointment to USAll.

    --
    Unaccountable leaders are masters, and unrepresented people are slaves. How do US and EU fare?
  51. There's no teacher like experience... by bgibby9 · · Score: 1

    If there are issues, probably the only true way of them waking up to themselves is for the violation to take place in a controlled manner. Show them where the problems are by exploiting the problem so that they may fix it. I think you're in for a hard sell but there's no teacher like experience, especially in my customers' business lives. In the end, if it's a controlled violation, my customers are always grateful!

    --
    http://www.gibby.net.au
  52. Change starts with you. by rindeee · · Score: 2, Interesting

    Sorry my friend, but the biggest reason people 'fear losing their job' and not being able to support their family is due to personal irresponsibility. I promised myself a looooong time ago that I would do my best not to get into a situation where my job could bend my ethics due to need for the check every two weeks. Show me a person with little to no debt, a stout (not huge mind you) savings that knows how to live within or below their means and I'll show you someone who won't hesitate to 'blow the whistle', call a spade a spade, insert cliche here. Sadly, employers know as well as retailers and lenders that debt equals power over the indebted. This is not 100% of the problem, but in my opinion it is a very big part of it.

    1. Re:Change starts with you. by Anonymous Coward · · Score: 0

      a stout (not huge mind you)

      It'll run out eventually, and having to move cross country to get out from under the umbrella of the company (and the newspapers running the story...) is going to drain it that much faster.

      Insulting him about his "personal irresponsibility" isn't helping either. It's not like companies line up to hire honest people to positions of any real import, if they did, we wouldn't need whistleblowing laws.

  53. I call your oxdung! by Pig+Hogger · · Score: 1

    "I am a senior security xxx in a Fortune 300 company and I am very frustrated at what I see. I see our customers turn a blind eye to blatant security issues, in the name of the application or business requirements. I see our own senior officers reduce the risk ratings of internal findings, and even strong-arm 3rd party auditors/testers to reduce their risk ratings on the threat of losing our business. It's truly sad that the fear of losing our jobs and the necessity of supporting our families comes first before the security of highly confidential information. All so executives can look good and make their bonuses? How should people start blowing the whistle on companies like this?"
    Aw come on, don't tell me you went up the corporate food chain up to where you are without intimately knowing the little gears that made the company go, and knowing where the weak links are, and without being able to figure out which gentle, subtle push on which weak links will be able to bring the whole edifice crashing down without getting the blame?
  54. Re:Ethics? Where? On Slashdot? by Anonymous Coward · · Score: 0

    Because of my personal beliefs which stem from an often insulted and bashed faith, constantly mocked here on Slashdot, I do not sell the information I am privy to.

    So get over it. What "faith" or religious belief out there isn't insulted and bashed in some culture? You think that your beliefs have a monopoly on getting insulted? Get in line, brother.

  55. Sarbanes-Oxley by PPH · · Score: 2, Interesting

    This law makes the company CEO responsible for making any material mis-statements. If the security in question involves financial information, or if it would affect the financial standing of the company in the eyes of investors, it cannot be covered up.

    There may also be other regulatory agencies involved, such as the FDA, FAA, etc.

    If this is the case, tell the people pushing for the cover-up that you will gladly comply. But, after the sh*t hits the fan, you will visit the CEO in prison and tell him/her exactly who was responsible for generating the mis-statements.

    IANAL, so you should check with one first.

    --
    Have gnu, will travel.
  56. CYA and document it. by DragonTHC · · Score: 1

    Fulfill your requirements and document your protests. When your manager comes to collect, point out your protests and mention that they've been documented from the start. Do your due diligence, my friend.

    --
    They're using their grammar skills there.
  57. The uses of publicity by Animats · · Score: 3, Insightful

    Public embarrassment can be useful. We publish a list of major domains being exploited by active phishing scams. These are major domains where an attacker has found a security hole allowing them to exploit the site for phishing purposes. There are 65 sites on the list. There used to be about 140, but by nagging and publicity, we've been able to get most big-name sites to tighten up. Now and then some big site makes the list, but it often disappears within hours as the hole is plugged.

    So it actually is possible to get big companies to tighten up security, if you do it right.

    1. Re:The uses of publicity by Anonymous Coward · · Score: 1, Insightful

      I noticed tinyurl.com on your list. Given that the intrinsic nature of a standard URL shortening service is to issue HTTP redirects to arbitrary user-supplied webpages, how would you propose they repair whatever "vulnerability" they suffer without rendering the service utterly and completely useless?

    2. Re:The uses of publicity by Animats · · Score: 1

      I noticed tinyurl.com on your list...

      Redirection services have to be vigilant about phishing, and should be tied into the major phishing databases so they can block misuses of their service very rapidly. Otherwise, their URLs are likely to be identified as spam.

      Phishing sites like to create URLs that will get through spam filters. So any mechanism which allows a phishing site to create a URL within a well-known domain is an attack vector. What's striking is how few sites are on that list. It's simply a list of second level domains that are in both PhishTank and Open Directory. When the list was first created, I was expecting to find hundreds or even thousands of entries. But no. Initially, there were around 150, and we've been able to bring that down.
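      The list Animats describes (second-level domains that appear in both PhishTank and the Open Directory) can be built by normalising each feed's URLs to a domain and intersecting the two sets. This is an added example, not code from Animats or from either project; the URL lists are constructed sample data, and the block uses the plain last-two-labels rule for a second-level domain, which is an assumption (multi-label public suffixes such as co.uk would need the Public Suffix List).

```python
from urllib.parse import urlsplit

# Constructed sample feeds, standing in for PhishTank (reported phishing URLs)
# and the Open Directory (URLs of established, listed sites). Not real data.
PHISH_URLS = [
    "http://www.example.com/~user/login.html",
    "https://shop.example.org:8080/verify",
    "http://203.0.113.5/bank/",             # bare IP: no domain to match
    "http://malicious.invalid/x",
    "HTTP://Files.EXAMPLE.COM/paypal/",     # mixed case, same domain as line 1
]
DIRECTORY_URLS = [
    "http://www.example.com/",
    "http://example.net/",
    "http://www.example.org/",
]


def second_level_domain(url):
    """Reduce a URL to its second-level domain (last two host labels).

    Returns None for IP literals and single-label hosts. Assumption: the
    last two labels are the registrable domain; that is wrong for suffixes
    like co.uk, where the Public Suffix List should decide instead.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host or ":" in host or host.replace(".", "").isdigit():
        return None                       # empty, IPv6 literal or IPv4 literal
    labels = host.split(".")
    if len(labels) < 2:
        return None
    return ".".join(labels[-2:])


def domains(urls):
    """Set of second-level domains present in a feed, skipping non-domains."""
    return {d for d in map(second_level_domain, urls) if d}


def exploited_directory_domains(phish_urls, directory_urls):
    """Domains that are both listed in the directory and hosting phishing pages,
    i.e. established sites with an active hole, sorted for stable output."""
    return sorted(domains(phish_urls) & domains(directory_urls))


if __name__ == "__main__":
    for d in exploited_directory_domains(PHISH_URLS, DIRECTORY_URLS):
        print(d)
```

      Matching at the domain level rather than the full URL is what keeps the list short and actionable: a site that is compromised for phishing usually shows up under several paths and subdomains, and all of those collapse to one entry that a site owner can act on.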

  58. John by jab9990 · · Score: 1

    America is rotting from the inside out. There is no way to stop it.

  59. Re:Ethics? Where? On Slashdot? by Lunix+Nutcase · · Score: 0

    But you're forgetting the fact that Christians are the stalwarts of religious tolera... BWAHAHAHAHAHAHAHAHAHAHA. Sorry, couldn't keep a straight face.

  60. "Most" executives? by mi · · Score: 1

    Most executives make their way to the top by lying, cheating and stealing better than the next guy.

    Wow! Do you have numbers to back up the above assertion?

    --
    In Soviet Washington the swamp drains you.
    1. Re:"Most" executives? by alizard · · Score: 1

      via google: Results 1 - 10 of about 4,390 for sociopathic CEO corporate. (0.21 seconds)

    2. Re:"Most" executives? by mi · · Score: 1

      Results 1 - 10 of about 243,000 for admirable CEO corporate.. (0.29 seconds)

      --
      In Soviet Washington the swamp drains you.
  61. after 10 yrs....... by Anonymous Coward · · Score: 0

    u will know the bugs/fu*ks....
    but u will never solve them anymore
    becoz u need politics before anything technikal

    then u will turn to crack things
    not reporting things

  62. Security in layers by flyingfsck · · Score: 1

    You may be missing the bigger picture. I would assume that your systems have multiple layers of security, so things are never simple.

    --
    Excuse me, but please get off my Pennisetum Clandestinum, eh!
  63. Clearly You Are Confused by Crypto+Gnome · · Score: 1

    The issue here is not ethics, it's integrity.

    How long are YOU (yes, you personally) prepared to continue in your current security role knowing that when it really matters, the powers that be are ignoring you in ways that seriously put your customers at risk?

    If your answer is along the lines of "but I'd lose a good job and probably take a paycut" how is that attitude any worse/different than "the problems at upper management" which you're currently whining about?

    --
    Visit CryptoGnome in his home.
  64. Adam Smith sez by haelduksf · · Score: 1

    I suggest that you tell your executives clearly and succinctly what will happen to their bonuses if (when) a serious breach occurs. The invisible hand tends to bitch-slap companies that put profits over customer safety.

  65. 2 words: Whistleblower Laws by Thoguth · · Score: 1

    You can sleep at night and feed your family, you just might have to go through hell with lawyers to get there. If you can document that the choices being made really are cover-ups of violations of the law (and not just weak interpretations of the law) then go ahead and gather the evidence, and then make it clear to your boss or his boss or whoever needs to hear it: this is a problem and if it's not fixed here, you have no choice but to go public with it.

    Suddenly, the only way to "cover up" is to fix the problem. If they fire you, you go public anyway, and not only is their coverup work worthwhile, but they're liable under whistleblower protection laws.

    And it may not come to that. Most big companies have internal and/or external auditors, who are (or should be) completely independent, and whose job it is to expose internal corruption before it becomes a bigger issue. If not your internal audit group, then perhaps Loss Prevention or even your Legal department -- For all the disrespect they may get, corporate General Counsel recognize liability when they see it, and if something exposes a legal liability, they will push the hole to get closed if only for the sake of saving their own neck.

    --
    The requested URL /iframe/sig.html was not found on this server.
    1. Re:2 words: Whistleblower Laws by alshithead · · Score: 1

      "Suddenly, the only way to "cover up" is to fix the problem. If they fire you, you go public anyway, and not only is their coverup work worthwhile, but they're liable under whistleblower protection laws."

      Or...you get discovered in your car with your brains decorating the interior and an unsigned and typed suicide note bemoaning your guilt for all of the problems.

      Ahhhhh! Tinfoil hat restricting blood flow!

      --
      I reserve the right to think for myself. Others' opinions are optional. Puppy on lap = typos...not illiteracy.
    2. Re:2 words: Whistleblower Laws by rah1420 · · Score: 2, Informative

      Whistleblower laws are a freaking joke.

      I have an acquaintance who was a financial underling at a publicly traded company. The CFO discovered some irregularities with the books and blew the whistle on the shenanigans. Within 6 months he was history, along with anyone else who TPTB determined was in the 'penumbra of blame.' Came damn close to my acquaintance but didn't affect them.

      Look at it this way; are you gonna want to keep around the guy who spoiled the ride for the rest of the clowns? If you are one of the beneficiaries of the monkey business you'll never look at the whistleblower the same way again.

      --
      Mit der Dummheit kämpfen Götter selbst vergebens.
    3. Re:2 words: Whistleblower Laws by Anonymous Coward · · Score: 0

      If you're not working for the Mafia or the Clinton family (but I repeat myself) that shouldn't be a problem. And I'm guessing the guy who is ethically minded isn't working somewhere that would seriously consider murder as a business decision.

    4. Re:2 words: Whistleblower Laws by alshithead · · Score: 1

      "If you're not working for the Mafia or the Clinton family (but I repeat myself) that shouldn't be a problem. And I'm guessing the guy who is ethically minded isn't working somewhere that would seriously consider murder as a business decision."

      What do you know about Enron? Anything can happen.

      --
      I reserve the right to think for myself. Others' opinions are optional. Puppy on lap = typos...not illiteracy.
  66. Laws written by legislators that understand tech by Torodung · · Score: 3, Interesting

    The simple answer is we need laws, and public servants who understand the laws and the issues, for our new situation of having an "imaginary economy," where the only proof is often the voltage level of a circuit.

    Today: We are in the phase of judges trying to claim that putting a program into RAM might be an illegal copy process, and demanding a core dump as evidence.

    The Future: We need mandatory hard records of specified sensitive transactions (e.g.: e-voting, health, finance), we need whistleblower laws that protect what would otherwise be considered improper employee investigation and documentation of ephemeral computer records (it looks a lot like espionage), and we need legislators that understand the technology economy, and know where new laws are needed, and where the old ones will suffice.

    Then we need to fund enforcement, which has taken a dive in recent years.

    The newly qualified legislators are scheduled to arrive in Congress in about 20-40 years, if the older tech-savvy generation can teach the new aspirants to value their own privacy, and get them to understand that the fifth amendment doesn't apply if you put it all up on MySpace. I have confidence that these qualified people will eventually come to Congress.

    Until then, enjoy the wait. In the short term, enforcement money, and will, has been gutted. In the long term, the Congress is not yet savvy to these issues, so the law is inadequate, and new law is written by lobbyists who want less accountability, not more.

    Unfortunately, you don't have a leg to stand on while we amend the unintended consequences of our move to the "paperless society." I'm sorry. :^/

    --
    Toro

  67. Rule Number 1 by codepunk · · Score: 3, Insightful

    Rule Number 1

    The bottom line is this: it does not matter one lick how many security measures you put in place. Short of completely disconnecting the network from every point of entry and encrypting the entire network, your security measures are not going to survive a determined attack from someone with at most average hacking skills. The best you can do is to point out the risks and figure out how to respond when your network gets owned, because someday it is going to.

    Security is always a trade-off and a continuous game of cat and mouse. It is all about being open enough to get the job done while doing your best to inform and mitigate the risk.

    --
    Got Code?
  68. Here's an interesting thought: by Anonymous Coward · · Score: 5, Interesting

    As an IT auditor doing internal control audits, this thought occurs to me:

    When my company audits you and attests to the controls being in place and operating effectively, they essentially take legal responsibility for your internal controls. If we get strong-armed or bought off and decided to cover it up (which has never happened in my experience), we are on the legal hook for the results. We can be sued. The CPA that signs off on the audit can lose his license and get in all kinds of other trouble.

    If one wanted to keep one's job, but wanted to whistleblow on this situation, one might be prudent to blow the whistle on the auditors (to the AICPA) for materially misstating the operating effectiveness of your company's controls. The auditors take the fall, and your company gets a pass by saying "Hey, we didn't know, they signed off on it!", and subsequently tightening up controls to ensure that no eyebrows are raised in the future.

    Food for thought.

    1. Re:Here's an interesting thought: by Anonymous Coward · · Score: 0


      Nice food for thought, but I think you and others missed my point. Although most good 3rd party audits will challenge for reason on rating changes (proof of false positive, etc.), most auditors are stupid and smoke and mirrors. When was the last time a sbox, glba, self, etc. audit ever looked at the detail? It is usually stupid crap like: are you scanning, how often, what do policies look like, standards. How about proving all systems are compliant with more than a "sure they are"?

      And..... just how is blowing the whistle on a successful audit pass not going to get me fired?

      To me, you auditors should be the ones saving my ass and calling bs. You should all think real hard the next time you use your credit card or write a check, because this shit stinks.

    2. Re:Here's an interesting thought: by Anonymous Coward · · Score: 0

      Companies don't strong-arm auditors, they just hide it from them. Auditors are so busy and they don't know the environment enough to go looking for it. I experienced this first hand. And when you speak up, then all of a sudden, you're no longer working for the company!

    3. Re:Here's an interesting thought: by Anonymous Coward · · Score: 0

      I used to do security evaluations.

      Three out of our four Canadian competitors would pass every product that they were given. The result was that we would (almost) never fail a product. If the product was total crap we would turn down the work. Otherwise we would point out any easy to fix parts of the product, ask them nicely to give us a prototype of the new production model that they would be shipping and then certify the product.

      Everyone I worked with knew most of the products we were certifying weren't secure but we also knew if we didn't lower the bar far enough our company would start losing money on evaluations and pull out of the business. We weren't so much worried about our jobs(we were mostly young and could probably find new ones) as we were about the fact that at least we were doing something to improve security and without us the quality of these products would disappear.

      My advice to the original question would be:
      Security sucks everywhere. Blowing the whistle won't help. The best you can do is make small suggestions and improvements and hope that if we all make small, baby step improvements in 30 years we may actually have real security.

  69. Give it 6..9 months by Anonymous Coward · · Score: 0

    There are presently few ways other than documenting it and then leaking it to Wikileaks - especially interesting if losses have occurred that shareholders need to know about. However, your problem SHOULD be that this is not really an ethical option for a security manager.

    Start with documenting the failures and associated losses, then a list of current risks (in other words, document past loss and then audit the company just to see how leaky the ship is). You can derive an approximate monetary value for failure and take that to the board. In companies like that it takes IMHO 6..9 months max for the brown stuff to hit the fan - something big will go wrong.

    I would like to warn you, though. In my experience, discovering such an attitude identifies that you're employed for one purpose only: simply to take the blame when it goes wrong. You thus need strong documentation of how it has proved impossible for you to do your job.

    Alternative option: leave. Sometimes it's not worth bailing water.

  70. By Neruos by Anonymous Coward · · Score: 0

    I work for a Fortune 300 global comp, and I can say that 99% of any issue related to ethics is completely ignored if it relates to anything financial. Only when something could impact a client process or procedure did the business view the issue in detail.

    Welcome to the world of capitalism.

  71. The problem is, how do I get my CLIENTS to buy it? by ps3udonym · · Score: 2, Insightful

    I work for a small IT company doing work mostly for law offices in our city. I fully and completely agree that security is of prime importance and that we spend far too little time on it. The problem is, guys, how do I get my CLIENTS to buy it? Most of them are fairly small and the attitude of "It can't happen to me" is all pervasive.

  72. upper management decides by Anonymous Coward · · Score: 0

    It's upper management's job to decide what is and isn't a worthy threat. You can only inform them of the problem. If you're working in a govt system then there is a designated accrediting authority or DAA that has ultimate responsibility. FISMA requires pretty comprehensive audits for information systems. Just make sure you don't sign off on anything false.

    Also, there are a lot of laws protecting whistle blowers. In the long run you should be protected at the highest levels of government.

    Credit card data protection would be enforced more by the Payment Card Industry, a loose union of the large credit card companies that monitors and will fine companies that place customer information at risk. I'm sure they've got some kind of whistle blower program set up.

    If the threat is very serious and you're a professional willing to take it to a high level then you should consider contacting a federal representative like your congressman or even Senator. They love to get in on things like this. And the more letters you have next to your name the better...i.e. CISSP, CISA or CCSP.

    I worked for some time on some federal systems and the fed employees that paid us were lazy and crooked. I did the job for about 7 months before moving into the private sector...I just couldn't take the BS. Good luck to you, I wish you the best. Ethics and business are usually at odds.

  73. Fortune 300? by Bromskloss · · Score: 1

    More specific every day. Soon we'll see "Fortune 282", meaning you are actually number 282.

    --
    Swedish plasma phys. PhD student; MSc EE; knows maths, programming, electronics; finance interest; seeks opportunities
  74. Not as cut and dry indeed by Moraelin · · Score: 1

    1. It's not as cut and dry indeed: way too often I hear the "compromise" excuse for something that really _is_ just piss-poor practices.

    Yes, sometimes you can have 3 layers of security in front of that mainframe to achieve the same effect.

    But too often that's just window dressing and wishful thinking. E.g., is that emulator the _only_ way to access that legacy app? Because if someone can just use telnet on the internal network to bypass that, then all those funky layers in front of it are worth exactly squat.

    Not saying that that's necessarily the case there, but I _have_ seen entirely too many places where exactly that was the case. They had layers upon layers of... show business and make-believe magical talismans. They were either routinely bypassed by everyone, or had opened holes in those defenses that you could drive a bus through, or didn't even bother configuring them to actually do anything.

    And entirely too often I see this attitude of "auugh, those mean security people are just persecuting us", for stuff which was a genuine security hole. The biggest case I've seen had, among many other faults:

    - checked roles only when generating the links, but not on each page. So you could ask to edit your own user's password (and dutifully it would check who you are and generate the link to edit your own user), but then you could edit the URL and change the super-user's password instead. Or see some other company's data. Or pretty much change any other parameter.

    - SQL _and_ HTML/javascript injection. The guys were simply too stupid to quote a text, and when asked to, they quoted it twice. Then disabled it again, when asked to fix that.

    - failure to keep a proper history. Asking to delete your user would indeed dutifully cause a cascaded delete through anything linked to it via a foreign key, so you and everything you've ever done would simply vanish from the system. Orders you placed, money you owed, posts you've posted, everything.

    And a few other problems, not all related to security. The management reaction? It actually got leaked via everyone adding their comment to the top of an email, with everything quoted at the bottom. So when the resulting thread (which by now had branched into other stuff) was forwarded outside that group, buried 10 ft deep was a fragment of a discussion where the security team was painted as "don't listen to them, they're doing evil hacks like editing URLs, to discredit our friends from XYZ." (XYZ being the company supplying the contractors who programmed that catastrophe.)

    So, again, _because_ it's not as cut and dry, make sure it doesn't end up painted cut and dry in the other direction. Before concluding that a security auditor is just some evil jerk beating his own drum, make damn sure that you did triple-check and it's not just a knee-jerk reaction.

    2. I take particular offense to: "Money and resources are not in unlimited supply, and sometimes standards need to be compromised or worked-around so that business can continue." I'm sorry, but that's just a fancy way of saying that you have _no_ ethics or standards. If that business can't continue in a way that obeys the laws and protects people's privacy (which at least in Europe actually _is_ a legal requirement), then maybe it shouldn't continue at all.

    I'm sorry, but no one has a sacred right to make money. So the excuse that sometimes you have to do the wrong thing, or even break the law (at least if you have any branch in Europe), to keep making money, again, is just a way to say that you have no morals. It's not a "compromise", it's lack of ethics. It's that simple.

    I can even accept that sometimes compromises can provide the same level of security. I'm fine with that. But, basically, "we have to bend the rules to keep making money" is _not_ it. It just isn't and shouldn't be an excuse, ever. It didn't excuse Ken Lay, it didn't excuse the AOL DBA who exported their database and sold it to spammers (hey, it was for money too), and it doesn't excuse

    --
    A polar bear is a cartesian bear after a coordinate transform.
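    The first two faults listed above (roles checked only when the link is generated, and string-built queries with ad-hoc, doubled quoting) side by side with their fixes, as an added example that is not code from the post or from the application it describes. The users, roles and sqlite schema are constructed for the demonstration.

```python
"""Added example, not code from the Slashdot post or from the application it
describes: the two flaws the comment lists, each beside its fix.

  * authorisation checked only when the link is generated, so a user who
    edits the URL reaches another user's record;
  * string-built SQL and ad-hoc quoting (the 'quoted it twice' problem)
    instead of parameters and a single, well-defined HTML escape.

Users, roles and the sqlite schema are constructed for the demonstration.
"""
import html
import sqlite3

# Constructed sample users: an ordinary user and a superuser.
USERS = {
    1: {"name": "alice", "role": "user"},
    2: {"name": "root", "role": "superuser"},
}


def build_db() -> sqlite3.Connection:
    """In-memory store with one row per user; every password starts as 'old'."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw TEXT)")
    for uid, user in USERS.items():
        db.execute("INSERT INTO users VALUES (?, ?, ?)", (uid, user["name"], "old"))
    return db


def edit_link(session_uid: int) -> str:
    """Link generation: the only place the original app checked who you were."""
    return f"/edit_password?user={session_uid}"


def change_password_broken(db, session_uid: int, target_uid: int, new_pw: str) -> int:
    """Trusts the user id that arrived in the URL and ignores the session.

    Returns an HTTP-style status; always 200 here, whoever is targeted.
    """
    db.execute("UPDATE users SET pw = ? WHERE id = ?", (new_pw, target_uid))
    db.commit()
    return 200


def change_password_fixed(db, session_uid: int, target_uid: int, new_pw: str) -> int:
    """Re-checks authorisation on every request, not just when the link is built.

    A user may change only their own password; a superuser may change any.
    Returns 200 on success, 403 when the check fails.
    """
    actor = USERS.get(session_uid)
    if actor is None:
        return 403
    if target_uid != session_uid and actor["role"] != "superuser":
        return 403
    db.execute("UPDATE users SET pw = ? WHERE id = ?", (new_pw, target_uid))
    db.commit()
    return 200


def password_of(db, uid: int) -> str:
    return db.execute("SELECT pw FROM users WHERE id = ?", (uid,)).fetchone()[0]


def find_user_unsafe(db, name: str) -> list:
    """String-built query: any quote inside `name` changes the statement."""
    return db.execute(f"SELECT id FROM users WHERE name = '{name}'").fetchall()


def find_user_safe(db, name: str) -> list:
    """Parameterised query: the driver keeps data and statement separate."""
    return db.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()


def unsafe_query_breaks(db, name: str) -> bool:
    """True when string-building turns an ordinary value into a SQL error."""
    try:
        find_user_unsafe(db, name)
        return False
    except sqlite3.Error:
        return True


def render_name(name: str) -> str:
    """Escape exactly once, at output time, for the HTML context."""
    return f"<td>{html.escape(name)}</td>"


def render_name_double(name: str) -> str:
    """The 'quoted it twice' bug: escaping already-escaped text mangles it."""
    return f"<td>{html.escape(html.escape(name))}</td>"
```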
  75. Don't Worry... by Anonymous Coward · · Score: 0

    Some idiot with a clipboard and a barely relevant policy document you can hide behind will be round to sort it out shortly...

  76. Stop Being A Security Professional and use Risk by Alexander · · Score: 3, Interesting

    When I've seen Fortune XXX companies deal with this similar issue, it's rarely been that Company XXX "doesn't care about security" - almost always it's been that Information Security Department doesn't understand the fundamental question "are we secure enough" within the context of the risk tolerance of the organization. When security is ignored, it's usually because we don't use "risk" in a means that is useful to the rest of the business.

    So I'd first get a proper definition of risk. I'd start with:

    (probable frequency x probable magnitude of loss)

    Risk must be a probability issue, and it needs to be expressed as a derived value (how frequently something bad will happen, and how much it will most likely hurt). I recommend using FAIR (see the Open Group website) as a means to derive risk. FAIR was developed by a Fortune 100 CISO who had a similar problem.

    It is a Bayesian Network for risk expression, which results in the best probability outcome that your prior information will allow, but more importantly it will help you work with auditors and the data owners to identify any dispute about the amount of risk the organization has by working through the composite factors involved. FAIR also provides KPIs for discrete risk issues.

    Next, you need to expend whatever political capital is involved and get some flavor of Risk Tolerance/Appetite from the C-Suite. A 15-minute meeting with the CFO with the right questions prepared ahead of time should suffice. Join ISACA and find someone who is all hyped up on COSO. The COSO evangelist will likely help you develop the right questions for the price of a nice lunch. There are good things and things that suck about COSO, but you can use the "Internal Environment" and "Objective Setting" functions of COSO to develop a risk tolerance.

    Finally, you need to stop thinking about security in terms of IP addresses, and think in terms of the business processes they support. Businesses, outside of Information Security Departments, usually couldn't give a rats@ss about what a scanner says about an IP address. They want to know the risk (FAIR, above) around the business process that makes them money.

    Let me also suggest that if you're already feeling commoditized there, the business isn't going to care about "compliance" either. Hitting them over the head constantly with a large GLBA/HIPAA/PCI/SOX/Whatever hammer might get you some budget, but it's not going to get you credibility.

    I'd also work with your CISO to get the company to change the name of your group to Information Risk Management to better reflect your value to the company. You may also want to join the SecurityCatalyst.com website (smart people there) and subscribe to the RSS feed of the Security Bloggers Network on Feedburner.

    --
    "oohhh... I didn't know Schopenhauer was a philosopher!" ..."uhhh yeah, he's the one that begins with
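    Risk as a derived, probabilistic value (probable frequency times probable magnitude, compared against a stated tolerance), as an added example that is not part of the comment above nor the FAIR standard's own tooling; the factor decomposition is my rendering of FAIR's top level and all figures are constructed.

```python
"""Added example, not from the Slashdot comment or from the FAIR standard's
own tooling: risk as a derived, probabilistic value, following the
top-level decomposition the comment alludes to (my rendering of it):

    Loss Event Frequency (per year) = Threat Event Frequency x Vulnerability
    Annualised risk                 = Loss Event Frequency  x Loss Magnitude

Every input is a calibrated range (min, most likely, max) sampled as a
triangular distribution, so the output is a distribution of annual loss,
not a single 'High'. All figures below are constructed for illustration.
"""
import random
from dataclasses import dataclass
from statistics import mean, quantiles


@dataclass(frozen=True)
class Estimate:
    """A three-point estimate for one factor."""
    low: float
    likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.likely)


@dataclass(frozen=True)
class Scenario:
    name: str
    tef: Estimate            # threat events per year
    vulnerability: Estimate  # probability a threat event becomes a loss event
    magnitude: Estimate      # loss per loss event, in currency units


def simulate(s: Scenario, runs: int = 20000, seed: int = 1) -> dict:
    """Monte Carlo over the three factors; returns mean and 10th/90th percentiles."""
    rng = random.Random(seed)
    losses = []
    for _ in range(runs):
        lef = s.tef.sample(rng) * s.vulnerability.sample(rng)
        losses.append(lef * s.magnitude.sample(rng))
    deciles = quantiles(losses, n=10)
    return {"name": s.name, "mean": mean(losses), "p10": deciles[0], "p90": deciles[8]}


def analytic_mean(s: Scenario) -> float:
    """Cross-check: the factors are independent, so E[product] = product of E[]."""
    def tri_mean(e: Estimate) -> float:
        return (e.low + e.likely + e.high) / 3.0
    return tri_mean(s.tef) * tri_mean(s.vulnerability) * tri_mean(s.magnitude)


def rank_by_risk(scenarios, runs: int = 20000, seed: int = 1) -> list:
    """Order findings by expected annual loss, highest first."""
    return sorted((simulate(s, runs, seed) for s in scenarios),
                  key=lambda r: r["mean"], reverse=True)


def within_tolerance(result: dict, annual_loss_appetite: float) -> bool:
    """Compare the 90th percentile against the appetite agreed with the CFO."""
    return result["p90"] <= annual_loss_appetite


# Constructed findings: a scanner would rate the second higher because it is
# easy to trigger; the first is rarer but the business impact dominates.
PAYROLL_EXPORT = Scenario(
    "unauthenticated payroll export", Estimate(0.5, 2, 5),
    Estimate(0.1, 0.3, 0.5), Estimate(100_000, 500_000, 2_000_000))
INTRANET_XSS = Scenario(
    "reflected XSS on intranet wiki", Estimate(20, 50, 100),
    Estimate(0.01, 0.05, 0.10), Estimate(500, 2_000, 10_000))
```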
  77. Re:Ethics? Where? On Slashdot? by aproposofwhat · · Score: 1

    Probably his Thetan :o)

    --
    One swallow does not a fellatrix make
  78. Re: Developer time by PetriBORG · · Score: 1
    I think you misunderstand what I'm saying - we're in agreement about everything you said!

    What I was saying was that we as programmers haven't spent enough time to make writing secure software as easy as it should be. A lot of my code is still written in C and I spend a considerable time designing and writing said code to be secure and correct.

    It would be a lot faster to write that in Java, but even that is really slow to code frankly. I've programmed in just about every major programming language out there and I can think of none which integrate security into the code itself and make it easy to do so.

    An ideal language might have a large set of safe libraries like Java, but be easier to code in like Python, include more validation like Eiffel, and still be somewhat typesafe. It should include easy-to-use regex to validate strings, and reading files and streams should be safe from interception. It should have good runtime validation and evaluation and shell execution. It should support parallel math calculations and threads without lots of programmer effort. It should include integration in the language to databases (more like Lua, definitely not like Java).

    All of these things have been "done" but never as a whole and where doing things correctly was as cheap as doing it wrong. Java goes a long way in this direction, but I've always hated Java's lack of integration of higher level language features like Python or Perl have in the name of "type safety".

    --
    Pete/Petri "damn, my chainsaw is clogged with 1's and 0's again." --clyde
  79. Rule Number 2 by Anonymous Coward · · Score: 1, Interesting

    You will hate me for this, but I think you will also see some truth in this.

    Rule #2 - The business makes the decisions, not security or audit or legal. Everyone serves the business, not security, audit, or legal (or your dept).

    As a CISSP and security director, my job is NOT to lock down the business and fix every security hole. (Hang on!) My job is to discover the risk, document it, determine how to mitigate it, determine whether the benefit of mitigation outweighs the $ cost and the user "cost" in productivity, and relay all that information to management (keep some proof you did) so THEY can decide whether they want to assume, mitigate, transfer, or ignore the risk.

    If they make a poor decision in your opinion, you challenge them gently with facts that SPEAK TO THE BUSINESS. If you can't do that, shut up, as you're wasting everyone's time and the shareholder's money.

    If you challenge MGMT appropriately and it ignores you, you've done your job. Keep harping about it and you'll get fired. Since you raised the issue, you can maintain your ethics and sleep somewhat at night.

    If you warn them, mgmt ignores it, and then it happens, you look good. Of course, you may get fired anyway, but at least you can stand tall and tell the next interviewer that you raised the issue proactively, it was rejected, and you were fired as a scapegoat. Not a bad reference in the security world.

    Just stop trying to do management's job. Focus on your doing your job well and that should keep you busy enough. If you don't like how mgmt handles things, go somewhere else. But beware: there are few "somewhere elses" that are any different.

  80. Speaking for the other side... by Anonymous Coward · · Score: 0

    Not discounting your question, but I've often observed that the security teams in many Fortune XXX companies aren't doing much to improve the situation.

    For some reason, they tend to favor the stick approach. Overly provocative language used in audits, threats of exposing vulnerabilities via whistleblower activity, etc.

    My observation is that if they were to take the time to think about their approach, they could make more progress. For example, if you want to push for improvements that require time and expense, approach the dev teams in the same way that the business does, and at the same time. Don't come in a month after the hours are already budgeted for new features and start mandating some new security directive. Come in during the budget cycle and help the dev team negotiate hours from the business. Also, take the time to understand a bit about software, and why the XYZ PCI compliance software you bought, without talking to anyone technical, doesn't do what you think it does.

    In short, swallow the whistle and try to be a partner. You might get better results.

  81. bish by Anonymous Coward · · Score: 0

    www.wikileaks.org :D

  82. Sad? or... by jandersen · · Score: 1

    It's truly sad that the fear of losing our jobs and the necessity of supporting our families comes first before the security of highly confidential information. I'm not sure I can see it as "sad". Life in general and business in particular consists of taking calculated risks. If we are too paranoid to do anything, what kind of life is that? Not one I would want to live, that's for sure.

    "Security" is being used over and over as an excuse to deny everybody something, one way or other, and I don't think it gives us much in return. Isn't it true that by far the biggest security risk is employees either being too naive or being hostile to their employer? But how many companies spend resources on 1) educating employees about how to avoid social engineering and other con tricks? - and 2) building trust and loyalty between employer and employees? Instead they go for the easy way out: technology, which, at the end of the day, is next to useless if the employees are either stupid or disloyal.

    No, the only sad thing here is that pseudo-security is being used to bully everybody, as if security was more important than life itself.
  83. Similar situation by ShannaraFan · · Score: 1

    I actually just dealt with a similar situation. Until October 2007 I was happily employed as a production DBA with a rather large company, great benefits, good $$$, really had no plans to leave. Somewhere around mid-October, a friend of mine, who was working for a start-up, called me up, saying that the company had lost their DBA, were suffering lots of database performance issues, "if you're interested I can get you six figures", yada, yada, yada. Sounded like a chance to do something new, be a "hero" for a while, and pad the checkbook a little bit, so I took it.

    November 1st, I walked into the new place, set up the basic DB monitoring and traces, and started nailing down the biggest performance issues. First thing I noticed was that there were lots of ad-hoc queries being run that were textbook examples of how NOT to write SQL queries - massive temp tables, non-sargable filters, you name it, they did it. Further investigation revealed that many of these queries were being run by DEVELOPERS. Hmmm, wait, this is a production database!?!? Whattya mean ALL developers have read/write access to production? Even the offshore group in Russia???? The same production database that contains SSNs, medical claims, etc..?? Holy shit! I proceeded to yank every developer login I could find out of the production database. Almost immediately, high-level developer A and high-level developer B went to golf-buddy CEO and complained. I was promptly instructed to restore the permissions that I had revoked, because developers needed access to production in order to debug issues. I argued briefly, but backed down until I could regroup.

    Soon after that fiasco, I think actually the same week, I discovered that our production database servers (actually ALL of our database servers), which are hosted by a third-party, were PINGABLE from the Internet!!! After picking myself up off the floor, I proceeded to the "IT guy" to find out why. The response was "they're behind a firewall, so it's all good". Umm, no, it's not "all good", they shouldn't even be VISIBLE! If a no-goodnik can ping them, he knows they exist, and he's going to want to know what they contain. I insisted that the public-facing interface be UNPLUGGED (each server has three NICs - one public, one internal, one for admins). "Can't do that, it's not the vendor's standard configuration". Holy shit! I've only been here three weeks, and I'm developing a constant migraine.

    The final straw came the week after Thanksgiving when all of the SQL servers rebooted overnight at 3:00am. Anybody care to guess what it was? Yep, Windows Update. Automatic updates were enabled on EVERY machine, even the production SERVERS, because the "IT guy" didn't want to have to worry about keeping up with patches. But what if an update bricks a machine? "I trust Microsoft to test their patches before releasing them, I've NEVER had a problem". Guess you weren't around for some of the NT4 service packs, huh? We have overnight processes running on some of these servers, a reboot will kill those! "Don't schedule anything to run at 3:00am". Holy shit!!!

    My "old" boss had been in regular contact with me, continually asking if I was ready to come back. December 7th, I told him I was, gave my 2-weeks notice, took 2 weeks off for Christmas, and returned to my old job on January 2nd. Before leaving, I summed up the three issues above for the CEO of the start-up company, and fired them off in an email before walking out the door that last day. To this day, the SQL Server machines are still pingable from the outside world.

  84. Don't be an ignorant socialist by davidannis · · Score: 1

    The way you have framed the question is completely wrong. You are overly concerned with rules and regulations. The invisible hand of the market will take care of it, just as it takes care of all problems. Those companies that aren't secure enough will go out of business when they've been hacked enough. The silly rules just delay and impede the invisible hand. You should be fighting against all the silly mandates and let the market decide the optimal level of security. Now, go ahead and flame me because I'm not politically correct.

  85. Change jobs by Anonymous Coward · · Score: 0

    "I am a senior security xxx in a Fortune 300"

    I was the same, a job change gave me a different perspective.

    Start networking in the regulatory space, there are people who need to hear your story.

    Ethics is also a key, you'll have both internal (policy) and external (professional/regulatory) codes that you can use for extra leverage to help combat what you describe.

    Pay attention to all the letters behind the offenders' names - if what you describe is accurate then maybe they need a few less post-nominals ;-)

    All the best,
    Security God.

  86. ETHICS what shit????.... by Anonymous Coward · · Score: 0

    Fuck Work, Fuck Ethics, you've got to take care of your job, your career. I am from India, work for a really big company on the scale of Microsoft, Oracle and such companies.

    I have seen really annoying situations; for a fix that could have gone in in one shot we have taken like six months or more.

    I spoke to my manager and he said we've got to make as much money as possible. So that means do your job, don't worry about ethics and such stuff.

  87. priorities by Uzik2 · · Score: 1

    "It's truly sad that the fear of losing our jobs and the necessity of supporting our families comes first before the security of highly confidential information."

    Other people have different priorities than you. To a lot of them their family is more important than anything else. It's not a hard concept.

    You really ought to consider strongly trying to get them to improve the security by emphasizing the potential danger first. The downsides to other choices are large for lots of people. You included. Before you step off the cliff give it a lot of thought, make the effort, and document that you did so in such a way nobody can question it.

    --
    -- Programming with boost is like building a house with lego. It's cool but I wouldn't want to live in it
  88. Resigning because of this by Aram+Fingal · · Score: 1

    I am currently looking for a new job because my supervisor isn't letting me do what I think is necessary for security. I have several things related to HIPAA compliance and basic security on my to-do list and my supervisor acknowledges that these things need to be done but keeps putting other projects, which I would consider lower priority, ahead of security. It's not just that. What happened recently is that they decided to lay off some people and just did it without consulting anyone about the technical consequences. Ethically, they should have talked to us and asked for volunteers. Practically, that would have led to a discussion of how to manage each system without this person or that person.

    It's a bad time, in terms of the economy, to be looking for a new job but, once I find one, I will state, in my letter of resignation, that one of the reasons I'm leaving is that I consider it to be a hazard to my career to be responsible for security under these conditions. I'm the only CISSP in the organization and if they won't accept my expert opinion or act on it then I'm outta here.

  89. Security is a Joke. by tjstork · · Score: 1

    Security is a feature, like anything else. Pursuing absolute security is bad for both country and company because you ultimately can't have it in either place. Just as much as Bush is wrong for supporting crap like the USA PATRIOT Act and National Security Letters, so too are security people wrong for demanding that businesses become so secure as to be unable to conduct business. Accidents will happen, people might have their data stolen and sometimes a building might be blown up, but the flip side of the security coin is a police state nation and a company that fails.

    He who trades freedom for security, deserves neither, as Ben Franklin once observed, but I think that we are learning that in this day and age, you don't actually -get- either. So yeah, somebody might ftp something in the plain, and you shouldn't do it, because "they" might get you, and by the same token, every bag on the train must be checked, because "they" might get you. But, sometimes, you have to quit worrying about "they" and focus on what "you" do.

    So yeah, the guys that are strong-arming security auditors, the business that refuses to invest in security, all of those people are in the right, and the original poster is being like so many security thugs at the airport trying to check my bags already. Buzz off already, dude... we have work to do!

    --
    This is my sig.
  90. How to disclose stuff by Anonymous Coward · · Score: 2, Insightful

    Yes, gather evidence, but DO NOT publish it. Be very careful who you tell. If you do publish it they will hunt for whoever leaked it; if they find you at the end of the trail, you will be fired and likely blackballed in your city.

    Very true.

    So do it anonymously. Here is how.

    • Get a laptop with a wireless card.
    • Load linux or some OS on it.
    • Drive around, find an open wireless access point.
    • Create a fake account on gmail or where ever.
    • Post all the information to a news group or blog
    • Discard the wireless card, you left your MAC address on the wireless router.
    • Log off, close the laptop, delete the OS, reformat and reinstall.

    The most anyone will know is which city it was.

  91. Get it in writing by John+Guilt · · Score: 1

    ...as in _paper_. To the tech polloi out there, you're a wizard who could fake any kind of electronically-stored document forcing you to do these shoddy things (if you are, you might be able to find a better job than this one).

    I don't know how to deal with the refusal to give you a hard-copy remit, and this is behaviour that might cost you your job. Of course, in that case, they'd try to deny you unemployment coverage by saying it was "for cause", and your statement about why it really was becomes part of an official record, and they suddenly have triggered an investigation into themselves.... (That's how it can work in the U.S., at least....)

    Uh...."Be just and fear not,"?

  92. bernard is watching... by conspirator57 · · Score: 1

    bernard is watching...

    --
    "If still these truths be held to be
    Self evident."
    -Edna St. Vincent Millay
  93. Wikileaks by z3401 · · Score: 1

    If you feel that something is really going down, step up to the plate.

  94. Security versus Bonuses by rclandrum · · Score: 1

    This may actually come as a shock, but it IS more important to feed your family than to protect bits in a computer, and I don't care what the information is that those bits represent.

    Having said that, if you are in an environment where your recommendations are not being taken seriously, perhaps it's time to find an employer that holds to the same security ideals that you do.

    Of course you could always have fun blowing the whistle and watching upper-level management try and play dodgeball....

  95. Inform External Auditors or Board of Directors by Anonymous Coward · · Score: 1, Insightful

    I also worked for a Fortune 500 as a Security Analyst with the same general issues. In addition to the usual corporate regulations (SOX), we were subject to numerous federal agencies (such as the SEC, FDIC, etc.).

    I fully understood the importance of not chicken-littling.... and making the distinction between genuine issues and theoretical. As such, I maintained a prioritized list of risks. The number of "Critical" issues -- i.e., things that could either shut down or destroy the company or lead to immediate large monetary losses with a minimum of effort -- went on for dozens of pages. "Urgent" and "Important" issues took up nearly another 100 pages. It was truly frightening.

    Because Security was not an independent organization, of course there was a natural conflict. The Senior VP of Technology simply refused to accept our findings, and demanded the list be "fixed" and dumbed down. Critical items were dropped to mere "Findings". Anything less than critical was simply dropped.

    California, like many states, has mandatory privacy breach laws. On one occasion when we had a clear breach, the law was simply ignored, despite my direct notice to the corporate lawyer.

    After 5 years (well, a lot sooner), and after some "close calls", I realized that the situation was not going to change. Our internal auditors were also useless, and frankly part of the "let's all get along" crowd. So-called "security auditors" were given such strict parameters to work within, they rarely found more than nuisance issues.

    After much consideration, I realized the only real choice short of going directly to customers was to leak directly to the Board of Directors. I sent information directly to their homes (several of them were former elected officials, and their home addresses were easily obtained). I also sent a registered letter to myself containing all the email documenting my attempts to notify management and above.

    I wasn't around for the effects, but after a lot of yelling, I'm told they led to very little real change, most likely because I made it clear reporting would end there. I left the company shortly thereafter for multiple reasons in addition to the nonsense above.

    Sadly enough, I'm at a new company where, when I learned I was to be one of only three people on the IT security team for a 15,000-employee / multi-billion company, I mentioned that I was confident that team would be growing soon.... right. The answer was that no... after all, we were not the military or a bank. I've been here a year now..... resolving to exit the security world.

  96. depends on the company by BlackSnake112 · · Score: 1

    If the company is one of those in the adult entertainment business, screwing the staff to the limit of the law could be a good and possibly fun thing.

  97. If it bothers you ... by Anonymous Coward · · Score: 1, Informative

    If it bothers you (and it does me and I have a similar job title) then here is another alternative (that I don't see anyone suggesting in the comments):

    Get a different TYPE of security job.

    Think about it. Most "general security practitioners" are DEFENSIVE roles. A lot of us even have taken time to get mad at even the existence of third party "penetration testers" as some sort of a professionally equivalent role to the defensive security practitioner. I have in the past. But, being a DEFENSIVE practitioner puts a lot of weight on the shoulders of people who are interested in taking on the job. It's not as glamorous and exciting as it seemed, just a few years ago.

    Think about it. Suppose one of your organization's cover-ups turns into a full blown incident. What happens? The CXOs pick some heads to roll to appease owners/share-holders. Who's going to roll first? The person who is responsible for security. So, yes, while other slashdotters suggested a CYA approach (document, retain documentation external to your org's control, and present documentation to approach management, etc.), perhaps it's time to consider taking a consulting role from the outside?

    As a consultant, a security practitioner can move from shorter engagements to more short engagements. There are no long ties to a single organization. There is no sense of "ownership" of the problem; only "ownership" of presenting the problem with recommended solutions. Even though I'm usually disgusted by them, I envy people with "penetration testing" jobs because they get to poke some holes in stuff that often times you knew already existed (or likely existed, if you didn't know the exact details) and they get to go home, paid well, and sleep comfortably at night. If the holes get exploited, they don't roll. And since pen-testing is a pseudo-science (arguing the positive by proving the negative does NOT exist), even if they didn't find the same hole that lands your org on the front page of the Times, they can just say things like "well, we found other just as disastrous holes-- exploiting any of them could have had the same result" or some other similar bullshit ...

    Lastly, another alternative that you have in front of you, is ... yes ... the academic option. This is the option I'm taking. I'm getting myself (one foot at a time, mind you) out of industry and into academia, where I can focus on solving the problems without worrying about whether or not the execs will spend the money to fix the problem. Yet, at that same time, I don't have to have the guilt of selling the dis-service, pseudo-science called "penetration testing" to some foolhardy organization ready to separate themselves from their money for a few moments of make-believe drama.

    Take your pick. There are other options than being defensive and disappointed. But one thing is right: those who understand security are certain to be VERY pessimistic.

  98. Whistleblowing by dewke · · Score: 1

    "I am a senior security xxx in a Fortune 300 company and I am very frustrated at what I see. I see our customers turn a blind eye to blatant security issues, in the name of the application or business requirements. I see our own senior officers reduce the risk ratings of internal findings, and even strong-arm 3rd party auditors/testers to reduce their risk ratings on the threat of losing our business.

    How ironic. I work for a fortune something company, and we provide network and application security to our clients. I wonder if you work on my team. I work in the same environment and see the same thing. I usually appease my ethical issues by just doing my best to bring the issues to light, but when push comes to shove, I can't force anyone to acknowledge the vulnerabilities. Fortunately, a significant portion of my team's client base is being held to regulatory compliance, and as such has to fix what we find.

    How should people start blowing the whistle on companies like this?"

    Do what you feel you must, but be aware that as a whistleblower your job security will probably be zilch.

    --
    Oderint dum metuant
  99. To the OP by LinuxHeadMN · · Score: 1, Informative

    I'm sorry to hear this is what is going on. Surprising? I think not.

    I have, at times, been put in a similar situation - Management wants to, or believes they can, mitigate the risk if they just don't look at it or just pretend it doesn't exist.

    What it mainly comes down to is that Upper Mgmt wants to protect their bottom line - return on investment to shareholders. If this comes at a cost of skirting some laws, or bending the rules a little to appease them, then so be it. *cough*Enron

    The best advice I could give you is to document, document, DOCUMENT. Document everything. Save it everywhere. Save it on your work hard drive, save it to the server, email it to another trusted individual, print it out and save it in your work filecabinet, etc. If your company wants to erase info, if you have enough copies in the workplace, there will not be any way they will get them all. You get the picture. Because, if something DOES happen (and chances are, it will...we all know it is just a matter of time) then it is documented and you can hopefully save your rear end and not end up in the slammer with Bubba. I would not do anything rash, like post it to wikileaks or something similar, because there is a good chance it could still be tracked down to you, and then you are in a world of hurt.

    If you are an Infragard member, perhaps talk to your SA about it. Your conversations with them are confidential and you might be able to get some more advice about the matter. Also, that is another way for you to CYA. Again, protect your rear end. Yes, I know this can go against the grain of what Slashdotters want to do/say/hear/OMG GOV'T IS BAD/etc, but they are a good resource and can offer you advice. Perhaps there is already an ongoing investigation, and your information would be helpful.

    I wouldn't do anything that would jeopardize your job - they are hard to come by, and we all know that the economic outlook isn't the greatest, no matter what part of the world you live in. Just document, document, document. Make sure your boss is aware of your concerns. If that is ignored, then all you can do is document, document, document.

    I wish you the best of luck - I do not envy being put in that position, as if the breach is severe enough, it really is a no-win situation for everyone involved.

  100. Flip Side by torkus · · Score: 1

    I've got the flip side. An information security department that stifles ... well almost everything and anything in the name of security.

    Worse, they micro-manage and nit-pick instead of looking at the big picture. To wit: the head of information security (VP) himself goes through patching reports on DESKTOP COMPUTERS to bug the desktop team about INDIVIDUAL MACHINES that are missing patches. I'm not talking about an un-patched Windows 95 box...but an XP box that's missing 10 or 15 MS patches. I'm pretty sure they'd do better working on network and server hardening.

    The theme repeats in every project. Everything we do is hampered by often unreasonable security requirements. So what do we do? We pretend, fake things, and ignore them whenever we can. Why do people ignore security? Because they don't take into account the fact that people want to actually run a business and get things done...so their requirements are so extreme that they get ignored.

    14 character passwords you change daily...yep, they're on a sticky. How about an 8-10 character password you only change once a year? I'd actually use something other than welcome01, welcome02, welcome03....

    But hey, you know you've been somewhere a while when you have to loop from welcome99 back to 01.

    --
    You can get rich if you own a politician, but you have to be rich to buy one in the first place.
  101. Know how business and how they evaluate risk by The_jos · · Score: 1

    I fully agree with this comment by Alexander.
    If you are a senior security XXX you should understand that information security is about risk.
    You should be able to talk business, think business and breathe business.
    Management relies on your judgement when you show you know their business and how to minimize risk.

    When I started as security officer I was thinking a lot about threat and how to avoid that.
    However, threat is only part of the total risk picture.
    Let's consider protecting a crown.
    At first we need to determine the value.
    If it's a paper crown, why would we protect it at all? It's worthless.
    If it's a cheap wooden crown it might be worth investing some money in protection, but not very much.
    If it's a gold crown that can be replaced, security should always cost less than the actual value.
    Only if we are talking about a unique crown that is irreplaceable can we talk about extreme measures and protection at all cost.

    Now let's take that crown again.
    The actual threat to the paper crown is low, people can make it themselves.
    The actual threat to the wooden crown is higher, it's convenient to take away and it has some value.
    The actual threat to the gold crown is a lot higher because it's still convenient to take away and it has a higher real value. Just melt it and sell the gold separately.
    The actual threat to the unique crown might be lower than the threat to the gold crown.
    That last one is odd but not strange. There is a very small market to sell the item and a very small group of people able to steal it.
    The reason why protection on the unique crown is extreme is because it can't be replaced, not because of the threat.

    When talking to management you may think you are protecting the crown jewels while they think it's a paper or wooden crown. This is a common gap and needs a lot of understanding about business and how to determine the business value of information and assets.
    If you think their perception is wrong, try to determine how they value the asset and, more importantly: why.
    It might be that their reasoning is wrong, it might be that your point of view is wrong.

    A long time ago I saw a lot of risks in a particular business process.
    When I talked to the manager he agreed from the perspective of my understanding of the process. However, he also explained the total business process, which has a large part that is handled by a third party.
    The total process is almost impossible to abuse and it would involve several authorised people in several companies to do actual damage.

    Knowing and talking business made my life a lot easier.
    I know how management thinks on subjects and how I can report things in a way they understand and can make a fast decision on. They know I don't report anything that has not been discussed with several independent people involved in the process or with knowledge of the information or asset. It's not only my opinion, it's the opinion of the business. If they decide to reject a proposal I always get the reasons why. Most of the time they are understandable from a business perspective, and if not I ask the people involved their opinion on that reason. Based on that I might challenge management again.

    It also made upper management a lot more involved in information security.
    Once in a while we as the security team challenge them on subjects and they respond very well.
    They even want us to organize trainings for them and they do ask for our opinion on subjects.
    Because we approach the problems from a business perspective and help them make the right choice.
    They know we are on the same line, making business better.

  102. Get organizational support outside IT by Lieutenant_Dan · · Score: 1

    I have a similar role. I'm pretty much under the CIO and most days have to toe the party line. It's very difficult to get the flaws addressed on some of the flagship projects because they are near and dear to the CIO. CYA e-mails and TRAs don't do much when you want to clean things up.

    So I'm a few levels below the other VPs and totally outclassed, to be quite honest. What has served me well are the relationships I built with the (not chief) Privacy Officer, the organization's Risk Manager, the HR director, the Chief Financial Officer, and the corporate lawyer. I usually send an innocent-looking e-mail asking them for their opinion and before I know it, it bubbles up to their bosses, getting the attention of my IT bosses very quickly. Then things get done, and sometimes even exactly how I want it done.

    Now, that doesn't make me very well-liked or a "team player", but allows me to sleep at night and keep my own professional integrity.

    I have had meetings with senior executives and explained to them that they would be liable. That didn't go too far: "Well, it's your job to ensure that I'm compliant." That's hard to do when you have little or no authority to enforce policies.

    --
    Wearing pants should always be optional.
  103. I don't get it by electricbern · · Score: 1

    What is a senior security xxx? Is it like the gate-keeper of porn?

    --
    alias possession='chmod 666 satan && ls /dev > il && tail daemon.log'
  104. Forget it by Tom · · Score: 1

    I've been in the same business for close to ten years before I decided to change for something else three years ago.

    Maybe I'm still frustrated, but if you want it short and blunt:
    1. Forget about ethics. You're in a business, and the "ethics" of business is called EBITDA, cash flow and bottom line.
    2. Forget about caring. Identify the risk, estimate the risk, and get someone to sign that he takes responsibility for not fixing it.
    3. Forget about being secure. You can be "more secure", but never "secure".
    4. Forget about technology as the primary tool. Remediation is often preferred by business types and managers. Buy insurance, that's easier to calculate and budget.

    --
    Assorted stuff I do sometimes: Lemuria.org
  105. Free security ethics tutorials. by Larryish · · Score: 2, Funny

    Free tutorials about ethics in IT security are available from http://www.theregister.co.uk/odds/bofh/

  106. It's now common practice to copy company files by Anonymous Coward · · Score: 1, Interesting

    In most Fortune 500 companies, it is now common practice to copy any and all company files that you have access to. People take laptops home and copy stuff to a USB drive at home, or they use a USB thumb drive or MP3 player to walk off with copies of anything that might be useful.

    They leverage these files to get a job in another company and then use the files as templates or models for documents/processes/forms that they have to produce in their new job. Some people even share these kinds of documents with friends at the local bar, in a scratch-my-back-I'll-scratch-yours kind of mutual aid society.

    There is little to no corporate security to protect against this kind of wholesale data copying. If you glue up the USB ports, then people will set up a web server on their laptop so that they can copy onto their home PC. Or they boot one of the CD versions of Linux to copy files off the Windows hard drive.

    Fact is, most corporate info is not proprietary enough or secret enough to warrant high security. It is only the work of a few high-ranking executives and people doing M&A work that needs security. Most companies benefit from this copying as well, because new employees bring with them already-designed processes, documents and forms from their previous company. Instead of rebuilding from scratch, they just edit a new draft.

  107. Make security part of the bottom line by ooglek · · Score: 1

    So you think your company is bad about security. The company just wants to make money. How could exploiting the lack of security surrounding what your company does affect the bottom line? What about lawsuits? Could your code be sold and used by a company, and when a security hole in your software is used and that company's customer data is stolen, is your company liable?

    Figure out how to show your managers how to improve the bottom line, or to prevent losses, and you'll hopefully see a change.

    Maybe even offer to branch a "hardened" version of your service/software, if that's the business you are in, for more money, improving the bottom line.

  108. IM PROOTY SURE JESAS WUS A PEDAFILE U GUYZ by Anonymous Coward · · Score: 0

    see above

  109. Re:Ethics? Where? On Slashdot? by spazdor · · Score: 1

    Couldn't be a Scientologist. Their entire business model is about selling the information they're privy to.

    --
    DRM: Terminator crops for your mind!
  110. What whistle? by thethibs · · Score: 1

    What whistle are you going to blow?

    There are three valid ways to deal with risk: mitigate it, insure it, or accept it (self-insure). If the people with the liability choose to accept a risk rather than mitigate it, that's a business decision that probably doesn't need consultation with the mail clerk to make.

    If you think they are shooting themselves in the foot, get your foot out of the circle of confusion.

    --
    I'm a Programmer. That's one level above Software Engineer and one level below Engineer.
  111. more to life than just cost-benefit analysis... by big_paul76 · · Score: 1

    "All business decisions should be made on the basis of cost-benefit analysis."

    I gotta take exception that this should be the only consideration.

    By this reasoning, the only reason my employer doesn't get out of the line of business we're in and start distributing heroin wholesale is that there's less profit smuggling h.

    Now, maybe network and server support really is more profitable than wholesale narcotics distribution, but I suspect there are other considerations that go into it.

    "My job is to apply The Formula. Take the number of vehicles in the field, A, times the probability of a failure, B, times the average out-of-court settlement, C. A, times B, times C, equals X. If X is less than the cost of a recall, we don't issue a recall."
    That's the same reasoning the unnamed car company Edward Norton works for in Fight Club.

    And the fact that people see nothing unethical in applied amorality is one of the problems in society at large today.

    --
    The plural form of "anecdote" is "anecdotes", not "evidence".
  112. Firing Squad by mulhall · · Score: 1

    Unfortunately we can't have them summarily shot, but the next best thing is to have one or two of the worst offenders in a given area marched out of the building.

    Softly, softly goes only so far, and when there are legal and regulatory requirements turning a blind eye should not be an option.

    Ensure your contracts of employment specifically support your security policy.

  113. Ethics is taught by example.... by Anonymous Coward · · Score: 0

    Gee, ethical problems inside a corporation?

    We have a government which has ignored the documents which it is bound to follow by law, kills people to make money for private individuals, and basically does everything wrong that any tyranny in history has done. This is the example given of how we are to behave.

    In order for companies to take any ethics seriously, there must be severe repercussions for failure, and the people must have some degree of ethical behavior before they are employed.

    Neither alone is sufficient.

    For starters, people reporting problems must be protected from retaliation.

    Those who have ignored problems must be punished/dismissed AND tried in public. They cannot be given good recommendations and sent on their way.

    Sadly, over the past decades corporations have managed to have the law rewritten in their favor, to the point that corporate entities are now superior under law to real people.

    Corporations sponsored the Nazis and made millions of dollars and more importantly, acquired massive assets for doing so.

    GE was fined a few thousand dollars for collaboration and war profiteering, and made millions doing so.

    The major financiers of the late 1800s and early 1900s created the Federal Reserve system and through policy the Great Depression--driving all other banks out of business. They then removed any physical backing from the currency. Today's currency is now worth under 1% of what it would purchase 100 years ago.

    The US Marines will invade Iran next month to acquire oil fields for the oil companies.

    Oil prices are now totally decoupled from supply-demand, and will continue to rise regardless of new reserves or better efficiencies. The same companies will own the nuclear, solar, wind and water power generation facilities. (Note that wind & solar power, once a means of powering off-grid, are now rapidly becoming grid power--and causing environmental problems on scales similar to fossil fueled generators.)

    The Greatest Depression has already begun, although manipulation of the economy will delay official notice of a 'recession' until next January.

    We live in an abundant universe, with more resources available to us than ever before, and we are convinced that we have nothing.

    The US is a country designed to be controlled by the population--not rulers, and yet the population has been convinced that they have no power--and thus are in fact, powerless.

    Those in power have created a mercenary army loyal to those who pay, out of torturers and murderers from around the world. They have legitimized terror tactics in the domestic politics of the US, and created a de facto world government by simply failing to respect any other country's sovereignty.

    We once had a leader who said "We have nothing to fear but fear itself."

    We now have a tyrant who says "Be afraid, be very afraid. I will protect you."

    So long as people require their jobs to pay for their indebtedness, they will follow the unwritten laws of corporate life which conflict with the 'visible' rules.

    And it won't change soon.

    We once had one of the world's highest savings rates, we now have a NEGATIVE savings rate. This leads to effective debt slavery, and slaves do as they are told.

    We have drug testing rules designed to keep low-level workers from changing jobs. But we don't test those who make the really big decisions at all!

    The best government is the least government, the worst is no government.

    Tyranny comes in all forms, and tyranny of the masses is the one to be most feared, as it is the least rational.

    Tell me how removing children from their families helps 'family values?'

    How having an economy which REQUIRES both parents to work strengthens families?

    How killing and being killed in Iraq brings relief to those who were killed on 9/11?

    How we are going to pay for the estimated 200,000 US troops with head trauma brain damage?

    How professional sports cheat

  114. Re:Ethics? Where? On Slashdot? by Anonymous Coward · · Score: 0

    Because of my personal beliefs which stem from an often insulted and bashed faith, constantly mocked here on Slashdot, I do not sell the information I am privy to. Tom? Is that you?