Slashdot Mirror


What Should We Do About Security Ethics?

An anonymous reader writes "I am a senior security xxx in a Fortune 300 company and I am very frustrated at what I see. I see our customers turn a blind eye to blatant security issues, in the name of the application or business requirements. I see our own senior officers reduce the risk ratings of internal findings, and even strong-arm 3rd party auditors/testers to reduce their risk ratings on the threat of losing our business. It's truly sad that the fear of losing our jobs and the necessity of supporting our families comes first before the security of highly confidential information. All so executives can look good and make their bonuses? How should people start blowing the whistle on companies like this?"

12 of 244 comments

  1. Wikileaks by Mondo1287 · · Score: 5, Informative
    1. Re:Wikileaks by Anonymous Coward · · Score: 1, Informative

      A method of ensuring this would be $hash = md5(sha1(md5(sha1($string)))), embedding $hash in the document you leak, with a note that the person that leaked these documents knows $string, and providing $string to the Feds when they come knocking.
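
      The construction in this comment is a hash commitment: publish a digest now, reveal the preimage later to prove you knew it all along. Two things about it are worth seeing in code, as an added example that is not part of the thread: nesting md5 and sha1 adds nothing over a single modern hash (and both are deprecated), and, more importantly, without a random nonce the commitment to any short or predictable $string can be confirmed by anyone who guesses the string, so the "secret" is only as strong as its guessability. The code below implements the comment's nesting with PHP semantics (each call hashes the previous hex output), then a salted SHA-256 commit/open pair; the function and label names are this example's own.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, Optional, Tuple


def nested_md5_sha1(string: str) -> str:
    """The comment's md5(sha1(md5(sha1($string)))), with PHP semantics:
    each outer call hashes the lowercase hex text returned by the inner one."""
    data = string.encode()
    for algo in ("sha1", "md5", "sha1", "md5"):
        data = hashlib.new(algo, data).hexdigest().encode()
    return data.decode()


def _digest(secret: str, nonce: str) -> str:
    # Domain tag plus length prefix so different (nonce, secret) splits of the
    # same byte string cannot produce the same commitment.
    h = hashlib.sha256()
    h.update(b"commit-v1\0")                      # hypothetical domain label
    h.update(len(nonce).to_bytes(4, "big"))
    h.update(nonce.encode())
    h.update(secret.encode())
    return h.hexdigest()


def commit(secret: str) -> Tuple[str, str]:
    """Committer side. Returns (commitment, nonce): embed the commitment,
    keep secret and nonce private until you choose to open it."""
    nonce = secrets.token_hex(16)  # 128 random bits: guessing secret alone is not enough
    return _digest(secret, nonce), nonce


def open_commitment(commitment: str, secret: str, nonce: str) -> bool:
    """Verifier side: recompute from the revealed (secret, nonce) and compare
    in constant time."""
    return hmac.compare_digest(commitment, _digest(secret, nonce))


def unsalted_is_confirmable(commitment: str, candidates: Iterable[str]) -> Optional[str]:
    """Why the nonce matters: an unsalted digest of a guessable string is
    confirmed by anyone holding a list of guesses. Returns the matching guess,
    or None if no candidate reproduces the commitment."""
    for candidate in candidates:
        if hmac.compare_digest(commitment, nested_md5_sha1(candidate)):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed demo values.
    weak = nested_md5_sha1("password")
    print("unsalted commitment recovered from guess list:",
          unsalted_is_confirmable(weak, ["hunter2", "password"]))

    c, n = commit("my phrase, chosen in 2008")
    print("salted commitment opens with correct secret:",
          open_commitment(c, "my phrase, chosen in 2008", n))
    print("salted commitment rejects wrong secret:",
          open_commitment(c, "some other phrase", n))
```

      The salted commitment is binding (the committer cannot later open it to a different secret without a SHA-256 collision) and hiding (without the nonce, guessing the secret gives the verifier nothing to check against), which is exactly what the nested md5/sha1 line lacks.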

  2. How my company handled it. by awyeah · · Score: 5, Informative

    It's more common than you think. Some of it is due to laziness, some due to a lack of knowledge, and some due to time constraints. Fortunately, for the really sensitive information, management at my company finally put into place very strict policies on how we handle the data: How we store it, erase it, encrypt it, and display it. Granted, most of these policies are actually put in place by vendors that require it, but we've taken those standards and extended them across all sensitive information.

    If you're failing SOX/SAS-70/404 audits (or whatever types of audits apply to you)... that's bad, although you've already identified that.

    We formed a data security team - it's just one dedicated person right now, but since he's really only involved with the policy stuff, that's enough for us - however, he does hold frequent and regular meetings with management across all departments. The DS team recently published our "best practices" which every developer now has posted at his/her desk.

    Because management took this very seriously, we became one of the first companies in our industry to have all of the current versions of our software fully compliant with industry security standards.

    If there are no standards set forth for you, I suggest you make your own. It takes time and they must be well thought out, and no compromises can be made (that's a bad pun, sorry). Use your audit results (the actual audit results, not the strong-armed ones) as a baseline for improvement. Dedicate a resource to data security. Whatever you have to do. Since you're a senior level person, you should be able to convince people to allow you to do it.

    If you have security issues and a breach occurs, well... I think you know what could happen.

    --
    Why, no, I haven't meta-moderated lately. Thanks for asking!
    1. Re:How my company handled it. by pclminion · · Score: 2, Informative

      If you're failing SOX/SAS-70/404 audits (or whatever types of audits apply to you)... that's bad, although you've already identified that.

      Now how the FUCK can you fail a SAS-70 audit? You get to set your own damn criteria for passing!

  3. Kay Sara Sara by WwWonka · · Score: 3, Informative

    Just let them be.

    I too worked for a company that catered to the people that made money for it. $40 billion+ in assets at the time. No matter how hard I tried security ALWAYS took a back seat to profit, ease of use, and not rocking the boat. I was the head of network security, there was not even a CSO. The hierarchy wasn't even in place. One day I even saw a live network hack in progress as one of our network engineers was using a VNC server not protected by our corporate firewall! Someone on the outside had found it and started using his desktop! I couldn't believe my eyes! In the end it came down to me just accepting that this company, and a vast majority of corporations, will always and forever be run this way...until, of course, the proverbial $#It hits the fan, at which point I didn't want to be there.

    So I left and never looked back. I suggest that this also be your course of action before the one left holding the bag is you.

  4. Re:Essay: Catch 222-22-2222 by oyenstikker · · Score: 3, Informative

    It isn't bizarre. It is very simple. To any business, an amount of money larger than the profit they will make from you until the person in charge leaves is worth more than your life. If you are an ex-customer, they'd rather see you die than lose $1.

    --
    The masses are the crack whores of religion.
  5. Re:Three Words: by Heembo · · Score: 2, Informative

    ... and think it means he works for Microsoft? MS spent billions to improve AppSec. They take it seriously, because customers screamed so loud. The secret? Fortune *300*. The company you are looking for is here: http://money.cnn.com/magazines/fortune/fortune500/2007/full_list/201_300.html
    --
    Horns are really just a broken halo.
  6. Re:Three Words: by Anonymous Coward · · Score: 2, Informative

    My bet is on SAIC because I have worked with them before. I work in the safety critical industry and believe me it is absolutely terrifying how lax some companies are about security. For them security is checking a bunch of stuff off a bulleted list and calling it done. They don't actually want to hear about real problems that will cost money and time to fix. It's kind of sad too because companies like these employ a metric ton of "security experts" and "software verifiers". Most of them are just paycheck collectors. They are there to produce lots of safety critical paperwork. The paperwork and bureaucracy are the artifacts they are paid to produce. Actually finding bugs isn't going to make anyone happy.

  7. Re:2 words: Whistleblower Laws by rah1420 · · Score: 2, Informative

    Whistleblower laws are a freaking joke.

    I have an acquaintance who was a financial underling at a publicly traded company. The CFO discovered some irregularities with the books and blew the whistle on the shenanigans. Within 6 months he was history, along with anyone else who TPTB determined was in the 'penumbra of blame.' Came damn close to my acquaintance but didn't affect them.

    Look at it this way; are you gonna want to keep around the guy who spoiled the ride for the rest of the clowns? If you are one of the beneficiaries of the monkey business you'll never look at the whistleblower the same way again.

    --
    Mit der Dummheit kämpfen Götter selbst vergebens.
  8. Re:Three Words: by jhol13 · · Score: 3, Informative

    This may depend on the jurisdiction, but in Finland even if higher-ups forbid something (or tell you to do something) it does not give you a "get out of jail" card. You are personally responsible for your actions; if they are illegal - tough.

  9. If it bothers you ... by Anonymous Coward · · Score: 1, Informative

    If it bothers you (and it does me and I have a similar job title) then here is another alternative (that I don't see anyone suggesting in the comments):

    Get a different TYPE of security job.

    Think about it. Most "general security practitioners" are DEFENSIVE roles. A lot of us even have taken time to get mad at even the existence of third party "penetration testers" as some sort of a professionally equivalent role to the defensive security practitioner. I have in the past. But, being a DEFENSIVE practitioner puts a lot of weight on the shoulders of people who are interested in taking on the job. It's not as glamorous and exciting as it seemed, just a few years ago.

    Think about it. Suppose one of your organization's cover-ups turns into a full blown incident. What happens? The CXOs pick some heads to roll to appease owners/share-holders. Who's going to roll first? The person who is responsible for security. So, yes, while other slashdotters suggested a CYA approach (document, retain documentation external to your org's control, and present documentation to approach management, etc.), perhaps it's time to consider taking a consulting role from the outside?

    As a consultant, a security practitioner can move from shorter engagements to more short engagements. There are no long ties to a single organization. There is no sense of "ownership" of the problem; only "ownership" of presenting the problem with recommended solutions. Even though I'm usually disgusted by them, I envy people with "penetration testing" jobs because they get to poke some holes in stuff that often times you knew already existed (or likely existed, if you didn't know the exact details) and they get to go home, paid well, and sleep comfortably at night. If the holes get exploited, they don't roll. And since pen-testing is a pseudo-science (arguing the positive by proving the negative does NOT exist), even if they didn't find the same hole that lands your org on the front page of the Times, they can just say things like "well, we found other just as disastrous holes-- exploiting any of them could have had the same result" or some other similar bullshit ...

    Lastly, another alternative that you have in front of you, is ... yes ... the academic option. This is the option I'm taking. I'm getting myself (one foot at a time, mind you) out of industry and into academia, where I can focus on solving the problems without worrying about whether or not the execs will spend the money to fix the problem. Yet, at that same time, I don't have to have the guilt of selling the dis-service, pseudo-science called "penetration testing" to some foolhardy organization ready to separate themselves from their money for a few moments of make-believe drama.

    Take your pick. There are other options than being defensive and disappointed. But one thing is right: those who understand security are certain to be VERY pessimistic.

  10. To the OP by LinuxHeadMN · · Score: 1, Informative

    I'm sorry to hear this is what is going on. Surprising? I think not.

    I have, at times, been put in a similar situation - Management wants to, or believes they can, mitigate the risk if they just don't look at it or just pretend it doesn't exist.

    What it mainly comes down to is that Upper Mgmt wants to protect their bottom line - return on investment to shareholders. If this comes at a cost of skirting some laws, or bending the rules a little to appease them, then so be it. *cough*Enron

    The best advice I could give you is to document, document, DOCUMENT. Document everything. Save it everywhere. Save it on your work hard drive, save it to the server, email it to another trusted individual, print it out and save it in your work filecabinet, etc. If your company wants to erase info, if you have enough copies in the workplace, there will not be any way they will get them all. You get the picture. Because, if something DOES happen (and chances are, it will...we all know it is just a matter of time) then it is documented and you can hopefully save your rear end and not end up in the slammer with Bubba. I would not do anything rash, like post it to wikileaks or something similar, because there is a good chance it could still be tracked down to you, and then you are in a world of hurt.

    If you are an Infragard member, perhaps talk to your SA about it. Your conversations with them are confidential and you might be able to get some more advice about the matter. Also, that is another way for you to CYA. Again, protect your rear end. Yes, I know this can go against the grain of what Slashdotters want to do/say/hear/OMG GOV'T IS BAD/etc, but they are a good resource and can offer you advice. Perhaps there is already an ongoing investigation, and your information would be helpful.

    I wouldn't do anything that would jeopardize your job - they are hard to come by, and we all know that the economic outlook isn't the greatest, no matter what part of the world you live in. Just document, document, document. Make sure your boss is aware of your concerns. If that is ignored, then all you can do is document, document, document.

    I wish you the best of luck - I do not envy being put in that position, as if the breach is severe enough, it really is a no-win situation for everyone involved.