What Should We Do About Security Ethics?

An anonymous reader writes "I am a senior security xxx in a Fortune 300 company and I am very frustrated at what I see. I see our customers turn a blind eye to blatant security issues, in the name of the application or business requirements. I see our own senior officers reduce the risk ratings of internal findings, and even strong-arm 3rd party auditors/testers to reduce their risk ratings on the threat of losing our business. It's truly sad that the fear of losing our jobs and the necessity of supporting our families comes first before the security of highly confidential information. All so executives can look good and make their bonuses? How should people start blowing the whistle on companies like this?"

Essay: Catch 222-22-2222

[ThinkComp]

I wrote an essay about this very issue a while back.

http://www.aarongreenspan.com/essays/index.html?id=9

The sad fact is that I don't report flaws anymore because I've been threatened too many times.

Not much

[MBCook]

I don't see how there is much you can do. There was an article here a few months ago about a group that started sending out bad XML because too many people were using the DTD they were hosting, to the tune of 10,000s of hits a day that were completely unnecessary.

The company I work (not Fortune 500, smaller) sees some stuff that continues to floor me. Our dealings are mostly transactions of information (containing important things like bank accounts) between our computes and those of other companies. We have had to, quite a few times, flat out turn people down because they refuse to run securely. Not without massive DB encryption. Not hashing everything. Just not using SSL, an easy to implement addition on top of HTTP (which carries our conversations with people).

Every two months or so, we are put in the position of telling people that the SSL certificate on their production system expired last night. This usually entails a discussion as to why we can't just let them slide, or give them a day, etc. We've had people switch off good SSL certificates from very valid authorities to self-signed certificates.

In fact the expiration problem happened enough that someone seriously suggested we consider making a little program to check people's certificates and warn us when they were going to expire so we could warn them. Things got better and it didn't happen. Many people just don't care.

I'm not sure how this happens either. We recently let a certificate lapse on a domain we stopped using and gave up on. For the 6 months before it expired I got emails from the certifying company up to one every 2 weeks or so at the end. Then they called our office to make sure we knew it was about to expire and to find out if we really wanted that to happen. Then today, a few weeks after it expired, I got an email reminding me that it expired and they'd be glad to renew it. I don't know how many companies are this proactive about renewing SSL certs, but I'd have had to have my head buried pretty far in the sand to not have noticed all that.

We've seen plenty of poor security designs. I don't expect other operations to be perfectly secure. But the number of these companies who seem either ignorant or dismissive of SSL continues to surprise me from time to time.

Best advice? If you can at all, shut them down. Very few of the companies we have worked with have been very nice about turning on SSL. Some have said "just add S to the URL" (it was secure, they just didn't give us that URL). Some have said "sorry, we'll get that right up". More than a few have not been that easy. Turning people off is the best power we have. If your contracts are big enough (as a Fortune 300 company, they might be) you could try to put security provisions in them with penalties for shenanigans. But we've found that when discussions aren't working, just disconnecting people usually gets their attention.

Bosses don't fear security breaches

Security won't be taken seriously until the powers-that-be worry that they will be directly impacted. A giant security breach that compromises tens of thousands of other people doesn't worry them. Once someone brings a successful (maybe class action) lawsuit and wins a lot of money, the powers-that-be will start paying attention.

It is strange. We can't let a piece of equipment that isn't UL approved within a mile of our building. We have a guy whose whole job is to audit all the equipment and make sure it conforms. Security, on the other hand, isn't audited. The bosses sure don't fear us the way they fear the outside people who do all the other audits.

Clearly it would be a good thing if someone were setting standards for security the way UL does for electrical equipment. It would be good to have outside auditors. Only then will the in-house security people get any respect.

Re:Wikileaks

I work for a very large US government department. Our agency oversees all of the child agencies. If we leak information about how we fast-talk the 20-some year old college graduate security auditors that know jack about computers, we would surely lose our contract. Our contract pays big, on the order of a few million per year. We have a total staff a little over 20, do the math. If the federal it director says to do it one way, we do it that one way to ensure nice paychecks to our employees.

Now, I am one of these employees and I'm not going to watch my job burn because the government is hiding blatent security problems. The next person that comes in will comply the same way and I'm left searching for a new job. No. What I do is purposely delay audit results. Miss a deadline here and there. Specifically mention other areas of concern while satisfying the customer by fast talking through another area. Results? It turned your governments security finding report from a B to a D. This past year sucked, work wise, but we're far more secure now than we were a year ago.

Just to scare you some more, we were sending backup tapes offsite without using encryption. We also didn't encrypt our laptops until the day before the government stipulated deadline. The best one? One of our budget management systems runs a public X server as root. Guess what else? We hold tons of medical, legal, and personal information for a very large number of you americans. Yea.

You're damn right we need to change how we address security concerns. I have no ideas on how to change this, so I will continue to be very cautious in my personal life. I will also continue to take contracts like this to ensure I can feed my family for the next couple of decades.

Re:There are very few ethical companies.

Don't even get me started. I work at a company which makes document imaging software and our customers send us all kinds of crap that honestly, scares the shit out of me. Not to mention information specifically protected by law. Most of the time, I get the sense that the sender didn't even remotely think about it. All they know is "this is not viewing/printing how it should" and so off they send it, as an attachment on unencrypted email.

So now I am put in the position of -- do I actually work on the client's problem? Or do I immediately destroy the information and tell them they are a dumbass? You know what the reality is? The highly sensitive document gets printed out, sometimes hundreds of times (as I tweak things during the debugging process), and I try to shred everything but when there's hundreds of copies, I'm sure I've missed one. If I was unscrupulous I could have made several million dollars off the information I see on a daily basis and I'm not exaggerating. Millions. Honestly it pisses me off.

Re:There are very few ethical companies.

I remember in my days consulting, I got sent a DB to look at. This DB held all the personal information for everyone who was worth over $X. The DB contained SSN's, spouse's name, spouse's SSN, etc. As soon as I saw this DB, I asked where the NDA for it was. When I was told there was no NDA sent over, I felt sorry for everyone who's information was in there.

Here's an interesting thought:

As an IT auditor doing internal control audits, this thought occurs to me:

When my company audits you and attests to the controls being in place and operating effectively, they essentially take legal responsibility for your internal controls. If we get strong-armed or bought off and decided to cover it up (which has never happened in my experience), we are on the legal hook for the results. We can be sued. The CPA that signs off on the audit can lose his license and get in all kinds of other trouble.

If one wanted to keep one's job, but wanted to whistleblow on this situation, one might be prudent to blow the whistle on the auditors (to the AICPA) for materially misstating the operating effectiveness of your company's controls. The auditors take the fall, and your company gets a pass by saying "Hey, we didn't know, they signed off on it!", and subsequently tightening up controls to ensure that no eyebrows are raised in the future.

Food for thought.