What Should We Do About Security Ethics?

An anonymous reader writes "I am a senior security xxx in a Fortune 300 company and I am very frustrated at what I see. I see our customers turn a blind eye to blatant security issues, in the name of the application or business requirements. I see our own senior officers reduce the risk ratings of internal findings, and even strong-arm 3rd party auditors/testers to reduce their risk ratings on the threat of losing our business. It's truly sad that the fear of losing our jobs and the necessity of supporting our families comes first before the security of highly confidential information. All so executives can look good and make their bonuses? How should people start blowing the whistle on companies like this?"

Three Words:

[canUbeleiveIT]

Cover your ass.

Re:Three Words:

[NeverVotedBush]

Actually this is probably better advice than most realize. I don't know if it was tongue in cheek or not, but it is damned good advice.

Where I work, security is a really big issue and I have to deal with people all the time that don't realize that security is something they should consider with every decision they make during the day. Needless to say, many don't feel the same way. They are about to get raked over the coals by management.

Unfortunately for some, they are in the crosshairs for their lax stance on security. I don't know what management is going to do with them, but management knows who they are and they stand a good chance of at least repremands and loss of pay increases, and at the worst for them, pink slips.

Anyone in IT who thinks data security isn't their job is fooling themselves and setting themselves up for a new career. If you read the SANS Newsbites, you see breach after breach and people getting sacked or worse.

People need to tighten up their systems, audit their systems, run configuration management, and even penetration test their systems. If you can show you are at least trying to cover your ass, you stand a better chance of being seen as proactive and trying to protect the company even if it does get breached.

But if something happens and it comes time to pick up the pieces, and all you can say is well, we shoulda done that but we didn't, you might want to have a plan B in terms of a career because you will probably need it.

Wikileaks

[Mondo1287]

http://www.wikileaks.org/wiki/Wikileaks

Re:Wikileaks

I work for a very large US government department. Our agency oversees all of the child agencies. If we leak information about how we fast-talk the 20-some year old college graduate security auditors that know jack about computers, we would surely lose our contract. Our contract pays big, on the order of a few million per year. We have a total staff a little over 20, do the math. If the federal it director says to do it one way, we do it that one way to ensure nice paychecks to our employees.

Now, I am one of these employees and I'm not going to watch my job burn because the government is hiding blatent security problems. The next person that comes in will comply the same way and I'm left searching for a new job. No. What I do is purposely delay audit results. Miss a deadline here and there. Specifically mention other areas of concern while satisfying the customer by fast talking through another area. Results? It turned your governments security finding report from a B to a D. This past year sucked, work wise, but we're far more secure now than we were a year ago.

Just to scare you some more, we were sending backup tapes offsite without using encryption. We also didn't encrypt our laptops until the day before the government stipulated deadline. The best one? One of our budget management systems runs a public X server as root. Guess what else? We hold tons of medical, legal, and personal information for a very large number of you americans. Yea.

You're damn right we need to change how we address security concerns. I have no ideas on how to change this, so I will continue to be very cautious in my personal life. I will also continue to take contracts like this to ensure I can feed my family for the next couple of decades.

How my company handled it.

[awyeah]

It's more common than you think. Some of it is due to laziness, some due to a lack of knowledge, and some due to time constraints. Fortunately, for the really sensitive information, management at my company finally put into place very strict policies on how we handle the data: How we store it, erase it, encrypt it, and display it. Granted, most of these policies are actually put in place by vendors that require it, but we've taken those standards and extended them across all sensitive information.

If you're failing SOX/SAS-70/404 audits (or whatever types of audits apply to you)... that's bad, although you've already identified that.

We formed a data security team - it's just one dedicated person right now, but since he's really only involved with the policy stuff, that's enough for us - however, he does hold frequent and regular meetings with management across all departments. The DS team recently published our "best practices" which every developer now has posted at his/her desk.

Because management took this very seriously, we became one of the first companies in our industry to have all of the current versions of our software fully compliant with industry security standards.

If there are no standards set forth for you, I suggest you make your own. It takes time and they must be well thought out, and no comprimises can be made (that's a bad pun, sorry). Use your audit results (the actual audit results, not the strong-armed ones) as a baseline for improvement. Dedicate a resource to data security. Whatever you have to do. Since you're a senior level person, you should be able to convince people to allow you to do it.

If you have security issues and a breach occurs, well... I think you know what could happen.

There are very few ethical companies.

[EmbeddedJanitor]

Most are only limited by what the law allows. Although a company might speak of ethics, don't expect them to actually practice it.

And why bother about security ethics when there are much more important ethical considerations like how they treat staff? Again, most companies screw most of their staff to the limit of the law.

In short: If you're looking for ethics you got off on the wrong planet.

Re:There are very few ethical companies.

Don't even get me started. I work at a company which makes document imaging software and our customers send us all kinds of crap that honestly, scares the shit out of me. Not to mention information specifically protected by law. Most of the time, I get the sense that the sender didn't even remotely think about it. All they know is "this is not viewing/printing how it should" and so off they send it, as an attachment on unencrypted email.

So now I am put in the position of -- do I actually work on the client's problem? Or do I immediately destroy the information and tell them they are a dumbass? You know what the reality is? The highly sensitive document gets printed out, sometimes hundreds of times (as I tweak things during the debugging process), and I try to shred everything but when there's hundreds of copies, I'm sure I've missed one. If I was unscrupulous I could have made several million dollars off the information I see on a daily basis and I'm not exaggerating. Millions. Honestly it pisses me off.

Re:There are very few ethical companies.

I remember in my days consulting, I got sent a DB to look at. This DB held all the personal information for everyone who was worth over $X. The DB contained SSN's, spouse's name, spouse's SSN, etc. As soon as I saw this DB, I asked where the NDA for it was. When I was told there was no NDA sent over, I felt sorry for everyone who's information was in there.

Fraudulent Security Audit practices

I have had to make a similar choice twice now and both times, I had to leave the company to feel good about the situation. In one case, I also insisted that my name be removed from all company communications and government vendor documents. I do not regret my decision, although it has cost me.

You say you are an uber security drone with a Fortune 300 company and that you *know* of fraudulent business practices to help the company earn better ratings on its security policies. I'm guessing that some of these impact SOX/404, SAS-70, and probably ALL would be of concern to the company's shareholders and business trading partners. Like it or not, you are now either complicit or you are obligated to inform oversight authorities. Your first duty
should be to your own profession's standard of behavior, your second to the company shareholders, your third to the public's interest, and last to your management chain.

You seem to be entertaining the idea of moving management's priorities to the head of the list and that would be to make yourself complicit. The fact that it would be difficult to prosecute you does not make that considered behavior any less criminal. You will have to live with that knowledge for a long time. I have friends who worked at Enron who to this day have valid concerns about the resume stain they have earned from their time there. Are you willing to bear that also?

How you go about protecting yourself from reprisals is up to you and the reporting authority, but surely anonymous 'tip' reporting is possible. Given senior management is the problem, that is a strong candidate for your response. I would also recommend you document your allegations as best you may and make them to the SEC and your local branch of the FBI. Either agency might request you remain with the company while they investigate your allegations. Otherwise, it may be time to vote with your feet and find employment elsewhere.

You more than anyone should know what will be the eventual outcome of improperly securing vital systems. Do you want it to happen on your watch or to have to answer difficult questions later
about why you did not strongly resist or report events which will lead to that security breach? Do you want the stigma to attach itself to your resume? Do you want to sleep on the knowledge that you passively participated in criminal conspiracy by voluntarily remaining silent?

You cannot fault the ethics of your superiors if you fail to execute upon your own. What are you made of? Decide,and then live with the decision. It only appears to be a difficult decision if you have an off-switch upon your professional ethics.

Here's an interesting thought:

As an IT auditor doing internal control audits, this thought occurs to me:

When my company audits you and attests to the controls being in place and operating effectively, they essentially take legal responsibility for your internal controls. If we get strong-armed or bought off and decided to cover it up (which has never happened in my experience), we are on the legal hook for the results. We can be sued. The CPA that signs off on the audit can lose his license and get in all kinds of other trouble.

If one wanted to keep one's job, but wanted to whistleblow on this situation, one might be prudent to blow the whistle on the auditors (to the AICPA) for materially misstating the operating effectiveness of your company's controls. The auditors take the fall, and your company gets a pass by saying "Hey, we didn't know, they signed off on it!", and subsequently tightening up controls to ensure that no eyebrows are raised in the future.

Food for thought.