Re: security not a big priority?

[secbasics () dusty ece cmu edu]

sorry if this goes though twice, I was having some mail client issues

On Thu, Feb 15, 2007 at 10:43:46AM -0600, Francois Yang wrote:
> This is a community college, so I've sent an e-mail to my boss
> everytime there was news about a school being hacked and in every
> e-mail I've added comments on how they could have prevented being
> compromised.
> I even wrote a long letter describing why we need such things as IDS
> and what could happen if we don't have one.

But did you present a business case for it? Because IDS are expensive and the probability of being broken into with an 
IDS doesn't go down, you just get 
alerted faster (unless you meant IPS). Therefore if you want your boss to listen you have to be able to build not a 
technical case where you take some things 
as selfevident, but rather a business case where you break down exactly how much money compromises cost in terms of 
man-hours to repair, legal liability 
(consult the legal department if you have one), lost productivity, etc. Then show how much can be saved by at least 
some amount of preventative measures. 
You're not going to be able to get everything you want because not all security measures really provide that much ROI, 
but you will be able to get some more, 
and you will be able to show that you had presented the information they needed to make the appropriate decision.

 I also included a long
> list of schools that were hacked into in 2006.  apparently that
> doesn't seem to be affective.
> I believe a major incident might be the only thing that will wake them up.
> We've had small ones, and even after catching the person and
> explaining how they got in and how to prevent it.  Guess what...those
> systems are still up because they choose to leave them so they don't
> interrupt productivity.  So yea that sucks. a system gets hacked into.
> I catch the cracker, and recommend some fixes and nothing gets done.
> system gets clean and put right back into production.  WTF

As a security person you should be concerned about their uptime too. Availibility is one of the CIA triad you are 
supposed to be protecting. Again, the thing 
to do is to make a business case for why limited downtime saves money in the long run by allowing you to patch and 
drastically decreasing the probability to 
attack.

I'm sorry to say but if you can't make a business case, you will just end up butting your head against a wall. And when 
making the analysis it's important to 
*not* fudge the numbers, because sometimes, yes, uptime is more valuable than a 10% decrease in the probability of 
compromise, and management needs to have 
accurate numbers to work with.

Aaron


> On 2/15/07, Jim Clark <diegoslice () gmail com> wrote:
> > As echoed many times on this list in the past, security is about
> > managing risk. So the question becomes, what are the assets that are at
> > risk if they are not secured and what damage would result if they were
> > compromised?
> >
> > In my opinion, your boss needs to be educated about security. Perhaps
> > doing some research about similar organizations that have had security
> > lapses and what it cost them both in terms of dollars, time, and
> > reputation would be a start. If any of the applications or systems were
> > compromised or shut down, how would this affect the daily operations of
> > the college? Perhaps this information would be enough to help prioritize
> > some of the projects you have in mind.
> >
> > I would send the results of your research and conclusions to your boss
> > via email (and cc others as appropriate) to leave a documentation trail.
> > You don't want to become a scapegoat after a security incident occurs -
> > and it's not a question of if but when. If you can prove that you were
> > the lone voice screaming why security was important and what needed to
> > be done in advance, perhaps you can escape the ugly aftermath of finger
> > pointing relatively unscathed.
> >
> > HTH,
> > Jim
> >
> > Francois Yang wrote:
> > > So I have a problem and like to know what you guys think.
> > > I'm a Security Analyst at an Education institute. A community college
> > > to be more precise.
> > > So I was brought on board to address security issues and work on
> > > making this place a better place.  Now the problem is.
> > > 1. I'm in the network operation team.  no security group.
> > > 2. My boss doesn't seem to know much about security.
> > > 3. My boss doesn't seem to think highly of security since all my
> > > projects seems to be of low priority.
> > > 4. I have a long list of things that needs to be done and they are all
> > > waiting for the engineers to work on it. But again they have better
> > > things to do.
> > > So what am I suppose to do? look for another job? :)
> > > anyone run into this problem before?
> > > I'm at the point where I'm not sure what to do.
> > >
> > >
> > > Thanks.
>
>
> -- 
> If you think technology can solve your security problems, then you
> don't understand the problems and you don't understand the technology.
> Bruce Schneier