Security Basics mailing list archives

Re: A Rallying Cry to Executives?


From: "Jim Parkhurst" <JPARKHUR () dot state tx us>
Date: Mon, 03 Apr 2006 12:22:27 -0500

Good read. How "moldy" was it?

--- 
Jim Parkhurst
Systems Analyst III
Texas Department of Transportation
Maintenance Division
jparkhur(at)dot/state/tx/us
Voice.: 512.416.3219
Pager : 512.606.9774
FAX... : 512.416.3044

<admin () iflipyouoff com> 03/31/2006 13:33 >>>
Our network engineering staff recently came across some old documents
left molding in a closet.  An interesting note from the, at the time,
CIO outlined a communication to our executive management.  This is what
was said:
-------------------
"With the growing proliferation of viruses, worms and malicious code in
the wild, it is imperative we take proactive measures to ensure
confidentiality, integrity and availability of our data. As it has been
stated before, we cannot assess our true vulnerability until we have
assessed our current state. Current state of our network reveals our
weakest points are most vulnerable to attack. The recent outbreak of
Sasser and Netsky should have taught us all a grave lesson. Something
tells me we have yet to fully "get it.""

"Information Security cannot do it alone. Nor should they be expected.
The greatest type of security breach reported for 2004 was the Denial of
Service attack.  DOS attacks account for almost double the amount of
money lost last year due to a particular genre of attack, targeted DDOS
attacks proliferated through hidden "bots" found in Trojan code.
Denial of Service can be overused as a broad term; however, when access
to any type of data is prohibited by either an exploited system flaw or
introduction of malicious code, it is referred to as a denial of
service."

"This paradigm we operate in today is constantly changing. We should
take a more macro approach when scrutinizing security within our
network. By using a complete and trustworthy assessment of our hardware,
in-house software and software provided by our vendors, we should
readily be able to identify gaps in security, unauthorized access points
and unnecessary redundancy."

"It will take a change in the corporate culture itself to rid ourselves
of unnecessary access such as gateway devices into the network and
directed ATM access provided by large vendors.  To date, we as a company
have enjoyed large successes and have reaped the rewards. Unfortunately
we have practiced little restraint and have been even less frugal."

"In order to remedy the problem, we must attack it head on.  The movie
Kill Bill's leading character did not wait for her victims to appear
before her. Nor did she wait until one or more of them created the
opportunity.  Her problem was attacked head on. There still is a
challenge present and we as a company must be strong enough to accept
it."

"End User training should be at the forefront of every line level
manager in this corporation. This should also include good Information
Security practices, such as secure coding initiatives and robust
password management, as well as daily job function Security Awareness
duties. We can only get better at combating unwanted downtime and lost
revenue due to poor security if we take a top-down approach to teaching
and promoting good data security practices. The recent Sasser outbreak
could have been prevented if users simply deleted offending messages. In
addition, the 0-day exploit is upon us. Communication and remediation
efforts must be proactive or at least as close to the release of
malicious code as possible.  Information Security stewards simply must
continue work on enhancing their methods of communication to all areas
of the company. For this is no longer strictly a technological problem.
It is a survival issue."
--------------------

Maybe these executive types are starting to understand.

-PM, IS Director
 I Flip You Off dot Com
 San Mateo, CA


---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------