RE: Scare Me !!

["Joseph Judge" <joej () ultranet com>]

All -

Good info ... and I'd like to add another point-of-view or mindset
that may help. (sorry for the length of the ramble)

The Fear Uncertainty and Doubt (FUD) is true -- but not all folks in
a corp respond or believe in it.  Business folks live in the area of
"risk as an opportunity" -- and they see their business risk and
try to make balanced choices in that space.  Security folks tend to
view "risk as a threat" and, the better ones, try to balance the
threat vs. business needs.  But, the company execs (CxO, etc) live
in the space between -- seeing both sides, trying to find best fit.
Many of the previously-though "thats an IT sec issue" (for the back
room) now affect the board room. CEOs go to jail, shareholders sue
them -- a lot of the key security issues are (or should be) of concern
to the folks up the totem pole.

But, you _do_ have to speak to them in terms they can understand
-- as mentioned in the previous email.

        - joe


If you've been touching the area of risk management and technical
security issues for a good length of time, then you know there are
some serious issues out there that do _not_ hit the papers:

        (some examples from my company's client list)
- some seriously sick folks out there (e.g. child pornographer *just*
walked out of a large financial services company into the arms of
U.S. Customs)
- companies firing the a department-sized set of folks due to serious
levels of porno surfing ... even after major warnings and attention
bring brought to bear (awareness).
- very large insider fraud at some very well known companies in the
last month or two (senior execs walking out with huge amounts)
- and the standard missing sources of wire transfers, Boston Globe
highlighting the missing lottery money (small compared to the previous
missing lottery money)

... OK ... noticed we've not even mentioned the items that indicate
that terrorism is intersecting with "cracker-like" activities, the
rising activities in (warning: hype-like term coming) Cyber-warfare.

supporting anecdotes:
- 102 of Fortune 500 have Internet "strike-back" capabilities
- the terrorists that hit the Lockerbie flight targetted that exact
flight due to the larger numbers of what appeared to be US govt folks
as discovered from hacking into a Saaber ticketing system

... OK ... many don't believe in the coming flak or understand the
current state of issue. Human nature also affects us -- we don't like
to think of the "set of folks like me" (e.g. employees in my company)
as potential "bad guys" -- so the insider bad guy has the edge. Heck,
company upper management doesn't want to make employees think they
are viewed as bad guys -- its a bad message for moral.  So try to
focus the approach to awareness on building connections, expressing
a corporate culture of "how we all are" that reinforces the security
aware employee - not for the doom and gloom message of "watch out
for the bad guy that may be sitting next to you!"

        -joe



> -----Original Message-----
> From: owner-firewall-wizards () nfr net
> [mailto:owner-firewall-wizards () nfr net]On Behalf Of Waszak, Thomas
> Sent: Friday, June 11, 1999 2:45 PM
> To: Ken Hardy; firewall-wizards () nfr net
> Subject: RE: Scare Me !!
>
>
> Ken,
>
> I feel for you.  Here's what I would do:  (Bear in mind I don't
> know how far
> up the totem pole you are, what your responsibilities are, what kind of
> company, or how big or small your company is).  (if it's a large
> company and
> you are low on the totem pole, check out Monster.com, it's
> unlikely you will
> be able to influence anyone while you are still young)
>
> 1)    Figure out if this is your problem/responsibility as stated by your
> job description.  If it is not and you are being the companies
> "Crusader for
> Security", identify whose problem it is and start with them.  If it is not
> your responsibility and not clear whose responsibility it is, take
> ownership.  ***Danger Will Robinson Danger*** security is a potential
> political hotbed, proceed with caution.  Do not piss anyone off or they
> won't hear your message.
>
>
> 2) Conduct a internal risk assessment and work to convince management that
> security is a serious issue (as high up the totem pole as
> possible).  To do
> this, put everything into a context that management can
> understand and care
> about.  Don't say "our servers will get shut down if we don't do
> something"
> or "hackers can do this by exploiting the XYZ vulnerability".  They won't
> understand or care.  Instead say "if X happens it will affect our business
> operations by Y"  Use terms like "revenue loss" , "lack of confidence",
> "inability to beat competition to the market" etc.  Make sure you do the
> homework when you make these statements though.  Be as non-technical as
> possible and be prepared to answer "So What" questions tailored to your
> audience.
>
> 3)  Consider bringing in an outside consultant.  ****Danger Will
> Robinson**** The issues you are trying to combat are not Network Security
> issues as much as they are Information Security issues.  In other words
> don't bring in someone who knows about firewalls to help you deal
> with user
> awareness and policy issues.
>
> 4)    Your problems are not going to be solved with FUD documentation and
> horror stories unless you get management buy-in to start some kind of info
> sec program.  Policy is your number one issue.  From there based upon your
> risk assessment prioritize what and how you proceed.
>
> Good Luck, your going to need it.  Remember that there are plenty of other
> jobs out there.
>               -----Original Message-----
>               From:   Ken Hardy [mailto:ken () bridge com]
>               Sent:   Thursday, June 10, 1999 1:01 PM
>               To:     firewall-wizards () nfr net
>               Subject:        Scare Me !!
>
>               I need to induce a healthy respect for Internet dangers into
>               some folks around here.  I know the dangers, or enough of
> them,
>               but it's wearing to try to educate one after another exec,
>               network tech, etc.
>
>               In addition to the regular sort of security literature, a
> list
>               of real-life (or very possible) security incidents that
> could
>               help foster a healthy respect for the potential dangers
> might
>               be real useful.  An internet shop of horrors website,
> perhaps.
>               I'd appreciate anything useful in this regard.
>
>               I'm trying to reach the sort of people who think that a) we
>               have a firewall so we're safe; b) a packet filter is a
> firewall
>               (even if all ports >1024 are open!); c) desktop modems are
>               nothing to worry about; d) we *need* to support the
>               impossible-to-defend protocols of the latest whiz-bang
> internet
>               app through the firewall; e) policy?  we don't need no
> stinkin'
>               policy; f) etc., etc., etc.
>
>                -- KH