RE: Scare Me !!

["Waszak, Thomas" <Thomas.Waszak () connect xerox com>]

Ken, 

I feel for you.  Here's what I would do:  (Bear in mind I don't know how far
up the totem pole you are, what your responsibilities are, what kind of
company, or how big or small your company is).  (if it's a large company and
you are low on the totem pole, check out Monster.com, it's unlikely you will
be able to influence anyone while you are still young)

1)      Figure out if this is your problem/responsibility as stated by your
job description.  If it is not and you are being the companies "Crusader for
Security", identify whose problem it is and start with them.  If it is not
your responsibility and not clear whose responsibility it is, take
ownership.  ***Danger Will Robinson Danger*** security is a potential
political hotbed, proceed with caution.  Do not piss anyone off or they
won't hear your message. 


2) Conduct a internal risk assessment and work to convince management that
security is a serious issue (as high up the totem pole as possible).  To do
this, put everything into a context that management can understand and care
about.  Don't say "our servers will get shut down if we don't do something"
or "hackers can do this by exploiting the XYZ vulnerability".  They won't
understand or care.  Instead say "if X happens it will affect our business
operations by Y"  Use terms like "revenue loss" , "lack of confidence",
"inability to beat competition to the market" etc.  Make sure you do the
homework when you make these statements though.  Be as non-technical as
possible and be prepared to answer "So What" questions tailored to your
audience.

3)  Consider bringing in an outside consultant.  ****Danger Will
Robinson**** The issues you are trying to combat are not Network Security
issues as much as they are Information Security issues.  In other words
don't bring in someone who knows about firewalls to help you deal with user
awareness and policy issues.  

4)      Your problems are not going to be solved with FUD documentation and
horror stories unless you get management buy-in to start some kind of info
sec program.  Policy is your number one issue.  From there based upon your
risk assessment prioritize what and how you proceed.

Good Luck, your going to need it.  Remember that there are plenty of other
jobs out there.
                -----Original Message-----
                From:   Ken Hardy [mailto:ken () bridge com]
                Sent:   Thursday, June 10, 1999 1:01 PM
                To:     firewall-wizards () nfr net
                Subject:        Scare Me !!

                I need to induce a healthy respect for Internet dangers into
                some folks around here.  I know the dangers, or enough of
them,
                but it's wearing to try to educate one after another exec,
                network tech, etc.

                In addition to the regular sort of security literature, a
list
                of real-life (or very possible) security incidents that
could
                help foster a healthy respect for the potential dangers
might
                be real useful.  An internet shop of horrors website,
perhaps.
                I'd appreciate anything useful in this regard.

                I'm trying to reach the sort of people who think that a) we
                have a firewall so we're safe; b) a packet filter is a
firewall
                (even if all ports >1024 are open!); c) desktop modems are
                nothing to worry about; d) we *need* to support the
                impossible-to-defend protocols of the latest whiz-bang
internet
                app through the firewall; e) policy?  we don't need no
stinkin'
                policy; f) etc., etc., etc.

                 -- KH