
| Subject: | RE: Senior Management Buy-in (was Top Information Security Management Challenges in the Enterprise Today?) |
|---|---|
| Date: | Wed, 26 Oct 2005 16:06:40 -0500 |
I'd like to add to this that in many cases your legal department can be your best friend. Many times having the C-level guys presented with a risk-acceptance form is enough to nudge them into actually shelling out the dollars to do what's needed. Once they realize that they won't be able to point the finger elsewhere, it's amazing how fast the checkbook magically appears ;) The flip side of that is you had best be right about that SuperWidget 2000 that you're asking for, or at least be able to show that the vendor was negligent. Add to that the average life span for a company who has its proprietary data disclosed is 18 months from the date of disclosure, and you have a potent argument for doing "the right thing."

For those of you fighting the patch management battle, I'd like to make a plug for a piece of 'ware we discovered. We've been using it for two years now and it works remarkably well, and (this is likely to make the honchos happy) it's cheap. http://www.kaseya.com/

Thanks,
Ms. Jimi Thompson
Manager of Web Operations
SMU Cox School of Business

If computers get too powerful, we can organize them into a committee -- that will do them in. -- Bradley's Bromide

-----Original Message-----
From: johnnicholson@aol.com [mailto:johnnicholson@aol.com]
Sent: Sunday, October 23, 2005 1:20 PM
To: rharmer@internode.on.net; bradleyb@bradleyb.net
Cc: security-management@securityfocus.com
Subject: Re: Senior Management Buy-in (was Top Information Security Management Challenges in the Enterprise Today?)

I would second Rob's comments about brevity, but the thing that I've seen missing from most attempts to educate senior management about privacy and security issues is any understanding of how those issues create BUSINESS risk. It's all well and good to argue that with infinite money we could make an enterprise completely secure (and I think the law of diminishing returns would still apply). What senior management needs is a true business case regarding security.

One of the posts listed patch management as a continual concern. True, but if you try to talk to a C-level exec about patching, his/her eyes will glaze over and you will rapidly be shuffled out of the office. On the other hand, if you present to the same C-level exec a monetary/reputational/BUSINESS risk, and explain what needs to be invested in order to mitigate that risk, you'll get their attention.

There are specific things you can do to call security to senior executives' attention. There are a number of laws being enacted at the state level regarding security and notification. If your data is cracked or exposed some other way, your company may be subject to some of these laws even if you aren't in one of those states. California's Security Breach Information Act, for example, applies to any company that stores certain personal data about a California resident. Even if you only have data about one CA resident, if that data is disclosed, you have to notify that CA resident. This is the reason the Choicepoint breach became common knowledge. Right now, 22 states have laws that are similar, but that can be inconsistent with each other.

Following the Choicepoint breach, Choicepoint's stock fell 9%. Make a point like that to an executive who gets stock options, and you'll get their attention. Other surveys done by the Ponemon Institute have shown that a sizable percentage of people would switch away from a company that allowed their data to get disclosed. The IMPACT of poor security is what will get executives' attention. Show them the risk, then tell them what you need in order to mitigate that risk.

On another front, the US Federal Trade Commission (FTC) has started going after companies who do not live up to the privacy promises made on their web sites or who simply do things in a shoddy manner. The FTC went after Guess, Inc., because Guess "didn't use reasonable or appropriate measures to prevent consumer information from being accessed at its Web site." See the FTC press release at http://www.ftc.gov/opa/2003/06/guess.htm

According to the FTC, statements on Guess' website included "This site has security measures in place to protect the loss, misuse, and alteration of information under our control" and "All of your personal information, including your credit card information and sign-in password, are stored in an unreadable, encrypted format at all times." In fact, according to the FTC, the personal information was not stored in an unreadable, encrypted format at all times and Guess' security measures failed to protect against SQL and other commonly known attacks. In February 2002, a visitor to the Web site, using an SQL injection attack, was able to read in clear text credit card numbers stored in Guess' databases, according to the FTC. The result of the Guess settlement with the FTC is that Guess has to have its security certified by an external consultant every other year. That can be a lot more expensive than doing it right the first time.

In another case, the FTC went after BJ's Wholesale Club. See the FTC press release at http://www.ftc.gov/opa/2005/06/bjswholesale.htm. After a scam was uncovered that enabled crooks to make at least $13 million in unauthorized purchases using fraudulent credit card data allegedly stolen from BJ's databases, the FTC came after BJ's because BJ's:

- Failed to encrypt consumer information when it was transmitted or stored on computers in BJ's stores;
- Created unnecessary risks to the information by storing it for up to 30 days, in violation of bank security rules, even when it no longer needed the information;
- Stored the information in files that could be accessed using commonly known default user IDs and passwords;
- Failed to use readily available security measures to prevent unauthorized wireless connections to its networks; and
- Failed to use measures sufficient to detect unauthorized access to the networks or to conduct security investigations.

Under the terms of the consent decree, BJ's has to have its security program audited, as well. Although BJ's was not fined, the total cost of defending itself has been estimated at $10 million.

Going back to patch management, a little known case in Maine is something to be aware of. In January 2003, Verizon Maine failed to meet certain performance obligations and was obligated to make service level failure-related payments to certain customers (about $45,000). Verizon claimed it was due to a flood of traffic caused by the Slammer worm. Verizon said that it hadn't managed to patch all of its systems before the Slammer worm hit, and it should be excused from making the payments. Since the warning about the Slammer vulnerability came out on Oct. 16, and Verizon was able to patch all of its machines within two days after the shutdown, the Public Utility Commission did not excuse Verizon's performance. See http://mainegov-images.informe.org/mpuc/orders/2000/2000-849er.pdf

While $45,000 is not a big deal to Verizon, there is an important precedent here. Patch management must be done in a commercially reasonable manner, or your company may be liable for the consequences.

Finally, there's Sarbanes-Oxley compliance. With significant personal financial and criminal penalties for executives, Sar-Box gets their attention. They have to attest to financials. How can financials generated from insecure systems be considered solid? If your company needs to comply with Sar-Box, you need to have the resources to comply with the requirements of the IT Governance Institute's Framework Topics. See http://www.itgi.org.

Business people cannot translate IT discussions into business risk. You need to do that for them. Once they understand the risks, they can do the cost-benefit tradeoffs that ARE their job. But it's the job of IT personnel to give them that information.

Hope this helps,
John