[ISN] [infowarrior] - An Open Letter to CEOs Regarding Information Security

From: InfoSec News (isnat_private)
Date: Fri Aug 23 2002 - 00:31:16 PDT


    ---------- Forwarded message ----------
    Date: Thu, 22 Aug 2002 20:36:13 -0400
    From: Richard Forno <rfornoat_private>
    To: rfornoat_private
    Subject: [infowarrior] - An Open Letter to CEOs Regarding Information Security
    
    An Open Letter to CEOs Regarding Information Security
    By understanding the needs of security admins, corporate executives
    can ensure the ongoing security of their crucial information systems.
    By Richard Forno, Aug 22, 2002
    http://online.securityfocus.com/columnists/104
    (c) 2002 Securityfocus
    
    Dear Esteemed Corporate Leaders;
    
    By the time you read this, our summer vacations will be winding down,
    the long days of summer will be rapidly receding into memory, and, for
    those of us slaving away in the corporate trenches, work will begin to
    pick up again.
    
    Given that summer may be a time for forgetting the drudgery of work
    (particularly for vacationally endowed executives), on behalf of
    security managers everywhere, I humbly offer this epistle as a short
    refresher course for our corporate leaders, as we head back to the
    business of doing business. I hope that this brief letter will help
    jog their memories as to what our duties truly are, and make it more
    bearable for them when their respective security managers begin to
    pester them with dire warnings of impending network doom and requests
    for ever-more increases in security budgets. May it also help our
    beleaguered security managers get some real support as the fall
    begins.
    
    Security Managers are Not Paranoid - They Just Seem That Way
    
    You may think that we believe threats lurk behind every router, hub,
    and user, and sometimes to us it seems that way. However, we realize
    that repeated, unsubstantiated gloom-and-doom warnings about
    cyber-terrorism, viruses, and hackers will only make you ignore us,
    much like we ignore those ubiquitous NIPC warnings. Therefore, we
    pledge to only report tangible, confirmed items that present a
    pressing danger to the continued operation of the company. In return,
    we ask that you acknowledge our advice, heed our warnings, and support
    us in the best interests of the company.
    
    Furthermore, while you may not want us to be involved in the policy
    approval process, we ask to be included as trusted advisors when such
    items are discussed and that you allow us to make informed comments as
    necessary. After all, you hired us because our credentials were sound,
    our knowledge deep, and our abilities strong. And we're still employed
    because you trust us to do the right thing. That includes giving you
    objective, informed advice on security matters when appropriate. It's
    up to you to take our counsel as the experts in this field and make
    the right decision for the company's best interests.
    
    Security is More than Technology Components
    
    Our three guiding principles are to serve the business by ensuring the
    confidentiality, integrity, and availability of the systems under our
    responsibility. As good security practitioners, it's our duty to think
    like the bad guys, and figure out how they might cause damage to our
    corporate information environment. Sure, we know that our firewalls
    are good and are updated regularly, but simply spending money on
    technological solutions will not ensure the security of the
    enterprise. If we do not have redundancy built into our networks, if
    we continue to use software that's full of recurring security holes,
    if we continue to treat security as a secondary issue, our
    organizations' data will continue to be at risk.
    
    Security professionals know that the people are inevitably the weakest
    link in the security chain. We can minimize the negative effects of
    human error if we have your support in designing well-designed
    policies and procedures. We must be able to count on your support when
    it's necessary for us to implement and enforce them. Organizations
    place a premium on employee education and knowledge for their success;
    this should extend to security as well.
    
    Our calls for better security education amongst employees aren't to
    fuel our ego or increase our power in the company, they are merely to
    ensure that security is considered and implemented throughout our
    corporate environment. Just as you would ask all stakeholders to take
    responsibility for the success of the enterprise, we would ask that
    all employees take responsibility for the security of the
    organization's crucial data. It doesn't cost much to raise awareness,
    and in the long run, it's a great return on investment.
    
    We think - we hope - you would prefer to have problems prevented
    through effective education and planning before the fact than through
    costly damage control and repair after the fact, when it will likely
    disrupt operations, cost more money, be harder to address, and
    endanger our revenue stream, not to mention embarrass us in the eyes
    of our shareholders and the media.
    
    The More We Sweat In Training, The Less We Bleed in Combat
    
    If you happen to wander the corridors around our work areas and see us
    surfing the Net, rest assured, we aren't goofing off. If you hear our
    hoots of glee from the test lab when playing around with new software
    or hardware, trust us, we're not playing frivolous games. Believe it
    or not, we're doing research.
    
    Computer security is a rapidly changing field. New vulnerabilities are
    announced every day. New exploits to take advantage of those bugs
    inevitably follow soon after. To be truly effective security
    guardians, we need to know not only what we're up against but how to
    defend against it. That means we have to be on the prowl for new
    attack tools and hacker news, so that we can be better prepared to
    respond if and when such attacks occur.
    
    We take it upon ourselves to learn the tools and techniques of the bad
    guys, and apply them against our own systems first to see where they
    might be effective at causing damage to our company. Knowing that, we
    can then prepare and protect ourselves accordingly. This may sound a
    little kooky or far-fetched, and it is certainly unconventional in the
    button-down corporate environment, but you'll thank us when the next
    major virus, bug, or exploit passes us by unscathed.
    
    We Must Become A Distinct, Trusted Entity
    
    We're not the secret police. Our primary customer is the company and
    its employees. We can't be effective without their participation and
    support, and that includes working well with product teams and
    business unit leaders. As such, we pledge to be objective, trusted
    third parties for the company - just like the legal and HR departments
    - and will work to earn and keep their trust by being available, easy
    to work with, professional, and helpful. While we may report to the
    CIO, unless we're free to work with other business units and
    departments without multiple layers of bureaucratic stovepipes, we'll
    never be perceived as anything but a bunch of glorified geeks trying
    their best to make it difficult to accomplish anything in the
    company... which is not the case. We're here to help, and work with
    people to move the company ahead, not slow it down. We're business
    assurance specialists, not obstacles to profitability.
    
    By the same token, we need the support of your fellow corporate
    muckety-mucks to ensure that we receive the support and respect that
    we need to do our jobs as effectively as possible. This may mean
    giving us the authority to enforce security policies. It may mean
    allowing us to participate in the education of the end users. It may
    mean giving security personnel a higher profile in the company.
    However it is done, by integrating us into the company and giving us
    the respect and status our work deserves, you will make it easier for
    us to do our jobs. And that can only benefit everyone.
    
    In Closing...
    
    Autumn always seems to be a time of renewal in the workplace. I hope
    that these few points will explain how I plan to build and administer
    my security team this coming year. It may sound strange, but I do want
    to work with you and make our company's information environment much
    more secure, so we can continue to be profitable, even in today's
    goofy market.
    
    Thanks for listening. See you by the water cooler.
    
    # # # #
    
    Richard Forno is the coauthor of Incident Response (O'Reilly) and The
    Art of Information Warfare (Universal). He helped to establish the
    first incident response team for the U.S. House of Representatives,
    and is the former Chief Security Officer at Network Solutions. Richard
    is currently writing and consulting in the Washington, DC area.
    
    
    
    -- You are a subscribed member of the infowarrior list. Visit
    www.infowarrior.org/lists for list information or to unsubscribe. 
    This message may be redistributed freely in its entirety.
    
    
    
    



    This archive was generated by hypermail 2b30 : Fri Aug 23 2002 - 03:03:01 PDT