What Should We Do About Security Ethics?
An anonymous reader writes "I am a senior security xxx in a Fortune 300 company and I am very frustrated at what I see. I see our customers turn a blind eye to blatant security issues, in the name of the application or business requirements. I see our own senior officers reduce the risk ratings of internal findings, and even strong-arm 3rd party auditors/testers to reduce their risk ratings on the threat of losing our business. It's truly sad that the fear of losing our jobs and the necessity of supporting our families comes first before the security of highly confidential information. All so executives can look good and make their bonuses? How should people start blowing the whistle on companies like this?"
Three Words: (Score:5, Insightful)
Gee, I dunno (Score:4, Insightful)
Of course, you'll lose your job over it. So decide now. Do you want to sleep at night? Or do you want to feed your family?
Ethics in Business (Score:3, Insightful)
Unfair labor practices, shady reporting practices, Enron, the entire legal profession, the entire political category (is it truly a profession).
The point is, why single out one area of unethical behavior? Does it surprise you that the executives in our (Techie's Rule) should be any different?
Most executives make their way to the top by lying, cheating and stealing better than the next guy.
What can you expect?
Think about where the problem really lies (Score:4, Insightful)
All business decisions should be made on the basis of cost-benefit analysis. Most staff positions including security usually do a poor job of assessing either side and instead focus on potential risks without quantifying them. Just because security would be better by doing X does not mean X is a good idea. If X is really expensive and your competitors do not do it, your firm is now at a cost disadvantage which, depending on the industry, can be catastrophic.
I really have no way of knowing whether the actions you are talking about are really negative expected value actions or not, in the sense that over a long period the risks involved will be realized and the damage will be far greater than the cost of taking preventative action. However, changing ratings is troublesome. A much better process is a well defined override or exception procedure. The business should understand what they are doing. A rigid system that says we cannot do anything rated 'Y' even if there is 100M at stake will only result in the rating being changed.
Re:Wikileaks (Score:5, Insightful)
Re:Ethics in Business (Score:3, Insightful)
How to blow the whistle (Score:5, Insightful)
Step two: Find another job. If you take a cut, see step one.
Step three: Pull no punches when you resign. Leave a resignation letter stating that you cannot in good conscience continue to sweep serious liabilities under the rug, and that under the circumstances you have no choice but to leave. Copy the BOD. If you want to really play hardball, copy the company's liability underwriters.
Make no mistake, this is a major bridge-burning exercise. It may turn out to be the best thing that ever happened to your career, but don't count on it. See step one.
Re:Ethics? Where? On Slashdot? (Score:1, Insightful)
Re:Three Words: (Score:5, Insightful)
Where I work, security is a really big issue and I have to deal with people all the time that don't realize that security is something they should consider with every decision they make during the day. Needless to say, many don't feel the same way. They are about to get raked over the coals by management.
Unfortunately for some, they are in the crosshairs for their lax stance on security. I don't know what management is going to do with them, but management knows who they are and they stand a good chance of at least reprimands and loss of pay increases, and at the worst for them, pink slips.
Anyone in IT who thinks data security isn't their job is fooling themselves and setting themselves up for a new career. If you read the SANS Newsbites, you see breach after breach and people getting sacked or worse.
People need to tighten up their systems, audit their systems, run configuration management, and even penetration test their systems. If you can show you are at least trying to cover your ass, you stand a better chance of being seen as proactive and trying to protect the company even if it does get breached.
But if something happens and it comes time to pick up the pieces, and all you can say is well, we shoulda done that but we didn't, you might want to have a plan B in terms of a career because you will probably need it.
Part of the precipitate (Score:5, Insightful)
No, not really. After all, there are children dying of AIDS in Africa, of hunger all over the world. Old people are being neglected, education is a mess, etc. Apparently your strategy is to give up on doing anything because we can't do everything. The advantage of this approach is to make the problem so far beyond our powers to solve that we can justify not even trying.
In response, I call your attention to the words of a sage from when things were a hell of a lot worse: "It is not for you to finish the task - nor are you free to desist from it."
It may be trite, but doing something to improve one corner of the world beats whining on /. about how bad it all is.
Check out the culture. If doomed, leap. (Score:5, Insightful)
Don't be a whistleblower, be an activist for change. See if you have a risk compliance manager and talk to them, ask for their advice. At worst, you'll get your name known in the higher echelons, at best you'll get your own way. Most people will shy away from a confrontation, but love giving advice in a tricky situation.
Your mileage may vary, and I may be full of compost. Think and do.
Re:Think about where the problem really lies (Score:3, Insightful)
Is it national security?
Is somebody going to die or come to serious harm?
Or is it more mundane? Maybe some future business ideas will leak out and diminish their value. There's a whole spectrum of possibilities and the mundane ones ought to be decided on cost.
After all, the most secure computer is one that's kept in a locked, guarded room with no network connections whatsoever. It's just not a very productive setup.
Re:Three Words: (Score:5, Insightful)
When I am running a tech project at work, I simply schedule resources in the project plan for security assessment and risk abatement. If these are cut from the resource budget of the project, it is documented on whose authority such was removed from the project.
Basically stated: COVER your ass, and those below you. When those internal emails get leaked onto the internets or wikileaks it will be you shown as having 'concerns' about the security practices, and others who are guilty of the massive security problems being allowed to propagate. That makes finding the next job much easier.
Additionally, all managers can find a few hours here and there within their department resources to do some security auditing and testing. Showing these results on your status reports documents proactive use of company resources. Additionally, if you can show that customer xyz just survived an attack because of something you did, you may end up being given more slack to accomplish your true and altruistic goals (that is a sad state of affairs) of providing secure products and services. Each time the company suffers a loss through security problems and documents the cost of recovery, you can show next time what security auditing would have saved them if they had taken action earlier, such as the nice plan you hand them to peruse which would stop future such attacks.
There are very few ethical companies. (Score:5, Insightful)
And why bother about security ethics when there are much more important ethical considerations like how they treat staff? Again, most companies screw most of their staff to the limit of the law.
In short: If you're looking for ethics you got off on the wrong planet.
Fraudulent Security Audit practices (Score:5, Insightful)
You say you are an uber security drone with a Fortune 300 company and that you *know* of fraudulent business practices to help the company earn better ratings on its security policies. I'm guessing that some of these impact SOX/404, SAS-70, and probably ALL would be of concern to the company's shareholders and business trading partners. Like it or not, you are now either complicit or you are obligated to inform oversight authorities. Your first duty should be to your own profession's standard of behavior, your second to the company shareholders, your third to the public's interest, and last to your management chain.
You seem to be entertaining the idea of moving management's priorities to the head of the list and that would be to make yourself complicit. The fact that it would be difficult to prosecute you does not make that considered behavior any less criminal. You will have to live with that knowledge for a long time. I have friends who worked at Enron who to this day have valid concerns about the resume stain they have earned from their time there. Are you willing to bear that also?
How you go about protecting yourself from reprisals is up to you and the reporting authority, but surely anonymous 'tip' reporting is possible. Given senior management is the problem, that is a strong candidate for your response. I would also recommend you document your allegations as best you may and make them to the SEC and your local branch of the FBI. Either agency might request you remain with the company while they investigate your allegations. Otherwise, it may be time to vote with your feet and find employment elsewhere.
You more than anyone should know what will be the eventual outcome of improperly securing vital systems. Do you want it to happen on your watch or to have to answer difficult questions later about why you did not strongly resist or report events which will lead to that security breach? Do you want the stigma to attach itself to your resume? Do you want to sleep on the knowledge that you passively participated in criminal conspiracy by voluntarily remaining silent?
You cannot fault the ethics of your superiors if you fail to execute upon your own. What are you made of? Decide, and then live with the decision. It only appears to be a difficult decision if you have an off-switch upon your professional ethics.
Re:Three Words: (Score:3, Insightful)
Why add another hurdle to finding a job?
And that kind of attitude is what I see in some of my coworkers. Smartass people who think they know it all and just don't care about consequences. And coincidentally, those are the same ones in management's crosshairs. Pretty much without exception.
And also... always remember that... (Score:4, Insightful)
perspective (Score:5, Insightful)
Many computer guys tend to be alarmist and see the world in black and white. Many security firms rate problems only based on potential damage without consideration for existing mitigations elsewhere in the system or the reality of targeting from attackers. Consider your company's situation carefully.
If, after much deliberation, you are certain legitimate problems exist that must be fixed (versus managed) then talk to the managers in their language: build a business case. You work for a company, the company's job is to make money. Security costs money. You must clearly articulate how the security improvements will make money or stop the company from losing money. It's all engineering, in the end. It's just engineering with words and numbers.
Cheers.
- jj
Re:How my company handled it. (Score:3, Insightful)
I think one of the problems is the idea that has become prevalent that "business drives IT." This is taken by many to mean that business decides what IT does, and that IT's rules have to bend to the desires of business whenever they clash. Personally, I think this is asinine, especially because it leads to a completely unnecessary adversarial relationship. I was told once that if IT was going to start telling business what it could and could not do, they'd go back to filing cabinets and typewriters. Not at all realistic, but it shows the frustration levels that are present.
While it's true that without business, there would be no IT, the reverse is also true -- no IT, no business. It has to be a partnership. There are people on our side of the fence that are just as bad, and sometimes worse. Between business managers feeling superior because they fund IT and IT people feeling superior because they support the business applications, the battle of egos can only end up hurting the overall enterprise.
The uses of publicity (Score:4, Insightful)
Public embarrassment can be useful. We publish a list of major domains being exploited by active phishing scams [sitetruth.com]. These are major domains where an attacker has found a security hole allowing them to exploit the site for phishing purposes. There are 65 sites on the list. There used to be about 140, but by nagging and publicity, we've been able to get most big-name sites to tighten up. Now and then some big site makes the list, but it often disappears within hours as the hole is plugged.
So it actually is possible to get big companies to tighten up security, if you do it right.
Re:Think about where the problem really lies (Score:4, Insightful)
But before cost-benefit analysis even begins, problems to be solved are classified by their risk. There is a class of problems that absolutely must be solved regardless of the cost. If you're writing a filesystem, anything that has the remotest chance of data loss is unacceptable, regardless of how slow it is. If one of these crucial elements costs too much for the system to handle, take out something else.
A large number of businesses don't seem to see anything as unacceptable risk. Medical companies, car manufacturers, baby toy manufacturers, etc. consider anything that could possibly cause loss of human life an unacceptable risk. Banks and retailers should treat anything with the remotest possibility of leakage of customer data as a must-fix problem, and this means IT security should get done, regardless of cost.
Re:The uses of publicity (Score:1, Insightful)
Re:Gee, I dunno (Score:5, Insightful)
Check around, maybe your company already has a CISSP on staff you could talk to. If not, as a large company you likely have an Info Security officer or manager, or perhaps a Loss Prevention or Asset Management department. Or perhaps you have someone in the networking area responsible for security (firewall installers, Active Directory admins, etc.) Corner the person in charge, and start asking him pointed questions, like "Did you see the news about company Y, who got hacked by exploiting this same vulnerability we've got?" "Have you done a risk analysis?" "What would you do if X happened?" "Do we have an incident response plan?"
Or maybe you take credit cards, and have a PCI auditor running around. It's their job to care about security holes. Get your findings to them.
Just saying "OMG, we're using WEP!" or "look, someone keeps pulling these XSS attacks on us, I told you so!" isn't likely to be earth-shatteringly bad news; trust me, it's pretty much just irritating to those who politely listen to you whine. But offering constructive organizational advice might let these people know that you're not stupid, and that you really could help them improve their security.
If you're considering a career change into the security field, a positive attitude towards fixing the systemic problems (big picture, not just the one set of things you're looking at) might get you somewhere.
Re:Fraudulent Security Audit practices (Score:5, Insightful)
In that case, management was correct to lower the risk of this flaw, because they mitigated it. Access controls to that particular system were moved to a web-based terminal emulator, which is secured by complex passwords and a two-factor authentication system. Those six character passwords were randomized daily and linked to a specific user in the emulation system.
All I am saying is that there is a difference between fraud, negligence and compromise. Just because management is twisting the arm of a zealous auditor, or the infosec crew is pissed off because their latest policy or acquisition got shot down, doesn't mean your organization is run by Gordon Gekko or Ken Lay. Money and resources are not in unlimited supply, and sometimes standards need to be compromised or worked around so that business can continue.
If your ethical standards can't handle that, you'd better move to academia or write security books, because there isn't a non-trivial environment anywhere that achieves perfect adherence to security standards.
Rule Number 1 (Score:4, Insightful)
The bottom line is this: it does not matter one lick how many security measures you put in place. Short of completely disconnecting the network from every point of entry and encrypting the entire network, your security measures are not going to survive a determined attack from someone with at most average hacking skills. The best you can do is to point out the risks and figure out how to respond when your network gets owned, because someday it is going to.
Security is always a trade-off and a continuous game of cat and mouse. It is all about being open enough to get the job done while doing your best to inform and mitigate the risk.
The problem is, how do I get my CLIENTS to buy it? (Score:2, Insightful)
Re:What Should We Do About Security Ethics? (Score:4, Insightful)
2. Leak
3. Profit !!
(May involve forfeiture of your immortal soul, prison time and other side effects.)
Re:Three Words: (Score:3, Insightful)
Re:There are very few ethical companies. (Score:1, Insightful)
How to disclose stuff (Score:2, Insightful)
Yes, gather evidence, but DO NOT publish it. Be very careful who you tell. If you do publish it they will hunt for whoever leaked it; if they find you at the end of the trail, you will be fired and likely blackballed in your city.
Very true.
So do it anonymously. Here is how.
The most anyone will know is which city it was.
Inform External Auditors or Board of Directors (Score:1, Insightful)
I fully understood the importance of not chicken-littling.... and making the distinction between genuine issues and theoretical. As such, I maintained a prioritized list of risks. The number of "Critical" issues -- i.e., things that could either shut down or destroy the company or lead to immediate large monetary losses with a minimum of effort went on for dozens of pages. "Urgent" and "Important" issues took up nearly another 100 pages. It was truly frightening.
Because Security was not an independent organization, of course there was a natural conflict. The Senior VP of Technology simply refused to accept our findings, and demanded the list be "fixed" and dumbed down. Critical items were dropped to mere "Findings". Anything less than critical was simply dropped.
California, like many states, has mandatory privacy breach laws. On one occasion when we had a clear breach, the law was simply ignored, despite my direct notice to the corporate lawyer.
After 5 years (well, a lot sooner), and after some "close calls", I realized that the situation was not going to change, because our internal auditors were also useless, and frankly a part of the "let's all get along" crowd. So-called "security auditors" were given such strict parameters to work within that they rarely found more than nuisance issues.
After much consideration, I realized the only real choice short of going directly to customers was to leak directly to the Board of Directors. I sent information directly to their homes (several of them were former elected officials, and their home addresses were easily obtained). I also sent myself a registered letter containing all the email documenting my attempts to notify management and above.
I wasn't around for the effects, but after a lot of yelling, I'm told they led to very little real change, most likely because I made it clear reporting would end there. I left the company shortly thereafter for multiple reasons in addition to the nonsense above.
Sadly enough, I'm at a new company where, when I learned I was to be one of only a three-person IT security team for a 15,000 employee / multi-billion company, I mentioned that I was confident that team would be growing soon.... right. The answer was that no