Explaining security to employers.......

  • Explaining security to employers.......

    Have Defcon participants considered putting out a book explaining basic internet security strategies? The company I work for has an internet site which could use some serious work, but I have stopped making suggestions after being accused of being paranoid.

    What can I do?

  • #2
    stop preventing, wait till something bad happens, say I told you so and pray they don't fire you.


    some people just can't be helped



    • #3
      aawwwwwwwwwwwh!

      There has to be some way to provide a book or something which can at least give them a heads up.



      • #4
        books on computer security are everywhere....ever been in a bookstore?
        ~:CK:~
        I would like to meet a 1 to keep my 0 company.



        • #5
          Actually, check the Security Focus archives. There have been a number of white papers on this. It's hard to sell security. Here are some things I've found that work.

          1. Evangelize security. Bring it up when possible. You may feel like you are pounding your head against a wall but it can pay off. The day something bad happens, don't gloat but be sure to let folks know that the event could have been prevented with adequate planning. I have been at several companies where this proved to be the kick in the pants needed to get folks interested.

          2. Think like the person you are selling it to. Whether you are a consultant trying to broker a deal with a client or an internal employee trying to convince your superiors to focus on security, you have to sell it. Remember, the people that make the yes/no decisions are not engineers. When you try to sell them on the technical aspects of security, you either lose them or frighten them. The folks that control the direction of the company don't know (or care) about how fast the backplane speed is on a PIX vs. a Nokia, or the difference between IDS and IPS systems. The people who make these decisions care about things like Return on Investment, product life cycle, and training/finances/resources required. Security is a big drain from their perspective and thus they will never go for it unless you change their mindset. When you try to pitch security to them, don't give them technical talk. Talk to them in business terms. Let them know that while it may cost XXXXXX to do what you want to do, it will be protecting them from XXXXXXX worth of damage.

          I personally like to put it in layman's terms and use a lot of analogies. To sell the security mindset I always like the shark net analogy. You own a private beach where the swimmers keep getting attacked by sharks. Now no one wants to swim there. So, you buy some shark nets. Now, these shark nets are expensive, but each lawsuit against you keeps costing millions of dollars so it balances out. Well, eventually the swimmers return and there are no more shark attacks. So, years go by and your CFO notices one day 'we are spending thousands of dollars every year on these stupid shark nets and we haven't even had one attack! We could save tons of money if we got rid of them'. When presented like that, it makes the argument against security look pretty stupid. The purpose of the shark net isn't to generate revenue, but rather to protect you from losing it, and by preventing attacks it does exactly that.

          The return on security is hard to quantify as it's measured in the amount of incidents that DON'T happen. Ever wonder how many times your car HASN'T been stolen because of your car alarm? Same shit.

          Also, when you are trying to sell this to your company, present it on their terms. C** executives don't read Linux Journal or Dr. Dobbs. They do read Forbes, Fortune, and Business 2.0. Security is a big topic on the 'business' side of things and there are plenty of articles that relate to what you are doing in those rags. Your Sr. executive types are going to be far more interested in your firewall solution when you demonstrate its ROI and back it up with figures from the Wall Street Journal. At that point you have de-mystified security to them. You are talking to them as business people and referencing things they know and understand. They'll be more apt to listen.

          Basically, engineers understand the need for security and executives do too, it's just that something gets lost in the translation when it's pitched to them.


          Fuck this got big quick..I could probably turn this into a white paper..

          I return whatever i wish . Its called FREEDOWM OF RANDOMNESS IN A HECK . CLUSTERED DEFEATED CORn FORUM . Welcome to me



          • #6
            Originally posted by bobaxos
            stop preventing, wait till something bad happens, say I told you so and pray they don't fire you.


            some people just can't be helped
            BAD fucking idea! That happens, management looks for a scapegoat. Guess who they are going to use? Hint: it is the smartass screaming "I told you so!".

            I was in the same boat, and my boss's response was "Who has time for security.. we are so small, no one will hack us.." etc..
            I finally did a quick audit myself, and showed my boss what could be done to exploit the network and how it could be fixed (w/o making a scene about it or defacing anything, just showed how SQL injection is not a good thing on a server), and told him I would not want to be the one to explain to the CEO why the homepage is linked to <insert bestiality site here>. He quickly changed his tune, and now defcon is on the company's dime. (It helps to say "look what I learned at Defcon" and not show any pictures. ) This was done without making him look like a jackass or stepping over any other boundaries or on toes.
            Happiness is a belt-fed weapon.



            • #7
              Bruce Schneier at Counterpane is someone who really gets it (except for the necessary outsourcing, but hey, he has to make money too).

              http://www.counterpane.com/presentation1.pdf



              • #8
                The Art of Deception by Kevin Mitnick is a very good book for companies on how to prevent social engineering attacks.

                It gives situations, examples and then analyzes them.
                It also gives tips on how to prevent each individual type of attack.



                • #9
                  i think you guys have got this all wrong.....

                  you are the employee. it is your job to fix things. it is your job to protect.

                  showing them books and manuals on how things get hacked and how to secure data is not what your employer needs to know. that's what You need to know.

                  showing them ways they are insecure doesn't give them any idea as to what you are trying to tell them. they need to see/hear stories of the aftermath of attacks. they need to hear about how Management got fucked in other companies. they need to be able to speak to the budget people in a way that they both understand...... such as, "this is what happened to These other people when they were too lax."

                  make security affect THEIR lives. then people start listening. if something goes wrong now, all they know now is that you were responsible and have to deal with it.

                  don't wait for something to happen.... TELL them about OTHERS that waited for something to happen.

                  in any case, write all your findings and concerns in reports and send them up the line. keep a copy of everything you write. that way you have something to show your boss's boss when shit starts to roll down hill....



                  p.s. whats the name of this insecure company? ;)
                  the fresh prince of 1337

                  To learn how to hack; submit your request



                  • #10
                    There is a commercial on TV that presents a statistic, stating that 9 of 10 business networks have been hacked this year. (Or last year?) I can't remember who the commercial is for, but it's not important. I think that it is important to remember we lock our doors for a reason, to secure our home or office. The network should be secured as well. Script Kiddies will hack into any network, just because they found it to be open. According to my professor at school, a business competitor will hack into your customer records, to steal your customer base. Is that accurate?
                    If it is, that should motivate any business executive to have his network secured.
                    Last edited by Clp727; October 28, 2003, 05:57.



                    • #11
                      I was at a tech conference last week and realized that management has less of a clue than we thought on this.

                      There was a session on security ROI (Return on Investment) where the speaker gave a huge formula for calculating how much value there was in securing the company. ((Value=cost of cleanup - cost of security) or something along those lines)

                      I sat there dumbfounded at what I was hearing. He was basically explaining to people that unless there was a positive (money) value attached to the securing of the enterprise, it wasn't worth doing.

                      I asked him why he thought security was even an option and not a given need. Their guesstimate of the cost of cleanup from an incident didn't take into account that doing things right from the beginning will make that cost go away.

                      You had to be there but it was dreadful for me to hear.
                      Never drink anything larger than your head!


                      • #12
                        I sat there dumbfounded at what I was hearing. He was basically explaining to people that unless there was a positive (money) value attached to the securing of the enterprise, it wasn't worth doing.
                        Well, they have a point, albeit a short sighted one. Would you spend thousands of dollars to build a state of the art security system to protect a ham sandwich? When you use their ROI calculations it would be far cheaper to replace the ham sandwich when it gets stolen than invest thousands in an infrastructure to protect it. Where they are short sighted is that information has a value that is hard to quantitate. The physical value may not be that much at all, but what it represents is much more. One thing management types don't take into consideration when trying to figure out ROI are things like image damage, public relations damage, and long term fallout from a security related incident. To use the ham sandwich again, let's say an incident occurs and the sandwich is stolen. Ok, you're out 4 bucks. However, if the purpose of your company is to provide customers with the most secure place to store their ham sandwiches, well that 4 dollar loss just got a lot bigger since you are now pretty much out of business. For a group of people that are supposed to see things from the 40,000 foot perspective, they can be very myopic when it comes to seeing The Big Picture.
                        Last edited by noid; October 28, 2003, 09:56.



                        • #13
                          Originally posted by noid
                          However, if the purpose of your company is to provide customers with the most secure place to store their ham sandwiches, well that 4 dollar loss just got a lot bigger since you are now pretty much out of business.

                          Jesus Christ man...you are killing me. I had just incorporated my unique new Ham Sandwich Security firm...a new and different idea that you have now leaked to all these potential competitors. I guess it's back to the sandwich (err...drawing) board.
                          perl -e 'print pack(c5, (41*2), sqrt(7056), (unpack(c,H)-2), oct(115), 10)'



                          • #14
                            I believe we should leave them in their ignorance...they did it to themselves...I once saw a firm's website with links to porn sites...and I don't think the CEO ordered that
                            BY ACCEPTING THIS BRICK THROUGH YOUR WINDOW, YOU ACCEPT IT AS IS AND AGREE TO MY DISCLAIMER OF ALL WARRANTIES, EXPRESS OR IMPLIED, AS WELL AS DISCLAIMERS OF ALL LIABILITY, DIRECT, INDIRECT, CONSEQUENTIAL OR INCIDENTAL, THAT MAY ARISE FROM THE INSTALLATION OF THIS BRICK INTO YOUR BUILDING.



                            • #15
                              Originally posted by ^Dash^
                              I believe we should leave them in their ignorance...they did it to themselves...I once saw a firm's website with links to porn sites...and I don't think the CEO ordered that

                              If the website had to do with "Ham Sandwich security", then the CEO probably did order it.
