Security Basics mailing list archives
Re: A Rallying Cry to Executives?
From: "Jim Parkhurst" <JPARKHUR () dot state tx us>
Date: Mon, 03 Apr 2006 12:22:27 -0500
Good read. How "moldy" was it?

---
Jim Parkhurst
Systems Analyst III
Texas Department of Transportation
Maintenance Division
jparkhur(at)dot/state/tx/us
Voice.: 512.416.3219
Pager : 512.606.9774
FAX... : 512.416.3044
<admin () iflipyouoff com> 03/31/2006 13:33 >>>
Our network engineering staff recently came across some old documents left molding in a closet. An interesting note from the, at the time, CIO outlined a communication to our executive management. This is what was said:

-------------------

"With the growing proliferation of viruses, worms and malicious code in the wild, it is imperative we take proactive measures to ensure confidentiality, integrity and availability of our data. As it has been stated before, we cannot assess our true vulnerability until we have assessed our current state. Current state of our network reveals our weakest points are most vulnerable to attack. The recent outbreak of Sasser and Netsky should have taught us all a grave lesson. Something tells me we have yet to fully "get it"."

"Information Security cannot do it alone. Nor should they be expected. The greatest type of security breach reported for 2004 was the Denial of Service attack. DOS attacks account for almost double the amount of money lost last year due to a particular genre of attack, targeted DDOS attacks proliferated through hidden "bots" found in Trojan code. Denial of Service can be overused as a broad term; however, when access to any type of data is prohibited by either an exploited system flaw or introduction of malicious code it is referred to as a denial of service."

"This paradigm we operate in today is constantly changing. We should take a more macro approach when scrutinizing security within our network. By using a complete and trustworthy assessment of our hardware, in-house software and software provided by our vendors, we should readily be able to identify gaps in security, unauthorized access points and unnecessary redundancy."

"It will take a change in the corporate culture itself to rid ourselves of unnecessary access such as gateway devices into the network and directed ATM access provided by large vendors. To date, we as a company have enjoyed large successes and have reaped the rewards. Unfortunately we have practiced little restraint and have been even less frugal."

"In order to remedy the problem, we must attack it head on. The movie Kill Bill's leading character did not wait for her victims to appear before her. Nor did she wait until one or more of them created the opportunity. Her problem was attacked head on. There still is a challenge present and we as a company must be strong enough to accept it."

"End User training should be at the forefront of every line level manager in this corporation. This should also include good Information Security practices, such as secure coding initiatives and robust password management, as well as daily job function Security Awareness duties. We can only get better at combating unwanted downtime and lost revenue due to poor security if we take a top-down approach to teaching and promoting good data security practices. The recent Sasser outbreak could have been prevented if users simply deleted offending messages. In addition, the 0-day exploit is upon us. Communication and remediation efforts must be proactive or at least as close to the release of malicious code as possible. Information Security stewards simply must continue work on enhancing their methods of communication to all areas of the company. For this is no longer strictly a technological problem. It is a survival issue."

--------------------

Maybe these executive types are starting to understand.

-PM, IS Director
I Flip You Off dot Com
San Mateo, CA

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Tailor your education to your own professional goals with degree customizations including Emergency Management, Business Continuity Planning, Computer Emergency Response Teams, and Digital Investigations.
http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
Current thread:
- A Rallying Cry to Executives? admin (Apr 03)
- <Possible follow-ups>
- Re: A Rallying Cry to Executives? Jim Parkhurst (Apr 03)
- RE: A Rallying Cry to Executives? Beauford, Jason (Apr 03)
- Re: A Rallying Cry to Executives? Andrew Haninger (Apr 05)
- Re: Re: A Rallying Cry to Executives? admin (Apr 04)
- Re: RE: A Rallying Cry to Executives? admin (Apr 05)