Penetration Testing mailing list archives

Re: [PEN-TEST] 'selling security' & risk


From: Wandering One <wanderingone () core com>
Date: Tue, 19 Sep 2000 19:12:35 -0500

Missy, E:
If this is way off topic, please kill mercifully.  It's Saturday night &
I'm feeling cranky, so here's where I take the opportunity (I'm blaming
it on you, Carv! and Azimuth wrote in about 'educating' a fellow admin a
couple days earlier) to complain about what I've personally noticed
recently - too small a sampling for me to call it a trend, but FWIW how
about those who want to acquire the latest fashion accessory: a security
policy.

There seems to be a small consensus among some of the managerial level
security folks that I have been talking to recently, who have had the risk
analysis along with the lawyers' list of responsibilities shown to them all
too often, that having a policy and showing that you have the policy is all
you need to protect your company from a lawsuit.

There was some concern when months ago it was noticed that Board Members of
companies could be held responsible for failing to act upon the results of a
security audit.  So making a Policy is an action, and therefore protects the
Board Member from facing the liability of being held fiscally liable to
shareholders for ignoring the results of an audit.

The above rant is a little sarcastic and over the top, but not all that
much.

Actually *implementing* and *enforcing* is still another matter,
though.  That's where the kicking and screaming occurs.  How about
companies who (it is eventually revealed) never really intend to
enforce, because they just want a policy in place to show their
customers?  (Note:  Not dotcoms/e-commerce -- but nevertheless
accessible, with stored, sometimes very sensitive data.)

If there is any truth behind the allegation that they never intended to
enforce the policy that they crafted in response to a known risk, then
they still may be held liable should anything happen that would take
advantage of the known risk.

Now there is some truth to the fact that knowing the risk and having a plan,
even should that plan be to dig a hole in the sand and stick your head in that
hole, will protect you to a certain extent from the possibility of being
held fiscally liable for damages.

It just feels really dirty to look at it that way.  There are some things
that as Security Professionals we can not 'fix' due to a possible triple
constraint of money, time, and resources.  That is what insurance is there
for, but there should be some statement that due to the constraints we are
going to not fix this problem till next year and during that time we have an
insurance policy for this problem.

That's when a client wants to know what might be called the bottom-line
number:  'the odds of being hit' (I can cite projected stats and sampled
guesstimates and data that I intuitively feel doesn't reflect the actual
state of the net).  Then the client may seek safety in the harbor of
'we're too small for anyone to really go after us' or 'we don't store
anything of interest to a hacker!' and feel comfortable that not having
to go through 'the inconvenience and hassle' of implementing the policy
is actually a good trade-off in terms of the daily business process, at
least not for right now.

Which it frequently is -- unless lightning strikes catastrophically.

Does anyone add any kind of risk-benefit analysis (even rudimentary) to
your selling bag of tricks, i.e. a profile of vulnerabilities/network
architecture matched to loss potential, to help them through the
implementation process, at least initially?  Or do you reckon that to be
the client's responsibility?  What about for smaller companies whose 'IT
division' frequently consists of overworked sysadmins/network guys
desperately trying to keep up with patches, downtime, management
expectations, and rambunctious, free-spirited users?

That should be part of the Security Audit.  In my opinion (as useless as it
is sometimes) I think part of doing a penetration test is handing
the client a "here's what I think your risks are, and in talking with your
financial group these are the costs and benefits of not making plans to
alleviate risks."  If the business decides that it can assume the risks and
moves forward, then there is not all that much that can be done, until, like
you said, they get hit with that proverbial lightning strike.  If the
lightning strike hits and damages an area that they have assumed the
liability for instead of putting something in place to alleviate the risk,
it's their decision.

Wandering One
