Penetration Testing mailing list archives
Re: [PEN-TEST] 'selling security' & risk
From: Wandering One <wanderingone () core com>
Date: Tue, 19 Sep 2000 19:12:35 -0500
Missy, E:
If this is way off topic, please kill mercifully. It's Saturday night & I'm feeling cranky, so here's where I take the opportunity (I'm blaming it on you, Carv! and Azimuth wrote in about 'educating' a fellow admin a couple days earlier) to complain about what I've personally noticed recently - too small a sampling for me to call it a trend, but FWIW how about those who want to acquire the latest fashion accessory: a security policy.
There seems to be a small consensus among some of the managerial level security folks that I have been talking to recently, who have had the risk analysis along with the lawyers' list of responsibilities shown to them all too often, that having a policy and showing that you have the policy is all you need to protect your company from a lawsuit. There was some concern when months ago it was noticed that Board Members of companies could be held responsible for failing to act upon the results of a security audit. So making a Policy is an action, and therefore protects the Board Member from facing the liability of being held fiscally liable to shareholders for ignoring the results of an audit. The above rant is a little sarcastic and over the top, but not all that much.
Actually *implementing* and *enforcing* is still another matter, though. That's where the kicking and screaming occurs. How about companies who (it is eventually revealed) never really intend to enforce, because they just want a policy in place to show their customers? (Note: Not dotcoms/e-commerce -- but nevertheless accessible, with stored, sometimes very sensitive data.)
If there is any truth behind the allegation that they never intended to enforce the policy that they crafted in response to a known risk, then they still may be held liable should anything happen that would take advantage of the known risk. Now there is some truth to the fact that knowing the risk and having a plan, even should that plan be to dig a hole in the sand and stick your head in that hole, will protect you to a certain extent from the possibility of being held fiscally liable for damages. It just feels really dirty to look at it that way. There are some things that as Security Professionals we cannot 'fix' due to a possible triple constraint of money, time, and resources. That is what insurance is there for, but there should be some statement that due to the constraints we are not going to fix this problem till next year, and during that time we have an insurance policy for this problem.
That's when a client wants to know what might be called the bottom-line number: 'the odds of being hit' (I can cite projected stats and sampled guesstimates and data that I intuitively feel doesn't reflect the actual state of the net). Then the client may seek safety in the harbor of 'we're too small for anyone to really go after us' or 'we don't store anything of interest to a hacker!' and feel comfortable that not having to go through 'the inconvenience and hassle' of implementing the policy is actually a good trade-off in terms of the daily business process, at least not for right now. Which it frequently is -- unless lightning strikes catastrophically. Does anyone add any kind of risk-benefit analysis (even rudimentary) to your selling bag of tricks, i.e. a profile of vulnerabilities/network architecture matched to loss potential, to help them through the implementation process, at least initially? Or do you reckon that to be the client's responsibility? What about for smaller companies whose 'IT division' frequently consists of overworked sysadmins/network guys desperately trying to keep up with patches, downtime, management expectations, and rambunctious, free spirited users?
That should be part of the Security Audit. In my opinion (as useless as it is sometimes) I think that part of doing a penetration test is handing the client a "here's what I think your risks are, and in talking with your financial group these are the costs and benefits of not making plans to alleviate the risks." If the business decides that it can assume the risks and moves forward, then there is not all that much that can be done, until, like you said, they get hit with that proverbial lightning strike. If the lightning strike hits and damages an area that they have assumed the liability for instead of putting something in place to alleviate the risk, it's their decision.

Wandering One
Current thread:
- [PEN-TEST] 'selling security' & risk Missy, E (Sep 18)
- Re: [PEN-TEST] 'selling security' & risk Wandering One (Sep 20)