Old 04-13-2008, 07:06 PM   #1
Posted by Mercury
The World's Biggest Security Risk: Management

Your management needs to understand the very real security issues facing your company's network. But how does an IT guy explain these very serious, but frequently very intangible, security threats? Jimmy Ray shows you how.

Old 04-13-2008, 07:08 PM   #2
Posted by Lyte
Here's the whole story...

The World's Biggest Security Risk: Management
April 11, 2008
By Jimmy Ray Purser
Courtesy of Cisco Systems


Your management needs to understand the very real security issues facing your company's network. But how does an IT guy explain these very serious, but frequently very intangible, security threats? Jimmy Ray shows you how.

Some people just don't get it. Ever try to explain what you do to someone who doesn't use a computer? It's as hard as trying to eat my mother-in-law's cooking while making the "mmmm" sound.

Now imagine trying to sell a ghost to someone. That is what it's like trying to sell security to people who just do not "get" security. Lack of buy-in from management is the single biggest threat to any company's security posture today. Many people in management see little return on investment with security or, even worse, believe that data is not a tradable commodity on the black market today. The FBI reports that last year data was worth more than $67 billion to hackers on the worldwide market.

People say, "Why would anyone want to hack my network?" or "I am too small to hack." Security seems to be the stuff that gets in the way of business processes rather than protecting our most valuable company asset: the data. Many times, I've had to prove a hacker was trying to break into a network. To me, this is like trying to prove the size of Neptune with a yardstick and binoculars.

Hackers Can Attack Your Network
Proving a network is ripe for attack is hard to do and even harder to catch if you are doing it in small increments. This is what we have to do most of the time if we are billable per hour, as most of us engineers are. Many attacks come from Europe or Asia, so when we're working, they're sleeping and vice versa. Overseas hackers use this to their advantage to slip by human-watched controls and monitoring. What I have had some success with is installing a Snort server with the C&C signature set from Bleedingthreats.com. This worked in capturing automated bots and port scanners, which can normally scare the purchase orders out of a goober manager. Data rules, or in hacker speak D4t4 Ru13z! Especially if it's the customer's own data. I install Snort in monitor mode and come back to collect the data in a week's time and sit down with the customer and analyze it. This hits about three out of 10 times. Sometimes, a week just isn't long enough. A month is good, but that gets pricey. This takes a lot of effort on your part, so I would only do this if the deal size is large. This is a good low-cost method to check for threats for convincing people. I normally don't bring one of our Cisco IPS appliances so that to management it looks like I'm not trying to sell them tons of hardware. Truthfully, I'm just looking to prove that a threat is real and not that the hardware works. If it's a small deal and not really worth the time and effort, I would get the customer (not technical management) to review some data at some U.S. government organizations such as:

* Understanding Hidden Threats: Rootkits and Botnets

* Over 1 Million Potential Victims of Botnet Cyber Crime

Geek sites are good for geeks to show them solid data. My favorite is Shadowserver.

I avoid vendor sites for proof points and analyst sites, mainly because that's like a car dealer asking, "What can I do to put you in this car today?" But in the end, some people just don't get it. I can think of 10 customers of mine who didn't get security and thought security breaches couldn't happen to them. They would argue and resist security at all turns. All 10 were eventually hacked, some of them very badly, and without exception, that entire IT staff and management were fired, the company was fined, and the bad press and loss of customer confidence did them in within 18 months after the attack. It's sad to see, because this could have been so easily prevented. My honeynets have been more active in the last six months than they have been in the previous year. Even now, I would adjust my expectations if you believe you can catch a hacker in the act. It's certainly possible, but very rare. Many of the hackers I have caught have been from post-analysis of my honeynets. I have configured my devices to send an e-mail when certain hacker groups are active on my gear, but many times, I'm sleeping or watching Futurama, so it's more of a passive method.

Geeks and Managers Speak Different Languages
The biggest thing that hurts most of us geeks today is that we speak geek-lish and not manager-ish. For example:

* Geek to manager: We found tron32v2a establishing a channel to a C&C server located on the RBN over IRC to propagate warez on your network.

* Manager to geek: ... [translation: blank stare]

When I was in the U.S. Navy, I had a manager who used to get the ship's cooks to help us out during battle conditions. I thought this was an odd choice until we needed to eat during battle conditions, and I found out real quickly what a genius this dude actually was! Same principle works here: Grab a sales rep/account manager who can speak manager-ish really well. Then train that person on security, how important it is, and what your results mean. This is time very well spent. Credibility and a positive belief really go a long way here to management.

Finally, knowing when to walk away is crucial. Security-minded people normally feel that we must convince management that they have to buy into security, but some people just won't. Personally, it is so hard for me to walk away from those accounts. It is like walking away from Popeye's all-you-can-eat chicken buffet after eating a single wing. Securing data is the ultimate responsibility of management, and it cannot be delegated to IT people. What management doesn't know about security can and certainly will hurt them: It's only a matter of time.
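As an added illustration of the "install Snort in monitor mode, collect a week of data, then sit down with the customer" step in the article above (this is not code from the article, from Cisco, or from the forum), the Python below parses Snort's fast-alert log format and reduces it to the per-rule numbers a manager can follow: how many events, how bad, how many internal machines involved. The alert lines, SIDs, rule names and the 10.0.0.0/8 site range are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample Snort "fast" alert lines; hosts, SIDs and rule names are made up.
SAMPLE_ALERTS = """\
04/13-02:17:44.103221  [**] [1:2000001:2] SAMPLE Bot IRC C&C JOIN [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.5:1045 -> 203.0.113.7:6667
04/13-02:17:51.402113  [**] [1:2000001:2] SAMPLE Bot IRC C&C JOIN [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.5:1046 -> 203.0.113.7:6667
04/13-03:05:10.000452  [**] [1:2000017:1] SAMPLE Inbound port sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.23:55012 -> 10.0.0.1:22
04/13-03:05:10.000987  [**] [1:2000017:1] SAMPLE Inbound port sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.23:55013 -> 10.0.0.2:22
04/14-14:22:09.771003  [**] [1:2000001:2] SAMPLE Bot IRC C&C JOIN [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.9:1122 -> 203.0.113.7:6667
not an alert line, e.g. a sensor restart banner, which the parser must skip
"""

SITE_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed address range of the monitored network

FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_fast_alerts(text):
    """Return one dict per parseable alert line; unparseable lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.match(line.strip())
        if m:
            a = m.groupdict()
            a["prio"] = int(a["prio"])
            alerts.append(a)
    return alerts

def summarize(alerts):
    """Aggregate by rule message: event count, worst priority, internal hosts, external peers."""
    by_sig = defaultdict(lambda: {"count": 0, "prio": 9, "internal_hosts": set(), "peers": set()})
    for a in alerts:
        s = by_sig[a["msg"]]
        s["count"] += 1
        s["prio"] = min(s["prio"], a["prio"])
        # Decide which end of the flow is ours so the report counts affected internal machines.
        inside, outside = (a["src"], a["dst"]) if ipaddress.ip_address(a["src"]) in SITE_NET else (a["dst"], a["src"])
        s["internal_hosts"].add(inside)
        s["peers"].add(outside)
    return dict(by_sig)

def manager_report(summary):
    """One plain-English line per rule, worst priority and highest volume first."""
    ordered = sorted(summary.items(), key=lambda kv: (kv[1]["prio"], -kv[1]["count"]))
    return [f"{s['count']} events of '{msg}' (priority {s['prio']}): "
            f"{len(s['internal_hosts'])} internal host(s) and {len(s['peers'])} outside address(es) involved"
            for msg, s in ordered]
```

Run `manager_report(summarize(parse_fast_alerts(open("alert").read())))` against a real week of Snort fast alerts to get the same kind of one-line-per-rule summary the article hands to management.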