<This is a very appropriate and interesting discussion for many of us.>

I liked and agree with many of the responses posted on the list ...
Here's my take though you may well be past this point.


Part of your role is to inform management of all the details necessary to
come to the 'correct' decision. I'm sure you have done so in spades. But, you might
also try to overwhelm the management with your analysis of the potential cost
and risk of their decision.

Add up all the costs one would incur to restore the system, and the invasive
measures you would have to take to do so. Brainstorming the possible risks can
be a bit of a game. Not saying you'd resort to BS, not exactly, but the list can
be _very_ extensively fleshed out to total up with large numbers.

<bs>
Your policy might reasonably read like: Take down the whole exposed network;
keep each workstation and server off-line until damage control is done. All
internal users would be without computer resources for a 'week'. All account
passwords reset to tough-to-crack values. { Of course they won't buy into it and
won't let you do it. But try. You can find documentation on the Net to
substantiate this. } All work in progress on workstations on the intranet would
be perturbed for a week anyway as you restore older files. Support for other
'outside' or 'contract' customers would be impacted since support systems would
be down.

Look at attached systems and networks. The environment may be more distributed
than one normally considers. Many OSs and applications use their own version of
"trusted hosts" to communicate with other systems (Unixes, NT servers, Win9x file
and printer shares, Lotus Notes, OS/2, and Novell). Also applications such as:
time entry systems, purchase systems, helpdesk systems, database, accounting
systems, activity tracking, workflow management, calendar. Do you run the risk
of corrupting all these connected systems?

Are there any connections from within your network to peer networks outside your
own security perimeter? Will these external partners take kindly to your
lowering the security barrier? Will some peers terminate their connection with
you if they are made aware of the risk? Are there any DOD security issues
(classified data, or workstations authorized to connect to classified systems)
or network connections?

Risk (in $) of lost data (pick their favorite project), or worse, of corrupted
data (bad numbers may be worse than no numbers). Try to think in their terms -
find and bring out projects that are cost-critical, time-critical,
contract-critical, revenue-producers, management pets, or publicity attractors.
Costs can be 'compounded' by considering data passed from still-corrupted hosts to
sanitized hosts, also by considering all lost time (from infection to
detection, plus time to recover the network and all hosts), plus re-work time,
and the cost of periodic recurrence. Then add the cost of removing the easy
solution and implementing a secure solution.

{I offer that it _may_ take two weeks to notice an intrusion (particularly if
you have not been equipped with network monitoring tools) and two weeks for you
to recover each host with data from backups made four weeks ago. Then the
corporate users are four+ weeks behind in their work and may need four+ weeks to
catch up the backlog - for a total of eight weeks, or more, of lost time!}

If you buy my previous argument, then any deadline or deliverable of your company
is at risk of at least eight (or fill in your best guess) weeks of delay -
probably at the worst time. What's your manager's most vulnerable week: software
delivery; contract review; CEO presentation; stockholders' meeting? What's the
cost of delay of delivery of contracts and services? Do you face any penalties?
Have any fixed-price contracts to swallow?

Add possible risk of exposure of customer data (LAWSUIT!), exposure of
corporate name (news, stock market, and loss of corporate credibility), risk of
exposure of corporate sensitive data (proposals, cost numbers, and staff
resources). Risk of outright theft (are there cost accounts, charge card
numbers, inventory or purchasing systems, time-entry data connected online?).
How about corporate image if forged documents, emails, websites are
proliferated? Stockholders?

Do you expose other security items that must be re-purchased or re-licensed
(crypto keys, OTP, public/private keys)? How about just getting all passwords
changed after an event?

If hiring sufficient staff to implement your proposed security is an issue -
point out that you will have to hire on staff anyway to fend off the new network
risks, and more to recover the network after it's hacked anyway. For each cost
item (security staff, tools purchased, backups, pagers, after-hours support,
tapes or CD burners) that it costs to implement your pro-active solution, make
sure that you request even MORE for supporting their risky solution.
</bs>

Can you produce and document any real data that substantiates the risk? Show
data from a Firewall for intrusion attempts? Put up a sacrificial host with open
services and see what happens? Lack of this data does not reduce the risk in our
eyes - but examples will highlight the immediate risk in their eyes.

While it is a bit of a game and is best developed over a pitcher of beer, it is
really in their best interests for you to present the cost and risk in their
terms. If you develop (and inflate) the costs sufficiently, the cost may be too
much for the business to bear, or at least cost more than the sensible measures
you wish to take.

Good luck,
--Dave

p.s. Does anyone know how to make Lotus Notes act (reply/indent/wrap) like a
real emailer?


-----Original Message-----
From: Bill Husler
Cc: [EMAIL PROTECTED]
Sent: 4/14/00 9:57 AM
Subject: Off Topic: Upper Management decision making

Has anyone here had occasion to face the situation where Upper Management
decides to move forward in a direction against the recommendations of the
group responsible for data security, disregarding their concerns? If so, what did
you do about it? Did you write it up and ask them to formally acknowledge their
acceptance of the exposure? What form would this document take? Any examples?
Bill



-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]