mailing list archives
Re: [PEN-TEST] 'selling security' & risk
From: Wandering One <wanderingone () core com>
Date: Tue, 19 Sep 2000 19:12:35 -0500
If this is way off topic, please kill mercifully. It's Saturday night &
I'm feeling cranky, so here's where I take the opportunity (I'm blaming
it on you, Carv! and Azimuth wrote in about 'educating' a fellow admin a
couple days earlier) to complain about what I've personally noticed
recently - too small a sampling for me to call it a trend, but FWIW how
about those who want to acquire the latest fashion accessory: a security
There seems to be a small consensus among some of the managerial level
security folks that I have been talking to recently that have had the risk's
analysis along with the lawyers list of responsibilities showed to them all
too often, that having a policy and showing that you have the policy is all
you need to protect your company from a lawsuit.
There was some concern when months ago it was noticed that Board Mambers of
companies could be held responsible for failing to act upon the results of a
security audit. So making a Policy is an action, and therefore protects the
Board Member from facing the liability of being held fiscally liable to
shareholders for ignoring the results of an audit.
The above rant is a little sarcastic and over the top, but not all that
Actually *implementing* and *enforcing* is still another matter,
though. That's where the kicking and screaming occurs. How about
companies who (it is eventually revealed) never really intend to
enforce, because they just want a policy in place to show their
customers? (Note: Not dotcoms/e-commerce -- but nevertheless
accessible, with stored, sometimes very sensitive data.)
If there is any truth behind the allegation that they never intended to
enforce the policy that they crafted within response to a known risk, then
they still may be held liable should anything happen that would take
advantage of the known risk.
Now there is some truth to the fact that knowing the risk and having a plan,
even should that plan be dig a hole in the sand and stick your head in that
hole, will protect you to a certain extent from the possibility for being
held fiscally liable for damages.
It just feels really dirty to look at it that way. There are some things
that as Security Professionals we can not 'fix' due to a possible triple
constraint of money, time, and resources. That is what insurance is there
for, but there should be some statement that due to the constraints we are
going to not fix this problem till next year and during that time we have an
insurance policy for this problem.
That's when a client wants to know what might be called the bottom-line
number: 'the odds of being hit' (I can cite projected stats and sampled
guesstimates and data that I intuitively feel doesn't reflect the actual
state of the net). Then the client may seek safety in the harbor of
'we're too small for anyone to really go after us' or 'we don't store
anything of interest to a hacker!' and feel comfortable that not having
to go through 'the inconvenience and hassle' of implementing the policy
is actually a good trade-off in terms of the daily business process, at
least not for right now.
Which it frequently is -- unless lightning strikes catastrophically.
Does anyone add any kind of risk-benefit analysis (even rudimentary) to
your selling bag of tricks, i.e. a profile of vulnerabilities/network
architecture matched to loss potential, to help them through the
implementation process, at least initially? Or do you reckon that to be
the client's responsibility? What about for smaller companies whose 'IT
division' frequently consists of overworked sysadmins/network guys
desperately trying to keep up with patches, downtime, management
expectations, and rambunctious, free spirited users?
That should be part of the Security Audit. In my opinion (as useless as it
is sometimes) I think that is part of doing a penetration test is handing
the client a here's what I think your risks are and in talking with your
financial group these are the costs and benefits to not makign plans to
alleviating risks. If the business decides that it can assume the risks and
moves forward then there is not all the much that can be done, until like
you said they get hit with that proverbial lightning strike. If the
lightning strike hits and damages an area that they have assumed the
liability for instead of putting something in place to alleviate the risk,
it's their decision.