Security Basics mailing list archives

A Rallying Cry to Executives?


From: admin () iflipyouoff com
Date: 31 Mar 2006 19:33:37 -0000

Our network engineering staff recently came across some old documents left moldering in a closet.  An interesting note 
from the CIO at the time outlined a communication to our executive management.  This is what was said:
-------------------
"With the growing proliferation of viruses, worms and malicious code in the wild, it is imperative we take proactive 
measures to ensure confidentiality, integrity and availability of our data. As it has been stated before, we cannot 
assess our true vulnerability until we have assessed our current state. Current state of our network reveals our 
weakest points are most vulnerable to attack. The recent outbreak of Sasser and Netsky should have taught us all a 
grave lesson. Something tells me we have yet to fully “get it”."

"Information Security cannot do it alone. Nor should they be expected to. The greatest type of security breach reported 
for 2004 was the Denial of Service attack.  DOS attacks account for almost double the amount of money lost last year 
due to a particular genre of attack: targeted DDOS attacks proliferated through hidden “bots” found in Trojan code. 
Denial of Service can be overused as a broad term; however, when access to any type of data is prohibited by either an 
exploited system flaw or the introduction of malicious code, it is referred to as a denial of service."

"This paradigm we operate in today is constantly changing. We should take a more macro approach when scrutinizing 
security within our network. By using a complete and trustworthy assessment of our hardware, in-house software and 
software provided by our vendors, we should readily be able to identify gaps in security, unauthorized access points 
and unnecessary redundancy."

"It will take a change in the corporate culture itself to rid ourselves of unnecessary access such as gateway devices 
into the network and directed ATM access provided by large vendors.  To date, we as a company have enjoyed large 
successes and have reaped the rewards. Unfortunately we have practiced little restraint and have been even less frugal."

"In order to remedy the problem, we must attack it head on.  The movie Kill Bill’s leading character did not wait for 
her victims to appear before her. Nor did she wait until one or more of them created the opportunity.  Her problem was 
attacked head on. There still is a challenge present and we as a company must be strong enough to accept it."

"End User training should be at the forefront of every line-level manager in this corporation. This should also include 
good Information Security practices, such as secure coding initiatives and robust password management, as well as daily 
job function Security Awareness duties. We can only get better at combating unwanted downtime and lost revenue due to 
poor security if we take a top-down approach to teaching and promoting good data security practices. The recent Sasser 
outbreak could have been prevented if users simply deleted offending messages. In addition, the 0-day exploit is upon 
us. Communication and remediation efforts must be proactive or at least as close to the release of malicious code as 
possible.  Information Security stewards simply must continue to work on enhancing their methods of communication to all 
areas of the company. For this is no longer strictly a technological problem. It is a survival issue."
--------------------

Maybe these executive types are starting to understand.

-PM, IS Director
 I Flip You Off dot Com
 San Mateo, CA

