Fri 20 Feb 2009
Reaping what you sow
Posted by andyitguy under information security, policy enforcement
[4] Comments
I get tired of reading the same things over and over. As good as the blogosphere is at keeping you up to date with what is going on, it can also repeat the same information over and over and over. One example of this is the Fannie Mae logic bomb issue. It seems that everyone and their mother wrote about it. Don’t get me wrong, there are lots of lessons to be learned from this, and there is plenty to say about it that we need to hear. Yet it seems that so many people just repeat the same thing over and over. The problem with this (other than boring you to death) is that it numbs you to the point that you quit reading posts about a topic and miss something good.
This morning, as I was skimming through my RSS feeds on the bus, I ran across this post from Bruce Schneier about the Fannie Mae issue. He does cover some of the same ground that everyone else covered, but he also gives a list of 5 suggestions for how we can learn from this and put into practice some things that will lessen the chance of an insider doing something malicious on our networks. Again, most of them have been repeated time and again by others. It’s his last suggestion that caught my attention. He says:
Detect breaches of trust after the fact and prosecute the guilty. In the end, the four previous techniques can only do so well. Trusted people can subvert a system. Most of the time, we discover the security breach after the fact and then punish the perpetrator through the legal system: publicly, so as to provide a deterrence effect and increase the overall level of security in society. This is why audit is so vital.
Much of the problem is that when someone does something wrong, we let them get away with it. We give them a slap on the wrist and send them back to their desk with a warning. I’m not talking about something big like attempting to destroy 4000 servers. I’m talking about things such as ignoring policy and taking data home to work on, surfing porn, loading games on company computers, and ignoring the Acceptable Use and other policies. These are the kinds of things that often get overlooked and ignored. I’m not suggesting that we fire someone for these things, but we have to let them know the seriousness of their acts. They need to understand that you “reap what you sow”.

I would agree and the only way for this to be effective is if the people who wield the power stick actually do something about it when notified.
The problem I am faced with though is that the man with the power stick is the most guilty – he’s the one who “gets away with it” (and in this case I mean bad practices like demanding access to everything, being able to do what they want on their equipment, browse anywhere on the web, etc.) and he is the CTO. Other staff are powerless / afraid to stand up to him and no one high up seems to care (or know).
Combined with an attitude of double standards – it’s one thing having a lowly worker do wrong, but don’t even think of approaching any of the directors / CxOs – it certainly makes trying to enforce security fun.
I agree, but I think the problem is that there needs to be management buy-in from the beginning. If you have policies and standards in place merely for the sake of saying you do, to be compliant, then you may actually be worse off when something bad happens.
For example, let’s say that management decides to fire Joe down the hall because they came in and saw he was surfing porn on the company computer. They can, because they have a policy for it. Great.
Now Joe sues for wrongful termination. He claims that many others were surfing porn in violation of the policy and that he was unfairly singled out. If you don’t think he has a case then think again.
If you didn’t have anything in place then the company could claim ignorance, but if they did then they might have trouble explaining that one away. They might just settle the case and Joe gets paid off. Nothing like being rewarded for bad behavior. If you don’t think that happens all the time, then start talking with some corporate counsels around town. It might open your eyes.
I once had a similar situation where the CIO and CEO were the worst offenders in every way. Logging on as domain admin, never locking their systems, surfing porn. I finally had to threaten to quit to get them to stop.
Graydon, I agree 100%. That is part of the problem. We can’t enforce policy because management doesn’t follow the policies. Obviously I was dreaming when I said this could happen.