Intentional Security Blindness

In previous columns I talked about two types of employees, contractors, and the like who could cause your organization harm through poor security practices resulting in loss of data, money, trade secrets, etc. The first type was people who caused such losses inadvertently through security policy violations, such as taking unencrypted medical records home on a laptop or memory stick and losing it. The second type was someone who intentionally stole such valuable data or caused a denial of service; in both cases the potential cost to your company was significant in terms of money, lost business, or management time lost to litigation. But there is a third type of individual who could cause these undesirable losses to your company, and they are almost always employees.

Who are they?

So who are these people? Generally, they are the most powerful or influential people in your company, who are often higher up in the corporate hierarchy than the security department. They could be the CEO, the CFO, the head of marketing, or the powerful heads of profit centers. So what do they do, and why do they do it?

What do they do?

First, the what. They demand new or modified applications that open up serious security flaws. One route is web-enabling legacy applications that were never designed with security in mind beyond authenticating a user, and once the application is on the web, the population of potential users is, of course, anyone with a web browser. A very good example of this has occurred in the electric power industry, whose systems are controlled by a technology called SCADA (Supervisory Control and Data Acquisition). SCADA was intended for use on closed company networks and so has little built-in security. However, over time, SCADA systems have been opened to the internet, which poses a significant threat to the nation’s grid systems. Alternatively, they may demand new applications such as Web 2.0 mash-ups or Voice over IP (VoIP), to name a couple. These applications are inherently insecure, as any review of the security literature will reveal. Not only are they insecure, but they are exceedingly difficult to provide with an acceptable degree of security. Now, if the security department is performing its role, the people demanding these applications would be aware of the security issues. But in many cases, the security people are not high up enough in the organization to be heard, or even if they are, their message is ignored.

Why do they do it?

Now the why. In a word – money. These new applications are seen as increasing revenue or reducing operating costs by opening up applications to the web. In addition, they may be seen to enable the business to become more nimble. Finally, they may be needed because the competition has such applications or the customers are demanding them. Because of the perceived financial gain, the executives will turn a blind eye to the security implications of these applications, or simply say, “You’re the security department, fix it.”

What do we do?

So in the end, the security people try to make the best of it by finding security solutions that address the most serious of the security exposures and simply accepting the rest. So how do we reduce “Security Blindness”? The best way is to achieve a position in the organization where the executive requesting these applications has to accept the residual risk (in writing) rather than the security group.

2 Comments

  1. Scott Wright Apr 29, 2008 at 6:32 am

    This same group is also susceptible to what I call the “immunity by importance” paradox. Many executives feel hindered by the rules that are supposed to apply to their staff, and feel that because their work is “different” or “special”, they should be immune.

    However, nothing could be further from the truth, as evidenced by the growing phenomenon of “Whaling” – phishing attacks targeted at the “big fish” in an organization who often use their status as an excuse to bypass security – making C-Level management very attractive targets for attacks from outside (or even inside).

  2. Anish Apr 30, 2008 at 4:43 am

    I agree with you on the point that “Higher Ups” do put security at stake. I have seen that in small companies where they have ACLs, audits happening every 3 months, and they follow the principle of least privilege, but when these things are happening, by default every network share needs to have a user who is the CEO of the company, and the single point of failure happens when he loses his password / laptop.

    No matter what the network share is or what server it is, it can be Payroll, it can be HR, it can be IT stuff, the CEO has to be added…

    And yes, you cannot blame him if he changed some figures in your Excel sheet, and he won't even bother to drop you an email regarding the modification.

    Why do the Higher Ups do it? Sometimes just for the sake of showing power and sometimes to prove their stupidity.

    Anish
