How to Get A Real Security Budget
Sun Aug 15 04:47:59 MDT 1999

There you are, a highly paid professional administrator for a large
Information Technology (IT) shop. Responsible for dozens, sometimes
hundreds or thousands of machines that process company business;
business in the form of vital correspondence between Research and 
Development, financial transactions for your countless customers.
Perhaps your systems also manage the entire payroll system of a 
fifty-thousand employee outfit: all things deemed important and 
sensitive by everyone from the janitor all way up the food chain 
to the management.

So if management considers those resources and income so valuable, why
won't they allocate more than a couple rolls of pennies for you to
secure the networks you are there to run and protect? Worse, why do
you receive the brunt of all heat when any security mishap occurs?
The age old Corporate 22 (AKA, Catch-22): secure all of our networks,
but you get no resources to do so, yet you will be blamed when
something goes wrong. Good luck!

The Trick
So how do you get the budget or resources required to do your job?
The trick is to provide hard evidence of insecurity that you can readily
show to your boss. Often times administrators are given a small budget 
to achieve their goals. The trick is not necessarily using that limited 
budget to work miracles on your systems. The trick is turning that 
limited budget into real money. This is a gamble of sorts, but it is a 
safer bet than most.

Despite what you may have heard, penetration testing/auditing serves
several good uses. Many people already know it can be a valuable method 
of testing network security and showing weaknesses in a corporation's 
access points. However, this audit doesn't need to come in the form of a
six figure/six month ordeal. Hiring a team to do a quick audit can be 
much more effective.

Secure a reliable and talented penetration team. Define the scope
of their test to include ONLY the resources you are responsible
for, lest other administrators in the company deem the probes as
genuine attacks. Further qualify that the team's goal is to take
some kind of trophy from the servers rather than leave a fingerprint. (1)
Suggest a trophy such as a portion of a restricted database, headers
to your CEO's email, or your customer's credit cards. There are two 
qualifications to this advice:

        1) Make sure this measure is approved by management in advance.
	   Sniffing the CEO's email before it reaches him could prove
	   risky to your career.

        2) Make sure the CEO will recognize the trophy as sensitive.
           CEO's don't care about theory or technology; they care about
           concrete, quantifiable items.  Company assets and company
           secrets rank high on that list. And handing your CEO his
           own words written to his senior management will certainly
           open his eyes.

If this is within the realm of your existing budget, explain to the team
your goal. Their report should be written in a clear and concise manner
as usual and indicate nothing about your secret agenda. The report
should be accompanied by your own letter or paper introducing the team's
report. Who they are, why they performed the penetration audit, and
the results. And should your CEO not comprehend the ramifications
of the report, your letter should go one step further and qualify the
report; particularly how it specifically applies to your company.  It is important
that your letter and the audit team's report do not exaggerate the
problem. As much as possible, let the facts demonstrate the issues and
their severity. Most importantly, keep the report positive. Management
does not like doomsday prophets and whiners!

Make proactive security a more-bang-for-the-buck sale.  CEOs understand
revenue; they understand revenue loss; and they understand revenue
enhancement. Pitch security as that canonical ounce-of-prevention that
will save them untold dollars in the long run.  If you must, give them
a "you-can-pay-me-now-or-pay-me-later" pitch.  Nothing drives home the
point of how small the cost of a full security makeover pales in
comparison to the recovery from an institution-wide intrusion.

Your friends

Security Professionals as Validators:

If your current budget is too tight to allow a penetration audit, you
still have another option. The same security team can fulfill the same
role by writing an assessment report based on information provided
by you and your staff. Instead of having the team find all of the information
on their own, give them vital information about your network, trust
relationships, firewall rules and more. From these details, the team
can piece together a good idea of the security posture of your network.
From that picture, recommendations and concerns may be addressed.
In many cases, your technical staff can write up the paper detailing the
network. At that point, use your small budget to get outside professional
validation of your own assessment report.

Be careful, though.  Politically-entrenched know-nothings in the CIO's office
may not take kindly to your actually consulting with people who actually know
their Information Technology.  There's a fine line to walk in securing your
system and burning as few bridges as possible.

Corporate Legal Staff:

Yes, lawyers can be your friend! Approach the company lawyers
with your intentions. Illustrate your concerns and your goals as a basis
for their help. Quote examples of how insecure networks can lead to
corporate liability lawsuits (2). At this point, the legal staff should be quite
interested in what you have to say. In essence, you are making the legal
staff part of the responsibility for maintaining a secure network.

Cover Your Assets:

Document EVERYTHING.  Write memos, file reports, issue advisories, the works.
If you don't write it down, it didn't happen.  Keep a record of where you're
right and where you're wrong.  You can bet your detractors will keep the latter
record, so you're going to have to be your own champion.  Even the most stern
resistance from upper management can be worn away when a history of correct
conclusions is brought to the fore.  In short: nothing speaks like being right.
If you see something dire coming down the pike, document it.  If your cautions are
ignored, keep hold of the documents until you're vindicated.  (I have a way of
re-issuing memos authored years before, prefacing them only with a one line
note which indicates that the attached document is a reiteration of cautions issued
years prior.  That has an unusually powerful effect.)

If All Else Fails...
Sometimes you may not have the resources to hire an audit team to
help prove your point. In that case, fall back on the same tactics
I use to attempt to help everyone else out there. Use your creative
writing to persuade your boss you need more resources. Rather than
a technical audit report, resort to at least a two-page paper outlining
the same things the report normally would. The advantage to this method
is that you get to use a bit more flare, a bit more creativity and
scary proposed situations to help get your point across.

It's not a matter of stretching those few dollars to accomplish
the impossible. We all know that most IT shops are not given adequate
resources to fulfill the requirements placed on them. With security
becoming an ever popular buzzword thrown around by management, it will
continue to come down on you.

Brian Martin Copyright 1999 Brian Martin Thanks: Carole Fennelly, Jay Dyson, Dale Coddington and Space Rogue for suggestions and editing. Thanks to B.K. Delong for the URL and reference material. Footnotes 1. Many penetration teams will touch a file owned by root/administrator in a restricted directory in order to prove they gained access. 2. German Court Ruling Another Blow to U.S. Encryption Standard