http://www.securityfocus.com/templates/forum_message.html?forum=2&head=205&id=205 How to Get A Real Security Budget Sun Aug 15 04:47:59 MDT 1999 There you are, a highly paid professional administrator for a large Information Technology (IT) shop. Responsible for dozens, sometimes hundreds or thousands of machines that process company business; business in the form of vital correspondence between Research and Development, financial transactions for your countless customers. Perhaps your systems also manage the entire payroll system of a fifty-thousand employee outfit: all things deemed important and sensitive by everyone from the janitor all way up the food chain to the management. So if management considers those resources and income so valuable, why won't they allocate more than a couple rolls of pennies for you to secure the networks you are there to run and protect? Worse, why do you receive the brunt of all heat when any security mishap occurs? The age old Corporate 22 (AKA, Catch-22): secure all of our networks, but you get no resources to do so, yet you will be blamed when something goes wrong. Good luck! The Trick So how do you get the budget or resources required to do your job? The trick is to provide hard evidence of insecurity that you can readily show to your boss. Often times administrators are given a small budget to achieve their goals. The trick is not necessarily using that limited budget to work miracles on your systems. The trick is turning that limited budget into real money. This is a gamble of sorts, but it is a safer bet than most. Despite what you may have heard, penetration testing/auditing serves several good uses. Many people already know it can be a valuable method of testing network security and showing weaknesses in a corporation's access points. However, this audit doesn't need to come in the form of a six figure/six month ordeal. Hiring a team to do a quick audit can be much more effective. Secure a reliable and talented penetration team. Define the scope of their test to include ONLY the resources you are responsible for, lest other administrators in the company deem the probes as genuine attacks. Further qualify that the team's goal is to take some kind of trophy from the servers rather than leave a fingerprint. (1) Suggest a trophy such as a portion of a restricted database, headers to your CEO's email, or your customer's credit cards. There are two qualifications to this advice: 1) Make sure this measure is approved by management in advance. Sniffing the CEO's email before it reaches him could prove risky to your career. 2) Make sure the CEO will recognize the trophy as sensitive. CEO's don't care about theory or technology; they care about concrete, quantifiable items. Company assets and company secrets rank high on that list. And handing your CEO his own words written to his senior management will certainly open his eyes. If this is within the realm of your existing budget, explain to the team your goal. Their report should be written in a clear and concise manner as usual and indicate nothing about your secret agenda. The report should be accompanied by your own letter or paper introducing the team's report. Who they are, why they performed the penetration audit, and the results. And should your CEO not comprehend the ramifications of the report, your letter should go one step further and qualify the report; particularly how it specifically applies to your company. It is important that your letter and the audit team's report do not exaggerate the problem. As much as possible, let the facts demonstrate the issues and their severity. Most importantly, keep the report positive. Management does not like doomsday prophets and whiners! Make proactive security a more-bang-for-the-buck sale. CEOs understand revenue; they understand revenue loss; and they understand revenue enhancement. Pitch security as that canonical ounce-of-prevention that will save them untold dollars in the long run. If you must, give them a "you-can-pay-me-now-or-pay-me-later" pitch. Nothing drives home the point of how small the cost of a full security makeover pales in comparison to the recovery from an institution-wide intrusion. Your friends Security Professionals as Validators: If your current budget is too tight to allow a penetration audit, you still have another option. The same security team can fulfill the same role by writing an assessment report based on information provided by you and your staff. Instead of having the team find all of the information on their own, give them vital information about your network, trust relationships, firewall rules and more. From these details, the team can piece together a good idea of the security posture of your network. From that picture, recommendations and concerns may be addressed. In many cases, your technical staff can write up the paper detailing the network. At that point, use your small budget to get outside professional validation of your own assessment report. Be careful, though. Politically-entrenched know-nothings in the CIO's office may not take kindly to your actually consulting with people who actually know their Information Technology. There's a fine line to walk in securing your system and burning as few bridges as possible. Corporate Legal Staff: Yes, lawyers can be your friend! Approach the company lawyers with your intentions. Illustrate your concerns and your goals as a basis for their help. Quote examples of how insecure networks can lead to corporate liability lawsuits (2). At this point, the legal staff should be quite interested in what you have to say. In essence, you are making the legal staff part of the responsibility for maintaining a secure network. Cover Your Assets: Document EVERYTHING. Write memos, file reports, issue advisories, the works. If you don't write it down, it didn't happen. Keep a record of where you're right and where you're wrong. You can bet your detractors will keep the latter record, so you're going to have to be your own champion. Even the most stern resistance from upper management can be worn away when a history of correct conclusions is brought to the fore. In short: nothing speaks like being right. If you see something dire coming down the pike, document it. If your cautions are ignored, keep hold of the documents until you're vindicated. (I have a way of re-issuing memos authored years before, prefacing them only with a one line note which indicates that the attached document is a reiteration of cautions issued years prior. That has an unusually powerful effect.) If All Else Fails... Sometimes you may not have the resources to hire an audit team to help prove your point. In that case, fall back on the same tactics I use to attempt to help everyone else out there. Use your creative writing to persuade your boss you need more resources. Rather than a technical audit report, resort to at least a two-page paper outlining the same things the report normally would. The advantage to this method is that you get to use a bit more flare, a bit more creativity and scary proposed situations to help get your point across. It's not a matter of stretching those few dollars to accomplish the impossible. We all know that most IT shops are not given adequate resources to fulfill the requirements placed on them. With security becoming an ever popular buzzword thrown around by management, it will continue to come down on you.
Brian Martin Copyright 1999 Brian Martin Thanks: Carole Fennelly, Jay Dyson, Dale Coddington and Space Rogue for suggestions and editing. Thanks to B.K. Delong for the URL and reference material. Footnotes 1. Many penetration teams will touch a file owned by root/administrator in a restricted directory in order to prove they gained access. 2. http://www.idg.net/crd_1998_9-70162.html German Court Ruling Another Blow to U.S. Encryption Standard