Open Source and information security mailing list archives
From: capegeo at opengroup.org (George Capehart)
Subject: Soft-Chewy insides (was: CyberInsecurity: The cost of Monopoly)

Michael Scheidell wrote:

>><cynical grin>  Would that that would really help.  I guess maybe in the 
>>long run it might, but I'm not holding my breath.  There's still the 
>>small matter of connecting cause with effect and then implementing a 
>>program that will function appropriately at all levels of the 
> 
> 
> Just did a presentation to a bunch of AeA CFOs (AeA is American
> Electronics Association) where the first slide I gave them a piece of
> paper that has to go with their 10K reports and said:
> 
> Ok, as the CFO of a public company, would you sign this:
> (a bunch of legal gook I got from our SEC lawyer).
> 
> Went through a high (board level) presentation with lots of pretty color
> pictures, talked about jail time and fines and informed them that the
> CFO is the one who will sign it.. 
> then when done, said 'ok, NOW who will sign this.  You KNOW for a FACT
> that your IT department has taken care of this, right? you don't need an
> outside/third party audit to make sure the IT or internal security guys
> did their job, right?'
> 
>  NO ONE wanted to sign it then.

Heh.  That's great.  Wish I could have been there to see that.  Sounds 
like you really got their attention.  But this brings me back to the 
original concern:  It's one thing to realize that you have a problem. 
It's something else to fix it.  And my experience has been that the 
people who have the problem don't have a clue how to fix it.  Clueful 
organizations have a strong Information Security/Assurance *program* in 
place.  CFOs of those organizations *will* sign the document because 
there *is* a formal risk management process in place which includes some 
kind of certification and accreditation process.  They are *very* likely 
to be the approving authority on some of the systems.  They are also 
part of the governance process.  If there is no Information Security / 
Assurance *program*, there is a huge problem.  This is the one I 
continue to encounter:  When an external audit/assessment shows many 
deficiencies, the response of the clueless organization is to: a) (try 
to) patch the holes, and b) maybe offer up a sacrificial lamb.  However, 
the _root_cause_ of the existence of the problems in the first place is 
the absence of a real program.  In the absence of a program, even if the 
holes are patched, within a year they will return or be replaced by 
others.  So the *real* solution to the problem is to patch the holes 
*and* the organization . . . by implementing an effective program.  One 
would hope that, having had their attention focused on the existence of 
symptoms, the CFOs will conclude that their organization is sick.  Some 
will.  Some won't.  Of those that will, how many will know what "the 
cure" is, or how to go about getting it?  *This* has been my 
frustration:  having enough time with the right people to educate them 
on what the options are and what the solution is . . .

Cheers,

George Capehart
--
George W. Capehart

"We did a risk management review.  We concluded that there was no risk
  of any management."  -- Dilbert
