Thursday, April 4, 2013

"Badges? We don't need no steenking badges!"

All too often I've encountered a certain type of person in an enterprise, business or personal setting who questions the need for a secure network environment. Actually the word "questions" is too weak; this type of person actively opposes network security measures. And very often they're in a decision-making position for their organization. One otherwise intelligent manager that I once worked with recommended that we discontinue our enterprise antivirus and disconnect our firewalls.

What reasons are given for their opposition? "Security is too inconvenient." "We don't have anything a hacker would want." "Security is a waste of money." "I use (a Mac / Linux / Microsoft Security Essentials) and I'm not vulnerable." Despite all evidence to the contrary, such persons throw up obstacles to even the most basic of security measures. How does one deal with such deliberate, even prideful, ignorance?

IT supports business, and IT decisions must be made in the context of the needs of the business. The primary need is profitability. IT is a cost center, not a revenue generator, so IT expenses must be carefully evaluated against the cash flow of the business. However, business is also about evaluating risk, and weighing the cost of mitigating a threat against the likelihood and consequences of its occurrence. That is a long way of saying that you must speak "dollars and cents" when discussing IT security with the business principals.

Stakeholders will sometimes focus just on the cost of security. But let's flip that around, and talk about the dollars and cents of the risk. Why? Because the hackers exploiting these risks do it for the money. Whether one considers the information in their network to be of value or not, there are many ways to generate cash from an unprotected PC connected to the Internet. Brian Krebs, a security blogger who focuses on breaking down threats in ways that everyone can understand, published an interesting article and accompanying chart that together illustrate the many ways your PC can be turned into cash.

Aside from harvesting your social security number, bank account numbers and credit card numbers (all of which can be immediately resold on the Internet), how about gathering your email contact list for sale to spammers? What about using your compromised PC to serve child porn on the web? Or grabbing your login credentials for any number of websites, including access to your business servers? Or adding your PC to an army of thousands of zombie bots used to launch distributed attacks on high-value Internet targets?

The antidote to ignorance is knowledge. And while you may not convince those who proudly cling to their ignorance, you just might change the minds of those whose job it is to keep an eye on the dollars and cents.