RE: A Rallying Cry to Executives?



Only 1 problem with this.

It's too long for "regular" employees to read. Most people will get to
"proliferation of viruses" and pause wondering what the heck that means.

You have to keep these things short and sweet and use terminology that
people will understand. Of course these are all words that any educated
employee should be required to know, however in general, employees
prefer not to read a "boring" technical article filled with IT Jargon.

Other than that, I think it's right on point and well put.

************
Average Joe Employee says: "Uh...what's a Sasser?"
"What's proliferated mean?"
"What's all this about "bots" wearing Trojans?"
"Kill Bill... That was a cool movie."
"0-day? Is that like D-Day?"

-Right Click => Delete.
************

Scrape the mold off and publish this in some sort of Acceptable Usage
Policy.

JMB
| -----Original Message-----
| From: admin@xxxxxxxxxxxxxxx [mailto:admin@xxxxxxxxxxxxxxx]
| Sent: Friday, March 31, 2006 2:34 PM
| To: security-basics@xxxxxxxxxxxxxxxxx
| Subject: A Rallying Cry to Executives?
|
| Our network engineering staff recently came across
| some old documents left molding in a closet. An
| interesting note from the, at the time, CIO outlined
| a communication to our executive management. This
| is what was said:
| -------------------
| "With the growing proliferation of viruses, worms
| and malicious code in the wild, it is imperative we
| take proactive measures to ensure confidentiality,
| integrity and availability of our data. As it has
| been stated before, we cannot assess our true
| vulnerability until we have assessed our current
| state. Current state of our network reveals our
| weakest points are most vulnerable to attack. The
| recent outbreak of Sasser and Netsky should have
| taught us all a grave lesson. Something tells me we
| have yet to fully "get it"."
|
| "Information Security cannot do it alone. Nor should
| they be expected. The greatest type of security
| breach reported for 2004 was the Denial of Service
| attack. DOS attacks account for almost double the
| amount of money lost last year due to a particular
| genre of attack, targeted DDOS attacks proliferated
| through hidden "bots" found in Trojan code. Denial
| of Service can be overused as a broad term,
| however, when access to any type of data is
| prohibited by either an exploited system flaw or
| introduction of malicious code it is referred to as
| a denial of service."
|
| "This paradigm we operate in today is constantly
| changing. We should take a more macro approach when
| scrutinizing security within our network. By using a
| complete and trustworthy assessment of our hardware,
| in-house software and software provided by our
| vendors, we should readily be able to identify gaps
| in security, unauthorized access points and
| unnecessary redundancy."
|
| "It will take a change in the corporate culture
| itself to rid ourselves of unnecessary access such
| as gateway devices into the network and directed ATM
| access provided by large vendors. To date, we as a
| company have enjoyed large successes and have reaped
| the rewards. Unfortunately we have practiced little
| restraint and have been even less frugal."
|
| "In order to remedy the problem, we must attack it
| head on. The movie Kill Bill's leading character
| did not wait for her victims to appear before her.
| Nor did she wait until one or more of them created
| the opportunity. Her problem was attacked head on.
| There still is a challenge present and we as a
| company must be strong enough to accept it."
|
| "End User training should be at the forefront of
| every line level manager in this corporation. This
| should also include good Information Security
| practices, such as secure coding initiatives and
| robust password management, as well as daily job
| function Security Awareness duties. We can only get
| better at combating unwanted downtime and lost
| revenue due to poor security if we take a top-down
| approach to teaching and promoting good data
| security practices. The recent Sasser outbreak could
| have been prevented if users simply deleted
| offending messages. In addition, the 0-day exploit
| is upon us. Communication and remediation efforts
| must be proactive or at least as close to the
| release of malicious code as possible. Information
| Security stewards simply must continue work on
| enhancing their methods of communication to all
| areas of the company. For this is no longer strictly
| a technological problem. It is a survival issue."
| --------------------
|
| Maybe these executive types are starting to understand.
|
| -PM, IS Director
| I Flip You Off dot Com
| San Mateo, CA
|

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------