Establishing Digital Trust: Don't Sacrifice Security for Convenience
Unfortunately for the rest of us, a good story line can make for a bad work day.
I'm writing this at about 35,000 feet, jetting from the right edge of the U.S. to the Left Coast. A client called at 4 p.m. yesterday in serious need of help after something took down the company's key servers and left them offline. Their system administrators know how to rebuild and get things running again, but they need a systems security review to so they can make the changes necessary to keep this from happening again.
I didn't even get past the first call with senior management before the communication issue surfaced.https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i At that point, I'd already discussed with colleagues and company reps the basic problem. We had gone over plans, and made flight and hotel reservations. I was calling to let company execs know I'd be there in about 12 hours.
During this call, I started to ask for network or system logs to read while on the plane, but stopped myself, realizing that the people who would get that for me were already stressed and busy. I had a hundred questions racing through my head, but paused and suggested that the next morning would be soon enough.
And that's when the manager said, ''Don't worry about the logs. I'm not interested in catching a hacker. I just need the system back up and secured.''
We were not communicating.
First, I wanted to know what kind of attack it was, when it had happened, and what malware was used or planted on the servers. I wanted to see a network diagram with tick marks on the hosts that had been compromised and by which bugs. I wanted to know what exploit had been used and what bugs might still be inside the network.
For me, this is the point where Sherlock Holmes barks, ''Quick, Watson. The game's afoot!''
But that's not what they were thinking.
The client doesn't want to dwell in the past. He needs (and I mean needs, not wants) this system back online yesterday. He wonders why the geeks always want to play with the toys and figure out why things happened, as if it's another lab exercise. I could almost sense a sigh and the thought, 'Why don't these guys understand business?'.
I realized I was contributing to this failed communication.
I was interjecting my ideas and goals as someone else's thinking. The chances that I was wrong were good.
This was, after all, a tech company, and the manager had been one of the founders. Trouble is, we each come at any situation from our own current perspectives. In our press for speed, we sometimes forget to look at the bigger picture. A lot of my consulting is translating geek-to-business and business-to-geek, but I'd just found myself caught in the same trap.
I knew I had to listen first. I mean actively listen, like I had learned to do a long time ago -- ask questions to clarify and get at what they need to have done.
I need to help them see the problem from, perhaps, several perspectives. But I need to help them solve their problem and not accidentally turn it into the type of problem I like solving.
So, what this means is that I'll meet folks and find out what they have for a current network map and what they think happened. We'll work together to find out what hit them, but if it's not quickly apparent, we'll move on to securing the general network risks. We'll spend less time now with the cool stuff.
Like I said in the last column, a network can be secured against many possible attacks by simply reducing what is allowed through a firewall. We'll be looking at this sort of approach to improve security, get patches up-to-date, and add intrusion detection and prevention systems to defend the network.
It's all about business. The actions this firm have taken are the right ones.
The measure of security in a company isn't whether or not they get hit with a worm, but how they react when it -- almost inevitably -- happens. We sometimes forget that IT is a support function. Without revenue and customer confidence -- the business -- the geeks don't get to play. On the other hand, IT isn't a 'cost center' as much as it is a business enabler. Without IT, there would often be no business in any highly competitive market.
Both the primary managing groups and the primary IT groups need to learn more about each others' jobs and remember those perspectives. None of us can afford to have the business slump because something was, well, lost in translation.
Bob Hillery, a former computer and security manager for the U.S. Navy, is a founder of Intelguardians, LLC, a security consultancy. With experience in the corporate, military and academic worlds, he now also is an instructor with the SANS Institute.