Senior execs are the biggest risk to IT security

[Permalink]

I guess some raises and bonuses are in order.

9 Likes

Well, you have to attract and retain the right sort of peopleā€¦

4 Likes

Thatā€™s probably the biggest unintentional risk to IT securityā€¦

Nobody outguns the insider-threat-IT-guy; but if you want people who have access to juicy information in the normal course of employment, are freqently unsavvy enough to open dubious attachments and the like, and often have enough institutional clout to flout onerous restrictions placed on lesser cube drones, just look at HQ.

4 Likes

yes, MBAs are Master Bullshit Artists, look what happened when we elected one president.

its not just internet security theyā€™re oblivious to.

4 Likes

What part of ā€œThe rules donā€™t apply to usā€ donā€™t you get?

8 Likes

Not mentioned in that article - the Cs and Vs will often insist on actively downgrading company security measures for their convenience, sometimes to the point where it actively puts everyone else at risk (not just indirectly when they get infected).

I remember one who just turned off the companyā€™s gateway firewall because it was interfering with his music pirating.

2 Likes

Iā€™d be the last to argue that institutional IT isnā€™t (in some locations) infested with incompetent, hidebound, obstructionists who really shouldnā€™t be in the industry and/or are basically fucking with you; but one reason why the ā€˜enterpriseā€™ IT user experience is so comparatively miserable is that the ā€˜homeā€™ IT experience takes some crazy risks in the service of ease and convenienceā€¦ Also, backwards compatibility and legacy systems integration.

2 Likes

ā€œEveryone has to pass through the eye of the needle.
ā€¦
Except these people.ā€

2 Likes

Oh, yea. Thatā€™s one of my faves. In fact, I was at a place one day when there was a big meeting and some asshole decided that he HAD to have this fucking Elvis song as his ā€œintroā€ - no one had a copy of it they could find quickly, so the infrastructure IT director became the pussy of all pussies and told the network guy to open the firewall so he could grab it from Lime Wire or whatever. Clearly this story pre-dates itunes/amazon, etcā€¦
That was the day I lost all respect for that schlub.
I was in a roundtable meeting at one company where the CEO bitched about security being too tight - in a company regulated by the FDA of all things.
This thread could go on for weeks if just a handful of BB IT readers dropped a few stories. Sometimes itā€™s a damn wonder some companies still function at all.

3 Likes

Seems pretty common. Long ago I was an intern in the office of a universityā€™s president. She didnā€™t like dealing with email or other computer based tasks, so Iā€™d read her emails to her and let her dictate responses. This gave me access to all of her email. She also didnā€™t like using the universityā€™s enrollment management system, so I was tasked with that too. Since IT wouldnā€™t give me more than the most basic access, she gave me her account credentials, which allowed me full access to all records for all students and alumni. While I never got up to any hijinks, it would have been easy to do on a massive scale undetected.

Many systems I set up during my consulting years had tons of exceptions built in for executives and their administrative staff. When CEO Bob is out of town, you canā€™t have an approval holding everything up, so secretary Sam had an exception that let him do unlimited approvals. Since CEO Bob might be out of town or just out on the golf course at any moment, there was no restrictions on secretary Samā€™s ability to be CEO.

Often the problem is that the systems are initially designed with the theoretical way people think a company operates rather than the reality of how it operates. Once the system goes in place and the difference is discovered, holes are poked all over the place so those actually doing work can get it done. If youā€™re a poor slob who isnā€™t well connected in the company, good luck on getting one of those holes poked for you. Near the executive suite? Poke away!

1 Like

This happens everywhere. For years I worked in a bank, preparing the cash that went straigt to ATMā€™s all over the state. On one hand, they would drill into us how important that being the last line of defense in counterfeit detection, itā€™s important that we scruitinize every bill thatā€™s flagged by the machines; on the other hand, if weā€™re not keeping up production, we must be slacking off.

If a supervisor ran a currency counter that beeped too much, she would turn off all of the detectors so that she wouldnā€™t be iconvenienced. If anything bogus got through to the ATMā€™s, all they cared about was that it came through my office.

Every time you get cash out of an ATM, check the bills on the spot, no matter what the PR department tells you.

3 Likes

Can I flag a comment TIL?

The same basic principle is at play with national security. It has ever been that the ā€œpurchasersā€ of national security information (kings, queens, politicians, etc) were/are able to play fast and loose with the information they obtained (even - and especially - when doing so explicitly risked ongoing national security) in ways that got/gets peons executed, or at least sent to the Tower.

A number of years ago, I was working to stand up a SOC team, for an organization that was just standing up IDS/IPS and SIEM (obviously, now that you have it, you need people to interpret it. ā€¦ )

I had noticed that some of the brute-force SSH assaults were coming so hot and heavy, that they approached saturating some of our smaller circuits and firewalls. So I noted the fact, and included it as part of an argument to enable rate-limitation on the firewalls (a fairly standard measure for dealing with DDOSs and brute force attackers. . . )

I then get called onto the carpet at end of day, a day or two later, where manglement is fretting over my ā€œadmissionā€ that we were nearly DDOSed. I told them, no, I saw a potential problem, and wanted to fix it BEFORE it rose to DDOS levels. They would not let me leave until I added nearly a page of weasel-words, to the already-plain statement that this was a PREVENTATIVE measure because I saw the POTENTIAL for some occasional DDOSā€™s in the future.

The same group INSISTED that I had not detected a trojan, that the workstation in question had tested clean, etc.

Until an outside audit group found the Trojan I had detected, AND the email chain of them denying what I had found.

Now, in a NORMAL world, I would have gotten a small bonus and a promotion. . .but what REALLY happened was at the end of the option year, they dropped the SOC Lead position, saying it was un-needed. . . . and so, once again, I found that no good deed goes unpunished. . .

2 Likes

Thinking about this some more, it seems that once people get to a certain level - be it in politics, intelligence, or business - they cease to think that they are part of the organisation (be it government, spook city, or corporation) and that the organisation is theirs, their plaything, to do with as they will. They donā€™t have to follow the rules, because they set the rules, and itā€™s effectively impossible for them to ā€œbreakā€ the rules, because the rules are whatever they deem them to be. ā€œWhen the President does it, that means it is not illegalā€ is the most public example, but far from the only one. Enron is another excellent example.

So, senior execs arenā€™t a threat to IT security at all. IT security is exists to serve them, so if they deem that IT security is an embuggerance, well, letā€™s not forget which is the horse and which is the cart. IT security can go to hell. And if the senior exec should royally screw the pooch ā€¦ shrug the next senior exec position is only a golden parachute away.

No surprises here. Iā€™ve seen this so many times I couldā€™ve just screamed. But, I didnā€™t. I just turned into a mega-bitch diva. Working as a consultant for many years showed me the horror show that exists many times.

Perhaps the worst company-company abuse was a company I worked for that charged a well-off Native American tribe close to a half million to install their new accounting system - which was a beta. And no back-ups of the original data was done! And yet, they love to say ā€˜risk-managementā€™ in their round table meetings.

Or, a federal agency that had accounts existing for workers who hadnā€™t been there is as much as 7 years, plus current accounts with killer access to sensitive information. Why? Because despite having hundreds of IT people on staff, theyā€™d happily pull them off-task at any time to do special favors for execs until there was nothing left for the essentials. And then, they fell in love with their Blackberries - one of the crappest platforms I have ever encountered. More manpower lost.

I think the very worst were the 2 federal employees who harrassed a contractor so heavily that one day, he just went home and blew his brains out. Literally. They neither knew nor cared that the guy already had a history of depression and was being treated, but it wasnā€™t enough to get past what he had to deal with every day. It does happen. Kind of made all the rest of the malware and virii and executive entitlement pale in comparison.

I suppose I could chime in with some of the silliness Iā€™ve seen over the years, but instead Iā€™ll give props to my boss: she doesnā€™t insist on any special treatment or IT privileges. She doesnā€™t even have local admin on her laptop, and doesnā€™t ever whine about it, either.

tl;dr: not everyone with ā€œPresidentā€ on their business card is a clue-free moron; just most of them.

1 Like

Does it strike you that, due to the vast majority of clueless idiots, the type of boss like you have now becomeā€¦I dunno, almost saintly to us in a way?

As someone in IT Iā€™ve got to say; ā€œTell me something I donā€™t knowā€.