Undercover

The CSO's First Security Assessment

The first security assessment at my new employer wasn't supposed to be personal. It just ended up that way.

By Anonymous

Page 2

At that point, I felt good about things. I thought that my manager must be feeling like he had made a good hire, and that he was going to look good by moving this information forward. It turned out that what I took for giddiness was in fact the nervous expression of a passive-aggressive personality. He had neither a clue of what was before him nor an idea of what it meant to our overall security posture.

Like Arlo Guthrie making his case in "Alice's Restaurant," I thought of preparing 27 8x10 color glossy photographs with circles and arrows and a paragraph on the back of each one. Instead, I throttled my enthusiasm to a 10-slide presentation. I thought the meeting went extremely well. The CIO asked questions about how to fix the problems. We talked about patches and configuration issues. Emboldened by my success, I headed out to delve deeper into the bowels of the IT organization, moving toward ring zero.

Circling In

The next phase of my security assessment focused on the flow of data and on application security issues. My team and I looked at the data leaving the company in every available protocol, and what we found was astounding. Personal information, including Social Security numbers and credit card numbers, was leaving the company unencrypted and in violation of regulatory requirements. We found unprotected account codes and routing information, legal documents and arguments, merger and acquisition information. We found discussions about sex, drugs and country music, and other unsavory activities of which I would rather not speak.
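The egress review described above, as an added example that is not part of the original column or its author's tooling: a small Python scanner that flags Social Security numbers, Luhn-valid card numbers and checksum-valid ABA routing numbers in sample egress records, and marks which ones left over a cleartext protocol. The records, hosts and numbers below are constructed for illustration (the card number is a standard Luhn test value, the routing number a publicly listed one used only to exercise the checksum); the set of protocols treated as cleartext is an assumption.

```python
import re

# Constructed sample egress records (protocol, destination, payload).
# These are made up for the example; they are not captures from the column.
SAMPLE_EGRESS = [
    ("smtp", "mail.example.net:25", "Attached: payroll export. SSN 123-45-6789 for J. Doe"),
    ("http", "partner.example.com:80", "card=4539578763621486&exp=0927&cvv=123"),
    ("https", "api.example.org:443", "card=4539578763621486"),
    ("ftp", "backup.example.com:21", "routing 021000021 acct 1234567890"),
    ("http", "cdn.example.com:80", "session=abcdef; no personal data here 1234567890123"),
]

# Assumption: these protocols carry payloads in the clear on the wire.
CLEARTEXT = {"http", "smtp", "ftp", "telnet"}

# SSN: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits, optionally separated by spaces or dashes; Luhn filters the noise.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# ABA routing transit numbers are exactly nine digits; the checksum filters the noise.
RTN_RE = re.compile(r"\b\d{9}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def aba_ok(digits: str) -> bool:
    """ABA routing number checksum: weights 3,7,1 repeated, sum divisible by 10."""
    weights = (3, 7, 1, 3, 7, 1, 3, 7, 1)
    return len(digits) == 9 and sum(int(c) * w for c, w in zip(digits, weights)) % 10 == 0


def find_pii(payload: str):
    """Return (kind, value) pairs for the PII patterns found in one payload."""
    hits = [("ssn", m.group()) for m in SSN_RE.finditer(payload)]
    for m in CARD_RE.finditer(payload):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(("card", digits))
    for m in RTN_RE.finditer(payload):
        if aba_ok(m.group()):
            hits.append(("routing", m.group()))
    return hits


def scan_egress(records):
    """Flag every record carrying PII; note whether the protocol was cleartext."""
    findings = []
    for proto, dest, payload in records:
        hits = find_pii(payload)
        if hits:
            findings.append({
                "proto": proto,
                "dest": dest,
                "cleartext": proto in CLEARTEXT,
                "pii": hits,
            })
    return findings


if __name__ == "__main__":
    for f in scan_egress(SAMPLE_EGRESS):
        flag = "CLEARTEXT" if f["cleartext"] else "encrypted"
        print(f"{f['proto']:5} -> {f['dest']:24} {flag:9} {f['pii']}")
```

The checksums matter: a bare "13 to 19 digits" pattern fires on session IDs and timestamps, while the Luhn and ABA checks drop roughly nine in ten random digit runs. The fifth record is there to show that. The scanner only sees what the collection point can see; for the encrypted record it is the monitoring placement (proxy, endpoint agent, or a TLS-terminating egress gateway) that decides whether the payload is inspectable at all, and a finding over TLS to an unapproved destination still deserves a look.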

Then there were the findings about vulnerabilities on the mission-critical applications that drive the business. The applications were riddled with holes that could provide an ambitious script kiddie with a downhill slide to the company's mother lode of sensitive information.

I packaged the information in the approved format (findings, threats, vulnerabilities, potential impact to the business, remediation strategies, time frames, relative costs and overall recommendations) and printed a copy to hand deliver to my manager. Again, he seemed excited and gave me the go-ahead to meet with the CIO. I delivered a sampling of application vulnerability scans, describing their potential impact on the business.

Proud of my efforts, I ventured to a security conference. I thought the CIO would welcome the discoveries because they would allow us to organize and prioritize a list of fixes. Why would I feel otherwise after my previous success?

The difference was where I was focusing. If you were to look for the virtual home of the CIO, you would find him nestled within the hills and valleys of these highly complex applications. Standing proudly upon the mountaintop of his layered stack of code, SQL calls and integrated messaging, the CIO was much like the master control program (MCP) in the movie Tron. Months later, I can still hear the words of the MCP echoing in my head: "I can't afford to have an independent program monitoring me."
