The Six-Figure Software Licensing Mistake

It was late on a Friday afternoon and I was getting ready to go home for the weekend when the telephone rang. We all know that a phone call late on Friday is never a good thing. I hesitated for a moment then grudgingly picked up the phone.

“Mr. Smith?” the voice inquired.

“Yes…”

“My name is John Jones and I’m the mar­keting manager for MuchoLocoSecurity Inc. [All names have been changed to protect the innocent and the guilty.] We are a security software development company on the East Coast. I’m sitting here with our chief legal counsel and company president. This call is to advise you that one of your employees has illegally downloaded one of our software applications onto your network and it is currently installed on 8,441 workstations and 106 servers. The appli­cation in question retails for $39.95 per copy but we’ve decided to allow you to purchase all 8,547 licenses for $12.00 per copy for a total of $102,564. How would you like to pay?”

Gulp!

After establishing that this was legitimate and not an elaborate prank call from a deranged colleague, I told the marketing manager I’d be in touch early the next week. The weekend wasn’t shaping up well. I called my boss and advised him of the situation. The next step was to call my lead incident response guy to determine the validity of the company’s accusations. We have a fairly formal process for approving software so when they called back 15 minutes later and said the software in question was indeed installed, I wasn’t surprised. I was, however, dismayed to discover that the suspected culprit was one of my best guys—someone I wouldn’t have normally have suspected.

My next call was to legal. Do you know how hard it is to find a government attorney on a Friday evening? After interrupting several family dinners, I found an attorney and relayed my conversation with MuchoLocoSecurity. She absently said that we’d address it on Monday but I should spend the weekend gathering information. OK, how many of you have had a perfectly planned weekend ruined by a Friday afternoon phone call?

Perhaps some of you have already figured it out, but guess who was responsible for running the internal auditing tools we used for detecting unauthorized software in our environment? Yep…the same guy who had downloaded the hacked license key and illegally installed the software in question. Lest you think that I had a black hat on my staff, that was not the case. This was one of my best and most loyal security engineers. The whole incident started innocently and legally enough with him working with a sales engineer from MuchoLocoSecurity and getting an evaluation copy and license for the software. Things got very confusing after that. My guy claimed that the SE was aware of everything he had done, while the company sales guy claimed something completely different. The bottom line was that MuchoLocoSecurity knew, and had supporting evidence, that their software was installed on a specific date using an illegal license key in our IT environment.

This is all background to get the juices flowing and get you thinking. I could bore (or entertain) you with how this whole incident played out but let me just say that it was painful and professionally damaging to more than one staffer, and when it was finally resolved a couple of months later, my budget was magically smaller by about $100K. While this might hurt in a private sector company, in a government organization like mine, it ruined the year. While many of you have already started going through your mental checklist, there are probably others hyperventilating at the thought that this could happen to you too! Since this article is intended to enlighten you, my CSO colleagues, here are some of the things I learned from this experience.

Have a Policy

You must have a security policy that specifically addresses the use of noncompany issued or approved software and that defines roles and responsibilities so that everyone understands who can and cannot download software and for what reasons. If your security staff is like mine, they can get creative and will play fast and loose unless there are specific policy guidelines for downloading and using “productivity software.” Don’t get me wrong. I love the fact that my gals and guys are always looking for ways to do their job better. The problem is, there are so many cool tools that many times they think there’s no harm in downloading and installing the latest version of an application. Unfortunately, the harm may not be known until the damage has already been done. I know. I’ve done it and had my hands slapped, as many of you have!

While we had a good policy regarding the use of legal software, it was a little loose on the use of illegal software. It’s critical to ensure your policy is unequivocal in identifying what types of licensed or unlicensed software can be installed. Is software licensed under GPL, LGPL or FSF approved? What about Copyleft? What does all this mean? Check out this helpful background . And read all licenses thoroughly.

A good policy should also state that only software that has been approved by your governing control board can be installed in your network environment. In addition to your working “software tools,” this policy should include encryption, PDA, MP3 and peer-to-peer software, as well as screen savers and browser plug-ins. Your policy should also address media and external devices that are personally owned. Not only are these a huge source of malware but they can compromise the integrity of your software environment, and the last thing you want is an unexpected knock on the door by the Business Software Alliance.

Have an acceptable use guideline defined in your policy and require your staff to sign on to it. Make sure it specifically calls out the IT and security team members so that no employee feels above the rules. You should also have a change control policy. Good change control processes ensure your staff understands how and when it is acceptable to introduce new software and changes into your computing environment. A change control policy should require that, among other things:

• Any system changes, including new software installations, are documented and approved
• Configuration management documentation is updated to reflect the new state
• Changes are applied only by authorized personnel
• Changes made by one person to security appliances and devices must be reviewed by another qualified staff member.

This separation of duties keeps a potential bad apple from having both keys to the nuclear missile. The military calls it Two-Person Integrity, and the purpose is to keep people honest. I’m not equating an illegal software incident with something as critical as nuclear weapons, but we all take a hit in credibility when people start wondering who’s watching the watchers.

Finally, make sure you have a policy to conduct background checks on all your new hires and annual checks for your existing staff. If you don’t, you are asking for trouble. You’d think that in a large government organization this would be standard policy, right? Wrong! One of the first questions I was asked about this employee was if he’d had a background check.

Run Good Auditing Tools

You need to run security tools that audit and identify when unauthorized software is installed. Symantec Altiris, LANDesk, Microsoft Systems Management Server and Novell ZENworks are some of the representative tools that establish the heart of software asset management in a Windows environment. In addition to tracking what software is installed and uninstalled, these tools track licensing and report on inventory management and usage. Need metrics? These tools give you all you need.

Establish a Training Program

Make sure that your folks get regular refreshers on what it means to be a security professional. As most of us have heard, “The only difference between a security professional and a bad guy is permission.” Even good people need to hear this every now and then. It reminds them not to cut corners. I’ve seen people get so caught up in resolving a problem or putting something new together that they forget their overall responsibilities and jeopardize their careers by circumventing policy. When people get caught driving drunk, their insurance rates go up and they have a police record. It doesn’t matter if they are solid citizens with no prior records. The same goes for information security professionals. It’s awfully hard to get a job with the black mark of unprofessional conduct on your résumé.

Develop a Code of Ethics

Establish a code of ethics for your security staff and have them read and sign it annually. I do this so that my security team will internalize the fact that they are held to a higher standard. They have access and authority that few other IT people have. I set the bar high so that my staff recognizes that it’s a privilege to work on the security team. It also helps us hold each other accountable. No one wants to have his credibility stained by a team member exceeding his privileges and bringing discredit upon the organization. We all believe that we have smart and dedicated people, but an annual refresher goes a long way in brushing away the cobwebs on a forgetful memory.

So there it is. Save yourself some heartache and make sure your people understand your organization’s policies, but perhaps more important, what it means to be a security professional.

CSO Undercover is written anonymously by a real CSO. Send feedback to csoundercover@cxo.com.