SANS ISC: InfoSec Handlers Diary Blog

Elevator pitch for explaining security risks to executives

Published: 2008-06-05
Last Updated: 2011-08-10 16:31:00 UTC
by Lenny Zeltser (Version: 2)
1 comment(s)

How do you catch the attention of a busy executive to highlight an important security risk? An elevator pitch is a persuasive statement delivered verbally in the time you would share with the listener in an elevator--about 60 seconds. It is often used by entrepreneurs to convince a potential investor to learn more about the start-up. We can use an elevator pitch to highlight the importance of a security risk to a business or IT executive.

If you've never given or heard a traditional elevator pitch, take a look at the Elevator Pitches website at TechCrunch, which presents many videos from hopeful entrepreneurs. (Consider pitches for SmugMug, Ugobe, Framr.) You may notice that those pitches that catch your attention have a few characteristics in common:

  • They are brief. The listener has a limited attention span.
  • They are specific. The issues they bring up are easy to understand and visualize.
  • They differentiate. The speaker clarifies what makes his issue different from the rest.
  • They empathize with the listener. The listener needs to know why he should care.
  • They have a clear ending point. The speaker clarifies at the end what he wants the listener to do.

Let's say you are concerned about a security risk no one is paying attention to. Maybe it's a web server everyone is afraid to patch. Maybe it's the practice of allowing visitors to plug into your LAN. Use an elevator pitch to convince management to pay attention and support you.

Here are my hypothetical examples that may inspire you to explain your security risks. Remember: be brief and specific, differentiate the concern from other similar issues, clarify why the executive should care, and state what you want.

Example 1: "Our extranet website is missing dozens of critical security updates. The site could crash or become infected at any minute, and it may take us weeks to recover. This will prevent us from communicating with our supply chain partners, and will lead to thousands in losses. The challenge is that the app running on the server was written years ago by people who left the company, so everyone is afraid to touch the server. Yet, if we do nothing, we're sitting on a ticking time bomb. I need your help to get the right people together so we can make a decision. Could I invite you to a 30-minute meeting I'm organizing for tomorrow?"

Example 2: "Have you noticed that every vendor who visits us plugs into our LAN as soon as they unpack their laptop? If their system has a virus, the infection will likely spread to our internal systems. This is a significant threat we have not considered, as our patching practices rely heavily on the effectiveness of our network perimeter. As a result, our internal servers could get compromised, severely disrupting operations. I evaluated a few products that would let us control who can plug into the LAN. Could we speak next Monday about this issue--I think I have a solution you might like, but I need your feedback before continuing with the project."

An ISC reader emphasized the importance of speaking with the right executive. The person should have enough decision-making power to affect the desired outcome. Further, the person must be able to grasp the technical essence of the problem and understand the business implications. The goal of the pitch might be to obtain the executive's sanction to take a certain action. Armed with a formal authorization from an influential person, you will be more likely to get the right people's attention. The reader also noted the power of including compliance requirements in the pitch; this can be very persuasive, as long as you do not make use of it too often.

An important point to consider with elevator pitches: Their aim is not to explain everything you want to say about the issue. Instead, the goal is to catch the listener's attention, so he would give you the additional time needed to explore the issue more carefully. Also, remember that preparation is critical, because you only have a minute to deliver your pitch. Don't memorize your statement, because then it may sound fake and rehearsed, but definitely consider what you will say before approaching the executive.

-- Lenny

Lenny teaches a SANS course on analyzing malware.


Investigating fraudulent email and another Nigerian scam twist

Published: 2008-06-05
Last Updated: 2008-06-05 17:50:13 UTC
by Lenny Zeltser (Version: 2)
0 comment(s)

"THOSE PEOPLE YOU ARE DEALING WITH ARE FAKE." So starts the Nigerian-style scam email submitted to us by Daniel Sefton. In such schemes, the sender attempts to swindle the recipient out of money, often by convincing the victim to pay some fee to transfer a prize, an inheritance sum, or money from another unexpected source.

Contents of the Fraudulent Email

The message we received offers an interesting twist on the scam by warning the recipient to be careful when receiving such messages. The email claims to come from Susan Walter, a US citizen living in Texas. "Susan" writes, "I am one of those that executed a contract in Nigeria years ago and they refused to pay me, I had paid over $70,000 trying to get my payment all to no avail."

The message explains how "Susan" traveled to Nigeria in an attempt to collect the funds owed to her. There, she met with Barr. Mat Oto, a "member of CONTRACT AWARD COMMITTEE." He then "took me to the paying bank, which is Zenith Bank, and I am the happiest woman on this earth because I have received my contract funds of $4.2Million USD."

"Susan" also explains that she saw documents that listed the recipient of her email as a victim of such a fraud. She advises the recipient to contact Barr. Mat Oto via the supplied contact details. This will allow the recipient to retrieve the money that might be owed to him or her, at the mere cost of $1,200 payable to the Internal Revenue Service (IRS).

A web search revealed that such messages began circulating in late April, 2008. The April message I encountered specified a different name for the helpful Nigerian official, "Barrister Afam Richardson Esq," and used the subject "Your happiness is my concern." A message sent in May used "Susan Walter" as the sender. One specified the amount paid to the IRS as $980; another as $1,200.

Investigating Fraudulent Messages

If you receive a suspicious message, consider searching for its elements on This website archives and indexes spam messages of fraudulent nature. The most interesting feature of the site is the correlation it performs across contact details specified in the messages, such as names, email addresses, and phone numbers. This helps you find related messages to understand the scope and history of the scam.

Consider the diagram the website generated for "Susan's" message described above:

The diagram on the website is clickable. Clicking on "Susan's" email address brought me to a page that showed a related message and additional elements worth investigating:

Very handy!
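To make the correlation described above concrete, here is an added example (not the diary's own code, nor the archive site's) that performs the same kind of linking on a handful of constructed scam messages: it extracts e-mail addresses, phone numbers and dollar amounts, indexes which messages contain each indicator, and then walks the shared indicators to find every message related to a starting one. The message texts, addresses and numbers are placeholders I constructed for the demonstration; sender names are deliberately left out, since a plain regular expression cannot extract them reliably.

```python
"""Correlate scam messages by shared contact details.

Added example, not code from the ISC diary or from the archive site it
describes. Sample messages, addresses and phone numbers are constructed
placeholders (the .invalid domain is reserved and never resolves).
"""
import re
from collections import defaultdict

# Constructed sample messages, loosely modelled on the diary's description.
SAMPLE_MESSAGES = [
    {"id": "msg-april", "subject": "Your happiness is my concern",
     "body": "Contact Barrister Afam Richardson Esq at richardson@example.invalid "
             "or +234-800-000-0001. The IRS fee is $980."},
    {"id": "msg-may", "subject": "THOSE PEOPLE YOU ARE DEALING WITH ARE FAKE",
     "body": "I am Susan Walter. Contact Barr. Mat Oto at mat.oto@example.invalid "
             "or +234-800-000-0001. Fee of $1,200 payable to the IRS."},
    {"id": "msg-june", "subject": "Re: your contract funds",
     "body": "Reply to susan.walter@example.invalid or mat.oto@example.invalid."},
    {"id": "msg-unrelated", "subject": "Meeting notes",
     "body": "See you Monday. -- Peg, peg@example.invalid"},
]

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"\+?\d[\d\-() ]{7,}\d")   # loose: 9+ chars of digits/separators
AMOUNT_RE = re.compile(r"\$\d[\d,]*")


def extract_indicators(msg):
    """Return the set of (kind, value) indicators found in one message."""
    text = msg["subject"] + "\n" + msg["body"]
    found = set()
    for m in EMAIL_RE.findall(text):
        found.add(("email", m.lower()))
    for m in PHONE_RE.findall(text):
        found.add(("phone", re.sub(r"\D", "", m)))   # keep digits only
    for m in AMOUNT_RE.findall(text):
        found.add(("amount", m.replace(",", "")))
    return found


def build_index(messages):
    """Map each indicator to the ids of the messages that contain it."""
    index = defaultdict(set)
    for msg in messages:
        for ind in extract_indicators(msg):
            index[ind].add(msg["id"])
    return index


def shared_indicators(index, id_a, id_b):
    """Indicators that directly link two messages (the diagram's edges)."""
    return {ind for ind, ids in index.items() if id_a in ids and id_b in ids}


def related_messages(index, msg_id):
    """Transitively collect every message sharing an indicator with msg_id."""
    seen = {msg_id}
    frontier = [msg_id]
    while frontier:
        current = frontier.pop()
        for ids in index.values():
            if current in ids:
                new = ids - seen
                seen.update(new)
                frontier.extend(new)
    return seen


if __name__ == "__main__":
    idx = build_index(SAMPLE_MESSAGES)
    for msg in SAMPLE_MESSAGES:
        print(msg["id"], "->", sorted(related_messages(idx, msg["id"])))
    print("april/may share:", shared_indicators(idx, "msg-april", "msg-may"))
```

The walk is transitive on purpose: msg-april and msg-june share nothing directly, but both reach msg-may (one through the phone number, the other through the lawyer's address), which is exactly how clicking from one element to the next on the archive site expands the picture. Weak indicators such as dollar amounts will occasionally join unrelated messages, so treat each link as a lead to verify rather than proof of a common sender.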

Additional Notes

ISC reader Peg shared with us a link to FraudWatchers--a website that tracks scams and educates the public about them. The site also has an active discussion forum. Peg also pointed to a story on scam-baiters, who respond to fraudulent emails to waste the scammer's time. This can be dangerous, so I don't advise our readers to partake in this guilty pleasure. (The scam-baiting practice reminds me of the La Brea tar-pit for slowing down network worms and scans, except the technique works at the human level.)

To understand the trends behind Internet fraud, take a look at the 2007 Internet Crime Report, published by the FBI's Internet Crime Complaint Center (IC3). According to the report:

"During 2007, Internet auction fraud was by far the most reported offense, comprising 35.7% of referred crime complaints... In addition, during 2007, the non-delivery of merchandise and/or payment represented 24.9% of complaints... Confidence fraud made up an additional 6.7% of complaints.... Credit and debit card fraud, check fraud, and computer fraud complaints represented 17.6% of all referred complaints. Other complaint categories such as identity theft, financial institutions fraud, threats, and Nigerian letter fraud complaints together represented less than 8.3% of all complaints."

Do you have your favorite tools or websites for investigating fraudulent emails? Let us know, and we'll share your tips with our readers.

-- Lenny

Lenny Zeltser
Security Consulting - SAVVIS, Inc.

Lenny teaches a SANS course on analyzing malware.
