Cyber Security Awareness Month - Day 17 - What a boss should and should not have access to

Published: 2010-10-17
Last Updated: 2010-10-18 02:52:55 UTC
by Stephen Hall (Version: 1)
7 comment(s)

On day 17 of our yearly Cyber Security Awareness Month, we enter into the thorny subject area of your Boss. Today, we'll look at what a boss should, or indeed should not have access to.

Bosses are interesting people. The don't do what you and I do, they do different things, go to different places, mix with different people (most with new shiny technology), and face different day to day challenges.

Lets look at those day to day challenges, or risks as we call them.

You boss most likely holds the 'keys to your business'. They will know what your company is going to do next, they have information that could move your share price such as the date of launch for a new product, move on a new take over. All of that information is valuable. So, we all think about the risks to our bosses, but do they think about the risks they enter every day. Given that most CxO level bosses are not the most tech savvy people in the world how do we educate them to work in an online world where people want that information, and are willing to try and take it?

What do you do when you boss wants to go to a country where not just crossing a geographical boarder has the potential for having technology confiscated, but how about copied when they are in their hotel room? Spyware loaded onto their laptop they take with them so that e-mails are read, documents copied, and so on. 

When you boss comes to you and they want the latest iShiny technology, how do you show the risks associated with them using it?

Do you have a special executive group on your web proxy which gives these high value targets boarder access than the people in the offices they control? If you do, should you?

If you can pass on some tips on how you can educate CxO level executives to the risks they face, and how that impacts the services, and IT resources they should have access to, I'll add them to the bottom of the diary during today, and into next week.

Steve Hall
ISC Handler

 

7 comment(s)

Comments

I usually start with "It's really easy to click the wrong thing and take everything offline for a few hours...."

Then I start talking about a story about an old friend who, on a Friday afternoon, deleted a seemingly unimportant temporary DFS share, but which cased a cascade fault, killing access for millions of customers to dozens of websites, until the entire team, working around the clock with IBM's best, got them back.

Oh, and the story of how changing a number, from 8 to 9, caused another cascade fault, resulting in loss of internet for millions of customers for hours, and hundreds of thousands for days.

Then "It's just a formality, but can you email me authorisation to breach company policy and give untrained staff access to the system? Thanks."

...then tends to work a treat. :-)
Dom, if you delete .rw its the end of the world ;)

My version of that story always starts with, "Once, when i was on holiday....."

Thanks for the smile, and the comment.

Steve
I *AM* the boss. Its my company. It is a consulting firm. I frequently have not only my own company's confidential information on my laptop, but also the confidential information of a number of clients as well. They would sue me for any breach of their confidentiality, as great damage could be done to them by such a thing.

My laptop runs Linux, and boots using 2-factor identification: a usb boot key, and a long secret passphrase. If I do any web browsing other than to my own servers, or a small group of selected and trusted servers, it is done from within the wlled garden of a disposable virtual machine with minimal softwatre loaded into it.

When at the home office, backups are made every night automatically as long as my laptop is connected to the corporate network. The backup raid array is aes265 encrypted, and regularly a drive is pulled and taked to an off-site secure site where it is stored.

When I am on the road, backups are made to a removable drive, also using aes256 encryption.

What else should I be doing?
If you come at this issue with a view to denying your boss access to something, then you will not win the day. You need to remember that within a company "the boss" (CEO's, CIO's, CFO's, Owner's, etc..) are essentially mini gods and are entrusted by the owners of the business to do whatever they think is right. So you, as a lowly risk person, shouldn't even attempt to say "you can't" at any point.

The best way to deal with this situation is simply to advise. Advise the boss in question that whilst their actions are their's to choose, there may be consequences due to a number of risks. Advise the boss what the risks are, what the likelihood is of those risks coming to fruition is, and what the impact might be on the organisation. But always reinforce that you understand it is their decision as to whether they think the risk is worth it or not.

If there are things you can suggest, very minor behavioral changes or technology solutions, that can allow them to do what they want and address the risks, then make those suggestions. But again recognize and accept that it is up to the boss to decide, not you.

If you try and present yourself as knowing what is best for the company, even if you do, you will get ignored. Bosses are used to being in charge and do not respond well to relative juniors (relative to their company position) telling them what to do.
I tried the chicken little "sky is falling approach" for years with little success. Now I take a more sophisticated approach of regular risk meetings and providing metrics with executive eye candy. I present risks and they can choose to provide me resources to mitigate them or accept them. I crafted a nice "risk acceptance form". It is funny how now that they agreed to sign off on acceptance of risk items that risk items get more attention. Well, I thought I was getting more sophisticated until my CIO/VP told the attendees of a pen test review meeting that I "scare the $h1t out of senior management". He meant it in a good way (I think).
I handled this approach by restricting my bosses online options. Configured his laptop to have access only to the Citrix Xenapp Environment (works of course with simmilar solutions too) of the company. For VIP customers (like my Boss) we have a spezial Xenapp setup, where we are able to make changes within a few hours. So the data never leaves the company and malware could not submit any to the internet. So everybody can feel safe.
I find having someone stick to the security guidlines to be very important. Making sure all end users are kept aware of security policy changes and tought on a regular basis can solve many of the simple issue. Becoming more restricked on end user permissions could also help.


Diary Archives