Computer Crime Research Center

Stopping Computer Crime, Part 2

Date: September 30, 2004
Source: Microsoft Certified Professional Magazine
By: Roberta Bragg

... to Intercept and Obstruct Terrorism (PATRIOT) Act of 2001 to create a national network of Electronic Crimes Task Forces. Find locations at www.ectaskforce.org.
* Contact information for local FBI offices can be found at www.fbi.gov. Many offices have their own Computer Crime Task Force.
* The State Attorney General's Office for your state can provide you with guidance. The National State Attorney Generals' Web site, www.naag.org, provides contact information by state. They're also building a Computer Crime Point of Contact List, www.naag.org/issues/20010724-cc_list.php, comprised of prosecutors and agencies that work on computer crime law enforcement.
* The Internet Cyber Crimes Complaint Center, www.ic3.gov, serves as a vehicle for criminal complaint referral regarding cyber crime. A partnership between the FBI and the National White Collar Crime Center, it has an online reporting form.

Like any project, security can be easily killed by two things: Lack of support from the executive suite, and lack of support from the average employee. Both are important to avoid.

Getting Executive Buy-in
Start with executive management. You've got to get them on board; without the support of the guys in high places, your offensive security program is doomed. They're the ones whose support will pull other managers into the fold, and who will back you when other managers question your wisdom.

Now don't misunderstand me; I'm not asking you to go around your boss. I'm suggesting that you get the support of someone higher up. You may need your boss's help to do that.

So how do you get management support for security initiatives? How do you get them to agree to report crime and support security awareness within the ranks? The same way you get bucks for defensive programs like firewalls and anti-virus. You talk money–a language management can understand.

If management fears the company's stock price will fall if a crime is reported, point out the cost of getting caught hiding a security incident. If they don't want to pay for security awareness training, show the costs involved in cleaning up after a Code Red-type disaster, then explain how they'll save money by practicing good patch management, a far less expensive task. Detail how much money is lost in sales when an attacker brings down the e-commerce site vs. the cost of training for Web developers. Give them some statistics on how well you resisted the last brute force attack on your remote access servers after users were trained to create strong passwords.

Don't spin your wheels railing at users for doing stupid things like clicking on attachments. Instead, create security awareness training that teaches them safe computer practices. And respect employees. They may be clueless when it comes to good computer security practices, but it's ignorance–not stupidity. Ignorance can be fixed if there's a willingness to educate, instead of berate.

Teamwork is the Key
There's a lot of talk these days about how well the bad guys communicate and collaborate, teaching each other and benefiting from each new attack, and how the good guys should learn from that example. Actually, I think we are communicating more; we're just not collaborating as well as we might.

There's now a strong supply of really smart people who know technology and know something about information security. If we can all get together, we can win the game.

Roberta Bragg, MCSE: Security, CISSP, Security+, and Microsoft MVP is an MCP Magazine contributing editor and the owner of Have Computer Will Travel, Inc., an independent firm specializing in information security and operating systems. She's series editor for Osborne/McGraw-Hill's Hardening series, books that instruct you on how to secure your networks before you are hacked, and author of the first book in the series, Hardening Windows Systems. You can contact Roberta about "Stopping Computer Crime, Part 2" at [email protected].