[SoCoSA/discuss] Making a business case (was Re: Sys Admin group forming)

Steve S. northbaygeek at gmail.com
Mon Jan 23 11:34:46 PST 2006


On 1/23/06, Susan Baur <susan at cdl.edu> wrote:

> Hi Steve,
> Just saw this last week on the SANS NewsBites list. Thought it might
> be a place to start building your business case from.

Hi Susan.  Thanks for this!  It looks useful indeed...


>  From SANS NewsBites Vol. 8 Num. 6
> >  --Privacy Rights Clearinghouse List of Data Security Breaches
> > (17 January 2006)
> > The Privacy Rights Clearinghouse has compiled a list of known data
> > security breaches that have occurred since ChoicePoint's data breach
> > acknowledgment on February 15, 2005.
> > http://www.privacyrights.org/ar/ChronDataBreaches.htm

Interesting.  The vast majority of them fall into one or more of:
 - Schools (mostly universities)
 - Financial/banking houses.
 - Physical data-loss (data lost because tapes/computers/etc were stolen).
 - Medical places (hospitals/etc).
We are none of these (except, I suppose, laptops), though I do see that "no
target is too small" here, & that the 4 general categories above aren't all of
the hits.  I note that the Air Force(!) got hacked(!) for 33K
identities!  Yowza...
Hitting the military feels more "old school" to me -- doin' it to count coup
against "the Man," and/or for the online rep among other hackers/crackers.
These days, much/most of this stuff is actually done for profit.



> Also, don't forget to point out California's disclosure laws as they
> relate to security breaches and personal information. I don't know
> how large your place is, but perhaps an estimate of what it would
> cost to send a mailing to every customer and every employee,
> former employee and contractor letting them know that there'd
> been a breach,

We're a small-ish house.  The cost of such notification "shouldn't" be
prohibitive; checking with our accounting & HR folks, they ballpark
about 500 (probably fewer) notifications we'd have to send.


> combined with a conservative
> estimate of how much damage it would do to your business' name,

This is potentially a big one.  The "Good Name" of the company is, I
believe, one of the most-prized assets we have.  If someone hurt us
there, that would be a Very Bad Thing.


> and I think
> you should be able to get funding to start down the "Do it Right" path.

I need to figure out what the biggest "direct" downside is -- how much
damage could an adept and ill-willed hacker *DO*?  What's the WORST
they could do... and how bad would that be?

In many ways, there *isn't* a big (direct) downside, I believe.  We're not
a financial or personal-info house, and most of our stuff is, eventually,
destined for public consumption anyhow (we mostly work in a field that
is heavily regulated, and our documentation is produced to meet those
regulations, usually including publication/availability to any interested
parties, both public and private).

We could get hit by a competitor, maybe (looking to underbid us)...?

If we get sued (everyone in heavily-regulated industries is subject to
lawsuits alleging that they "did it wrong" (i.e. didn't comply with those
regulations governing our work)), someone might try to hack us in the
belief that we're hiding something; but frankly, even if we DID want to
do something like that, we don't have the staffing needed to produce
falsified documents for court, so we're going to have to disclose it all
anyhow -- such a hacker wouldn't get much, so far as I can see; and
because we work in the expectation that we may have to disclose in
court, company policy is that, even in internal-only documents, we
can't refer to such-and-such an "incompetent A55H0L3" (whom we
have to work with) *as* an "incompetent &c" -- if the I.A.'s work has
to be revised at our expense, we neutrally note that such-and-such
a regulatory agency required so-and-so changes, etc.

Most of our work is "on behalf of" other organizations, & the way the
regulations work, they bear the chief legal/financial liability: mostly,
we CAN'T be sued for $$$.  The worst thing there is if our work were
found to be so lacking that our client took a big hit in court; as I say,
our "Good Name" (that we DON'T leave our clients exposed that way)
is our biggest asset.

Frankly though, such "hostile lawyer" type scenarios really feel like
I'm starting to reach!

Maybe a Warez or a pr0n distributor might want to use our disk &
bandwidth... Spammers might want to turn us into an open relay for
mail (either permanently, or every night when they do their stuff...).

<sigh>
What's a "reasonable" threat-evaluation, and what's sheer paranoia?
I guess, though I need to ask it for business-case purposes, that's a
question for another thread entirely.

Thanks again, however!  All data is meat for me... ;-)


- Steve S.
