Often there is a distinct delineation established between the financial elements and the information security elements of an audit or assessment. During a recent engagement with the United States Office (USO) of an Italian marketing firm, my company, CQUR IT, leveraged financial data to extend the value of the IT assessment. I’ll show you how we identified imprudent management activities, poor control mechanisms, and incompetent business activities that threatened the viability of the organization.
Concerns at the top
In all assessments, I prefer to gather information regarding the business goals first and foremost, so that’s where we began with the USO’s assessment. The USO’s business manager informed us that in response to the advertising/marketing downturn of the last few years, headquarters (HQ) had named a new managing director for the USO at the start of 2002 with the mandate of growing revenues by 20 percent annually for a three-year period and returning the operation to profitability in his first year.
The new director began his quest for profitability by slashing costs. The workforce was cut by 50 percent, and old vendor relationships were terminated as cheaper solutions were implemented. Thirteen months into the director’s tenure, HQ ordered a business assessment because he had failed to reach the mandated revenue and profitability goals.
Our kickoff meeting with the director left us with three predominant IT-impacting business observations:
- The director was a sales/marketing professional—not a seasoned business executive. The business manager the director had hired described himself as being “IT ignorant.” This combination created a complete lack of IT governance, which was most notable in the absolute lack of control mechanisms.
- Despite rapidly escalating IT costs, the reliability and availability of the IT infrastructure was a major impediment to the achievement of organizational goals. Several major contracts had been lost based on IT problems, which included the loss of key files relating to a major proposal and the propagation of viruses that caused the disruption of a potential client’s business operations.
- IT was being fully outsourced—predominantly to a local independent consultant. In light of the controls and governance problems detailed, this was an area of concern.
Before meeting with the IT consultant, we performed a quick overview of the nine computers on site. We found a Windows 98 peer-to-peer network with an odd mishmash of computer configurations, including an old Pentium II (circa 1998) with a 1-GB hard drive and 512 MB of new RAM. Further, the network had a DSL Internet connection with no firewall and spotty deployment of antivirus software.
We asked the accountant to run an accounts-payable report for all transactions to the main IT consultant. The support costs were not well documented due to the consultant’s poor invoice detail—but the net IT costs for the previous year had totaled over $36,000, or more than $4,000 per PC.
Back to the future
Armed with the financial data, we were fully prepared to interview the consultant. After covering the basics, I asked the consultant about the high support costs. He blamed them on the high cost of maintaining old PCs, one particularly troublesome computer, and poor user practices. The following dialogue is illustrative of the interview:
CQUR IT: You indicated the maintenance costs for the old PCs were very high. Have you given any consideration to replacing them?
Consultant: They don’t have the money here for that.
CQUR IT: Are you aware they spent nearly $30,000 this year upgrading the machines and paying for your support?
Consultant: I wouldn’t have expected it to be quite that high. But I suppose you are right.
CQUR IT: Wouldn’t it have been less expensive to put in all new machines, printers, etc.?
Consultant: I guess so—I just never thought of that.
CQUR IT: Tell me about the troublesome computer.
Consultant: Sure. The director got a new computer. We had all kinds of problems with it. It was always crashing and freezing up. But I finally got it resolved.
CQUR IT: How?
Consultant: I uninstalled the Windows 2000 that came installed on the computer and installed Windows 98. Funny, I know Microsoft thinks XP and 2000 are better—but I have had nothing but problems with them. In my opinion, Windows 98 is the most reliable OS they have ever produced. I reinstalled Windows 98 on all machines.
CQUR IT: Who specified a white box instead of a brand name like Dell?
Consultant: I did.
CQUR IT: Was the computer HCL’d for Windows 2000?
Consultant: What’s that?
It was particularly troubling to us that the director and business manager were allowing a clearly incompetent IT consultant to set (or, more appropriately, not set) the technical direction of the organization. After meeting with the IT consultant, we decided to revisit with the business manager.
Beware the "business colleague"
The business manager was beginning to look a bit concerned when we revisited him. We determined from further conversation that the IT consultant was a long-time “business colleague” of the business manager’s who worked at a discounted rate and that the business manager “implicitly trusted” the IT consultant. Therefore, he felt there was no need for third-party validation of the consultant’s recommendations. We also determined that the Web site developer who just completed the USO’s new site was also a long-time “business colleague” that the business manager implicitly trusted.
Accordingly, not only was his work not independently validated, but he had been given the Web design project ($6,000) without any other firms being considered. Our interest was piqued by the @aol.com e-mail address on his invoices. On further analysis, we were dismayed to learn the company had contracted with a Web design/development firm that didn’t even have its own Web site.
Just when we thought it was safe to go back in the accounting office
The accountant noticed us leaving the business manager’s office and directed us into her office. “I just thought you might like to see this,” she said with a surreptitious smile. It was a $7,000 invoice from the IT consultant for a new phone system.
After we validated the existence of a new Northern Telecom phone system, we decided to revisit with the IT consultant. Although the following excerpt seems implausible, I assure you that it is accurate:
CQUR IT: Sorry, forgot to ask you before: What kind of phone system do you have running?
Consultant: Northern Telecom. I don’t remember the model number, but I can get it for you.
CQUR IT: No, that’s okay. Do you know how old it is?
Consultant: It’s only a few months old.
CQUR IT: Do you know whom they bought it from?
Consultant: Verizon, I think.
CQUR IT: From Verizon directly?
Consultant: Well, actually I think it was from a Verizon employee. I’m not sure.
CQUR IT: I thought Northern Telecom sells only through authorized distributors.
Consultant: Well, this was a special deal. You see, the Verizon guy had bought it for his mother—but she didn’t want it, so he could sell it at a really good price.
(This was a 12-line, music-on-hold, voicemail-equipped phone system.)
CQUR IT: So the USO bought it directly from this Verizon employee. We’ll pull the invoice to find out who he is.
Consultant: Well, not directly through the Verizon guy. Actually, I sold it to them as a favor, because they wanted to cut costs. But I swear I didn’t make any money on the deal.
Balancing business efficiency against reasonable and appropriate control mechanisms is a security challenge we often see in smaller organizations. In this case, however, the cost-cutting effort came without the control mechanisms needed to ensure that the work of independent consultants was appropriate, properly aligned with the strategic objectives of the organization, and delivered the necessary levels of security.
Unfortunately, this resulted in a plethora of business-impacting problems, including unreasonably high costs, an unreliable network architecture, endangerment of the corporate image through acquiring equipment via inappropriate channels, and exposure of the parent and client organizations’ networks via the multiple viruses, backdoors, and zombies identified on the USO’s systems.
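One way to turn an accounts-payable extract into the kind of findings reached above (the per-PC support cost from the AP report, a consultant who both advises on and sells equipment, and thin invoice detail) is a short review script over the ledger. This is an added example, not CQUR IT’s tooling; the ledger rows, vendor names, endpoint count and thresholds are constructed and are assumptions.

```python
from collections import defaultdict

# Constructed accounts-payable extract (not the USO's real ledger):
# (vendor, category, amount_usd, invoice_detail)
AP_ROWS = [
    ("IT Consultant LLC", "support", 2900.0, ""),
    ("IT Consultant LLC", "support", 3100.0, "onsite visits"),
    ("IT Consultant LLC", "hardware", 7000.0, "phone system"),
    ("IT Consultant LLC", "support", 2800.0, ""),
    ("Web Designer (aol.com)", "services", 6000.0, "web site"),
    ("Telco", "telecom", 1200.0, "DSL, 12 months"),
]
ENDPOINT_COUNT = 9  # assumed number of PCs on site


def spend_by_vendor(rows):
    totals = defaultdict(float)
    for vendor, _cat, amount, _detail in rows:
        totals[vendor] += amount
    return dict(totals)


def categories_by_vendor(rows):
    cats = defaultdict(set)
    for vendor, cat, _amount, _detail in rows:
        cats[vendor].add(cat)
    return cats


def undocumented_share(rows, vendor):
    """Fraction of a vendor's billed dollars carrying no invoice detail."""
    billed = sum(a for v, _c, a, _d in rows if v == vendor)
    blank = sum(a for v, _c, a, d in rows if v == vendor and not d.strip())
    return blank / billed if billed else 0.0


def assess(rows, endpoint_count, share_limit=0.5, per_endpoint_limit=1500.0):
    """Governance findings derived purely from the AP extract (thresholds assumed)."""
    findings = []
    totals = spend_by_vendor(rows)
    grand = sum(totals.values())
    cats = categories_by_vendor(rows)
    for vendor, total in totals.items():
        if total / grand > share_limit:   # single vendor dominates IT spend
            findings.append(f"concentration: {vendor} = {total / grand:.0%} of IT spend")
        if {"support", "hardware"} <= cats[vendor]:  # advisor is also the seller
            findings.append(f"conflict: {vendor} both advises on and sells equipment")
        if undocumented_share(rows, vendor) > 0.3:  # support billed without detail
            findings.append(f"detail: {vendor} invoices lack line-item detail")
    per_pc = grand / endpoint_count
    if per_pc > per_endpoint_limit:  # annual spend per PC vs. replacement budget
        findings.append(f"cost: ${per_pc:,.0f} per PC exceeds per-endpoint limit")
    return findings
```

Run `assess(AP_ROWS, ENDPOINT_COUNT)` to get the list of findings; each string names the vendor and the control gap it points at.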
Our assessment report to HQ contained a number of tactical recommendations, including the replacement of outdated infrastructure components, the installation of a firewall, and the dismissal of the IT consultant. However, the most significant IT recommendations addressed more strategic- and control-related issues relating to appropriate levels of IT governance.
This IT assessment illustrates a basic maxim that is too often forgotten when it comes to IT security: Good business (or common) sense is good IT security. It also illustrates the all-too-common “cost of insecurity,” which is the failure of an organization to achieve its business goals.