
    Why Your Security Investigation Is Going To Fail


    by securitymonkey

    People have a tendency to work on their own cars, even if they aren’t ASE certified mechanics. You can’t talk them out of it. They drive their cars every day, they know every vibration, noise and sputter. They know where all the parts are located, and by golly – they just bought a new Craftsman toolset that needs used.

    What would normally take an ASE certified mechanic an hour to do turns into several days for Joe Schmo. That water pump IS going to come off, whether it likes it or not.

    After about 5 days, Joe gives up on the water pump and decides that the car isn’t that important anyway. He pulls the car into the backyard, puts a TV and a few plants on the hood, and whistles while he walks back into the house.

    Nothing to see here, just move along.

    And so goes the great majority of internal security investigations in today’s corporate world. Far-fetched you say? Allow me to take my combat boots off and show you some mud. Those battlefields are always wet for some reason…

    Walking into a business and finding the smoldering corpse of a mishandled security investigation seems to be all too common lately. Some can be resurrected, patched up, and even supported in a court of law.

    Others, well – I just hand them a shovel and encourage them to keep digging. Try not to get any more dirt on the carpet (that is, not as much as there is swept under the rug).

    Your security investigation that you’re conducting right now is going to fail for a number of reasons. Let’s look at some of the top reasons over a cup of coffee:

    1) You’re over your head, but can’t admit it to your management for fear of looking unqualified and possibly ignorant. You know you should bring in a consultant, but money is scarce – and management wants answers NOW. The internal auditors are wanting data from you – before lunch. Pass the aspirin.

    2) Your security staff is so small, and your case load is so large that you’re routinely cutting corners on investigations – whether they be forensic analysis of machines, background investigations, interviews, due diligence work, etc. No one is ever going to request a copy of your investigation notes, right? Nobody is actually going to expect that you followed proper chain-of-custody procedures, right?

    3) Your documentation is an afterthought. You followed this investigation through from start to finish – if anyone needs information, they’ll just ASK you, right? They don’t actually expect you to type something up when you’re performing 80-hour investigations in 16 hours! Pa-shaw!

    4) Your support from management can be summed up as “we need better coffee in the breakroom – can we let another security staffer go?”. Your head of security has long given up trying to justify your department to senior management, and worries more about making her golf swing *that much better*. Staff meetings don’t happen. Communication? That’s why we have these super cool Nextel phones, right? *chirp* RIGHT? *chirp*

    5) You don’t care. The paychecks are hitting the bank on time. Management leaves you alone. None of these cases ever get looked at past the HR department. All this work is really cutting into your Doom III time.

    Sound outlandish? Sound familiar? My sympathies, because I’ve just summed up the last five companies that I’ve assisted with case work.

    Now would be a good time to take an inventory of your work, your staff, your coworkers and your management. Are we setting ourselves up for failure? Or as the last CISO I spoke with put it: “We WERE set up to fail. Our mission is to prove them wrong.”

    Call a tow truck, and let’s get those cars towed to the garage. While you’re there, make a few appointments for some routine manufacturer-recommended maintenance. By all means keep the Craftsman toolset polished and ready to go. Take some automobile repair courses at the local college – tinker a little here and there.

    Just don’t give up.

    You might want to remove that patch from your shirt though.

    The one that has your first name on it.

All Comments


      My firm hired consultants

      by jkameleon

      In reply to Why Your Security Investigation Is Going To Fail

      IMHO, it was a good decision. As far as I can tell, guys did a pretty good job. They found & pointed out all the security holes we knew about, but had no time to fix them. Apart from investigation, they also held a couple of courses about security. They concluded the last, and most important one with “OK, that was about all I can tell you about security now. Before I end this lecture, there is one last thing I want to say, which is also the most important about your security: Use your brains. I can’t emphasize that enough. All the money you spent on your security equipment will be for nothing, if you don’t use your brains.”

      Now former CIO, and soon to be former security guy (“What!? Are you trying to say that our xxx$$$ SuperSecurePro(TM) solution is not enough!? Give me a break! Nobody can get past that! It’s super secure, why don’t you read an ad once for a change? You should follow technological progress more closely ya know!”) visibly flinched. The look of horror on their faces really made my day.
