Chapter 20: Ten Tips for Getting Upper Management Buy-In 321
Show How Ethical Hacking Specifically Helps the Organization
Document benefits that support the overall business goals:
• Demonstrate how security doesn’t have to be that expensive and can actually save the organization money long-term.
  · Security is much easier and cheaper to build in up front than to add on later.
  · Security doesn’t have to be inconvenient and can enable productivity if it’s done properly.
• Talk about how new products or services can be offered for a competitive advantage if secure information systems are in place.
  · Certain federal regulations are met.
  · Managers and the company look good to customers.
  · Ethical hacking shows that the organization is protecting customer and other critical information.
Get Involved in the Business
Understand the business — how it operates, who the key players are, and what politics are involved:
• Go to meetings to see and be seen. This can help prove that you’re concerned about the business.
• Be a person of value who’s interested in contributing to the business.
• Know your opposition. Again, use The Art of War and the “know your enemy” mentality — if you understand what you’re dealing with, buy-in is much easier to get.
Establish Your Credibility
Focus on these three characteristics:
• Be positive about the organization, and prove that you really mean business. Your attitude is critical.
• Empathize with managers, and show them that you understand the business side.
• To create any positive business relationship, you must be trustworthy. Build up that trust over time, and selling security will be much easier.
Speak on Their Level
No one is really that impressed with techie talk. Talk in terms of the business. This key element of obtaining buy-in is actually part of establishing your credibility but deserves to be listed by itself.
I’ve seen countless IT and security professionals lose upper-level managers as soon as they start speaking. A megabyte here; stateful inspection there; packets, packets everywhere! Bad idea! Relate security issues to everyday business processes and job functions. Period.
Show Value in Your Efforts
Here’s where the rubber meets the road. If you can demonstrate that what you’re doing offers business value on an ongoing basis, you can maintain a good pace and not have to constantly plead to keep your ethical hacking program going. Keep these points in mind:
• Document your involvement in IT and information security, and create ongoing reports for upper-level managers regarding the state of security in the organization. Give them examples of how their systems will be secured from known attacks.
• Outline tangible results as a proof of concept. Show sample vulnerability-assessment reports you’ve run on your own systems or from the security tool vendors.
• Treat doubts, concerns, and objections by upper management as requests for more information. Find the answers, and go back armed and ready to prove your ethical hacking worthiness.
Be Flexible and Adaptable
Prepare yourself for skepticism and rejection at first — it happens a lot — especially from such upper managers as CFOs and CEOs, who are often completely disconnected from IT and security in the organization.
Don’t get defensive. Security is a long-term process, not a short-term product or single assessment. Start small — with a limited amount of such resources as budget, tools, and time — if you must, and then build the program over time.
Ten Deadly Mistakes
In This Chapter
• Obtaining written approval
• Assuming that you can find and fix everything
• Testing only once
• Having bad timing
Several deadly mistakes — when properly executed — can wreak havoc on your ethical hacking outcomes and even your job or career. In this chapter, I discuss the potential pitfalls that you need to be keenly aware of.
Not Getting Approval in Writing
Getting approval for your ethical hacking efforts — whether it’s from upper management or the customer — is an absolute must. It’s your get-out-of-jail-free card.
Obtain documented approval that includes the following:
• Explicitly lay out your plan, your schedule, and the affected systems.
• Get the authorized decision-maker to sign off on the plan, agreeing to the terms and agreeing not to hold you liable for malicious use or other bad things that can happen unintentionally.
• Get the signed original copy of the agreement.
No exceptions here!
Assuming That You Can Find All Vulnerabilities During Your Tests
So many security vulnerabilities exist — some known and just as many or more unknown — that you can’t find them all during your testing. Don’t make any guarantees that you’ll find all security vulnerabilities. You’ll be starting something that you can’t finish.
Stick to the following tenets:
• Be realistic.
• Use good tools.
• Get to know your systems, and practice honing your techniques.
Assuming That You Can Eliminate All Security Vulnerabilities
When it comes to computers, 100 percent security has never been attainable and never will be. You can’t possibly prevent all security vulnerabilities. You’ll do fine if you
• Follow best practices.
• Harden your systems.
• Apply as many security countermeasures as reasonably possible.
Performing Tests Only Once
Ethical hacking is a snapshot in time of your overall state of security. New threats and vulnerabilities surface continuously, so you must perform these tests regularly to make sure you keep up with the latest security defenses for your systems.
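Because each test is only a snapshot, the artifact that actually shows management the value of a recurring program (the ongoing reports recommended under “Show Value in Your Efforts”) is the change between runs: what is new, what got fixed, and what is still open. The following is an added example, not code from the book, that compares two constructed assessment snapshots and renders that delta. The finding fields (host, port, plugin, severity) are assumptions for illustration, not any particular scanner’s schema.

```python
"""Compare two vulnerability-assessment snapshots and report the deltas.

Added example (not from the book). The finding records are constructed
sample data; the field names host/port/plugin/severity are assumptions,
not the schema of any real scanner.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    plugin: str      # identifier of the scanner check that fired (constructed)
    severity: str    # one of "critical", "high", "medium", "low"

    def key(self):
        # A finding's identity across runs is where it is and which check fired.
        # Severity is excluded so a re-rated finding counts as persistent, not new.
        return (self.host, self.port, self.plugin)


# Constructed baseline snapshot (the previous test run)
BASELINE = [
    Finding("10.0.0.5", 443, "tls-weak-cipher", "medium"),
    Finding("10.0.0.5", 22, "ssh-old-version", "high"),
    Finding("10.0.0.9", 80, "http-dir-listing", "low"),
    Finding("10.0.0.12", 3389, "rdp-no-nla", "high"),
]

# Constructed current snapshot: SSH finding fixed, RDP still open, two new findings
CURRENT = [
    Finding("10.0.0.5", 443, "tls-weak-cipher", "medium"),
    Finding("10.0.0.12", 3389, "rdp-no-nla", "high"),
    Finding("10.0.0.9", 80, "http-dir-listing", "low"),
    Finding("10.0.0.20", 445, "smb-signing-off", "medium"),
    Finding("10.0.0.5", 8443, "tls-expired-cert", "high"),
]


def diff_findings(baseline, current):
    """Split findings into new, resolved and persistent by their identity key."""
    base = {f.key(): f for f in baseline}
    curr = {f.key(): f for f in current}
    return {
        "new": sorted(k for k in curr if k not in base),
        "resolved": sorted(k for k in base if k not in curr),
        "persistent": sorted(k for k in curr if k in base),
    }


def severity_counts(findings):
    """Count open findings per severity level for the trend line."""
    return Counter(f.severity for f in findings)


def highest_open_severity(current):
    """Return the worst severity still open, or None if nothing is open."""
    present = {f.severity for f in current}
    for level in ("critical", "high", "medium", "low"):
        if level in present:
            return level
    return None


def render_report(baseline, current):
    """Produce the plain-text summary a recurring management report would carry."""
    delta = diff_findings(baseline, current)
    lines = ["Vulnerability trend report (constructed data)"]
    lines.append(f"Open findings: {len(baseline)} -> {len(current)}")
    lines.append(f"Highest open severity: {highest_open_severity(current)}")
    for label in ("new", "resolved", "persistent"):
        lines.append(f"{label.capitalize()} ({len(delta[label])}):")
        for host, port, plugin in delta[label]:
            lines.append(f"  {host}:{port} {plugin}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(BASELINE, CURRENT))
```

The identity key deliberately leaves severity out: a scanner re-rating an old issue should show up as a persistent finding whose severity changed, not as a fresh one, or the “new” count inflates and the report loses credibility with exactly the audience it is meant to convince.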
Chapter 21: Ten Deadly Mistakes 325
Pretending to Know It All
No one working with computers or information security knows it all. It’s basically impossible to keep up with all the software versions, hardware models, and new technologies emerging all the time — not to mention all the associated security vulnerabilities! Good ethical hackers know their limitations — they know what they don’t know. However, they certainly know where to go to get the answers (try Google first).
Running Your Tests without Looking at Things from a Hacker’s Viewpoint
Think about how an outside hacker can attack your network and computers. You may need a little bit of inside information to test some things reasonably, but try to limit that as much as possible. Get a fresh perspective, and think outside that proverbial box. Study hacker behaviors and common hack attacks so you know what to test for.
Ignoring Common Attacks
Focus on the systems and tests that matter the most. You can hack away all day at a stand-alone desktop running MS-DOS from a 5¼-inch floppy disk with no network card and no hard drive, but does that do any good?
Not Using the Right Tools
Without the right tools for the task, it’s almost impossible to get anything done — at least not without driving yourself nuts! Download the free tools I mention throughout this book and list in Appendix A. Buy commercial tools if you have the inclination and the budget. No security tool does it all. Build up your toolbox over time, and get to know your tools well. This will save you gobs of effort, plus you can impress others with your results.