<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Ethical dilemma in Tech Talk</title>
    <link>https://community.isc2.org/t5/Tech-Talk/Ethical-dilemma/m-p/17794#M785</link>
    <description>&amp;gt; iluom (Newcomer II) posted a new topic in Tech Talk on 01-10-2019 06:55 AM in&lt;BR /&gt;&lt;BR /&gt;&amp;gt; &amp;nbsp; &amp;nbsp; If executive management choose to pay fines instead&lt;BR /&gt;&amp;gt; of bringing the organization into compliance with the laws and regulations&lt;BR /&gt;&amp;gt; because the fines cost them lesser than the actual implementation of the&lt;BR /&gt;&amp;gt; controls &amp;nbsp; What would be the stance of a security manager/professional? 2 &amp;amp; 3&lt;BR /&gt;&amp;gt; are in conflict&lt;BR /&gt;&lt;BR /&gt;Easy answer. Canon 1 says to protect society, and paying fines rather than fixing&lt;BR /&gt;the problem definitely doesn't.&lt;BR /&gt;&lt;BR /&gt;&amp;gt; though you want to follow 2 you can't&amp;nbsp; in this situation..what&lt;BR /&gt;&amp;gt; is the best possible solution?&lt;BR /&gt;&lt;BR /&gt;If you can't follow 1 and 2, then quitting is the best solution. (Yes, I know you're&lt;BR /&gt;going to say that's easy to say. I've actually had to do it ...)&lt;BR /&gt;&lt;BR /&gt;====================== (quote inserted randomly by Pegasus Mailer)&lt;BR /&gt;rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org&lt;BR /&gt;I lost interest in `blade servers' when I found they didn't throw&lt;BR /&gt;knives at people who weren't supposed to be in your machine room.&lt;BR /&gt;- Anthony de Boer&lt;BR /&gt;victoria.tc.ca/techrev/rms.htm &lt;A href="http://twitter.com/rslade" target="_blank"&gt;http://twitter.com/rslade&lt;/A&gt;&lt;BR /&gt;&lt;A href="http://blogs.securiteam.com/index.php/archives/author/p1/" target="_blank"&gt;http://blogs.securiteam.com/index.php/archives/author/p1/&lt;/A&gt;&lt;BR /&gt;&lt;A href="https://is.gd/RotlWB" target="_blank"&gt;https://is.gd/RotlWB&lt;/A&gt;</description>
    <pubDate>Thu, 10 Jan 2019 18:27:22 GMT</pubDate>
    <dc:creator>rslade</dc:creator>
    <dc:date>2019-01-10T18:27:22Z</dc:date>
    <item>
      <title>Ethical dilemma</title>
      <link>https://community.isc2.org/t5/Tech-Talk/Ethical-dilemma/m-p/17777#M782</link>
      <description>&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Consider the scenario&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;If executive management choose to pay fines instead of bringing the organization into compliance with the laws and regulations because the fines cost them less than the actual implementation of the controls&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;What would be the stance of a security manager/professional? 2 &amp;amp; 3 are in conflict; though you want to follow 2, you can't in this situation. What is the best possible solution?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Code of Ethics Canons&lt;/P&gt;&lt;P&gt;1. Protect society, the common good, necessary public trust and confidence, and the infrastructure.&lt;BR /&gt;2. Act honorably, honestly, justly, responsibly, and legally.&lt;BR /&gt;3. Provide diligent and competent service to principals.&lt;BR /&gt;4. Advance and protect the profession.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Cheers&lt;/P&gt;</description>
      <pubDate>Thu, 10 Jan 2019 11:55:31 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/Ethical-dilemma/m-p/17777#M782</guid>
      <dc:creator>iluom</dc:creator>
      <dc:date>2019-01-10T11:55:31Z</dc:date>
    </item>
    <item>
      <title>Re: Ethical dilemma</title>
      <link>https://community.isc2.org/t5/Tech-Talk/Ethical-dilemma/m-p/17778#M783</link>
      <description>&lt;BLOCKQUOTE&gt;&lt;HR /&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/637665353"&gt;@iluom&lt;/a&gt;&amp;nbsp;wrote:&lt;BR /&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Consider the scenario&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;If executive management choose to pay fines instead of bringing the organization into compliance with the laws and regulations because the fines cost them lesser than the actual implementation of the controls&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;What would be the stance of a security manager/professional? 2 &amp;amp; 3 are in conflict, though you want to follow 2 you can't&amp;nbsp; in this situation..what is the best possible solution?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Code of Ethics Canons&lt;/P&gt;&lt;P&gt;1. Protect society, the common good, necessary public trust and confidence, and the infrastructure.&lt;BR /&gt;2. Act honorably, honestly, justly, responsibly, and legally.&lt;BR /&gt;3. Provide diligent and competent service to principals.&lt;BR /&gt;4. Advance and protect the profession.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Cheers&lt;/P&gt;&lt;HR /&gt;&lt;/BLOCKQUOTE&gt;&lt;P&gt;At the end of the day it is management's decision if they want to accept the risk (paying fines) of not getting into compliance. You really didn't provide enough details to show how it is an ethical dilemma.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;In number 3 you provide management with the risk of not getting into compliance (paying fines) and the cost of getting into compliance. It is up to them to do what they think is best for the business. You are not violating number 2 (the legally part) by not being in compliance. The law/regulations clearly states that if you are not in compliance, you will be fined. 
They are complying with the part of the law that says they will be fined for not being in compliance.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Remember what being a CISSP is all about. You would not fight really hard to convince management to spend a million dollars to protect a thousand dollar asset. It is your job as a CISSP/InfoSec professional to point out the costs of compliance, the costs of not meeting compliance, what not protecting the assets causes (risks, bad reputation, etc.), if there are any mitigating factors, other options, etc. so that MANAGEMENT can make the best decision as they see it.&lt;/P&gt;</description>
      <pubDate>Thu, 10 Jan 2019 12:23:26 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/Ethical-dilemma/m-p/17778#M783</guid>
      <dc:creator>CISOScott</dc:creator>
      <dc:date>2019-01-10T12:23:26Z</dc:date>
    </item>
    <item>
      <title>Re: Ethical dilemma</title>
      <link>https://community.isc2.org/t5/Tech-Talk/Ethical-dilemma/m-p/17793#M784</link>
      <description>&lt;P&gt;&lt;SPAN class="tlid-translation translation"&gt;&lt;SPAN class=""&gt;A brief and concise summary of risk management&lt;/SPAN&gt;&lt;/SPAN&gt; - &lt;A href="https://www.youtube.com/watch?v=9IG3zqvUqJY" target="_blank"&gt;https://www.youtube.com/watch?v=9IG3zqvUqJY&lt;/A&gt; &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&lt;/P&gt;</description>
      <pubDate>Thu, 10 Jan 2019 17:47:27 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/Ethical-dilemma/m-p/17793#M784</guid>
      <dc:creator>ro83</dc:creator>
      <dc:date>2019-01-10T17:47:27Z</dc:date>
    </item>
    <item>
      <title>Re: Ethical dilemma</title>
      <link>https://community.isc2.org/t5/Tech-Talk/Ethical-dilemma/m-p/17794#M785</link>
      <description>&amp;gt; iluom (Newcomer II) posted a new topic in Tech Talk on 01-10-2019 06:55 AM in&lt;BR /&gt;&lt;BR /&gt;&amp;gt; &amp;nbsp; &amp;nbsp; If executive management choose to pay fines instead&lt;BR /&gt;&amp;gt; of bringing the organization into compliance with the laws and regulations&lt;BR /&gt;&amp;gt; because the fines cost them lesser than the actual implementation of the&lt;BR /&gt;&amp;gt; controls &amp;nbsp; What would be the stance of a security manager/professional? 2 &amp;amp; 3&lt;BR /&gt;&amp;gt; are in conflict&lt;BR /&gt;&lt;BR /&gt;Easy answer. Canon 1 says to protect society, and paying fines rather than fixing&lt;BR /&gt;the problem definitely doesn't.&lt;BR /&gt;&lt;BR /&gt;&amp;gt; though you want to follow 2 you can't&amp;nbsp; in this situation..what&lt;BR /&gt;&amp;gt; is the best possible solution?&lt;BR /&gt;&lt;BR /&gt;If you can't follow 1 and 2, then quitting is the best solution. (Yes, I know you're&lt;BR /&gt;going to say that's easy to say. I've actually had to do it ...)&lt;BR /&gt;&lt;BR /&gt;====================== (quote inserted randomly by Pegasus Mailer)&lt;BR /&gt;rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org&lt;BR /&gt;I lost interest in `blade servers' when I found they didn't throw&lt;BR /&gt;knives at people who weren't supposed to be in your machine room.&lt;BR /&gt;- Anthony de Boer&lt;BR /&gt;victoria.tc.ca/techrev/rms.htm &lt;A href="http://twitter.com/rslade" target="_blank"&gt;http://twitter.com/rslade&lt;/A&gt;&lt;BR /&gt;&lt;A href="http://blogs.securiteam.com/index.php/archives/author/p1/" target="_blank"&gt;http://blogs.securiteam.com/index.php/archives/author/p1/&lt;/A&gt;&lt;BR /&gt;&lt;A href="https://is.gd/RotlWB" target="_blank"&gt;https://is.gd/RotlWB&lt;/A&gt;</description>
      <pubDate>Thu, 10 Jan 2019 18:27:22 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/Ethical-dilemma/m-p/17794#M785</guid>
      <dc:creator>rslade</dc:creator>
      <dc:date>2019-01-10T18:27:22Z</dc:date>
    </item>
    <item>
      <title>Re: Ethical dilemma</title>
      <link>https://community.isc2.org/t5/Tech-Talk/Ethical-dilemma/m-p/17796#M786</link>
      <description>&lt;P&gt;There are two differing answers here, both with valid points.&amp;nbsp; Without enough information it's hard to say.&amp;nbsp; How does the lack of fixing things violate ethics?&amp;nbsp; It's enough to violate your own sensibility and what you hold to be true, so there's something to be said about that.&amp;nbsp; If it's enough to warrant it, find a new job.&lt;/P&gt;</description>
      <pubDate>Thu, 10 Jan 2019 19:06:37 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/Ethical-dilemma/m-p/17796#M786</guid>
      <dc:creator>dreastans</dc:creator>
      <dc:date>2019-01-10T19:06:37Z</dc:date>
    </item>
    <item>
      <title>Re: Ethical dilemma</title>
      <link>https://community.isc2.org/t5/Tech-Talk/Ethical-dilemma/m-p/17804#M787</link>
      <description>&lt;P&gt;If the management team believes that fines are the only financial exposure of noncompliance, I would suggest that you have an incomplete risk analysis. I would suggest listing the risks that have been accepted in this approach. For example, a loss of customer confidence leading to lost sales, civil litigation, etc. I would also suggest you have a record of the risks and the fact the management team has accepted them.&lt;/P&gt;</description>
      <pubDate>Thu, 10 Jan 2019 20:30:37 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/Ethical-dilemma/m-p/17804#M787</guid>
      <dc:creator>SteveHardwick</dc:creator>
      <dc:date>2019-01-10T20:30:37Z</dc:date>
    </item>
    <item>
      <title>Re: Ethical dilemma</title>
      <link>https://community.isc2.org/t5/Tech-Talk/Ethical-dilemma/m-p/17811#M788</link>
      <description>&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I believe it's definitely an ethical dilemma.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;If the professional code of conduct requires them to obey the law, then security professionals may feel that they are in an ethical dilemma; that was the situation in this case.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Ethics is motivation based on ideas of right and wrong, the moral values and rules: the principles of right and wrong that are accepted by an individual or a social&amp;nbsp;group.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;If the organization is not following the rules and regulations, they are violating the law. The security manager is also part of the organization and equally responsible for what his organization is doing.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;If there is a law or regulation or an act, that is definitely for the benefit and welfare of society, not to collect fines.&amp;nbsp;Most often, laws are based on ethics and are put in place to ensure that others act in an ethical way.&lt;/P&gt;&lt;P&gt;However, laws do not apply to everything; that is when ethics should kick in. Some things may not be illegal, but that does not necessarily mean they are ethical.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The fines are to enforce law and order. Breaking the law and paying the fine is ethically incorrect, though it may be right from a business point of view. Therefore it's a dilemma for the professionals who want to stick to the code of ethics.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Canon 2 precedes canon 3.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Canon 2 says:&lt;/P&gt;&lt;P&gt;Integrity is essential to the conduct of our duties. We cannot carry out our duties effectively if others within our organization, the security community, or the general public have doubts about the accuracy of the guidance we provide or the motives behind our actions.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Then it seems quitting is the best solution based on the code of conduct in this situation.&lt;/P&gt;</description>
      <pubDate>Fri, 11 Jan 2019 02:54:54 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/Ethical-dilemma/m-p/17811#M788</guid>
      <dc:creator>iluom</dc:creator>
      <dc:date>2019-01-11T02:54:54Z</dc:date>
    </item>
    <item>
      <title>Re: Ethical dilemma</title>
      <link>https://community.isc2.org/t5/Tech-Talk/Ethical-dilemma/m-p/17812#M789</link>
      <description>&lt;P&gt;There are organisations who actively have a "slush" fund for such situations - they would rather have the penalty, and pay the fine, rather than do anything about it.&amp;nbsp; This is a decision they have taken, especially when the size of the penalty is not sufficient for them to believe they have to take action.&amp;nbsp; They just weather it, by ensuring they have contingency put aside, i.e. the "slush" fund.&amp;nbsp; Often this happens within Small to Medium Businesses or SMBs.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Regards&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Caute_cautim&lt;/P&gt;</description>
      <pubDate>Fri, 11 Jan 2019 02:56:26 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/Ethical-dilemma/m-p/17812#M789</guid>
      <dc:creator>Caute_cautim</dc:creator>
      <dc:date>2019-01-11T02:56:26Z</dc:date>
    </item>
    <item>
      <title>Re: Ethical dilemma</title>
      <link>https://community.isc2.org/t5/Tech-Talk/Ethical-dilemma/m-p/17824#M793</link>
      <description>&lt;P&gt;Consider speeding laws. If you go 1 MPH or KPH over the posted speed limit should you immediately drive yourself to the police station to turn yourself in and demand that you be arrested because you broke the law? No, most people do not, and in fact many people have a built-in cushion of speed that they are OK with exceeding. In fact most police departments will not pursue the law breaker until they exceed a certain limit above the posted limit. Why? Because it is not worth their effort to track down and try to argue about whose equipment is more correct, the law breaker's speedometer or their radar equipment. What is the penalty for exceeding the speed limit? Usually a fine, unless the speed was considerably over the limit. Most people are not going to hurt anyone by exceeding the speed limits a little. However, people who exceed the speed limit excessively do pose a risk to the other motorists (what the law was intended to protect) so the penalties should be stiffer.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Now there are other violations of driving laws, such as driving while intoxicated, that are much more dangerous. If your company was exceeding the speed limit and paying the fines I would not be so worried; however if they were doing more of the driving while intoxicated type of law breaking, then I would be much more concerned. If their non-compliance with the laws would place the finger of blame on the security person, then I would clearly document (which requires management's signature) that you had apprised them of the risks of non-compliance of continuing operations in the current manner. If they refuse to sign then document it through emailing them and ensure you keep backup copies of your emails for your records.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Of course if you are ever at a work place that is blatantly disregarding the laws and are asking you to violate your own morals and ethics, then yes, you prepare your exit plan and you leave.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Is it an ethical or moral dilemma because they "broke" the law? Remember it is not you that is breaking the law, it is them. Your duty is to inform them, provide competent advice backed up with documentation, and then they can make their business decision. If their business decision doesn't sit well with you, then you make your career decision based off of that.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I also look at 2 things: 1) The letter of the law vs 2) The intent of the law. With the speeding example above the intent of the law is to reduce deaths due to excessive speeding. The letter of the law says that the speed limit is X, so anything over X is a violation of the letter of the law. If you hold people to the letter of the law 100% of the time it can have undesired consequences. If the law is: Killing a person is illegal, and you hold everyone to the letter of the law then you eliminate self-defense, accidental deaths, justified shooting (i.e. police killing someone to prevent the person from killing others), etc. from being valid reasons why a person "broke" the law.&amp;nbsp;This is the reason we have court systems to bridge the gap that is there between the intent of the law and the letter of the law.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;So is the situation you are facing a clear intent to harm others or just the fact that the penalty is not stiff enough to warrant compliance? (If you'd rather not say, I understand.)&lt;/P&gt;</description>
      <pubDate>Fri, 11 Jan 2019 13:57:22 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/Ethical-dilemma/m-p/17824#M793</guid>
      <dc:creator>CISOScott</dc:creator>
      <dc:date>2019-01-11T13:57:22Z</dc:date>
    </item>
    <item>
      <title>Re: Ethical dilemma</title>
      <link>https://community.isc2.org/t5/Tech-Talk/Ethical-dilemma/m-p/17835#M795</link>
      <description>Since we are discussing ethics, I should mention that Patrick and I will be doing&lt;BR /&gt;"Ethics of Active Defence" next month (Feb 8, 2-4 pm PST) at the Vancouver&lt;BR /&gt;Chapter ( &lt;A href="http://www.infosecbc.org/" target="_blank"&gt;http://www.infosecbc.org/&lt;/A&gt; ). The presentation will be live-streamed&lt;BR /&gt;(Internet permitting) and archived.&lt;BR /&gt;&lt;BR /&gt;====================== (quote inserted randomly by Pegasus Mailer)&lt;BR /&gt;rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org&lt;BR /&gt;Originality is the fine art of remembering what you hear but&lt;BR /&gt;forgetting where you heard it. - Laurence J. Peter&lt;BR /&gt;victoria.tc.ca/techrev/rms.htm &lt;A href="http://twitter.com/rslade" target="_blank"&gt;http://twitter.com/rslade&lt;/A&gt;&lt;BR /&gt;&lt;A href="http://blogs.securiteam.com/index.php/archives/author/p1/" target="_blank"&gt;http://blogs.securiteam.com/index.php/archives/author/p1/&lt;/A&gt;&lt;BR /&gt;&lt;A href="https://is.gd/RotlWB" target="_blank"&gt;https://is.gd/RotlWB&lt;/A&gt;</description>
      <pubDate>Fri, 11 Jan 2019 17:42:22 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/Ethical-dilemma/m-p/17835#M795</guid>
      <dc:creator>rslade</dc:creator>
      <dc:date>2019-01-11T17:42:22Z</dc:date>
    </item>
    <item>
      <title>Re: Ethical dilemma</title>
      <link>https://community.isc2.org/t5/Tech-Talk/Ethical-dilemma/m-p/17850#M798</link>
      <description>&lt;P&gt;Sounds good, I would certainly like to catch a copy of the archive.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;No, I agree in principle with what you are stating, but the closer we get to having AI (Augmented Intelligence), not Artificial Intelligence; authorities over the Festive season gave fair warning to all and sundry there would be a 4 KM speed gap over the normal speed limits, so watch your speed.&amp;nbsp; The authorities gave fair and proper warning this would occur - but there are still people who will not obey these warnings, believe they can risk it and hope they don't get spotted by the road side cameras or overhead cameras on gantries etc.&amp;nbsp; The camera capabilities are increasingly becoming far more accurate and augmented, rather like the difference between an officer sitting on the side of the road, watching one or more pass, with radio transmission to the waiting patrol car up front.&amp;nbsp; But instead, use the camera technology with Augmented Intelligence and enhanced recognition technology to collect, sift and analyse the information, and then pass it back to control, who then issue the speeding tickets, because parameters have been exceeded.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Still over 8 road deaths over 9.6 days over the 2018/2019 festive period in New Zealand - this does not sound like many against the USA, Australia etc., for 4 million people plus many, many visitors.&amp;nbsp; Over the same period in 2017/2018, over 11.6 days, only 2 road deaths.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The most commonly cited contributing factors for crashes over the Christmas holiday period were: losing control (29 percent of reported crashes), travelling too fast for conditions (19 percent), alcohol or drugs (18 percent), inattention (16 percent), too far left (15 percent), failed to give way or stop (14 percent), inexperience (12 percent), did not see other party (10 percent), failed to keep left (10 percent), and fatigue (9 percent).&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Regards&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Caute_cautim&lt;/P&gt;</description>
      <pubDate>Sat, 12 Jan 2019 04:00:19 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/Ethical-dilemma/m-p/17850#M798</guid>
      <dc:creator>Caute_cautim</dc:creator>
      <dc:date>2019-01-12T04:00:19Z</dc:date>
    </item>
    <item>
      <title>Re: Ethical dilemma</title>
      <link>https://community.isc2.org/t5/Tech-Talk/Ethical-dilemma/m-p/27198#M1704</link>
      <description>As I think about this topic, I remember the quote that the only thing necessary for the triumph of evil is that all good people do nothing. So let’s expand on this scenario. Hypothetically speaking, let’s say the aforementioned situation is a publicly traded financial services company that does business in every state and internationally. The company also willfully lacks DLP. Let’s say they just learned they had threat actors with administrative rights in their environment for 5 years through a threat intelligence vendor’s sales inquiry and an IR investigation. In the vendor’s report they further learn accounts from Active Directory (including privileged accounts) with passwords have been dumped to Pastebin.&lt;BR /&gt;&lt;BR /&gt;In this scenario, the company’s management insists a breach disclosure is not necessary because their lack of DLP prevented the collection and logging of evidence that PII was exfiltrated. They only see credentials and passwords, not what additional data can be accessed by using them. In-house legal backs management because “no evidence is available as to what else got out besides the credentials and passwords, so proving any tangible harm with hard evidence is not possible.” In such a hypothetical situation, if management’s position is “shut up and say nothing about this ever again,” how does this get addressed properly in the professional opinion of the ISC2 community?</description>
      <pubDate>Thu, 22 Aug 2019 17:50:52 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/Ethical-dilemma/m-p/27198#M1704</guid>
      <dc:creator>russellnomer</dc:creator>
      <dc:date>2019-08-22T17:50:52Z</dc:date>
    </item>
    <item>
      <title>Re: Ethical dilemma</title>
      <link>https://community.isc2.org/t5/Tech-Talk/Ethical-dilemma/m-p/27243#M1709</link>
      <description>&lt;BLOCKQUOTE&gt;&lt;HR /&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/293529961"&gt;@russellnomer&lt;/a&gt;&amp;nbsp;wrote:&lt;BR /&gt;As I think about this topic, I remember the quote that the only thing necessary for the triumph of evil is that all good people do nothing. So let’s expand on this scenario. Hypothetically speaking, let’s say the aforementioned situation is a publicly traded financial services company that does business in every state and internationally. The company also willfully lacks DLP. Let’s say they just learned they had threat actors with administrative rights in their environment for 5 years through a threat intelligence vendor’s sales inquiry and an IR investigation. In the vendor’s report they further learn accounts from active directory (including privileged accounts) with passwords have been dumped to Pastebin.&lt;BR /&gt;&lt;BR /&gt;In this scenario, the company’s management insists a breach disclosure is not necessary because their lack of DLP prevented the collection and logging of evidence that PII was exfiltrated. They only see credentials and passwords, not what additional data can be accessed by using them . In house legal backs management because “no evidence is available as to what else got out besides the credentials and passwords, so proving any tangible harm with hard evidence is not possible. In such a hypothetical situation, if management’s position is “shut up and say nothing about this ever again; How does this get addressed properly in the professional opinion of the ISC2 community?&lt;HR /&gt;&lt;/BLOCKQUOTE&gt;&lt;P&gt;I am reminded of the philosophical&amp;nbsp;thought experiment of: If a tree falls in the forest and no one is around, does it make a sound? We can say that "Of Course it makes a sound!" when we hear this argument because we know when we are around a falling tree or other object and it hits something, we hear the sound. 
However sound is the vibration which is then transmitted to our senses in our ears and is recognized as sound only at our nerve centers. So if there are no ears to translate the vibrations, does&amp;nbsp; the falling tree really make a sound?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;You are assuming that data was exfiltrated but have nothing to prove it other than it was possible for it to have been done so. Just the possibility of it happening does not mean that it actually happened. Another way to think of it is like this: Some prosecutors are very hesitant to bring up a murder charge against someone if there is no dead body found. How can you prove the person died if you can't prove the person is dead? Just that they disappeared? It may very well be likely that they are dead because they disappeared without a trace. Here in the US we had 3 girls that were kidnapped and held for years with one girl being held 10 years. She finally escaped and the girls were rescued. I am sure that many people thought they were dead.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;How do you handle it as a CISSP? You go looking for the body (any details that would support your theory that files were in fact exfiltrated). Are you able to prove if the exfiltrated accounts accessed any files containing PII? Can you determine last accessed file dates? Can you gather evidence of file access outside normal hours?, etc.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;If you can find no evidence to support your theory that files were possibly exfiltrated then you do have to stop looking after you have given it your best effort. If someone eventually releases the data, then you have a breach. Remember the term information disclosure means that information was actually disclosed.&lt;/P&gt;</description>
      <pubDate>Fri, 23 Aug 2019 20:56:45 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/Ethical-dilemma/m-p/27243#M1709</guid>
      <dc:creator>CISOScott</dc:creator>
      <dc:date>2019-08-23T20:56:45Z</dc:date>
    </item>
    <item>
      <title>Re: Ethical dilemma</title>
      <link>https://community.isc2.org/t5/Tech-Talk/Ethical-dilemma/m-p/27248#M1711</link>
      <description>&lt;BLOCKQUOTE&gt;&lt;HR /&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/293529961"&gt;@russellnomer&lt;/a&gt;&amp;nbsp;wrote:&lt;BR /&gt;“no evidence is available as to what else got out besides the credentials and passwords, so proving any tangible harm with hard evidence is not possible.&amp;nbsp;&lt;HR /&gt;&lt;/BLOCKQUOTE&gt;&lt;P&gt;So, they had evidence of a credential leak, leading to an internal investigation which found no evidence of a PII leak.&amp;nbsp; At this point, It seems like the appropriate "disclosure" is to advise/require the credential holders to change their passwords and maybe recommend MFA.&amp;nbsp;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;We also have to focus on the fact that "breach disclosure laws " fundamentally are a legal concept.&amp;nbsp; As much as we may understand the "security" side of things, we are amateurs when it comes to the "legal" side.&amp;nbsp; Unless &lt;A href="https://www.socialworkdegreeguide.com/faq/what-is-a-mandated-reporter/#targetText=A%20mandated%20reporter%20is%20a,at%20the%20earliest%20possible%20stage." 
target="_blank" rel="noopener"&gt;mandated-reporting&lt;/A&gt; is involved, Our appropriate course of action is to to bring our legal concerns to the lawyers for analysis.&amp;nbsp; If they do not feel we have met the "burden of proof", we find more evidence or we accept the status quo.&amp;nbsp;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;If you feel that your personal legal exposure differs from the Company's, then you need your own lawyer.&amp;nbsp; It is just as easy to get in hot water for "disclosing corporate secrets" as it is for "failure to report".&amp;nbsp; &amp;nbsp;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Oh, and there probably needs to be a risk analysis on "willfully lacks DLP".&amp;nbsp; Is there a legal or contractual requirement for it?&amp;nbsp; Does not having one raise to the level of professional incompetence?&amp;nbsp; Does the cost-benefit tilt in your favor? etc.&lt;/P&gt;</description>
      <pubDate>Fri, 23 Aug 2019 22:09:12 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/Ethical-dilemma/m-p/27248#M1711</guid>
      <dc:creator>denbesten</dc:creator>
      <dc:date>2019-08-23T22:09:12Z</dc:date>
    </item>
    <item>
      <title>Re: Ethical dilemma</title>
      <link>https://community.isc2.org/t5/Tech-Talk/Ethical-dilemma/m-p/27270#M1715</link>
      <description>&lt;BLOCKQUOTE&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/637665353"&gt;@iluom&lt;/a&gt;&amp;nbsp;wrote:&lt;BR /&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Consider the scenario&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;If executive management choose to pay fines instead of bringing the organization into compliance with the laws and regulations because the fines cost them lesser than the actual implementation of the controls&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;What would be the stance of a security manager/professional? 2 &amp;amp; 3 are in conflict, though you want to follow 2 you can't&amp;nbsp; in this situation..what is the best possible solution?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Code of Ethics Canons&lt;/P&gt;&lt;P&gt;1. Protect society, the common good, necessary public trust and confidence, and the infrastructure.&lt;BR /&gt;2. Act honorably, honestly, justly, responsibly, and legally.&lt;BR /&gt;3. Provide diligent and competent service to principals.&lt;BR /&gt;4. 
Advance and protect the profession.&lt;/P&gt;&lt;HR /&gt;&lt;/BLOCKQUOTE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/637665353"&gt;@iluom&lt;/a&gt;, I don't really see any conflict between 2 and 3 in the scenario you provided.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;At work, I follow canon 2 to the best of my ability within the scope of my responsibilities, taking the 'principals' mentioned in canon 3 to be the senior management in my own organisation.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;With what you described, if you've done your research, notified senior management of the risks of non-compliance, given them all options with your recommendations, have been totally transparent, &amp;amp; haven't been sleeping over things, then you've followed 2 and 3 well enough.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Of course, if your organization's actions are clearly harming others / violating laws and you can't do much about what's happening, it's probably best to resign. (Ironically, to strictly adhere to canon 1, you might have to violate canon 4&amp;nbsp; &amp;nbsp;&lt;img id="manwink" class="emoticon emoticon-manwink" src="https://community.isc2.org/i/smilies/16x16_man-wink.png" alt="Man Wink" title="Man Wink" /&gt;)&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Also let your moral compass guide you --- no matter how much money you make, you can't buy a clear conscience to replace a guilty one. (Okay, that's probably debatable)&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Sun, 25 Aug 2019 11:16:53 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/Ethical-dilemma/m-p/27270#M1715</guid>
      <dc:creator>Shannon</dc:creator>
      <dc:date>2019-08-25T11:16:53Z</dc:date>
    </item>
    <item>
      <title>Re: Ethical dilemma</title>
      <link>https://community.isc2.org/t5/Tech-Talk/Ethical-dilemma/m-p/27294#M1716</link>
      <description>&lt;P&gt;For what it's worth, I just got around to reading the July/August InfoSecurity Professional.&amp;nbsp; Turns out that it has two articles which further this discussion...&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;"IMPROVE YOUR INCIDENT RESPONSE&lt;BR /&gt;Ways to leverage your legal team and others prior to a cyber event"&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;and&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;"DO TELL&lt;BR /&gt;Fuzzy ethical guidelines can lead to a breakdown in protecting data"&lt;/P&gt;</description>
      <pubDate>Mon, 26 Aug 2019 17:21:12 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/Ethical-dilemma/m-p/27294#M1716</guid>
      <dc:creator>denbesten</dc:creator>
      <dc:date>2019-08-26T17:21:12Z</dc:date>
    </item>
  </channel>
</rss>