iluom
Contributor II

Ethical dilemma

 

Consider the scenario

 

If executive management chooses to pay fines instead of bringing the organization into compliance with the laws and regulations, because the fines cost them less than the actual implementation of the controls,

 

what would be the stance of a security manager/professional? 2 & 3 are in conflict; though you want to follow 2, you can't in this situation. What is the best possible solution?

 

Code of Ethics Canons

1. Protect society, the common good, necessary public trust and confidence, and the infrastructure.
2. Act honorably, honestly, justly, responsibly, and legally.
3. Provide diligent and competent service to principals.
4. Advance and protect the profession.

 

Cheers

Chandra Mouli, CISSP, CCSP, CSSLP
15 Replies
Caute_cautim
Community Champion

Sounds good, I would certainly like to catch a copy of the archive.  

 

No, I agree in principle with what you are stating, but the closer we get to having AI (Augmented Intelligence), not Artificial Intelligence, the more this matters. Authorities over the festive season gave fair warning to all and sundry that there would be a 4 km/h speed tolerance over the normal speed limits, so watch your speed. The authorities gave fair and proper warning this would occur, but there are still people who will not obey these warnings, believe they can risk it, and hope they don't get spotted by the roadside cameras or overhead cameras on gantries etc. The camera capabilities are increasingly becoming far more accurate and augmented, rather like the difference between an officer sitting on the side of the road watching one or more pass, with radio transmission to the waiting patrol car up front. But instead, they use the camera technology with Augmented Intelligence and enhanced recognition technology to collect, sift and analyse the information, and then pass it back to control, who then issue the speeding tickets because parameters have been exceeded.

 

Still, over 8 road deaths over 9.6 days in the 2018/2019 festive period in New Zealand. This does not sound like many against the USA, Australia etc., for a 4 million period plus many, many visitors. Over the same period in 2017/2018, over 11.6 days, there were only 2 road deaths.

 

The most commonly cited contributing factors for crashes over the Christmas holiday period were; losing control (29 percent of reported crashes), travelling too fast for conditions (19 percent), alcohol or drugs (18 percent), inattention (16 percent), too far left (15 percent), failed to give way or stop (14 percent), inexperience (12 percent), did not see other party (10 percent), failed to keep left (10 percent), and fatigue (9 percent).

 

Regards

 

Caute_cautim

russellnomer
Reader I

As I think about this topic, I remember the quote that the only thing necessary for the triumph of evil is that all good people do nothing. So let’s expand on this scenario. Hypothetically speaking, let’s say the aforementioned situation is a publicly traded financial services company that does business in every state and internationally. The company also willfully lacks DLP. Let’s say they just learned they had threat actors with administrative rights in their environment for 5 years through a threat intelligence vendor’s sales inquiry and an IR investigation. In the vendor’s report they further learn accounts from active directory (including privileged accounts) with passwords have been dumped to Pastebin.

In this scenario, the company's management insists a breach disclosure is not necessary because their lack of DLP prevented the collection and logging of evidence that PII was exfiltrated. They only see credentials and passwords, not what additional data can be accessed by using them. In-house legal backs management because "no evidence is available as to what else got out besides the credentials and passwords, so proving any tangible harm with hard evidence is not possible." In such a hypothetical situation, if management's position is "shut up and say nothing about this ever again," how does this get addressed properly in the professional opinion of the ISC2 community?
CISOScott
Community Champion


@russellnomer wrote:
As I think about this topic, I remember the quote that the only thing necessary for the triumph of evil is that all good people do nothing. So let’s expand on this scenario. Hypothetically speaking, let’s say the aforementioned situation is a publicly traded financial services company that does business in every state and internationally. The company also willfully lacks DLP. Let’s say they just learned they had threat actors with administrative rights in their environment for 5 years through a threat intelligence vendor’s sales inquiry and an IR investigation. In the vendor’s report they further learn accounts from active directory (including privileged accounts) with passwords have been dumped to Pastebin.

In this scenario, the company's management insists a breach disclosure is not necessary because their lack of DLP prevented the collection and logging of evidence that PII was exfiltrated. They only see credentials and passwords, not what additional data can be accessed by using them. In-house legal backs management because "no evidence is available as to what else got out besides the credentials and passwords, so proving any tangible harm with hard evidence is not possible." In such a hypothetical situation, if management's position is "shut up and say nothing about this ever again," how does this get addressed properly in the professional opinion of the ISC2 community?

I am reminded of the philosophical thought experiment: if a tree falls in the forest and no one is around, does it make a sound? We can say "Of course it makes a sound!" when we hear this argument, because we know that when we are around a falling tree or other object and it hits something, we hear the sound. However, sound is the vibration which is then transmitted to our senses in our ears and is recognized as sound only at our nerve centers. So if there are no ears to translate the vibrations, does the falling tree really make a sound?

 

You are assuming that data was exfiltrated but have nothing to prove it other than it was possible for it to have been done so. Just the possibility of it happening does not mean that it actually happened. Another way to think of it is like this: Some prosecutors are very hesitant to bring up a murder charge against someone if there is no dead body found. How can you prove the person died if you can't prove the person is dead? Just that they disappeared? It may very well be likely that they are dead because they disappeared without a trace. Here in the US we had 3 girls that were kidnapped and held for years with one girl being held 10 years. She finally escaped and the girls were rescued. I am sure that many people thought they were dead.

 

How do you handle it as a CISSP? You go looking for the body (any details that would support your theory that files were in fact exfiltrated). Are you able to prove whether the exfiltrated accounts accessed any files containing PII? Can you determine last-accessed file dates? Can you gather evidence of file access outside normal hours? etc.

 

If you can find no evidence to support your theory that files were possibly exfiltrated then you do have to stop looking after you have given it your best effort. If someone eventually releases the data, then you have a breach. Remember the term information disclosure means that information was actually disclosed.

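The post above describes the investigative step (check whether the dumped accounts touched PII locations, when, and whether outside normal hours). As an added illustration, not code from the post or from any real incident, here is how that triage could be scripted in Python over a file-server audit export. The log format, the account names, the PII path prefixes, the business-hours window and the sample records are all constructed assumptions for this example.

```python
"""Triage a file-access audit export for activity by compromised accounts.

Added example. Everything below (log format, accounts, paths, sample lines)
is constructed for illustration and is not from the forum thread.
"""
from collections import defaultdict
from datetime import datetime

# Accounts that appeared in the (hypothetical) credential dump.
COMPROMISED_ACCOUNTS = {r"CORP\svc_backup", r"CORP\jdoe", r"CORP\admin.ops"}

# UNC prefixes the (assumed) data-classification inventory marks as PII.
# Written with escapes because a raw string cannot end in a backslash.
PII_PATHS = ("\\\\fs01\\hr\\", "\\\\fs01\\customers\\")

# Business hours in the log's timezone (assumed UTC): Mon-Fri 08:00-18:00.
BUSINESS_START, BUSINESS_END = 8, 18

# Constructed sample export, one record per line: time|user|action|path|bytes
SAMPLE_LOG = "\n".join([
    r"2019-03-04T09:12:31Z|CORP\alice|READ|\\fs01\hr\payroll_2018.xlsx|48210",
    r"2019-03-04T23:41:07Z|CORP\jdoe|READ|\\fs01\customers\accounts.csv|913002114",
    r"2019-03-05T02:10:55Z|CORP\svc_backup|READ|\\fs01\customers\ssn_export.csv|28811230",
    r"2019-03-05T10:05:12Z|CORP\jdoe|READ|\\fs01\eng\roadmap.pptx|21010",
    r"2019-03-06T11:00:00Z|CORP\bob|WRITE|\\fs01\hr\onboarding.docx|5120",
    r"2019-03-06T14:22:09Z|CORP\jdoe|READ|\\fs01\hr\org_chart.xlsx|4096",
    r"2019-03-09T14:30:00Z|CORP\admin.ops|READ|\\fs01\hr\benefits.docx|10210",
])


def parse_line(line):
    """Split one pipe-delimited record into a dict with a parsed timestamp."""
    ts, user, action, path, size = line.rstrip("\n").split("|")
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user,
        "action": action,
        "path": path,
        "bytes": int(size),
    }


def is_off_hours(ts):
    """True on weekends or outside the assumed business-hours window."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.hour < BUSINESS_END)


def touches_pii(path):
    """True if the path sits under one of the PII share prefixes."""
    return path.lower().startswith(tuple(p.lower() for p in PII_PATHS))


def triage(log_text, compromised=COMPROMISED_ACCOUNTS):
    """Return (findings, bytes_per_account).

    findings: records where a compromised account read or wrote a PII
    location, each tagged with whether it happened off hours.
    bytes_per_account: total bytes touched by each compromised account,
    PII or not, as a rough volume indicator for the investigator.
    """
    findings = []
    per_user = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["user"] not in compromised:
            continue
        per_user[rec["user"]] += rec["bytes"]
        if touches_pii(rec["path"]):
            rec["off_hours"] = is_off_hours(rec["ts"])
            findings.append(rec)
    return findings, dict(per_user)


if __name__ == "__main__":
    found, volume = triage(SAMPLE_LOG)
    for f in found:
        flag = "OFF-HOURS" if f["off_hours"] else "in hours"
        print(f"{f['ts']:%Y-%m-%d %H:%M} {f['user']:<18} {f['action']:<5} "
              f"{f['bytes']:>10} {flag}  {f['path']}")
    print("bytes per compromised account:", volume)
```

An empty findings list only says this log source holds no evidence; it does not say nothing happened, which is exactly the gap a missing DLP or audit-logging capability leaves. The volume column matters because a single 900 MB read of a customer table by a dumped account at 23:41 is the kind of detail that moves the question from "possible" toward "supported by evidence".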
denbesten
Community Champion


@russellnomer wrote:
“no evidence is available as to what else got out besides the credentials and passwords, so proving any tangible harm with hard evidence is not possible. 

So, they had evidence of a credential leak, leading to an internal investigation which found no evidence of a PII leak. At this point, it seems like the appropriate "disclosure" is to advise/require the credential holders to change their passwords and maybe recommend MFA.

 

We also have to focus on the fact that "breach disclosure laws" are fundamentally a legal concept. As much as we may understand the "security" side of things, we are amateurs when it comes to the "legal" side. Unless mandated reporting is involved, our appropriate course of action is to bring our legal concerns to the lawyers for analysis. If they do not feel we have met the "burden of proof", we find more evidence or we accept the status quo.

 

If you feel that your personal legal exposure differs from the Company's, then you need your own lawyer.  It is just as easy to get in hot water for "disclosing corporate secrets" as it is for "failure to report".    

 

Oh, and there probably needs to be a risk analysis on "willfully lacks DLP". Is there a legal or contractual requirement for it? Does not having one rise to the level of professional incompetence? Does the cost-benefit tilt in your favor? etc.

Shannon
Community Champion

@iluom wrote:

 

Consider the scenario

 

If executive management chooses to pay fines instead of bringing the organization into compliance with the laws and regulations, because the fines cost them less than the actual implementation of the controls,

 

what would be the stance of a security manager/professional? 2 & 3 are in conflict; though you want to follow 2, you can't in this situation. What is the best possible solution?

 

Code of Ethics Canons

1. Protect society, the common good, necessary public trust and confidence, and the infrastructure.
2. Act honorably, honestly, justly, responsibly, and legally.
3. Provide diligent and competent service to principals.
4. Advance and protect the profession.


 

@iluom, I don't really see any conflict between 2 and 3 in the scenario you provided.

 

At work, I follow canon 2 to the best of my ability within the scope of my responsibilities, taking the 'principals' mentioned in canon 3 to be the senior management in my own organisation.

 

With what you described, if you've done your research, notified senior management of the risks of non-compliance, given them all options with your recommendations, been totally transparent, and haven't been sleeping over things, then you've followed 2 and 3 well enough.

 

Of course, if your organization's actions are clearly harming others / violating laws and you can't do much about what's happening, it's probably best to resign. (Ironically, to strictly adhere to canon 1, you might have to violate canon 4 ;) )

 

Also, let your moral compass guide you: no matter how much money you make, you can't buy a clear conscience to replace a guilty one. (Okay, that's probably debatable.)

 

 

Shannon D'Cruz,
CISM, CISSP

www.linkedin.com/in/shannondcruz
denbesten
Community Champion

For what it's worth, I just got around to reading the July/August InfoSecurity Professional. It turns out that it has two articles which further this discussion:

 

"IMPROVE YOUR INCIDENT RESPONSE
Ways to leverage your legal team and others prior to a cyber event"

 

and 

 

"DO TELL
Fuzzy ethical guidelines can lead to a breakdown in protecting data"