We in information security know that confidentiality, integrity, and availability are the cornerstones of our business and the basis for our livelihood. Even so, how many of us can say that we abide by these principles in every area of our lives?
Some of us have come up the ranks of information technology, starting as an information systems analyst, perhaps, installing Windows 3.1 or managing a Novell 2.0 LAN. Possibly even earlier than that we were "good" hackers in high school – helping our friends pass the programming assignment for math class. We set ourselves apart from others by proving that we had skills that we could put to good use – skills someone else could possibly use as well.
Some of us took advantage of the gift we learned or acquired by making deals with people. We would say: "I'll write this program for you if you can get me a date with that girl" or, "I'll hack into the school computer and modify your grade in math if you can get me tickets to the concert and get the rest of the guys to stop harassing me." You get the picture, and if you are thinking: "How high school!" then try the next scenario.
You're working late (as usual), scandalously underpaid for the hours you put in and the contribution you make to the company. You are reviewing IDS logs and firewall activity and, as you tidy up the server ACLs, you notice something unusual. It's unusual only because it's 11p. m. and you'd assumed that everyone else had gone home for the night.
There is a spike of activity on the network in the accounting VLAN and the accounting department's server is experiencing a large amount of data transfer. Someone is accessing the data for the company payroll and looks to be moving quite a bit of information off the server to a system in the office down the hall.
Delving deeper, you see it is actually your boss, the IT director, copying the entire payroll database onto his laptop. Not only that, but he has also accessed the HR files and made significant inroads into moving that data to offline storage as well.
Now, is it ethical to even be monitoring this activity to the point of knowing one colleague's hire date? Or learning that another was not laid off, but fired for surfing casino sites five hours a day? Your boss, who might have already known this information because of the nature of the data, is illegally copying it to an unsecured location for reasons yet unknown. You're facing a dilemma.
Do you approach your boss to discuss the matter, possibly getting into a problem area in your own professional growth because of this catch-22? Can you work the system from the other direction, digging deeper into this foray of information exchange, even possibly determining a bargaining point with which to blackmail your boss? Maybe there is a middle ground – where he makes a deal with you – something that is mutually beneficial for you both?
Sometimes, we make agreements with ourselves for future reference. We tell ourselves that if we happen to get into a particular situation, this is how we will approach it. When that situation arises, though, if we look one way and see something we don't like, what happens if we look at it another way? Will the offending sight be changed enough to be tolerated? Is being tolerant enough in most circumstances? Don't some of us require some kind of action from ourselves to accept that what we think is right or wrong is in fact "that way"?
At what point do we let our sense of self-preservation take over? When do we turn away from what we know is the responsible course of action in order to ensure our own survival? Do you stop to help at an accident scene, or just pass slowly by and stare, endangering others?
When you're at a co-worker's desk and her username and password are on a sticky note on the monitor, do you remove it and throw it away? Do you reproach her, or instruct her in the proper use of username and password management, ensuring that at least the next time you come to her desk, the sticky note will be inside the drawer instead of on the monitor?
Or do you take a mental picture of the offence at the "accident scene" and hope that someone else will take care of it? Do you smile wryly and think: "Oh well, they'll learn someday," as you continue on your way?
We in the infosec industry should pride ourselves on our moral and ethical standards to promote the good use of proper security techniques in the workplace.
However, we mustn't let our pride in our professional activities stagnate the way we behave during the rest of our lives, outside of work.
When it is safe to do so, stop and help people when they need it. Contact someone else to help them if you are unable to do so. Don't assume someone else will clean up after an accident, and take precautionary measures to prevent the next one. Make active efforts to improve everyone's experience, and remember that even though things are not just black and white, there are not that many shades of grey.
Andy Infante is project manager and lead engineer of network security systems for military health systems at SPAWAR