Slashdot Mirror
Should Security Officers Be Network Admins?
A Nameless Submittor asks: "I work as a network administrator for a large organization. Recently our security officer has demanded from our management that she be a network administrator on every system in our environment. Currently she is not an administrator on most of our systems, although she does have enough administrative power to do auditing, manage resource accesses, and manage users. Should security officers have unrestricted access to everything on a network? A security officer with the ability to shut down servers, disable services, etc. scares the hell out of me and my coworkers. Can I fight this or am I fighting a losing battle? What is done in the rest of the world?"
Under NO circumstances should any individual with auditing power be individually IN power of all the systems protected by auditing. In my own organisation the auditing is performed by a three team-member group. Network admin's are not permitted to be in that group.
Network administrators have more than enough power to falsify audit trails in any network environment - add professional auditing skills to that person is effectively making them GOD or SATAN (and that distinction may be found only the hard way.)
I strongly advise that this individual's powers be curtailed - this person can be your worst nightmare. Demotion, promotion beyond hands-on or termination may become your hardest choices.
Beware a power-hungry (ab)user.
Aside from all this rant, Your auditor may in fact be 'legitimately' concerned and really be looking out for your company. In my experience that is a very rare occurence.
"Who will watch the watchers?" goes back to the ancient Greeks or Romans, I'm just too lazy to dig up the exact details at the moment.
I see even classic Slashdot is now pretty much unusable on dial up anymore.
You are SO right it's not funny. I've done a bunch of development work for a couple of banks. I'll tell you a typical setup
We had three identical systems
The Development group had Read/write to the development server, and full read, and VERY limited write permissions to test - we could put stuff in a drop box. We had LIMITED read privileges on the production servers - like WHO was on the server, and what the bin files looked like, so that we could audit the system, but NOT the data - we could NOT read the data
The Production admins had read only permissions on the development server (again, admin reasons), could read/write to the test server, BUT had read only to the drop box, and were full admins on the production box.
ANY changes made to the software were tested fully on the development box, and a script was written to apply these changes to the test/development boxes. A copy of the production database from the PREVIOUS month was loaded on the test database, and the script applied. ALL the transactions for the previous month were entered, and if the results on the test box matched the results for end of month on the production server, THEN, and ONLY then would the production admins take the script from the test box, and apply it to the production server. We would then audit production against test, to make sure that no one changed the script.
You know, it's fairly easy to talk bosses into this when they know that if they screw up, they will be spending time behind bars
-- 73 de KG2V For the Children - RKBA! "You are what you do when it counts" - the Masso
It sounds like your "security" officer got the job without any formal training in a true security background. In any large organisation, no person should have absolute power. Powerful functions should be divided up between different people to prevent any lone individual from harming too much of the system.
One of the basic rules of security, whether it is handling cash or running a network, is the separation of duties. I don't know of any bank which allows any person, even the president, full access to everything. There has to be a system of human checks and balances whenever there is something of high value to be protected. If she doesn't understand this, try to make it clear to her superiours that her request is so completely off the scale it makes her the biggest threat to the company.
I'm going to spread some follow-up comments around other threads about the competency of a security officer. The only people with root/admin/enable access should be those who have demonstrated a strong skill and professional understanding of each system. Your unix admins should not have router passwords, and so on.
the AC
Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
If you did not sound so serious, this almost seems like a test you would be given by your security people. Who will you give access to...?
I hope you said "Sorry. No can do..." Giving the security office access to everything implies that "security" will not be a risk. This goes with the same logic that police don't commit crimes. While generally true, there are exceptions and they are caught by the process. The process says one person cannot do everything or there is no security.
Perhaps she does not understand enough to know what permissions she may need. Find out what she thinks sysadmin will give her that cannot be done in some other fashion.
Tell her that's fine as long as you get keys for every lock, schematics for all the surveillance and alarm systems, et cetera. Tell her you wouldn't *dream* of abusing your new powers.
I see even classic Slashdot is now pretty much unusable on dial up anymore.
Should security officers have unrestricted access to everything on a network? A security officer with the ability to shut down servers, disable services, etc. scares the hell out of me and my coworkers.
I envy your problem. I really do. Because I have similar problems, but I think the scope may be a little different.
My boss, the General Manager of my company, has entrusted me with ensuring that we having Internet access. Mail, website, connectivity for users, etc.
We have some accounting software running on the Windows machines around the office that requires a $60 license fee every time you reinstall it. Criminal, okay. But that's the agreement that was made (by him) with the software vendor.
Most of the machines around the office are aging Dell Optiplex Pentium 133s. 1 gig hard disk drives, mass-installed Windows 95A. Flakey to begin with, downright unusable with several years of OS decay.
So, the machine that belongs to our receptionist went down. Windows has done its trademark self-corruption. And Pat's the ultimate do-it-yourselfer. Rather than calling me, he figured he'd fix her machine. Instead, he managed to make it blue screen and halt on startup. Then he spent 10 hours - I counted - playing with the machine, copying files, copying even the entire registry off another machine, back and forth until the thing started up with a minimum of accusatory dialog boxes.
Now, Pat makes over $150/hour. So, minimum, it's cost the company $1,500 to not have to pay a $60 license fee. And the machine is still running Windows 95A, it's still as unstable as all hell. And now, there are ten "Missing File" warnings when the system starts up. At this point, I flatly refuse to touch it until I'm given permission to format the drive and reinstall Windows (95B this time).
And now Pat wants root access on our Linux server. Why? Because no one should have root except him. No one should be able to read his private e-mail but him. (Like I care to read his private e-mail.)
An IT guy from our (former) head office was visiting one day as our division of the company was sold and we were being disconnected from the WAN. While we were talking, Pat decided to show me up in front of the other IT guy.
"Do you really think that the President of this fucking company has an e-mail account that can be looked at by any junior IT person?"
Steve, the corporate head office IT guy, had had enough. He didn't care, Pat was no longer his boss. He just cracked up at Pat, and told him that he'd extricated choking attachments from the president's e-mail account a couple of times. Even so, Pat remained unconvinced.
To shut him up, I gave him a shell account. Evidently, I didn't give him root, but I told him that I did. Of course, the dollar sign at the prompt wasn't a tip-off; I didn't think it would. A couple of days later, I checked his history file. The results were predictably amusing:
1 dir2 dir c:
3 win
4 cd windows
5 scandisk c:
At approximately this time, the log files show that the filesystems were forcibly unmounted and the system rebooted. A minute after the reboot, Pat logged in again:
6 dir7 win
8 WIN!
9 what the fuck is wrong with this piece of shit!
10 WINDOWS
11 sCANDISK
After this, the system went down again, and remained down because it was "broken", until I arrived back in the office from a meeting with some of our customers. When I walked into the office, he started screaming at me about how unreliable the computer was.
In fact, there was no problem with it at all, it had been working fine; our ISP had gone down briefly, and when our service was therefore interrupted, it was assumed that the server was at fault.
It had already been explained to Pat that this machine was neither running DOS, nor was it running Windows, and that commands for those didn't work.
Now, not knowing how your security officer is, I don't know how I'd feel about giving anyone access. If I'm the one who is gonna take the fall if the system goes down, no one gets administrator access but me. Period.
Fire and Meat. Yummy.