Slashdot Mirror


Security Responsibility Without the Authority?

Slashdot reader jamie submits this story about security administration. If you have the responsibility for security without the authority to make changes, your only role is to be the fall guy when something goes wrong.


  1. On the other hand by tverbeek · · Score: 4, Insightful

    On the other hand, having the authority without the responsibility is a much larger disaster waiting to happen.

    --
    http://alternatives.rzero.com/
    1. Re:On the other hand by Spoing · · Score: 2, Insightful
      I could work with you.

      Have you enforced network-level (router + firewall) segmentation yet? (Ex: Systems A & B and B & C can see each other, though not A & C.)

      --
      A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
    2. Re:On the other hand by Anonymous Coward · · Score: 1, Insightful

      From another source, possibly not popular in these circles, is a paper on "Security Considerations for Information Security" http://www.microsoft.com/technet/security/bestprac/bpent/sec2/seconaa.mspx An excerpt:

      Security is everybody's responsibility. The creation of a secure IT environment is not just the responsibility of your organization's IT staff. Everyone in the organization has the responsibility to respect and implement the corporate security policies.

      If that's the case, then most companies are fucked. You just can't explain to some people, "Don't open the email that claims to have nude photos of Anna Kournikova, no matter how much you want to see nude photos of Anna Kournikova." They simply won't listen. And I'm not trying to be funny. This was an actual problem at a place I worked a few years ago.

      Likewise, the admin assistant will always put his/her password on a post-it note on their monitor, so anybody who walks by can just see it at a glance.

      Plus, education takes money. Most small companies don't have enough money to hire enough people to do the job correctly, let alone spend money training the ones they did hire.

      As much as I hate to say it, I honestly don't see how you can secure a facility without automated measures that enforce who can do what.

    3. Re:On the other hand by Anonymous Coward · · Score: 2, Insightful

      Did he manage to get another job afterward, though? I think that says something about someone that he chose to remain in such a crappy environment that he had to record all his conversations and prepare for the inevitable shitstorm. He could have just left for a new job with a more positive situation, in which he had the resources he needed.

    4. Re:On the other hand by tverbeek · · Score: 3, Insightful
      "Security is everybody's responsibility."

      Never mind where this came from. Although it sounds good, it's the sort of platitude that can easily mean the opposite. That's because when you make everyone responsible for something, that means that no one is responsible for it. The buck doesn't stop anywhere, so when there's a lapse, the responsible party is arguably "everyone", and those who simply do not have the authority to take responsibility for security (which is most)... won't.

      --
      http://alternatives.rzero.com/
  2. Should be obvious but... by Blair16 · · Score: 2, Insightful

    I think that would be time to start looking for another job... FAST!
    Absolutely no good can come out of this situation except as a blurb on your resume. i.e. Was responsible for network security at firm with more than 500 computers for the last 6 months.

    --

    Chaos will always win out over order because chaos is more organized
  3. False priorities by FiReaNGeL · · Score: 4, Insightful

    The phenomenon isn't specific to IT security admins; it's the (sad) consequence of corporations with 'false priorities' ('one hand doesn't know what the other is doing' thing). Management asks you to do something they don't have a clue about (in this case, improving security on a network). Then you ask for resources to do the job, and the Finance guys refuse for budget (priorities) reasons.

    Basically, you're stuck in a bad position: management yells at you if anything goes wrong, Finance is annoyed by your constant demands they see no 'use' for.

    Of course, not every business works this way. But it tends to when the company gets too large...

  4. Double-edged sword by fembots · · Score: 5, Insightful

    But what happens when one can set rules and enforce them at the same time? That'll be too much power.

    Usually in a company, IT department takes care of the administration of IT-related stuff, and HR takes care of the rules/policies.

    If these two departments don't complement each other, that's the problem to be fixed, instead of mixing two different roles together.

    That's my personal experience anyway, I find it easier to tell the users to take it to HR (or vice versa) than having to deal with (punish) or explain certain policies to users.

    1. Re:Double-edged sword by trashcanman · · Score: 4, Insightful

      I think perhaps you are missing the point that fembots was trying to make. Putting the authority to both make and enforce policy into one department invites corruption and uninformed policy making. I agree with fembots that the policy making group should be independent of the policy enforcement group in any large organization. That being said, I think it is imperative that the policy making group understand the implications of its policy. Thus, having some kind of IT expertise in the HR department (or at least in the IT policy making process) is required to make a policy that is informed and enforceable.

      So all of the actions you alluded to in your comment (password length, firewall rules, etc.) would be the job of IT (or IT Security) to enforce, whereas the writing of the IT policies would be the responsibility of the HR department (with participation of IT technical resources from within or outside the HR department). This is usually the way it works for physical security in most large organizations.

      --
      The Dread Pirate Roberts is here for your soul!
  5. one word : document by Anonymous Coward · · Score: 5, Insightful

    As with any job where you might be in a delicate position or 'the target' should things go wrong that are beyond your control (whether due to lack of authority or lack of omniscience), Document, Document, Document... do your due diligence, report any possible vulnerabilities, suspicions of attack and recommended changes to your immediate boss, your IT/CIS team and their managers. Be public, but don't be patronizing. This 'paper trail' will help you immensely should you be terminated over some security breach should you be able to prove that, were your suggestions implemented, the breach could have been prevented. Security work is ridden with chance: if there is a flaw in the hardware or software that had not been documented at the root of a breach, report that this is a new issue with that particular system and that a patch is available and has (or should, if you lack even the authority to patch) be applied immediately, or that a patch is not yet available. I'm not a litigious person by nature but I wouldn't hesitate to sue on the grounds of wrongful termination if I could present evidence that I had made those in power aware of the problem and had not received authorization to make the changes that would have prevented the breach.

    If you're the security guy, you Are the fall guy by default, but if you don't leave a document trail behind to show due diligence you will have no cushion for your fall.

    Follow the same basic guidelines that the medical profession uses - document anomalies, perform frequent monitoring, document changes. All of this will help greatly should you be in the unfortunate position of having to take legal action against a former employer.

    That this is necessary is sad, but it Is necessary.

  6. It's all political. by khasim · · Score: 4, Insightful

    It isn't about getting anything out of Microsoft. It isn't about the EULA.

    It's about being able to say that it isn't YOUR fault. You did what EVERYONE ELSE was doing. Then you pull out the magazines and articles about how whatever just happened to you has been happening all over to other companies.

    In many companies, it is more important to not be blamed for a problem than it is to be the one who solved a problem.

    1. Re:It's all political. by Fulcrum+of+Evil · · Score: 2, Insightful

      In many companies, it is more important to not be blamed for a problem than it is to be the one who solved a problem.

      Fuck 'em. I want a company that's interested in getting the job done right, not playing stupid blame games when they screw up.

      --
      "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
    2. Re:It's all political. by ScrewMaster · · Score: 4, Insightful

      Going back even further, remember the phrase "you can't get fired for buying IBM?" That pretty much epitomizes the pack-mentality approach to IT ... do whatever everyone else is doing and you, personally, have your ass covered. Doesn't matter if you've left your company wide-open for a security breach, or simply wasted the company's resources on an inadequate solution. Nowadays, of course, it's "you can't get fired for buying Microsoft" although there are an awful lot of people, from CEOs on down, that ought to have their asses in a sling for that reason alone. From my perspective, if a corporation deliberately stores my personal information using a server OS that is known to have more security holes than the Moon has craters, when that info is stolen the people that made that decision should be up on charges of negligence or worse.

      --
      The higher the technology, the sharper that two-edged sword.
  7. Re:cliches in this industry by Fulcrum+of+Evil · · Score: 4, Insightful

    anyone ever had to use their own property to band-aid something within the company about ready to explode?

    Don't ever do that. If you do, then they think their current budget is fine, so they won't pony up the next time, and, should you ever leave, how are you ever going to retrieve your property?

    --
    "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
  8. You've got to be kidding! by JackHolloway · · Score: 3, Insightful
    If you think the only way to fix something is to use your own kit, you have a big problem.

    That's like working for free...and probably about as legal. You need to suck it up and tell the boss "we need this piece, and if we don't get it, Bad Things(tm & C ) will happen."

    And document it to within an inch of its life.

    That way, when the witch hunt starts, you can whip out those docs from your own personal Pearl Harbor file and show that you knew what you needed, and were told to sod off.

    Holloway's laws of business...

    - Always document everything, even the slightest move. That way you have a paper trail to cover your ass.

    - If your employer is asking you to do dodgy things to keep them running, tell them what the bill will be. If they threaten your employment, it's time to hit the silk anyway. They are going to make a smoking crater in the sand...

    My two centisols

    --
    "It may just be that there is something fundamentally unworkable about government itself" -H. Beam Piper
  9. Security is everyone's responsibility but ... by Anonymous Coward · · Score: 4, Insightful

    ...your only role is to be the fall guy when something goes wrong.

    Any time security goes amok... look to management as the culprit. If anyone points fingers at anyone else but management they really don't know too much.

    Management has the political power, the money and the fiduciary responsibility.

    And if they don't know the assessed level of their security and security requirements, this then means they aren't doing their job.

  10. It's still political. by khasim · · Score: 4, Insightful
    Fuck 'em. I want a company that's interested in getting the job done right, not playing stupid blame games when they screw up.

    In which case, you need a boss who understands the politics and is ACTIVELY working to counter them AND has the support of HIS boss.

    Politics happen in companies. Politics happen anytime you get 3 or more people working together.

    It all comes down to different people having different agendas working together in a company with limited resources.

    The sad thing is that once your technical skills are at the "minimally competent" level, you'd be better advised to learn corporate politics to further your career.

    A technical genius without political skills can be used and abused by a mediocre technologist with good political skills.
    1. Re:It's still political. by Fulcrum+of+Evil · · Score: 2, Insightful

      In which case, you need a boss who understands the politics and is ACTIVELY working to counter them AND has the support of HIS boss.

      I am familiar with the need for a champion (connected person pushing for your project), and the current place I'm at is so very bad at this stuff. I'm mostly venting.

      The sad thing is that once your technical skills are at the "minimally competent" level, you'd be better advised to learn corporate politics to further your career.

      Got any pointers? This technical genius would like to further himself out of the cannon fodder box and into something more lucrative.

      --
      "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
    2. Re:It's still political. by CamMac · · Score: 2, Insightful

      A technical genius without political skills can be used and abused by a mediocre technologist with good political skills.

      That's my career plan! :-) No seriously... I see so many bright and capable people who can't play the politics game and get ground to wheat because of it. I'm good at the technical aspects, but some of these people are so much better than I am. So I figure that in return for protecting them and getting them what they want and need, I'll get them to do great things for me.

      --Cam

      --
      All jocks think about is sports. All nerds think about is sex.
  11. Security led at the VP level by Skapare · · Score: 4, Insightful

    I used to work at a major financial services company. This was just as commercialism was just discovering the existence of the internet, so I was hired to design and deploy their high speed redundant connectivity. One thing this company did right, I think, is that all of their security was focused through the VP of Auditing, who reported to the CFO. And the guy who had this position was smart enough to know he knew very little about security and had to learn. I actually got to teach him more about it. We formed a group of people (at my suggestion), including another network engineer, two accountants, and one of the staff lawyers, as the security committee. His original mandate was network security. But in our first group meeting I gave a presentation on one of my long long ago hacking efforts (back in the mainframe days) that successfully broke into a major insurance company's three mainframes. I explained to them how I did it using entirely social engineering. Of course I had knowledge of the system, but I didn't utilize any bugs in the system to get in. With this I was able to get the group to change the focus of security from one strictly focusing on computer technology, to one that would be applied to everything the company did. Software bugs and misconfigured servers are, of course, important, but people are the weakest link in security, and this is even more so the larger a corporation is. Every operation of a company must consider security across the board.

    --
    now we need to go OSS in diesel cars
  12. CYA or get another job. by Anonymous Coward · · Score: 4, Insightful

    If you're responsible then you make the recommendations. If they aren't followed you warn of the consequences. If the consequences result your ass is covered. This is BASIC employee CYA.

    If you do your CYA bit well your boss will follow with his CYA bit and eventually someone will sign a check or the memos will stop with someone stupid enough to take the fall. Otherwise you don't want to be working there. Work's no fun if you can't do your job.

    If you don't like the CYA game, spend the time and effort you would put into implementing your recommendations into finding another job.

    Life's not that difficult!

  13. This is not specific to IT by EmbeddedJanitor · · Score: 3, Insightful
    The responsibility vs authority thing is exactly the same for IT as it is for just about any other activity involving many people.

    When I was in the army 20 years ago I had the "responsibility" to get a bunch of guys to move some furniture. Unfortunately I did not have authority over these troops since they belonged to another division.

    --
    Engineering is the art of compromise.
  14. Re:This was the reason by ergo98 · · Score: 3, Insightful

    Interesting.

    I'd say more often the exact opposite is true. People choose Linux because of the general perception that it is the more stable, more secure choice. After a rooting the security admin can proclaim "All the press and the community said it was the greatest thing since sliced bread...I don't know what went wrong!"

    Given all the bad publicity Microsoft has (deservedly) received, it is a huge risk for architects and security admins to choose Windows -- when things go wrong everyone can immediately claim "duh! You picked Windows you idiot!" (see the Navy fiasco with the dead-at-sea warship, or the recent LAX fiasco. Both were application layer faults but that didn't stop the routine presumption that the core fault was the idiots that chose to base them on Windows).

    In other words reapply the old "no one got fired for choosing IBM" onto Microsoft, which is who I'm presuming you're implying, is a false comparison. People choose Windows at great peril, and when their line-level admin doesn't bother with patches or basic security practices, instead it's the guy who chose Windows that gets the blame.

  15. Stupid IT Policies by Stupid+White+Man · · Score: 4, Insightful

    I have a client, however, whose IT security policy is so strict (14 characters, alpha, numeric, plus special) that each and every employee has taken to writing down their user/password on a post-it note and taping it to their monitor or under their keyboard. Just walking through the office you can pick up at least 6 user/passwords. I've tried to argue with the head dick in charge, and all I get is BS. Why put together a security policy so strict that it keeps employees from doing their jobs, or forces them to write down their passwords out of ignorance? Nothing worse than that.

  16. There's a better definition by kafka47 · · Score: 5, Insightful
    I've seen many definitions in the vendor and user side of security. A statement like "responsibility without authority" is highly negative and a little fatalistic, don't you think? One of the key defining elements for me is that a good security administrator has the ability "to influence without power". That means, being Mr. SecAdmin is as much an exercise in politics as it is in technical wherewithal.

    Relate this back to the industry. You're either at the top-level or you're in the trenches. A good security admin will bridge the two as best he/she can. Security fundamentally affects (and is affected by) almost every facet of an organization. I've seen through personal experience a "silo-like" mentality to security policy execution. The secadmins were in their own private bubble that attempted to be dictatorial and impervious to external influence. This is wrong, wrong, wrong!

    Unfortunately, the needs of the job amount to being a little political. The decisions must be participatory, or at least give the appearance of being participatory. That is what gives you buy-in from your users. You might say, "Why should I?" Well, if you're saying that, then you might want to find another job. It's a necessary evil if you care about keeping your org secure. If not, you might be the one complaining after the fact, "They never listened to me". Even if you're merely sitting there explaining why you are doing what you're doing - at least people are involved. You might even be giving them bad news, but at least you're telling them that you're giving them bad news before you change their lives. The real challenge here is finding the right people to involve. :-)

    Good security as much depends on the "how" of security versus the "what" of security. If your methodology is technically correct, cheap, and does the job, but you've dumped it on the organization, then guess what. It ain't gonna fly!

    The article, in its efforts to be concise, has not really justified its claims. Trying to sway the course of one of the largest governments in the world indeed sounds like a recipe for frustration, but does not necessarily map back to the industry in general. Those seem like radically different things. I remember Richard Clarke seeming positively perky during the days of his assumption of cyber-security czar role. Look at him now.

  17. Re:CSO Magazine by buysse · · Score: 3, Insightful

    Or, alternately, they've already been 0wn3d and don't bloody realize it. That's a fairly common result of complacency.

    --
    -30-
  18. Re:This was the reason by asdfghjklqwertyuiop · · Score: 2, Insightful

    "it doesn't matter how long the system stays up, what matters is when it goes down, I can blame one entity."


    But what exactly does that get you? If it goes down, do you plan on suing the vendor for damages despite the gibberish in the license? If the vendor is Microsoft, do you expect to be successful in suing one of the world's richest companies? I don't think any software company has ever been successfully sued for damages before.

    I just don't get how being able to blame Microsoft is any different from being able to blame Joe Blow OSS author. You can't reasonably sue either one for anything. The former will fight you tooth and nail (costing lots of money in the process) and the latter has nothing worth suing for.

  19. illusions by killua · · Score: 3, Insightful

    Circumstances like these often accomplish something very important in politics, it gives the illusion of doing something to solve the problem, when in reality they have done nothing.

  20. most security is useless... by geoff+lane · · Score: 4, Insightful

    as it addresses the wrong problem.

    The US thinks that taking nail clippers from passengers makes air travel more secure. It doesn't but it looks as though it might.

    Most computer security looks outwards to the internet, forgetting that the biggest threat is sitting inside the firewall.

    We are all surrounded by pretend security that is in position just because it looks good. Real security is a pain in the backside. It is disruptive to the people who have to work with it and it's very expensive. It's also complex and difficult to implement.

    If the security officer in a company cannot overrule EVERY single person in the company on a matter of security, the job is a joke and exists merely as a butt-covering operation.

    1. Re:most security is useless... by BobaFett · · Score: 3, Insightful

      If the security officer in a company cannot overrule EVERY single person in the company on a matter of security, the job is a joke and exists merely as a butt-covering operation.

      This would be true if security was the overriding concern, the ultimate goal. It isn't. It would be true if the cost of a security breach was infinite, but that is not so as well. So it is an entirely legitimate question to ask: should we accept the risks at our current level of security, or spend more on tightening it (in the form of direct expenses or lost productivity)? There are other ways to mitigate against risks (redundancy, insurance, etc). If at the end of the day you can come out ahead by accepting the risk, then that is the correct thing to do. The security officer is not qualified to make this judgement.

  21. Re:This was the reason by inode_buddha · · Score: 2, Insightful

    Interesting how the whole thing revolves around placing blame instead of being blameless. Speaks volumes to me, anyway.

    --
    C|N>K
  22. Dictatorship by Anonymous Coward · · Score: 2, Insightful

    You try to place the blame on misconfigured systems. But when you demonstrably create an adversarial relationship with the users you're supposed to be supporting it proves you're part of the problem. Over and over, IT throws its weight around by not allowing anything useful. Anything IT doesn't understand is disallowed behind the "security" bogeyman and there's no effort to work with the users. When IT does get authority it's a power position, not a technical position. Automatic dictatorship.

    1. Re:Dictatorship by pbranes · · Score: 4, Insightful
      Then, what do you propose we do? Go sweet talk the user and ask that they nicely reconfigure their system pretty please with a cherry on top? We aren't just cutting them off of the network - we are giving them a choice - either configure their system properly, or don't be on our network.

      In IT, more often than not, security has to come first, and people's feelings come second - we are talking about personal information being passed around. How do you propose running a network where the emphasis is on sharing and being nice instead of enforcing strict security policies? Go to a warehouse - the physical security of that warehouse doesn't care if you are a nice person or not - they are going to make sure to enforce the security policies on you the same as everyone else. The same idea applies to data security.

  23. Re:This was the reason by drinkypoo · · Score: 2, Insightful

    It's about playing by the company's rules. They set the rules. If they wanted to succeed they would operate as a meritocracy and give the power to the most capable people. Instead, they just want to make some money and move onto the next corporation, which takes the fall instead of them, so they set it up so that the people who will support them are in positions of power so they can do whatever they want and get away with it :P

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  24. Not just security... by supabeast! · · Score: 3, Insightful

    This doesn't just apply to security, it applies to IT in general. The sysadmin is always the guy who has to implement all of the stupid shit managers promise to people, and rarely has any input on how it will be done. I finally knew that my IT career was about to end when, on a Friday morning, I was asked to work at least 12 hours on Saturday AND Sunday because the director of a federal agency I was working for (as a contractor) had promised that we would have a certain system working by a certain date which just happened to be Monday morning. This was the first time that ANYONE on the team responsible for the implementation had heard about it.

    I refused -- not that it mattered, because the coders needed time to adapt beta code from a different project to this one -- and dropped by for a few hours on Sunday just to check on the status of things. Two weeks later we had a semi-functional prototype. Three months later it was still a lame cycle of the same crap.

    Now I'm going to art school and painting full-time. The money sucks, but I never have to come in at three AM to clean up after someone else's dumbshit idea.

    1. Re:Not just security... by Anonymous Coward · · Score: 1, Insightful

      It doesn't say a lot about the industry when most promotions are done through attrition than through technical merit.

      Another problem, as it's been described to me, is that these incompetent IT managers who get promoted through attrition become a bit overconfident in what they think they know. So instead of letting or hiring people to do what they are capable of doing, the manager starts dictating a lot of bad ideas.

      I think the problem with IT, much like programming, is that anybody who can turn on a computer and connect a SOHO thinks they can handle the issues involved in enterprise networking. While IT isn't rocket science, it's not as trivial as some of these managers make it out to be. What can you do when words such as "I don't care about security," "We just provide ports," "Can't we just static route everything," and regarding management of DNS, "It's just editing static files," come out of your managers' mouths? What can you do when a manager threatens to quit if users are not allowed to have 100FD to the desktop, and a manager, against all advisement of his staff, chooses a software system that won't do what the dept needs, won't do what the vendor claims, and hires someone not qualified to manage the system? Those guys aren't going away. They suffer no consequences... it's bad...

  25. Responsibility by Tesral · · Score: 1, Insightful
    Posted over a foreman's desk in one of the factories I once worked in before the IT age.

    I'm not allowed to run the Train
    The whistle I can't blow.
    I'm not allowed to say how far
    The Train's allowed to go.
    I'm not allowed to blow off steam,
    Or even clang the bell.
    But let the Damn Thing jump the track,
    And see who catches HELL.

    Nothing changes but the names and places. I have no doubt this, or a local variation thereof, is scribed on a rock somewhere in the Great Pyramid.

    --
    Garry AKA -Phoenix- Rising Above the Flames
    Si hoc legere scis nimium eruditionis habes
  26. Re:"Big Mistake"? by Anonymous Coward · · Score: 1, Insightful

    I understand what you said, but I believe you're setting yourself up for a big fall on the promotion bit:

    "In an IT department with only five people, myself included, an IT manager really isn't needed."

    You think the manager's position will be eliminated. But then you say:

    "In the past there have been talks of cutting his dedicated position and giving the manager responsibility to someone else in the department."

    You then believe it will not be eliminated, but be reallocated to an underling.

    "Since I have been there the longest I would be the most likely to get the manager responsibility."

    And hopefully it will be you.

    I hate to burst your bubble, but do the math. There are two possible situations here, and you won't benefit no matter what:

    1) The managerial position will be eliminated. That means NO promotion. There won't be a managerial position to fill. You won't get squat and you'll have to answer to the next higher boss, who will likely know LESS and have you do MORE stupid things.

    2) If a managerial position gets eliminated, then refilled by a promotion, guess what? The company doesn't save the managerial salary, they save the admin's salary. So, the net effect is one admin is eliminated. And if one IT guy has to go, you know for damn sure it won't be the manager. He'll nominate an underling. Watch your back.

    My advice is to start looking for another job. You won't get any notice if/when the axe falls.

    But you can always look on the bright, cheery, optimistic side and hope that your manager really will be lousy enough at politicking, won't be friends with his boss, and lack enough foresight to dodge the bullet.

    Good luck there.

  27. Re:this can be a 'good thing' .. by sad_ · · Score: 3, Insightful

    Your manager shouldn't have access to the servers in the first place. It is not his job to logon to systems and change stuff, he is a manager not a tech.

    --
    On a long enough timeline, the survival rate for everyone drops to zero.