Slashdot Mirror


Security Responsibility Without the Authority?

Slashdot reader jamie submits this story about security administration. If you have the responsibility for security without the authority to make changes, your only role is to be the fall guy when something goes wrong.


  1. This is by design by Gothmolly · Score: 5, Interesting

    I work at a Large Bank, and more often than not, we'll implement an expensive, suboptimal product because a) Someone Else Did It or b) Gartner Said It Was Good. It's all about preconfiguring the blame, it is always someone else's fault - this way, if there's ever a problem and the Gubmint comes looking for tail, we can always point the finger. On a small scale, this reduces to individual admins being forced to do stupid things, because That's What The Project Requires.

    --
    I want to delete my account but Slashdot doesn't allow it.
  2. This was the reason by MacFury · Score: 5, Interesting
    This was the reason many of my clients opted not to go with Linux. One of the project managers told me, "it doesn't matter how long the system stays up, what matters is when it goes down, I can blame one entity."

    Doesn't matter that Redhat and everyone else offer support.

    1. Re:This was the reason by pmsr · Score: 2, Interesting
      Yeah, sure. The good ol' blame Bill Gates trick. I am sure it will help them a lot. What do they think EULAs are for? To improve their reading skills? Jeez, some people really do live in a bubble, eh.

      /Pedro

  3. CSO Magazine by Anonymous Coward · Score: 4, Interesting

    CSO had an article about this a few months back, and talked about how many corporations have taken the teeth out of the CSO position.

    I've seen this first hand in our midwest US city, where the requirements for most security positions are an MCSE and a CISSP with little to no interest in management and policy-level expertise. IT security has very quickly become a janitorial position. Senior management has punished IT for excessive spending by gutting it of senior level representation (to the benefit of other empire building projects, typically).

    Curiously enough, these companies are sitting ducks for your run-of-the-mill script kiddie. From putting unencrypted backup tapes on the top of file cabinets in highly trafficked hallways (at one database company that I've worked with) to believing a firewall and antivirus is perfect security (to several of the larger banks I've met with on security projects), they're complacent and believe IT security is just another IT "dot-com money wasting project." Better to spend the money in the profit centers and ignore defensive protections as the lack of a serious attack means they'll never experience one. Little do they realize, the only reason they haven't been attacked is that there aren't enough hackers to take all the easy pickings.

  4. Re:On the other hand by aacool · Score: 4, Interesting
    Good first post - for once

    From the article,

    Upper management often issues orders such as "Clean up the system at any cost!" Yet when these same managers get recommendations for pre-emptive security implementation, too often chief information security officers are told, "The budget for this quarter has been exceeded. Ask me again later in the year."

    Information security is a challenging and technologically rewarding profession. Unfortunately, those responsible for carrying out information security often are not given the authority and budget to get the work done.

    http://www.gao.gov/new.items/d02627t.pdf Here is the definition (pdf) of the Homeland Security Dept's responsibility charter, for want of a better word.

    From another source, possibly not popular in these circles, is a paper on "Security Considerations for Information Security" http://www.microsoft.com/technet/security/bestprac/bpent/sec2/seconaa.mspx An excerpt:

    Security is everybody's responsibility. The creation of a secure IT environment is not just the responsibility of your organization's IT staff. Everyone in the organization has the responsibility to respect and implement the corporate security policies.
  5. amazing how one person resigning causes FUD by HBI · Score: 4, Interesting

    In one mid-sized US Government program, I can (and do) perform the following actions:

    - Each application's owner is advised of the CIO dictums and regulations covering their application and its interface. If they don't abide by them, the application doesn't go online. They comply.

    - If the application is not certified, the application does not go online. This means an extensive sheaf of documentation about its form and function. While this is not foolproof, it is very effective at getting stupid errors out of the way.

    - The network itself is accredited. Once again, a lengthy process based on standardized criteria that is redone every three years. This accreditation is called DITSCAP and can be googled.

    - OS and common application patches (called IAVAs and generated by ACERT, the 'Army Computer Emergency Response Team', which I would give a link for, but it's Army-only with authentication required) are required to be applied. If an application owner declines to be patched, it's the CIO's judgement if we want to unplug their server or not. Generally we will, and the application owner relents.

    Mind you, we just host applications. There are several layers of border security beyond us on the network, controlled by different organizations, that we have to justify things like port opens to. The list is kept to an utter minimum.

    This is only the big picture of what we do, and the details would take more writing than I'm likely to do on a Sunday afternoon.

    I have no idea what's going on at DHS, but what I know is that they share installations with my branch of the government, and they have to comply with the same rules when they do.

    Security IS taken seriously. This guy has a political problem and that's why he resigned. Everyone wants to make a big splash when they don't get along with their cohorts. Only the classy ones keep their mouths shut. This guy isn't one of those, apparently.

    --
    HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
    1. Re:amazing how one person resigning causes FUD by Anonymous Coward · Score: 3, Interesting

      In many US government organizations this has only resulted in a lot of paperwork rather than an increase in security. Being recently involved in the DITSCAP certification of a new system, I think the biggest problem is personnel:

      1. The biggest problem is that the people doing the work don't know what they are doing. At my company, less than 10% of the people doing certification analysis have a technical background. On the project I was on, only myself and one other person (the rep from the SW developer) had a software background, out of a total of about twenty people involved with the security. Yet these people were making software security decisions.

      2. Lack of effective government oversight. My experience has been that those who are supposed to review the DITSCAP documentation don't have a clue. I try to be helpful, but even then they don't seem to get with the program. Even the local government Certification and Accreditation subject matter expert barely qualifies as competent on computer security IMHO, much less an expert.

      3. The personnel problems aren't getting better. There are a lot of qualified people out there, it's just that the defense contractors would rather hire ex-military/ex-Civil Servants. There also seems to be a bias towards direct experience as opposed to competence, which seems to be how some of these incompetent people keep being employed.

      DITSCAP, IAVA's and company are a good attempt to do something, but the computer security problem in areas of the federal government goes deeper.

  6. Re:On the other hand by pbranes · Score: 4, Interesting
    I work in a higher-education environment as server/desktop/network support. I am faced with the problem of working with systems that were setup improperly and me not having authority over them directly, but having the responsibility of making sure the network doesn't collapse into a quivering heap.

    The way we have started facing this problem is confronting the end user and the people that setup the misconfigured equipment saying: "you must work with us in fixing this problem, or we will disconnect you from the network and you can find your own ISP". That pretty much gets their attention and allows us to set security policies, firewalls, system/application patches, and virus protection.

    Yeah, it's not the optimal solution. We really need a single head person who can enforce security policies totally over every section, but that is difficult in the open environment of higher-ed.

  7. Depends on the situation by ShatteredDream · Score: 3, Interesting

    Keep track of all of the times that you couldn't do something important, especially things legally necessary, because the powers that be didn't want to let you take the risk or rock the boat. Then when the police come in to investigate, if the higher ups decide to make you take the fall, take them with you by dropping all of your documentation about their ordering you to not do your job, onto the cops' lap.

    There is nothing that police at all levels love more than taking down big rich guys.

  8. Pity the poor Security Admin by paranerd · Score: 4, Interesting

    I'm sorry. Where I work it's the other way around. Our security department has all of the authority and none of the responsibility.

    What the result is, anyone can guess: password rules so byzantine that no one can log onto production systems when sev1 issues occur, sysops waiting three days for product tapes to be logged in and mounted, security changes being made willy-nilly with no change control management instituted, gateways which serve no data being loaded with full blown virus scanning software, bleeding edge maintenance being forced onto hardware and users not ready for it because it included some security fix of doubtful worth, managers not knowing the IP addys of their own *&#@ servers.

    What else is the result: passwords being taped to the bottom of keyboards, users being covertly supplied administrator rights to databases and servers, sushi programs installed by everyone, hacks programmed into apps to slip data through firewalls, and entire job streams running under one userid.

    Pity the poor security admin.

  9. well, duh! by twitter · Score: 2, Interesting
    On the other hand, having the authority without the responsibility is a much larger disaster waiting to happen.

    That's what having a fall guy is all about. Someone has the authority to fix the problem, but no real clue or budget. Enter the fall guy. Upper management "concentrates on the company's core business" while the fall guy eats the blame.

    It's not something that can work forever. How many years can you go to the share holders with bloated IT budgets? Wall Street replaced their core infrastructure with Linux and other free software years ago after some of the first big M$ worms. They will soon run out of patience for big dumb companies that flush millions down the upgrade toilet and are still prone to data loss and worm breakouts that resemble those of four years ago.

    This eweek stuff is pathetic for ignoring the core problem. M$ makes an OS that has no place on a network. It is used, without the owner's knowledge, to send more than 80% of the world's spam and for all sorts of other crimes. Their data models are the roach motel of the digital world and they proudly remind their customers of the costs of migration while lying about the benefits their competitors have to offer. Until Eweek gets it, they are part of the problem.

    --

    Friends don't help friends install M$ junk.

  10. Know your enemy. by khasim · Score: 4, Interesting
    Got any pointers? This technical genius would like to further himself out of the cannon fodder box and into something more lucrative.
    Start with "Death March". It's a good book on why projects fail and introduces the concepts of politics with agendas.

    I'd also recommend "The Prince" by Machiavelli. Also, take a few MBA courses. It helps to know how they think and what their phrases actually mean.

    But no book will ever be able to replace the insights gained from person-to-person interaction. You have to learn how to be "friends" with people who annoy you and how to manipulate them into supporting your agenda. That takes practice and you shouldn't practice it at work. They probably already know it better than you do and will be able to spot your amateur attempts. Instead, look at non-work groups. Your local church is a great place to start. They are usually packed with inter-personal relationships and petty politics. A friend once gave me this bit of insight: "The politics are so vicious because the stakes are so small".

    Politics is about manipulating people to achieve your agenda. Before you become good at politics, you have to be comfortable with that.
  11. Re:On the other hand by yintercept · Score: 3, Interesting

    Authority (who's the boss) is usually assigned for political reasons. Responsibility has more to do with ethics and capabilities.

    When the boss is incapable of doing a task, then clearly, some underling bears the responsibility when things go wrong.

    Conversely, the people with highly developed sense of ethics and professionalism step up to the plate, work to make the project work and essentially take responsibility.

    Theoretically, it is possible to give authority to the people who take responsibility.

    On the other hand, having the authority without the responsibility is a much larger disaster waiting to happen.

    This might cause problems for a company...it usually doesn't tarnish the teflon coat of the people in charge. For that matter, when a company sees a manager with authority and no responsibility, they generally respond by expanding his authority.

  12. Re:this can be a 'good thing' .. by vwjeff · Score: 5, Interesting

    Sadly I am the blame guy at my job, AKA, the bitch.

    It goes like this at my job. I am "in charge" of network security and maintaining our Microsoft and Linux servers. You would think that my office would be located at the central office where all the servers are. This is not the case. Instead my boss, the IT manager, is located at the central office. Whenever he thinks something is not working right he makes changes to our production servers during business hours. My boss has no training in IT security. He's an MBA that has limited knowledge in security but thinks he knows more than he does.

    Here's how most situations go. One person calls and complains that the finance database is slow or our inventory database is not working correctly. My boss then logs into the server and makes changes without documenting anything or telling me. You can imagine what happens next. Yeah, I get blamed for problems that occurred after he changed something. I then have to go back and try to trace what he did. I know I can't ask what changes he made since that might seem like I am blaming him for the problem he created.

    After going through this scenario four times I decided to remove his login to our production servers. Big mistake.

    I got a call from my boss two days later asking why he couldn't login to our production servers. I had prepared ahead of time and had a story made. I told him that I had noticed someone was logging in to our production servers and making changes during business hours which is against our IT policy. I went on saying that the changes made during these logins were responsible for the problems. I then told him for better security I should keep his account off the production servers so that the person who was making changes could no longer do so. He then said, "In the future could you please let me know when you make changes so we can be on the same page." I told him that I always documented the changes I made in the server logbook. I told him that I would reactivate his account with a different password. Since then he has not made any changes to the system.

  13. Re:It's all political. by killjoe · Score: 3, Interesting

    You know I started thinking about what you said and something occurred to me.

    If reading slashdot is any indication there are an awful lot of companies in the US making decisions based on really stupid and irrational criteria. I have heard many times "we didn't go with X because there was nobody to blame" and "we didn't go with Y because SCO might sue us" type of totally idiotic reasons. Why is that? Is Harvard business school or joe blow MBA mill really producing management that is unable to assess risk and intelligently apply reason to their decision making process? Think about it.

    I wonder if this is some sort of an American thing. Are people in Europe and Asia making decisions like this? If not we are about to get our asses kicked awfully hard.

    --
    evil is as evil does
  14. Re:On the other hand by Kierthos · Score: 4, Interesting

    I knew an admin who put a password on a sticky on his monitor. The password didn't work, and he logged all attempts to get into his account, and dealt with people who tried to do so appropriately. (Usually with a warning and cutting their print quota in half for the first attempt.)

    Kierthos

    --
    Mr. Hu is not a ninja.
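The sticky-note password in Kierthos's comment is a decoy credential: nobody legitimate ever uses it, so every attempt to use it is a signal, and the logging turns the sticky note into a detector for people who rummage through other people's desks. The following is an added example, not code from the comment or from any Slashdot poster, showing the detection side of that trick against sshd-style authentication log lines. The account name `kierthos`, the owner's host `10.0.0.9`, and all the log lines are constructed for the example; the graduated response (a warning for the first attempt, escalation for repeats) follows the comment, and the "password accepted" branch handles the case the comment does not mention, where the decoy's real password has leaked.

```python
import re
from collections import defaultdict

# Assumed for this example: the decoy account and the host its real owner uses.
DECOY_ACCOUNT = "kierthos"
OWNER_HOSTS = {"10.0.0.9"}

# Matches OpenSSH's "Accepted/Failed <method> for <user> from <ip> port <n>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

# Constructed sample auth log (not real data). Includes one non-sshd line to
# show that unrelated lines are skipped rather than crashing the parser.
SAMPLE_LOG = """\
Mar  3 09:12:01 lab01 sshd[4101]: Accepted publickey for alice from 10.0.0.12 port 50122 ssh2
Mar  3 09:15:44 lab01 sshd[4188]: Failed password for kierthos from 10.0.0.37 port 51004 ssh2
Mar  3 09:15:49 lab01 sshd[4188]: Failed password for kierthos from 10.0.0.37 port 51004 ssh2
Mar  3 09:18:30 lab01 sshd[4195]: Failed password for kierthos from 10.0.0.55 port 49500 ssh2
Mar  3 09:21:02 lab01 sshd[4210]: Failed password for bob from 10.0.0.41 port 49830 ssh2
Mar  3 09:25:00 lab01 CRON[4300]: pam_unix(cron:session): session opened for user root
Mar  3 09:30:55 lab01 sshd[4310]: Accepted publickey for kierthos from 10.0.0.9 port 52010 ssh2
Mar  3 09:40:12 lab01 sshd[4322]: Accepted password for kierthos from 10.0.0.41 port 49901 ssh2
"""


def parse_auth_log(text):
    """Yield one dict per sshd authentication line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def decoy_events(text, decoy=DECOY_ACCOUNT, owner_hosts=OWNER_HOSTS):
    """Authentication events against the decoy account, minus the owner's own
    key-based logins from a known host, which are the only expected traffic."""
    events = []
    for ev in parse_auth_log(text):
        if ev["user"] != decoy:
            continue
        if ev["result"] == "Accepted" and ev["method"] == "publickey" and ev["ip"] in owner_hosts:
            continue
        events.append(ev)
    return events


def triage(events):
    """Group decoy events by source address and assign a graduated response."""
    counts = defaultdict(lambda: {"failed": 0, "accepted": 0})
    for ev in events:
        counts[ev["ip"]]["failed" if ev["result"] == "Failed" else "accepted"] += 1
    report = {}
    for ip, c in counts.items():
        if c["accepted"]:
            # The sticky-note password is supposed to be wrong. If a password
            # login succeeded, the real credential has leaked: lock and rotate.
            action = "CRITICAL: decoy account authenticated by password; lock account, rotate credential, investigate source"
        elif c["failed"] == 1:
            action = "warning (first attempt): notify the user, halve print quota"
        else:
            action = f"escalate: {c['failed']} attempts from one source"
        report[ip] = {"failed": c["failed"], "accepted": c["accepted"], "action": action}
    return report


if __name__ == "__main__":
    for ip, entry in sorted(triage(decoy_events(SAMPLE_LOG)).items()):
        print(ip, entry)
```

In the sample, `10.0.0.37` tried twice and is escalated, `10.0.0.55` gets the first-attempt warning, `bob`'s failure and the owner's key login are ignored, and `10.0.0.41` trips the critical branch because a password login to the decoy actually succeeded. On a real host the same logic would run over the output of `journalctl -u ssh` or `/var/log/auth.log`.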
  15. Re:On the other hand by Kierthos · Score: 2, Interesting

    The university (right across the street from me) recently (last summer) and finally implemented a system where if students want to use the university's connection/bandwidth, they have to install certain software (AV stuff mostly) and adhere to the guidelines stated by the university. (Which mostly boils down to "No file sharing programs" and "No spam servers".) They also set the firewall settings on the student's computers, and tell the students not to change them.

    They've had a bunch of students complain, but to no avail (thank God, as these students aren't bright). The CS department loves the fact that the number of calls for dealing with virus-infected computers has dropped by like 85% or more.

    Kierthos

    --
    Mr. Hu is not a ninja.
  16. been there.. by TheHawke · Score: 2, Interesting

    Done that.. Pissed off more than a few clients with the security policies, blown a couple of budgets by a little bit. But it's still secure by overbuilding, securing the systems with personal passwords, set to expire in 30 day intervals. Education, education, education... The current headache with the 'wares was simply resolved by implementing a HOSTS file into each terminal via administrative batching. This was done within an hour and the infected machines were then reimaged with clean OSes. No slouch this nut is. As I said, I've pissed off a few folks, but they learned lessons the hard way not to break the NSA's rules and you don't wind up with a blank computer, or worse, a letter in your docket for the security violation. I'm not in the business to make friends, both personally or politically, which irks some of the suits. They pay me the big bucks to keep their business secure as Fort Knox, and they get what they pay for.

    --
    First rule of holes; When in one, stop digging.
  17. Cheap way to increase security by kabz · Score: 3, Interesting

    One way to decrease users' tendencies to download crap might be to publish a web page harvested from the firewall logs (you do have a firewall, right?) and allow general access to see what users have been downloading.

    This would favorably impact the following :

    o Porn searching
    o Cosmetic surgery searching
    o Perv searching
    o Joke searching
    o Browsing slashdot at -1 ;-)

    The Slashdot model of moderating/censoring web page accesses would also be driven by the curiosity to see what your dodgy co-workers have been downloading.

    One thing that one of my previous companies also emphasized was ensuring that machines have a password protected screensaver whenever a user is away from his/her desk. Another co-worker being able to hit porn from an open desktop would be a great motivation to lock up your desktop on restroom trips, coffee etc.

    Most companies have policies on non-business use of machines, though these are seldom enforced with any vigor. Enforcing them through a peer mechanism like that described above might help to keep users and company networks safe from themselves.

    --
    "It's not stalking if you're married!" My Wife.
  18. Sarbanes-Oxley Compliance by adrenaline_junky · Score: 3, Interesting

    It may also be worth noting that your boss going in and making undocumented changes may very well be illegal now, under Sarbanes-Oxley (assuming you're in the U.S.).

  19. Re:On the other hand by Lumpy · Score: 4, Interesting

    I will share the last IT security administrator's tactics....

    He saw that he was being set up for the "fall guy" position... you know it when it happens, "you are responsible for all security", "Oh, we have no money for your department, you can not implement that security policy, no not that either,...."

    for his last year he recorded all conversations with superiors, printed out and kept (against company policy) all communications with superiors and even kept recordings of voice mails on his company phone and personal cellphone.

    well it collapsed, we were rooted hard, and when they looked for the fall guy, he was ready and took 7 of the company's managers and executives with him flaming to the ground.

    BTW, his tactics earned him quite a bit in a court settlement with the company. be sure to give all that information to your lawyers also... they love that kind of crap.

    basically, document everything, and under NO circumstances trust your bosses.

    --
    Do not look at laser with remaining good eye.
  20. Re:this can be a 'good thing' .. by menscher · Score: 2, Interesting
    That's beautiful.

    I use a multi-pronged approach to keep the other admins under control:

    • sudo logs their actions
    • tripwire tells me what files they change
    • firewall prevents them from starting new services
    Overall, it works pretty well. (I think) I know about every change that happens to my systems. At least, strange stuff doesn't happen without an audit trail to figure out who was responsible.

    Disclaimer: if you're one of my cow-orkers, please assume this was written in regard to one of my other systems.
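menscher's three prongs above (sudo for who ran what, tripwire for which files changed, a firewall for what got started) are the answer to the undocumented-changes problem vwjeff describes in comment 12: a change either shows up with a name attached, or it shows up as unattributed and that is itself the finding. The following is an added example, not menscher's or vwjeff's code and not tripwire itself, that joins the first two prongs: a tripwire-style hash baseline of a directory tree, a diff against a later snapshot, and attribution of each changed path to the sudo log entries that named it. The hostname `web01`, the admins `bob` and `carol`, the sudo log lines and the toy files are constructed for the example; matching a changed path to a sudo `COMMAND=` string is a simple heuristic, and real tripwire also tracks permissions, ownership and inode data that this sketch leaves out.

```python
import hashlib
import os
import re
import tempfile

# Syslog line written by sudo on most Linux systems. The timestamp has no year,
# so it is kept as a string; the fields used here are the admin and the command.
SUDO_LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sudo: +(?P<admin>\S+) : "
    r"TTY=\S+ ; PWD=\S+ ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Constructed sample (not real data): one edit through sudo, one service restart,
# and an unrelated sshd line that the parser must ignore.
SAMPLE_SUDO_LOG = """\
Mar  3 10:02:11 web01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/vi /etc/ssh/sshd_config
Mar  3 10:05:40 web01 sudo:    carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/systemctl restart sshd
Mar  3 10:06:02 web01 sshd[5120]: Accepted publickey for carol from 10.0.0.9 port 50310 ssh2
"""


def snapshot(root):
    """Tripwire-style baseline: sha256 of every regular file under root, keyed by relative path."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def diff_snapshots(before, after):
    """Paths added, removed, or whose content hash changed between two snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before.keys() & after.keys() if before[p] != after[p]),
    }


def parse_sudo_log(text):
    """Return one dict per sudo command line; non-sudo lines are skipped."""
    return [m.groupdict() for m in (SUDO_LINE_RE.match(l) for l in text.splitlines()) if m]


def attribute_changes(changes, sudo_events):
    """Map each changed path to the sudo command(s) whose COMMAND string named it.
    A change with no matching sudo entry happened outside the audited channel
    (a shared root shell, a console login, a second admin tool) and is flagged."""
    report = {}
    for kind in ("added", "removed", "modified"):
        for rel in changes[kind]:
            abs_path = "/" + rel.replace(os.sep, "/")
            culprits = [f"{e['admin']} ({e['ts']}): {e['cmd']}"
                        for e in sudo_events if abs_path in e["cmd"]]
            report[abs_path] = {"change": kind, "via_sudo": culprits, "unattributed": not culprits}
    return report


def demo():
    """Build a toy /etc in a temp dir, baseline it, make two changes, attribute them."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc", "ssh"))
        os.makedirs(os.path.join(root, "etc", "cron.d"))
        with open(os.path.join(root, "etc", "ssh", "sshd_config"), "w") as fh:
            fh.write("PermitRootLogin no\n")
        with open(os.path.join(root, "etc", "hosts"), "w") as fh:
            fh.write("127.0.0.1 localhost\n")
        before = snapshot(root)

        # Change 1: bob edits sshd_config through sudo (logged in SAMPLE_SUDO_LOG).
        with open(os.path.join(root, "etc", "ssh", "sshd_config"), "w") as fh:
            fh.write("PermitRootLogin yes\n")
        # Change 2: a cron job appears with no sudo entry at all.
        with open(os.path.join(root, "etc", "cron.d", "nightly"), "w") as fh:
            fh.write("0 3 * * * root /opt/scripts/sync.sh\n")
        after = snapshot(root)

        return attribute_changes(diff_snapshots(before, after), parse_sudo_log(SAMPLE_SUDO_LOG))


if __name__ == "__main__":
    for path, entry in demo().items():
        print(path, entry)
```

Running `demo()` attributes `/etc/ssh/sshd_config` to bob's `vi` command and reports `/etc/cron.d/nightly` as unattributed, which is exactly the entry an admin in vwjeff's position wants in the logbook before the next finger-pointing call. The unchanged `/etc/hosts` does not appear at all.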

  21. Re:It's all political. by eyepeepackets · Score: 2, Interesting

    Heh, here is a clue, check and see if perhaps it applies to your area too: The single biggest section in my local Yellow Pages is for...lawyers.

    Ciao.

    --
    Everything in the Universe sucks: It's the law!
  22. Re:Dictatorship by _Sprocket_ · Score: 2, Interesting

    The adversarial relationship is natural. IT tends to involve an inverse relationship between functionality and security. The easier something is to use, the less secure it is likely to be. And likewise, attempting to put in security restraints will tend to impact ease of use. This applies to people too.

    Users' primary interest is having widgets to do their work. Infosec's interest is about protecting existing widgets. The adversarial relationship tends to come in place when deploying new widgets, or making widgets easier to use and access, impacts the security of all widgets (and information in general) already deployed.

    It might be interesting to note that this exists within IT too. IT departments tend to be held responsible for deploying widgets. And since widgets are easier to deploy in less-secure configurations, the natural temptation is to cut corners on security for the sake of easing deployment. This conflicts with Infosec, whose goal is to keep widgets secure, not necessarily to ensure more widgets are deployed.

    The challenge is to recognize this inverse relationship and take advantage of it. Use the natural inverse and work it in to your organization as a check-and-balance.

    First and foremost, an organization should have their security policies well documented and those policies should be applicable to most common access requirements without interpretation. When Infosec notes something is dangerous, it shouldn't be a judgment call - it should be based on documented policy.

    Secondly, Infosec's role is not to be a road block. It's there to help conform (and modify) existing policy. If a policy is unworkable, fix it. But more likely the policy is functional and it will simply take some working with the end user / developer to modify the system design to properly conform with that policy.

    Finally, there will be times when the policy is valid and the project simply can't be modified. This is where Infosec helps define the level of risk. Meanwhile, project developers define a business case for their architecture. Both cases are presented to higher management who ultimately weigh risk against business case. And if the business case outweighs the risk, that risk is well documented.