Security Responsibility Without the Authority?
Slashdot reader jamie submits this story about security administration. If you have the responsibility for security without the authority to make changes, your only role is to be the fall guy when something goes wrong.
I work at a Large Bank, and more often than not, we'll implement an expensive, suboptimal product because a) Someone Else Did It or b) Gartner Said It Was Good. It's all about preconfiguring the blame; it is always someone else's fault. This way, if there's ever a problem and the Gubmint comes looking for tail, we can always point the finger. On a small scale, this reduces to individual admins being forced to do stupid things, because That's What The Project Requires.
I want to delete my account but Slashdot doesn't allow it.
Doesn't matter that Redhat and everyone else offer support.
CSO had an article about this a few months back, and talked about how many corporations have taken the teeth out of the CSO position.
I've seen this firsthand in our Midwest US city, where the requirements for most security positions are an MCSE and a CISSP with little to no interest in management and policy-level expertise. IT security has very quickly become a janitorial position. Senior management has punished IT for excessive spending by gutting it of senior-level representation (to the benefit of other empire-building projects, typically).
Curiously enough, these companies are sitting ducks for your run-of-the-mill script kiddie. From putting unencrypted backup tapes on the top of file cabinets in highly trafficked hallways (at one database company that I've worked with) to believing a firewall and antivirus are perfect security (at several of the larger banks I've met with on security projects), they're complacent and believe IT security is just another IT "dot-com money-wasting project." Better to spend the money in the profit centers and ignore defensive protections, as the lack of a serious attack means they'll never experience one. Little do they realize, the only reason they haven't been attacked is that there aren't enough hackers to take all the easy pickings.
From the article,
Upper management often issues orders such as "Clean up the system at any cost!" Yet when these same managers get recommendations for pre-emptive security implementation, too often chief information security officers are told, "The budget for this quarter has been exceeded. Ask me again later in the year."
Information security is a challenging and technologically rewarding profession. Unfortunately, those responsible for carrying out information security often are not given the authority and budget to get the work done.
Here is the definition (PDF) of the Homeland Security Dept's responsibility charter, for want of a better word: http://www.gao.gov/new.items/d02627t.pdf
From another source, possibly not popular in these circles, is a paper on "Security Considerations for Information Security": http://www.microsoft.com/technet/security/bestprac/bpent/sec2/seconaa.mspx
An excerpt:
In one mid-sized US Government program, I can (and do) perform the following actions:
- Each application's owner is advised of the CIO dictums and regulations covering their application and its interface. If they don't abide by them, the application doesn't go online. They comply.
- If the application is not certified, the application does not go online. This means an extensive sheaf of documentation about its form and function. While this is not foolproof, it is very effective at getting stupid errors out of the way.
- The network itself is accredited. Once again, a lengthy process based on standardized criteria that is redone every three years. This accreditation is called DITSCAP and can be googled.
- OS and common application patches (called IAVAs and generated by ACERT, the 'Army Computer Emergency Response Team', which I would give a link for, but it's Army-only with authentication required) are required to be applied. If an application owner declines to be patched, it's the CIO's judgement whether we want to unplug their server or not. Generally we will, and the application owner relents.
Mind you, we just host applications. There are several layers of border security beyond us on the network, controlled by different organizations, that we have to justify things like port opens to. The list is kept to an utter minimum.
This is only the big picture of what we do, and the details would take more writing than I'm likely to do on a Sunday afternoon.
I have no idea what's going on at DHS, but what I know is that they share installations with my branch of the government, and they have to comply with the same rules when they do.
Security IS taken seriously. This guy has a political problem and that's why he resigned. Everyone wants to make a big splash when they don't get along with their cohorts. Only the classy ones keep their mouths shut. This guy isn't one of those, apparently.
HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
The way we have started facing this problem is confronting the end user and the people that set up the misconfigured equipment, saying: "You must work with us in fixing this problem, or we will disconnect you from the network and you can find your own ISP." That pretty much gets their attention and allows us to set security policies, firewalls, system/application patches, and virus protection.
Yeah, it's not the optimal solution. We really need a single head person who can enforce security policies totally over every section, but that is difficult in the open environment of higher-ed.
I'm sorry. Where I work it's the other way around. Our security department has all of the authority and none of the responsibility.
What the result is, anyone can guess: password rules so byzantine that no one can log onto production systems when sev1 issues occur, sysops waiting three days for product tapes to be logged in and mounted, security changes being made willy-nilly with no change control management instituted, gateways which serve no data being loaded with full-blown virus scanning software, bleeding-edge maintenance being forced onto hardware and users not ready for it because it included some security fix of doubtful worth, managers not knowing the IP addys of their own *&#@ servers.
What else is the result: passwords being taped to the bottom of keyboards, users being covertly supplied administrator rights to databases and servers, sushi programs installed by everyone, hacks programmed into apps to slip data through firewalls, and entire job streams running under one userid.
Pity the poor security admin.
I'd also recommend "The Prince" by Machiavelli. Also, take a few MBA courses. It helps to know how they think and what their phrases actually mean.
But no book will ever be able to replace the insights gained from person-to-person interaction. You have to learn how to be "friends" with people who annoy you and how to manipulate them into supporting your agenda. That takes practice and you shouldn't practice it at work. They probably already know it better than you do and will be able to spot your amateur attempts. Instead, look at non-work groups. Your local church is a great place to start. They are usually packed with inter-personal relationships and petty politics. A friend once gave me this bit of insight: "The politics are so vicious because the stakes are so small".
Politics is about manipulating people to achieve your agenda. Before you become good at politics, you have to be comfortable with that.
Sadly I am the blame guy at my job, AKA, the bitch.
It goes like this at my job. I am "in charge" of network security and maintaining our Microsoft and Linux servers. You would think that my office would be located at the central office where all the servers are. This is not the case. Instead my boss, the IT manager, is located at the central office. Whenever he thinks something is not working right he makes changes to our production servers during business hours. My boss has no training in IT security. He's an MBA that has limited knowledge in security but thinks he knows more than he does.
Here's how most situations go. One person calls and complains that the finance database is slow or our inventory database is not working correctly. My boss then logs into the server and makes changes without documenting anything or telling me. You can imagine what happens next. Yeah, I get blamed for problems that occurred after he changed something. I then have to go back and try to trace what he did. I know I can't ask what changes he made since that might seem like I am blaming him for the problem he created.
After going through this scenario four times I decided to remove his login to our production servers. Big mistake.
I got a call from my boss two days later asking why he couldn't log in to our production servers. I had prepared ahead of time and had a story made. I told him that I had noticed someone was logging in to our production servers and making changes during business hours, which is against our IT policy. I went on saying that the changes made during these logins were responsible for the problems. I then told him that for better security I should keep his account off the production servers so that the person who was making changes could no longer do so. He then said, "In the future could you please let me know when you make changes so we can be on the same page." I told him that I always documented the changes I made in the server logbook. I told him that I would reactivate his account with a different password. Since then he has not made any changes to the system.
I knew an admin who put a password on a sticky on his monitor. The password didn't work, and he logged all attempts to get into his account, and dealt with people who tried to do so appropriately. (Usually with a warning and cutting their print quota in half for the first attempt.)
Kierthos
Mr. Hu is not a ninja.
I will share the last IT security administrator's tactics....
He saw that he was being set up for the "fall guy" position... you know it when it happens: "You are responsible for all security", "Oh, we have no money for your department, you can not implement that security policy, no, not that either...."
For his last year he recorded all conversations with superiors, printed out and kept (against company policy) all communications with superiors, and even kept recordings of voice mails on his company phone and personal cellphone.
Well, it collapsed, we were rooted hard, and when they looked for the fall guy, he was ready and took 7 of the company's managers and executives with him flaming to the ground.
BTW, his tactics earned him quite a bit in a court settlement with the company. Be sure to give all that information to your lawyers also... they love that kind of crap.
Basically, document everything, and under NO circumstances trust your bosses.
Do not look at laser with remaining good eye.