Slashdot Mirror
Security Responsibility Without the Authority?
Slashdot reader jamie submits this story about security administration. If you have the responsibility for security without the authority to make changes, your only role is to be the fall guy when something goes wrong.
On the other hand, having the authority without the responsibility is a much larger disaster waiting to happen.
http://alternatives.rzero.com/
I work at a Large Bank, and more often than not, we'll implement an expensive, suboptimal product because a) Someone Else Did It or b) Gartner Said It Was Good. It's all about preconfiguring the blame, it is always someone else's fault - this way, if there's ever a problem and the Gubmint comes looking for tail, we can always point the finger. On a small scale, this reduces to individual admins being force to do stupid things, because Thats What The Project Requires.
I want to delete my account but Slashdot doesn't allow it.
On the other hand this can be very good if you are *not* the guy with the responsibility. This means that when you fuck up there is a 'blame him' guy near by. :)
Slashdot Sig. version 0.1alpha. Use at your own risk.
I think that would be time to start looking for another job... FAST!
Absolutely no good can come out of this situation except as a blurb on your resume. i.e. Was responsible for network security at firm with more than 500 computers for the last 6 months.
Chaos will always win out over order because chaos is more organized
The phenomenon isnt specific to IT security admins; its the (sad) consequence of corporations with 'false priorities' ('one hand doesn't know what the other is doing' thing). Management ask you to do something they don't have a clue about (in this case, improving security on a network). Then you ask for resources to do the job, and the Finances guys refuse for budget (priorities) reasons.
Basically, you're stuck in a bad position : management yell at you if anything goes wrong, Finance is annoyed by your constant demands they see no 'use' for.
Of course, not every business works this way. But it tend to when the company gets too large...
Eureka Science News - automatically updated
Doesn't matter that Redhat and everyone else offer support.
But what happens when one can set rules and enforce them at the same time? That'll be too much power.
Usually in a company, IT department takes care of the adminstration of IT-related stuff, and HR takes care of the rules/policies.
If these two departments don't compliment each other, that's the problem to be fixed, instead of mixing two different roles together.
That's my personal experience anyway, I find it easier to tell the users to take to HR (or vice versa) than having to deal with (punish) or explain certain policies to users.
Rock that crushes, Paper & Scissors that don't matter.
Anyone else want to share some of their favorite overused phrases with IT security?
My favorite phrase is "... working hard to ensure this never happens again". We usually hear that within 4 hours of a customer calling and using the phrase "you people". "You people lost my database again!" "We can assure you we are working hard to ensure this never happens again". We've had a 0 dollar buildout and maintenence budget for 4 years. They actually get MORE surprised each time something breaks, cause we're supposed to be getting better at using the tools we have.
Ok here's a different question -- anyone ever had to use their own property to band-aid something within the company about ready to explode?
slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
CSO had an article about this a few months back, and talked about how many corporations have taken the teeth out of the CSO position.
I've seen this first hand in our midwest US city, where the requirements for most security positions are a MCSE and a CISSP with little to no interest in management and policy-level expertise. IT security has very quickly become a janitorial position. Senior management has punished IT for excessive spending by gutting it of senior level representation (to the benefit of other empire building projects, typically).
Curiously enough, these companies are sitting ducks for your run-of-the-mill script kiddie. From putting unencrypted backup tapes on the top of file cabinets in highly trafficed hallways (at one database company that I've worked with) to believing a firewall and antivirus is perfect security (to several of the larger banks I've met with on security projects), they're complacent and believe IT security is just another IT "dot-com money wasting project." Better to spend the money in the profit centers and ignore defensive protections as the lack of a serious attack means they'll never experience one. Little do they realize, the only reason they haven't been attacked is that there aren't enough hackers to take all the easy pickings.
It's all about preconfiguring the blame
In the field of enviornmental compliance, the person 'in charge' is known as the 'designated inmate.'
as with any job where you might be in a delicate .. do your due
position or 'the target' should things go wrong
that are beyond your control ( whether due to
lack of authority or lack of omniscience ),
Document, Document, Document
diligence, report any possible vulnerabilities,
suspicions of attack and recommended changes to
your immediate boss, your IT/CIS team and their
managers. Be public, but don't be patronizing.
This 'paper trail' will help you immensely should
you be terminated over some security breach should
you be able to prove that, were your suggestions
implemented, the breach could have been prevented.
Security work is ridden with chance : if there is
a flaw in the hardware or software that had not
been documented at the root of a breach, report
that this is a new issue with that particular
system and that a patch is available and has ( or
should, if you lack even the authority to patch )
be applied immediately, or that a patch is not
yet available. I'm not a litigious person by
nature but I wouldn't hesitate to sue on the
grounds of wrongful termination if i could present
evidence that i had made those in power aware of
the problem and had not received authorization
to make the changes that would have prevented the
breach.
If you're the security guy, you Are the fall guy
by default, but if you don't leave a document
trail behind to show due diligence you will have
no cushion for your fall.
Follow the same basic guidelines that the medical
profession uses - document anomalies, perform
frequent monitoring, document changes. All of
this will help greatly should you be in the
unfortunately position of having to take legal
action against a former employer.
That this is necessary is sad, but it Is
necessary.
It isn't about getting anything out of Microsoft. It isn't about the EULA.
It's about being able to say that it isn't YOUR fault. You did what EVERYONE ELSE was doing. Then you pull out the magazines and articles about how whatever just happened to you has been happening all over to other companies.
In many companies, it is more important to not be blamed for a problem than it is to be the one who solved a problem.
In one mid-sized US Government program, I can (and do) perform the following actions:
- Each application's owner is advised of the CIO dictums and regulations covering their application and its interface. If they don't abide by them, the application doesn't go online. They comply.
- If the application is not certified, the application does not go online. This means an extensive sheaf of documentation about its form and function. While this is not foolproof, it is very effective at getting stupid errors out of the way.
- The network itself is accredited. Once again, a lengthy process based on standardized criteria that is redone every three years. This accreditation is called DITSCAP and can be googled.
- OS and common application patches (called IAVAs and generated by ACERT, the 'Army Computer Emergency Response Team', which would give a link for but it's Army-only with authentication required) are required to be applied. If an application owner declines to be patched, it's the CIO's judgement if we want to unplug their server or not. Generally we will, and the application owner relents.
Mind you, we just host applications. There are several layers of border security beyond us on the network, controlled by different organizations, that we have to justify things like port opens to. The list is kept to an utter minimum.
This is only the big picture of what we do, and the details would take more writing than i'm likely to do on a Sunday afternoon.
I have no idea what's going on at DHS, but what I know is that they share installations with my branch of the government, and they have to comply with the same rules when they do.
Security IS taken seriously. This guy has a political problem and that's why he resigned. Everyone wants to make a big splash when they don't get along with their cohorts. Only the classy ones keep their mouths shut. This guy isn't one of those, apparently.
HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
That's like working for free...and probably about as legal. You need to suck it up and tell the boss "we need this piece, and if we don't get it, Bad Things(tm & C ) will happen."
And document it to within an inch of its life.
that way, when the witch hunt starts, you can whip out those docs from your own personal Pearl Harbor file and show that you knew what you needed, and were told to sod off.
Holloway's laws of business...
- Always document everything, even the slightest move. that way you have a paper trail to cover your ass.
- If your employer is asking you to do dodgy things to keep them running, tell them what the bill will be. If they threaten your employment, its time to hit the silk anyway. they are going to make a smoking crater in the sand...
My two centisols
"It may just be that there is something fundamentally unworkable about government itself" -H. Beam Piper
...your only role is to be the fall guy when something goes wrong.
Any time security goes amuck... look to management as the culpret. If anyone points fingers at anyone else but management they really don't know too much.
Management has the political power, the money and the fudiciary responsibilty.
And if they don't know the assessed level of their security and security requirements, this then means they aren't doing their job.
Politics happen in companies. Politics happen anytime you get 3 or more people working together.
It all comes down to different people having different agendas working together in a company with limited resources.
The sad thing is that once your technical skills are at the "minimally competent" level, you'd be better advised to learn corporate politics to further your career.
A technical genius without political skills can be used and abused by a mediocre technologist with good political skills.
Keep track of all of the times that you couldn't do something important, especially things legally necessary, because the powers that be didn't want to let you take the risk or rock the boat. Then when the police come in to investigate, if the higher ups decide to make you take the fall, take them with you by dropping all of your documentation about their ordering you to not do your job, onto the cops' lap.
There is nothing that police at all levels love more than taking down big rich guys.
Click here or a puppy gets stomped!
I'm sorry. Where I work it's the other way around. Our security department has all of the authority and none of the responsibility.
What the result is, anyone can guess: password rules so byzantine that no one can log onto production systems when sev1 issues occurr, sysops waiting three days for product tapes to be logged in and mounted, security changes being made willynilly with no change control management instituted, gateways which serve no data being loaded with full blown virus scanning software, bleeding edge maintenance being forced onto hardware and users not ready for it because it included some security fix of doubtful worth, managers not knowing the IP addys of their own *&#@ servers.
What else is the result: passwords being taped to the bottom of keyboards, users being covertly supplied administrator rights to databases and servers, sushi programs installed by everyone, hacks programmed into apps to slip data through firewalls, and entire job streams running under one userid.
Pity the poor security admin.
I used to work at a major financial services company. This was just as commercialism was just discovering the existance of the internet, so I was hired to design and deploy their high speed redundant connectivity. One thing this company did right, I think, is that all of their security was focused through the VP of Auditing, who reported to the CFO. And the guy who had this position was smart enough to know he knew very little about security and had to learn. I actually got to teach him more about it. We formed a group of people (at my suggestion), including another network engineer, two accountants, and one of the staff lawyers, as the security committee. His original mandate was network security. But in our first group meeting I gave a presentation on one of my long long ago hacking efforts (back in the mainframe days) that successfully broke into a major insurance company's three mainframes. I explained to them how I did it using entirely social engineering. Of course I had knowledge of the system, but I didn't utilize any bugs in the system to get in. With this I was able to get the group to change the focus of security from one strictly focusing on computer technology, to one that would be applied to everything the company did. Software bugs and misconfigured servers are, of course, important, but people are the weakest link in security, and this is even more so the larger a corporation is. Every operation of a company must consider security across the board.
now we need to go OSS in diesel cars
...on how much one can ask for being a scapegoat. Make me an offer I can't refuse and I'm your man ! (paid in advance, please...)
That's what having a fall guy is all about. Someone has the authority to fix the problem, but no real clue or budget. Enter the fall guy. Upper management "concentrates on the company's core business" while the fall guy eats the blame.
It's not something that can work forever. How many years can you go to the share holders with bloated IT budgets? Wall Street replaced their core infrastructure with Linux and other free software years ago after the some of the first big M$ worms. They will soon run out of patience for big dumb companies that flush millions down the upgrade toilet and are still prone to data loss and worm breakouts that resemble those of four years ago.
This eweek stuff is pathetic for ignoring the core problem. M$ makes an OS that has no place on a network. It is used, without the owner's knowledge, to send more than 80% of the world's spam and for all sorts of other crimes. Their data models are the roach motel of the digital world and they proudly remind their customers of the costs of migration while lying about the benefits their competitors have to offer. Until Eweek gets it, they are part of the problem.
Friends don't help friends install M$ junk.
I'd also recommend "The Prince" by Machiavelli. Also, take a few MBA courses. It helps to know how they think and what their phrases actually mean.
But no book will ever be able to replace the insights gained from person-to-person interaction. You have to learn how to be "friends" with people who annoy you and how to manipulate them into supporting your agenda. That takes practice and you shouldn't practice it at work. They probably already know it better than you do and will be able to spot your amateur attempts. Instead, look at non-work groups. Your local church is a great place to start. They are usually packed with inter-personal relationships and petty politics. A friend once gave me this bit of insight: "The politics are so vicious because the stakes are so small".
Politics is about manipulating people to achieve your agenda. Before you become good at politics, you have to be comfortable with that.
If you're responsible than you make the recommendations. If they aren't followed you warn of the consequences. If the consequences result your ass is covered. This is BASIC employee CYA.
If you do your CYA bit well your boss will follow with his CYA bit and eventually someone will sign a check or the memos will stop with someone stupid enough to take the fall. Otherwise you don't want to be working there. Works no fun if you can't do your job.
If you don't like the CYA game, spend the time and effort you would put into implementing your recommendations into finding another job.
Life's not that difficult!
When I was in the army 20 years ago I had the "responsibility" to get a bunch of guys to move some furniture. Unfortunately I did not have authority over these troops since they belonged to another division.
Engineering is the art of compromise.
"From my perspective, if a corporation deliberately stores my personal information using a server OS that is known to have more security holes than the Moon has craters, when that info is stolen the people that made that decision should be up on charges of negligence or worse"
If it is a company you do business with, send them a letter-snail mail, registered, notarized whatever, in advance to that effect. Not a threat, just a reminder that they have alternatives, and it's in their best interest business-wise and liability-wise to look at ALL the options. then they can't claim down the road that they "didn't know". Send an identical copy to their CEO, CFO and CIO/CTO. It's a +1 bonus if you can have several people on your side with simjilar viewpoints sign it as well, all customers of theirs.
Another thing you can do is to buy stock in the company, that gives you an additional legal edge should something "go wrong", and also let's you offer suggestions and/or complain at shareholders meetings, or give you another avenue for a potential lawsuit.
I have a client, however, who's IT security policy is so strict (14 characters, alpha, numeric, plus special) that each and every employee has taken to write down their user/password on a post it note and taping it to their monitor or under their keyboard. Just walking through the office you can pick up at least 6 user/passwords. I've tried to argue with the head dick in charge, and all I get is BS. Why put together a security policy so strict that it keeps employees from doing their jobs, or forces them to write down their passwords out of ignorance. Nothing worse than that.
Relate this back to the industry. You're either at the top-level or you're in the trenches. A good security admin will bridge the two as best he/she can. Security fundamentally affects (and is affected by) almost every facet of an organization. I've seen through personal experience a "silo-like" mentality to security policy execution. The secadmins were in their own private bubble that attempted to be dictatory and impervious to external influence. This is wrong, wrong, wrong!
Unfortunately, the needs of the job amount to being a little political. The decisions must be participatory, or at least giving the appearance of being participatory. That is what gives you buy-in from your users. You might say, "Why should I?" Well, if you're saying that, then you might want to find another job. Its a necessary evil if you care about keeping your org secure. If not, you might be the one complaining after the fact, "They never listened to me". Even if you're merely sitting there explaining why you are doing what you're doing - at least people are involved. You might even be giving them bad news, but at least you're telling them that you're giving them bad news before you change their lives. The real challenge here is finding the right people to involve. :-)
Good security as much depends on the "how" of security versus the "what" of security. If your methodology is technically correct, cheap, and does the job, but you've dumped it on the organization, then guess what. It ain't gonna fly!
The article, in its efforts to be concise, has not really justified its claims. Trying to sway the course of one of the largest governments in the world indeed sounds like a recipe for frustration, but does not necessarily map back to the industry in general. Those seem like radically different things. I remember Richard Clarke seeming positively perky during the days of his assumption of cyber-security czar role. Look at him now.
Circumstances like these often accomplish something very important in politics, it gives the illusion of doing something to solve the problem, when in reality they have done nothing.
as it addresses the wrong problem.
The US thinks that taking nail clippers from passengers makes air travel more secure. It doesn't but it looks as though it might.
Most computer security looks outwards to the internet, forgetting that the biggest threat is sitting inside the firewall.
We are all surrounded by pretend security that is in position just because it looks good. Real security is a pain in the backside. It is disruptive to the people who have to work with it and it's very expensive. It's also complex and difficult to implement.
If the security officer in a company cannot overrule EVERY single person in the company on a matter of security, the job is a joke and exists merely as a butt-covering operation.
Done that.. Pissed off more than a few clients with the security policies, blown a couple of budgets by a little bit. But it's still secure by overbuilding, securing the systems with personal passwords, set to expire in 30 day intervals. Education, education, education... The current headache with the 'wares was simply resolved by implementing a HOSTS file into each terminal via administrative batching. This was done within a hour and the infected machines were then reimaged with clean OS's. No slouch this nut is. As I said, i've pissed off a few folks, but they learned lessons the hard way not to break the NSA's rules and you don't wind up with a blank computer, or worse, a letter in your docket for the security violation. I'm not in the business to make friends, both personally or politically, which irks some of the suits. They pay me the big bucks to keep their business secure as Fort Knox, and they get what they pay for.
First rule of holes; When in one, stop digging.
One way to decrease users tendencies to download crap might be to publish a web page harvested from the firewall logs (you do have a firewall, right ?) and allow general access to see what users have been downloading.
:
;-)
This would favorably impact the following
o Porn searching
o Cosmetic surgery searching
o Perv searching
o Joke searching
o Browsing slashdot at -1
The Slashdot model of moderating/censoring web page accesses would also be driven by the curiosity to see what your dodgy co-workers have been downloading.
One thing that one of my previous companies also emphasized was ensuring that machines have a password protected screensaver whenever a user is away from his/her desk. Another co-worker being able to hit porn from an open desktop would be a great motivation to lock up your desktop on restroom trips, coffee etc.
Most companies have policies on non-business use of machines, though these are seldom enforced with any vigor. Enforcing them through a peer mechanism like that described above might help to keep users and company networks safe from themselves.
--
-- "It's not stalking if you're married!" My Wife.
It may also be worth noting that your boss going in and making undocumented changes may very well be illegal now, under Sarbanes-Oxley (assuming you're in the U.S.).
You try to place the blame on misconfigured systems. But when you demonstrably create an adversarial relationship with the users you're supposed to be supporting it proves you're part of the problem. Over and over, IT throws its weight around by not allowing anything useful. Anything IT doesn't understand is disallowed behind the "security" bogeyman and there's no effort to work with the users. When IT does get authority it's a power position, not a technical position. Automatic dictatorship.
This doesn't just apply to security, it applies to IT in general. The sysadmin is always the guy who has to implement all of the stupid shit managers promise to people, and rarely has any input on how it will be done. I finally knew that my IT career was about to end the when, on a Friday morning, I was asked to work at least 12 hours on Saturday AND Sunday because the director of a federal agency I was working for (as a contractor) has promised that we would have a certain system working by a certain date which just happened to be Monday morning. This was the first time that ANYONE on the team responsible for the implementation had heard about it.
I refused -- not that it mattered, because the coders needed time to adapt beta code from a different project to this one--, and dropped by for a few hours on Sunday just to check on the status of things. Two weeks later we had a semi-functional prototype. Three months later it was still a lame cycle of the same crap.
Now I'm going to art school and painting full-time. The money sucks, but I never have to come in at three AM to cleanup after someone else's dumbshit idea.
"If you have the responsibility for security without the authority to make changes, your only role is to be the fall guy when something goes wrong."
Oh.
Great.
"Ah yes, Bernard. Responsiblity without power - the prerogative of the eunuch throughout the ages." - Sir Humphrey Appleby
"Life is like a sewer - what you get out of it depends on what you put into it" - Tom Lehrer