Security Basics mailing list archives
RE: "It's ok we're behind a firewall"
From: Chris Santerre <csanterre () MerchantsOverseas com>
Date: Mon, 24 Feb 2003 13:20:16 -0500
I fight this issue a lot here. Disgruntled employees who have access to important data. There are a million ways for this stuff to get out. Hell, they have to have access because it is their job. So it is a tightrope walk on what to do. I also have the opposite. Data that people have access to a piece at a time. Giving them a quick spreadsheet of all of it will make their job 300000X easier. But I'm not allowed to because the info put together in such a way could be lost, or stolen or whatever. But they have access to the same info one piece at a time. Drives me insane! :) Internal security is definitely different, and very gray.
-----Original Message-----
From: Chris Travers [mailto:chris () travelamericas com]
Sent: Saturday, February 22, 2003 10:00 PM
To: security-basics () securityfocus com
Subject: Re: "It's ok we're behind a firewall"

My own perspective is this--- Internal security is just *different.* This is one of the reasons for the firewall. If a company didn't have a firewall, I am still convinced that they would be at *far greater* risk to external rather than internal threats. But that doesn't address the following issues:

1: Many companies have sensitive documents that need to be protected-- controlling access to these minimizes the chance of leaks.
2: Would any executive want everyone in the company to have unlimited access to sensitive information like corporate bank account numbers, credit card numbers, etc?

So we can establish the need for internal security. My own preference is to divide up areas into security zones and determine how each zone (logically or preferably physically) is to be secured. Are ethernet ports in conference rooms a good idea? Is the risk that they bring in acceptable? What about wireless LAN? What are the business benefits? What are the risks?

Also it is extremely important to remember that the entrepreneurs or execs are the ones responsible for defining acceptable risk. It never hurts to keep people thinking about that-- and rather than saying "you have a security problem," I usually say "Is this risk acceptable? How does ___ benefit your business? Would ___ work for you as well?"

Anyway, this is my $.02 worth.

Best Wishes,
Chris Travers