Security Basics mailing list archives

Re: Network Engineer vs. Network Security Engineer


From: ron () gmail com
Date: 12 Jan 2010 00:23:36 -0000

Others have already mentioned "Separation of Duties".

So sure it would be easier if you had update access to the equipment, but do you really need it? Maybe Read Only 
access would be adequate? Do you have a change control/management process in place that can implement your change 
requests in a timely fashion? Maybe you could be added to the change approval process for anything that impacts 
security. Of course that would require you to clearly define what constitutes a "security change". Actually the list 
can be quite extensive.

Another consideration, you say that the other guy is the only person who has full access to that part of the system. 
Haven't you been paying attention to the "adventures of Mr Childs of San Francisco"? He was the lone person with 
access to part of the city network. He refused to hand over the passwords to "the wrong people", in his opinion. Last 
I heard he had spent over 14 months in jail, WITHOUT a trial, because he could not raise $5 million in bail. Google 
it. Here are a few links:
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=322438

http://www.pcworld.com/article/165950/accused_rogue_admin_terry_childs_back_in_court.html?tk=nl_dnx_h_crawl

http://www.pcworld.com/businesscenter/article/148951/san_francisco_da_discloses_citys_network_passwords.html

http://www.computerworld.com/s/article/9137318/Judge_won_t_lower_5M_bail_for_SF_IT_administrator?source=CTWNLE_nlt_securityissues_2009-09-02
  

At the VERY least that other admin should be REQUIRED to provide the current userids and passwords to an escrow 
location. Sealed envelope in a company safe or with a corporate lawyer. Company has to be prepared for him "to be hit 
by the proverbial bus" or to quit in a snit.
