Security Basics mailing list archives
Re: New workplace security measures. Are they usual?
From: Todd Haverkos <infosec () haverkos com>
Date: Tue, 20 Jul 2010 14:34:14 -0500
<securityfocus () aldomedina com> writes:
> I'm two levels below the CEO, so I'm not worried about my personal activities, but what if I discuss the recruitment or dismissal of some personnel, the purchase of expensive equipment or other sensitive matters?
Assume they can read it.
> Can a fake buy-recommendation come from my PC?
Certainly. Or it could be forged to look like it's from your email address and originate from entirely outside the organization.
> Maybe I should reformulate the question to address how can we trust the informatics personnel? (they're not specialized information security personnel, just IT engineers who care for anything computer/electronic related)
Unfortunately, you can't trust them entirely, but you have to. When hiring into such roles, organizations are well advised to do background checks, and do all they can possibly do to ensure they're hiring trustworthy individuals. Checks and balances to this administrative power give orgs a chance to detect malicious activity; strong audit logging gives them a chance to see the scope of activities on demand or in post mortem fashion; as another poster said, "watching the watchers" is something that would be a best practice. A malicious insider with administrative privileges is indeed a significant threat in most environments.

If you need to communicate via email and ensure that confidentiality, integrity, and authentication are maintained, you've discovered why private key cryptography (PGP, GPG) has some profoundly good use cases, and why so many attorneys I know avoid committing anything to email and prefer dealing in person or on the phone.

With private key crypto, and assuming you've exchanged public keys securely with the individuals you're communicating with, and you've signed the message you're sending with your private key, and encrypted it with the recipient's public key, you have fairly strong assurance that:

- only the recipient can read your message
- no one else can read or tamper with it
- and the recipient has strong assurance that it was really you who sent it.

http://en.wikipedia.org/wiki/Pretty_Good_Privacy

However, even with PGP... your message could be viewed by a malicious admin if they VNC in to your desktop while you're composing it and it's on the screen. And so, you're unfortunately back to having to trust anyone with admin control over a computer you use.

And, no more than you'd be rude to anyone at a restaurant who's involved in your dinner's chain of custody, it's ill advised to anger the IT admins.
:-)

--
Todd Haverkos, LPT MsCompE
http://haverkos.com/
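The sign-then-encrypt flow Todd describes (sign with the sender's private key, encrypt to the recipient's public key, recipient decrypts and verifies against a public key obtained out of band) as a self-contained example. This is added here and is not code from the post or from PGP/GPG: Ed25519, RSA-OAEP and AES-GCM from Go's standard library stand in for the OpenPGP key and packet formats, the `Identity`, `Envelope`, `SignAndEncrypt` and `DecryptAndVerify` names are constructed for this illustration, and "alice"/"bob" are constructed placeholders for a sender and recipient. The three assurances in the post map onto three distinct failures in `DecryptAndVerify`: a party without the recipient's private key cannot unwrap the session key, any modification of the ciphertext fails the AEAD check, and a message signed by anyone but the expected sender fails signature verification, which is exactly how a forged "buy recommendation" would be caught.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Identity stands in for one person's PGP keypair: an Ed25519 signing key and
// an RSA encryption key. The private halves never leave their owner's machine.
type Identity struct {
	SignPriv ed25519.PrivateKey
	SignPub  ed25519.PublicKey
	Enc      *rsa.PrivateKey // Enc.PublicKey is what others encrypt to
}

// NewIdentity generates both keys (constructed helper, not PGP key generation).
func NewIdentity() (*Identity, error) {
	signPub, signPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	enc, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Identity{SignPriv: signPriv, SignPub: signPub, Enc: enc}, nil
}

// Envelope is what travels through the mail system: everything a mail admin sees.
type Envelope struct {
	WrappedKey []byte // AES key || GCM nonce, RSA-OAEP encrypted to the recipient
	Ciphertext []byte // AES-GCM over (message || signature)
}

// SignAndEncrypt is the sender's side: sign with our private signing key, then
// encrypt message+signature under a one-time key wrapped to the recipient only.
func SignAndEncrypt(sender *Identity, recipientPub *rsa.PublicKey, msg []byte) (*Envelope, error) {
	sig := ed25519.Sign(sender.SignPriv, msg)
	payload := append(append([]byte{}, msg...), sig...)
	keyNonce := make([]byte, 32+12) // 256-bit AES key followed by 96-bit GCM nonce
	if _, err := rand.Read(keyNonce); err != nil {
		return nil, err
	}
	gcm, err := newGCM(keyNonce[:32])
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, keyNonce, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Ciphertext: gcm.Seal(nil, keyNonce[32:], payload, nil)}, nil
}

// DecryptAndVerify is the recipient's side; senderSignPub was obtained out of band.
func DecryptAndVerify(recipient *Identity, senderSignPub ed25519.PublicKey, env *Envelope) ([]byte, error) {
	keyNonce, err := rsa.DecryptOAEP(sha256.New(), nil, recipient.Enc, env.WrappedKey, nil)
	if err != nil || len(keyNonce) != 32+12 {
		return nil, errors.New("cannot unwrap session key: not encrypted to this recipient")
	}
	gcm, err := newGCM(keyNonce[:32])
	if err != nil {
		return nil, err
	}
	payload, err := gcm.Open(nil, keyNonce[32:], env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("ciphertext was modified in transit")
	}
	cut := len(payload) - ed25519.SignatureSize
	msg, sig := payload[:cut], payload[cut:]
	if !ed25519.Verify(senderSignPub, msg, sig) {
		return nil, errors.New("signature does not match the claimed sender: possible forgery")
	}
	return msg, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	alice, _ := NewIdentity() // sender (constructed names)
	bob, _ := NewIdentity()   // intended recipient
	msg := []byte("constructed sample: approve the equipment purchase")
	env, _ := SignAndEncrypt(alice, &bob.Enc.PublicKey, msg)
	got, err := DecryptAndVerify(bob, alice.SignPub, env)
	fmt.Printf("recipient read %q (err=%v)\n", got, err)
}
```

Note what the example does not cover, matching the caveat in the post: everything here protects the message in transit and at rest in the mailbox, but the plaintext is necessarily on the sender's screen and in the sender's process before `SignAndEncrypt` runs, so an administrator with control of that endpoint is outside the threat model this flow addresses.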