Security Basics mailing list archives

Re: New workplace security measures. Are they usual?


From: Todd Haverkos <infosec () haverkos com>
Date: Tue, 20 Jul 2010 14:34:14 -0500

<securityfocus () aldomedina com> writes:

> I'm two levels below the CEO, so I'm not worried about my personal
> activities, but what if I discuss the recruitment or dismissal of some
> personnel, the purchase of expensive equipment or other sensitive
> matters?

Assume they can read it. 

> Can a fake buy-recommendation come from my PC?

Certainly.  Or could be forged to look like it's from your email
address and originate from entirely outside the organization. 

> Maybe I should reformulate the question to address how can we trust
> the informatics personnel? (they're not specialized information
> security personnel, just IT engineers who care for anything
> computer/electronic related)

Unfortunately, you can't trust them entirely, but you have to.  When
hiring into such roles, organizations are well advised to do
background checks, and do all they can possibly do to ensure they're
hiring trustworthy individuals.  Checks and balances to this
administrative power give orgs a chance to detect malicious activity,
strong audit logging gives them a chance to see the scope of
activities on demand or in post mortem fashion, as another poster said
"watching the watchers" is something that would be a best practice.

A malicious insider with administrative privileges is indeed a
significant threat in most environments. 

If you need to communicate via email and ensure that a
confidentiality, integrity, and authentication is maintained, you've
discovered why private key cryptography (PGP, GPG) has some profoundly
good use cases, and why so many attorneys I know avoid committing
anything to email and prefer dealing in person or on the phone.  

With private key crypto, and assuming you've exchanged public keys
securely with the individuals you're communicating with, and you've
signed the message you're sending with your private key, and encrypted
it with the recipient's public key, you have fairly strong assurance
that:
       - only the recipient can read your message
       - no one else can read or tamper with it 
       - and the recipient has strong assurance that it was really you
         who sent it.  

http://en.wikipedia.org/wiki/Pretty_Good_Privacy

However, even with PGP... your message could be viewed by a malicious
admin if they VNC in to your desktop while you're composing it and
it's on the screen.  

And so, you're unfortunately back to having to trust anyone with admin
control over a computer you use.  And, no more than you'd be rude to
anyone at a restaurant who's involved in your dinner's chain of
custody,  it's ill advised to anger the IT admins.  :-) 

--
Todd Haverkos, LPT MsCompE
http://haverkos.com/
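The sign-then-encrypt workflow described in the reply above, as an added example that is not part of the original post or of any OpenPGP implementation. It uses only Go's standard library and a simplified hybrid construction of my own (Ed25519 signature, random AES-256-GCM session key, session key wrapped with RSA-OAEP), so the envelope layout is an assumption and is not OpenPGP's packet format. Keys are generated inline for the demo; in the scenario in the post they would have been exchanged securely beforehand. The message text is a constructed sample.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what would travel over email: the session key wrapped to the
// recipient's RSA public key, the GCM nonce, and the ciphertext of
// (signature || plaintext). Constructed layout for this example only.
type Envelope struct {
	WrappedKey, Nonce, Ciphertext []byte
}

// SignAndEncrypt signs msg with the sender's private key, then encrypts the
// signature and message under a fresh session key that only the holder of the
// recipient's RSA private key can unwrap.
func SignAndEncrypt(msg []byte, senderPriv ed25519.PrivateKey, recipientPub *rsa.PublicKey) (*Envelope, error) {
	sig := ed25519.Sign(senderPriv, msg)
	payload := append(append([]byte{}, sig...), msg...) // 64-byte signature first
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, payload, nil)}, nil
}

// DecryptAndVerify unwraps the session key (fails for anyone but the intended
// recipient), decrypts (GCM rejects any tampering), then checks the signature
// against the sender's public key (fails for a message forged by someone else).
func DecryptAndVerify(env *Envelope, recipientPriv *rsa.PrivateKey, senderPub ed25519.PublicKey) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, recipientPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("not the intended recipient: session key unwrap failed")
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	payload, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("integrity failure: ciphertext was modified in transit")
	}
	if len(payload) < ed25519.SignatureSize {
		return nil, errors.New("malformed payload")
	}
	sig, msg := payload[:ed25519.SignatureSize], payload[ed25519.SignatureSize:]
	if !ed25519.Verify(senderPub, msg, sig) {
		return nil, errors.New("authentication failure: not signed by the claimed sender")
	}
	return msg, nil
}

// Outcome records which of the three assurances from the post held in the demo.
type Outcome struct {
	RecipientReads, OutsiderBlocked, TamperDetected, ForgeryDetected bool
}

// Demo exercises the happy path plus the three failure cases: an outsider with
// a different key, a modified ciphertext, and a message signed by an impostor.
func Demo() (Outcome, error) {
	senderPub, senderPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	recipientKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	outsiderKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	_, forgerPriv, _ := ed25519.GenerateKey(rand.Reader)

	msg := []byte("Recommend purchase of the lab spectrometer, PO-1234") // constructed sample
	env, err := SignAndEncrypt(msg, senderPriv, &recipientKey.PublicKey)
	if err != nil {
		return Outcome{}, err
	}
	var o Outcome
	got, err := DecryptAndVerify(env, recipientKey, senderPub)
	o.RecipientReads = err == nil && string(got) == string(msg)

	_, err = DecryptAndVerify(env, outsiderKey, senderPub)
	o.OutsiderBlocked = err != nil

	tampered := *env
	tampered.Ciphertext = append([]byte{}, env.Ciphertext...)
	tampered.Ciphertext[0] ^= 0x01 // flip one bit of the ciphertext
	_, err = DecryptAndVerify(&tampered, recipientKey, senderPub)
	o.TamperDetected = err != nil

	forged, _ := SignAndEncrypt([]byte("Approve the wire transfer"), forgerPriv, &recipientKey.PublicKey)
	_, err = DecryptAndVerify(forged, recipientKey, senderPub)
	o.ForgeryDetected = err != nil
	return o, nil
}

func main() {
	o, err := Demo()
	fmt.Printf("%+v err=%v\n", o, err)
}
```

The forged envelope is the "fake buy-recommendation" case from the post: the impostor can encrypt to the recipient's public key just fine, but cannot produce a signature that verifies under the real sender's key, so the recipient's check fails. None of this helps against the case the post ends on, an administrator reading the plaintext off the screen before it is signed and encrypted.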
