Firewall Wizards mailing list archives

Securing Staff (was Re: Internet Security Review)


From: sedayao () orpheus sc intel com (Jeff Sedayao)
Date: Tue, 14 Oct 1997 11:14:09 -0700 (PDT)

In broad outline, they started by hitting me with a series of
``scenarios''. 
 
WOW! A security audit that actually takes humans into account
rather than just mechanism and software!! Fancy that!
 
Since social engineering is such a huge (potential) problem,
I think it's vital to consider the way people in the organization
are going to react under stress of attack/failure/confusion. This
is what scares me most about security, BTW -- I don't think it
is possible, for an organization of reasonable size, to adequately
secure the staff.
 
In the case of large enough organizations, I think it is good to
assume that the staff:

1)  can and will be socially engineered
2)  have some bad apples within the staff

It is just probability that #1 and #2 are true for big organizations (and
sometimes small ones).  If there is a chance greater than 0 that #1 
and #2 are true, you just need a big enough staff and they will happen.

If you assume #1 and #2 above, then you end up doing things like putting 
firewalls internally to minimize damage, doing scans internally, hardening
internal hosts, and really start looking at your logs.  This doesn't mean 
that you don't try to train people to resist social engineering (it reduces 
the probability of #1 happening) or do employee screening (reduces the 
probability of #2).  It does mean that you expect these things and try to 
engineer around them.  That being said, I have to say that it is much easier 
said than done putting in internal firewalls, especially if the users and 
management are accustomed to not having those barriers there.

mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr

-- 
Jeff Sedayao
Intel Corporation
sedayao () orpheus sc intel com