Firewall Wizards mailing list archives
Securing Staff (was Re: Internet Security Review)
From: sedayao () orpheus sc intel com (Jeff Sedayao)
Date: Tue, 14 Oct 1997 11:14:09 -0700 (PDT)
> > In broad outline, they started by hitting me with a series of ``scenarios''.
>
> WOW! A security audit that actually takes humans into account rather than just mechanism and software!! Fancy that!
>
> Since social engineering is such a huge (potential) problem, I think it's vital to consider the way people in the organization are going to react under stress of attack/failure/confusion. This is what scares me most about security, BTW -- I don't think it is possible, for an organization of reasonable size, to adequately secure the staff.
In the case of large enough organizations, I think it is good to assume that the staff:

1) can and will be socially engineered
2) have some bad apples within the staff

It is just probability that #1 and #2 are true for a big organization (and sometimes small ones). If there is a chance greater than 0 that #1 and #2 are true, you just need a big enough staff and they will happen.

If you assume #1 and #2 above, then you end up doing things like putting firewalls internally to minimize damage, doing scans internally, hardening internal hosts, and really starting to look at your logs. This doesn't mean that you don't try to train people to resist social engineering (it reduces the probability of #1 happening) or do employee screening (reduces the probability of #2). It does mean that you expect these things and try to engineer around them.

That being said, I have to say that putting in internal firewalls is much easier said than done, especially if the users and management are accustomed to not having those barriers there.
> mjr.
> --
> Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
> work - http://www.nfr.net
> home - http://www.clark.net/pub/mjr
--
Jeff Sedayao
Intel Corporation
sedayao () orpheus sc intel com
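As an added illustration of the "put firewalls internally and really start looking at your logs" point above (this is example code written for this archive page, not anything Jeff Sedayao or the list posted), the script below reviews internal-firewall log lines for the two things an internal barrier makes visible once you assume a socially engineered or malicious insider: one internal host fanning out to many internal hosts/ports (the sort of thing an internal scan finds from the other direction), and a host repeatedly being denied at the segment boundary. The log format, the addresses and the thresholds are all constructed assumptions; feed it your own firewall's export by adjusting `LINE_RE`.

```python
import re
from collections import defaultdict

# Constructed sample lines from a hypothetical internal firewall sitting
# between an engineering segment (10.1.x.x) and a finance segment (10.2.x.x).
# The line format is an assumption loosely modelled on packet-filter logs.
SAMPLE_LOG = """\
10:01:02 ACCEPT src=10.1.5.30 dst=10.2.0.10 dport=80
10:01:05 ACCEPT src=10.1.5.20 dst=10.2.0.1 dport=22
10:01:05 ACCEPT src=10.1.5.20 dst=10.2.0.2 dport=22
10:01:06 ACCEPT src=10.1.5.20 dst=10.2.0.3 dport=22
10:01:06 DENY src=10.1.5.20 dst=10.2.0.4 dport=22
10:01:07 DENY src=10.1.5.20 dst=10.2.0.5 dport=22
10:01:07 ACCEPT src=10.1.5.20 dst=10.2.0.10 dport=80
10:01:08 DENY src=10.1.5.20 dst=10.2.0.10 dport=445
10:01:09 ACCEPT src=10.1.5.30 dst=10.2.0.10 dport=443
10:02:11 DENY src=10.1.7.9 dst=10.2.0.50 dport=445
10:02:12 DENY src=10.1.7.9 dst=10.2.0.50 dport=445
10:02:13 DENY src=10.1.7.9 dst=10.2.0.50 dport=445
10:02:13 ACCEPT src=10.1.7.9 dst=10.2.0.10 dport=80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DENY) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def parse_log(text):
    """Turn raw log text into a list of event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def fan_out(events, threshold=5):
    """Sources that touched at least `threshold` distinct (dst, dport) pairs.

    A single workstation normally talks to a handful of internal services;
    a wide fan-out across hosts and ports is what an internal scan looks like
    from the firewall's side (accepts and denies both count, since the point
    is the breadth of what was attempted, not what got through).
    """
    targets = defaultdict(set)
    for ev in events:
        targets[ev["src"]].add((ev["dst"], ev["dport"]))
    return {src: len(t) for src, t in targets.items() if len(t) >= threshold}


def repeated_denies(events, threshold=3):
    """(src, dst, dport) triples denied at least `threshold` times.

    Repeated hits on the same blocked service are worth a look: either a
    rule is wrong and a legitimate user is stuck, or something on that host
    keeps trying to cross a barrier it should not need to cross.
    """
    counts = defaultdict(int)
    for ev in events:
        if ev["action"] == "DENY":
            counts[(ev["src"], ev["dst"], ev["dport"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


def review(text, fan_out_threshold=5, deny_threshold=3):
    """Run both checks over a log export and return the findings."""
    events = parse_log(text)
    return {
        "fan_out": fan_out(events, fan_out_threshold),
        "repeated_denies": repeated_denies(events, deny_threshold),
    }


if __name__ == "__main__":
    findings = review(SAMPLE_LOG)
    for src, n in findings["fan_out"].items():
        print(f"fan-out: {src} touched {n} distinct internal host/port pairs")
    for (src, dst, dport), n in findings["repeated_denies"].items():
        print(f"repeated deny: {src} -> {dst}:{dport} blocked {n} times")
```

On the constructed sample, 10.1.5.20 is flagged for touching seven distinct host/port pairs in the finance segment, and 10.1.7.9 for being blocked three times on the same port 445 target; 10.1.5.30, whose two connections look like ordinary web traffic, is not reported. Thresholds this low are for the toy data; on a real segment you would set them from a baseline of normal traffic first, which is exactly the "really start looking at your logs" work the post argues for.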