Security Basics mailing list archives

RE: Rights


From: "Lane, Jim" <Jim.Lane () CIBC com>
Date: Tue, 4 Jul 2006 13:11:17 -0400

Dan,
A lot of things about security that, as you rightly say, should be
business decisions are often not dealt with as such. There seems to be a
common unexamined assumption that security is like your paycheque, more
is better:-) This leads to a lot of things being done "just because". To
give full credit I think much of this is because the risk assessment
side of the equation is difficult, if not impossible, to do properly.
It's one thing to know there is a risk or exposure out there but quite
another to know the potential impact of it in real terms. People
dutifully apply endless streams of security patches without any notion
of how likely they are to be impacted by the exposures they're fixing.
This is then justified by the "soft money" cost of some supposed number
of hours that would have been spent cleaning up, this based on the
further assumption that the staff involved would have had something
useful to do with all that time they saved. Plenty of fuzzy thinking at
all steps in the process, I say. Not that I have an answer to it, mind
you. If I did I suppose I'd be rich by now:-) 

Regards,
Jim Lane   

-----Original Message-----
From: Dan Bogda [mailto:dan.bogda () kintera com] 
Sent: June 30, 2006 2:57 PM
To: Lane, Jim; I Freecycle
Cc: security-basics () securityfocus com
Subject: RE: Rights

Jim,
Only your company can tell you how much time and effort it is worth.
Risk acceptance and mitigation are both business decisions. As you
mention, if you can't do a task someone else has to. The cost is extra
personnel and decreased productivity, the benefit is improved security.
Likewise, in your environment the cost is security and the benefit is
less fuss and bother ;)

I.Freecycle.Too,
Since this is a security mailing list, I would think our interests lie
in restricting rights in favor of increased security. As Jim mentions
though, it's a balancing act. Pick your poison if you will. My only
suggestions, if you have to provide power user or local admin rights, are to make
sure you have a simple backup and restore process, good auditing,
minimize the valuable data on the desktops and provide other external
security controls to mitigate anything that can happen.

Giving local admin rights is not as costly if you can easily rebuild a
desktop due to user negligence, infection or corruption. I really like
Jeffrey Adams' Deepfreeze implementation, nothing is easier than simply
rebooting the system. Other tools that make life easier are an IDS to
watch for malicious traffic, a file server with regular backups to
provide a single point of file management and recovery, scheduled scans
to catch infections and regular virus def updates and scans.

Good luck, hope this helps,
Dan

-----Original Message-----
From: Lane, Jim [mailto:Jim.Lane () CIBC com] 
Sent: Friday, June 30, 2006 8:25 AM
To: I Freecycle
Cc: security-basics () securityfocus com
Subject: RE: Rights

I've just started work for a large bank as a sysadmin supporting a group
of developers. It seems that the custom here is to grant local admin
rights to developers and I was able to get myself so designated with a
minimal amount of fuss and bother.
To my mind this is a classic "pick your poison" sort of choice. The more
hard-nosed you are about this, the more difficult it is for some
people to do their jobs, myself being one such. One size doesn't fit
all. Some people really are "power users" and tightening up security
controls doesn't change that. If users can't make necessary changes then
somebody else has to do it for them. How much time and effort is it
worth to devote to desktop security? You tell me.

Regards,
Jim Lane 

-----Original Message-----
From: I Freecycle [mailto:i.freecycle.too () gmail com] 
Sent: June 28, 2006 1:02 PM
To: security-basics () securityfocus com
Subject: Rights

Hello,

I'm wondering how others deal with allowing users rights on work
computers.

At our school, users aren't normally given Administrator or Power User
rights unless it's absolutely necessary. Occasionally we
encounter employees and students that don't understand how easily a
system can be messed up and the security issues involved nor why we
feel it's necessary to operate like this.


I would like to know what others do, and what policies they have in
place to address these issues.

Thanks,

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------