RE: Getting security back from the sys admin

["Nick Vaernhoej" <nick.vaernhoej () capitalcardservices com>]

I think the main concern might be a perception mismatch.
You mention that you (security) has maintained root in Unix but lost it in Windows.

It seems you think you need root across the board to do your job? If you achieve this you will need to hire someone to 
monitor you.

I may be wrong, but it is my belief that IT and IS can work together by having IT be responsible for the 
servers/workstations and any changes while IS provides the knowledge and direction needed to maintain a secure 
environment. You cannot have IS build the logging mechanism, the IDS/IPS, the anything because their role will lose 
integrity.
You have IT build according to your design perhaps, and then you audit their job.

So, my comment on how you regain a foothold in your company is by creating the foundation you wish to build your goal 
on. And that is policies and standards.
You write a standard on how backups, encryption, logging,  email, etc is secured and then you design or assist IT in 
implementing this.
Once in place then you verify once a month.

Nick Vaernhoej
"Quidquid latine dictum sit, altum sonatur."


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Rivest, Philippe
Sent: Friday, December 07, 2007 10:06 AM
To: Franck Vervial; lowney
Cc: security-basics () securityfocus com
Subject: RE: Getting security back from the sys admin

Thanks for the 2 very good ids (work together to implement IDS, and the report one).

For our responsibility, we basically only manage user access right now. We lost all of our "responsibility" over the 
last few years due to lack of knowledge on the security team part. Having changed this situation, my director wants us 
to take some responsibility back (in a controlled way).

Basically, I can't even log on to Windows servers but I have root access to the unix servers (managed by the unix 
team). That shows that we didn't have knowledge over Microsoft, but on unix we were good enough to keep stuff.
That is one of the many example and exception that we have to manage with.
We also have full access to SQL, but not the windows machine on witch its running..


So on every situation; I can only secure 1 part and not the whole. And since we are the one answering the auditors we 
need to AT the very least see how things are set up.


As for your help, I already added your ids to my document im writing. That with separation of duties did help a lot.

If anyone has other IDs, example or hints, please help :)

Merci

Philippe Rivest, Certified Ethical Hacker
Analyste en sécurité de l'information
Métro Richelieu
514-662-3300x3115
P Est-ce vraiment nécessaire d'imprimer cette page ?

-----Message d'origine-----
De : listbounce () securityfocus com [mailto:listbounce () securityfocus com] De la part de Franck Vervial
Envoyé : vendredi 7 décembre 2007 04:30
À : lowney
Cc : security-basics () securityfocus com
Objet : Re: Getting security back from the sys admin

  Hi,

Does security team have operational responsability or only
control/audit responsability ?
I have known the same situation and I think every body is winner if
the two teams work
together.
You will always need expertise of system guy in system and security application.
And they need help of security team for the things for which they
don't have the time for :
security survey, audit and risk analysis methods, etc.
A good thing to know in order to keep good relations is to not
under-estimate their skills
and understand the production contraints.

An example :
you have to install a security audit tool to product reports about
security level of systems
they manage. Instead of just install it and make a report that is very
red because of a lot of
security weaknesses. Give them the referential with which this tool
works (like CIS security), so they can make a effort to increase the
systems security level before reports.
That is good because two teams have the same aim : increase security.
Anyway the reports will produce some weaknesses because lack of time or other.

another argument is to justify budgets against direction (it is easier
when two differents
teams are agree that an IDS is necessary).

In clear : be dip)lomatic and works together, the kwowledge and
productivity of everybody will be better.

Hope this helps,

Franck

PS : sorry for bad english language ;-)

This electronic transmission is intended for the addressee (s) named above. It contains information that is privileged, 
confidential, or otherwise protected from use and disclosure. If you are not the intended recipient you are hereby 
notified that any review, disclosure, copy, or dissemination of this transmission or the taking of any action in 
reliance on its contents, or other use is strictly prohibited. If you have received this transmission in error, please 
notify the sender that this message was received in error and then delete this message.
Thank you.