Security Basics mailing list archives

Re: Re: Conflict of interests


From: raketomet () gmail com
Date: Mon, 11 May 2009 05:42:00 -0600

Hi Al, I am in a similar situation right now. I took the position of IT Security Manager in a small investment 
company. From the beginning I have been discussing my application/request for access rights with the IT manager. By now we 
have escalated the request to the COO (and will go higher if necessary).
There are more aspects to the conflict. Just briefly:
1. Purpose
I had to describe the activities I need to perform with privileged accounts. You mention only patching, which is one of 
many. There are many more activities/controls depending on your role; I encourage you to write down the risks, the controls you 
perform as a countermeasure, and the danger if you cannot perform those controls because of missing access rights.
2. Your role in the organization / job description
I belong to the Risk department. The reason for not being part of IT is that I also perform as a control of IT! This 
is a crucial point. What are your roles? I divided roles into 4 categories: analysis (risk analysis, etc.), methodic 
(designing policies, standards, procedures, but also security measures of the IS), control (daily jobs starting with 
monitoring of vulnerabilities, vulnerability assessment, event monitoring, etc.) and audit (regular audits of systems, 
users, processes).
IT represents a risk with high impact (IT mostly has full access to sensitive data and can do anything with it), 
hopefully with lower probability (but studies do not confirm this, see 
http://www.gartner.com/press_releases/pr29may2003a.html and the newer 
http://www.isaca.org/Template.cfm?Section=Home&CONTENTID=44812&TEMPLATE=/ContentManagement/ContentDisplay.cfm, google 
for others).
If we consider IT as a risk, we can reject it (not a good idea, denied), accept it (are the countermeasures = access rights 
more expensive than the potential loss? no, denied), probably cannot transfer it (to whom?), or reduce it (sure, we cannot 
fully avoid the risk, but better than nothing). I am a former IT auditor and later IT consultant from a Big 4 firm; I did tens of 
audits and realized I had very limited possibilities to identify incidents without my own access. If you also perform as 
the control of IT, how would you investigate incidents without access rights?
So write down the activities you perform; an interesting source would be the IT Security EBK from US Homeland Security, 
http://www.us-cert.gov/ITSecurityEBK/ (see the matrix at the end of the document).
3. Organization (system and process maturity)
The requirement for access is influenced by the maturity of the IS/IT systems and IT processes. I can imagine there would be no need 
for access if there were a full test environment with the same configuration as production and IT processes were at least 
managed (CMMI level 3 or higher). In my case that is not so.
4. Account privileges
Some applications and systems provide enough information even with a user account if configured accordingly. So, for 
example, I have only a user account on the Linux systems. Unfortunately the same cannot easily be done for Windows (which is mostly 
the core system and thus the key risk).
5. Usage
Under no circumstances can the account be used for changes. Just view, run e.g. MBSA, save the report. The same applies to 
penetration testing: only after it is approved by the head of the company. The principle of least privilege applies not 
only to administrators, but also to IT Security. I know companies where IT Security has an executive role in user 
account management, and then their account can be used for this.
6. Risk mitigation
To be fair, with a privileged account anybody (and thus also IT Security) can negatively impact IT operations (cause 
an incident). There have to be countermeasures to mitigate the risk. It is not very probable if the account is used only from 
time to time and IT Security is skilled (does not click OK without reading; that's simplicity), but anyway there has to 
be proper logging and backups. You can also propose recording of your activities with such an account using tools like 
Screen Anytime, TSRecord, ObserveIT (expensive if only for this purpose).
Generally it depends on your role, but even if you perform only an analytical and methodic role, you will need 
higher than user-level access, otherwise you won't keep pace with the changes IT makes. If you do not have access and 
cannot review systems (I do not mean learning on production, but getting to know the configuration), then after one or two 
years you don't know what's going on or how it works, and your recommendations will make no sense. That's what 
happened to my predecessor, who was fired.
