Security Basics mailing list archives

Re: Conflict of interests
From: Aarón Mizrachi <unmanarc () gmail com>
Date: Wed, 6 May 2009 03:27:41 -0430

Hi.

It's hard to answer this question...

First of all, I agree with you that some security tasks need administrative 
privileges. Tasks like "deploy patches" (depends on the system) require admin 
privileges. And massive patching is only humanly possible with automated 
mechanisms.

But this depends only on the company budget.

Companies with good incomes will spend more money on their IT department; 
therefore, they will have fine-grained responsibilities per worker, and the 
external security auditor will be limited to delivering a report recommending 
some patch, some automatic update system, or some security policy.

Also... big-size companies must be well-documented. Every process, every 
change, every installation will have a trace in documents, and will be planned 
and explained in documents and logs. If these documents don't exist, there is 
the first security vulnerability: "Systems that don't transcend the people who 
installed them."

In a small company with a reduced budget, sometimes you will need to go from 
external consultant to patch deployer. Then you need admin.

-----------------------------------------

Overview...

I agree that on many tasks you need to be admin (or a cascade of it). These tasks 
commonly involve massive patching, massive program installation, rootkit 
detection, etc.

Then, asking for root is plausible in such situations where the company doesn't 
have the personnel and the budget to carry out these tasks itself. (Remember to 
sign permissions and NDAs.)

-----------------------------------------

But we have to keep this in mind: it is hard to give you a temporary superuser.

Temporary is not the best word to define a superuser; a superuser can, in fact, 
leave backdoors and permanent access. So figure out how difficult it must be to 
give many supercows. That in itself represents a security risk.

On Tuesday 05 May 2009 11:48:54 s0h0us wrote:
Hi Richard, thanks for the feedback. I thought I had included a name in the
original posting but I guess I didn't. You can call me Al. (like in the
song :P ) Anyway, my role? The million dollar question. One man show,
trying to do many things. From policy writing, to internal risk assessments
of third party vendors, contract reviews, vendor management, etc. Somewhere
along the line I review IT's functions as they relate to security. In this
case I want to review their patch management process by making sure devices
are proactively being updated as needed. Using tools like Nessus, GFI
Languard, etc. I have a separate computer, outside the corporate AD to
perform some of these tests. This is simply an example of a way in which
I'm wondering if privileged access is required. I'm not so much trying to
perform a pen test, more wanting to make sure internal devices are not
vulnerable. Hope this helps. Thanks again!
----- Original Message ----
From: Richard Thomas <austindad () gmail com>
To: s0h0us () yahoo com
Cc: security-basics () securityfocus com
Sent: Tuesday, May 5, 2009 11:37:06 AM
Subject: Re: Conflict of interests

First, a request.  Please give us a name to use, even if it's false.
To answer your question, we need to know the type of security role you
play.  Is it operational security or more compliance related?
Generally, you should not require either domain admin access or root.
Most IT staff never need this level of access.  If you could provide
us more information regarding the situation and your role, I think we
could offer more useful input.

Richard Thomas

On Mon, May 4, 2009 at 1:16 PM,  <s0h0us () yahoo com> wrote:
As a security guy, not part of the IT department, I require a level of
access in order to perform my job. Certain types of tools require
privileged access in order to work. Like having domain admin access
and/or similar privileged access for unix and linux systems. Is it
reasonable to request this type of access without causing any type of
conflict of interest that internal auditors might question? I guess audit
trails would come in handy here. Thanks for the feedback.

------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Learn all of the latest penetration testing techniques in InfoSec
Institute's Ethical Hacking class. Totally hands-on course with evening
Capture The Flag (CTF) exercises, Certified Ethical Hacker and Certified
Penetration Tester exams, taught by an expert with years of real pen
testing experience.

http://www.infosecinstitute.com/courses/ethical_hacking_training.html
------------------------------------------------------------------------