Educause Security Discussion mailing list archives
Re: Security vs. Business Process. Does Business Process trump Security Process?
From: Gary Dobbins <dobbins () ND EDU>
Date: Thu, 2 Jul 2009 14:58:07 -0400
Another interesting angle on this came out of a semi-trick interview question I recently used: "What's more important, ensuring authorized access works, or preventing unauthorized access?" While I never expected there to be any one "right" answer, the candidate responded as I'll paraphrase below. He said "You have to do both, but preventing unauthorized access has to come first, then ensure permitted access works." ...Why in that order? "Because you can always go back and fix an inadvertent blockage of authorized access; it's often far harder to clean up after you've let unauthorized access occur." (He got the job, BTW.)
-----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Stucky, David Sent: Thursday, July 02, 2009 2:41 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Security vs. Business Process. Does Business Process trump Security Process? Randy, In case my name seems similar, you might remember me from a SANS Security Essentials course back in March 2008. Your comments fall right in line with what I tend to struggle with. I will tell people that security should not interfere with business, but business must be appropriately secure. I stress the fact that we must work together to find the right solutions to support business needs in an appropriately secure manner. As a sysadmin/security type it is important to remember you cannot eliminate risk; but you have to work hard to manage and reduce risk. One thing I would add is the struggle with implementing responses to audits and risk assessments. You've learned where your best opportunities to improve your security posture are, but sometimes the suggested resolutions are not board or focused enough to stop the real threat they are trying to reduce and do more to interfere with business than to reduce risk. Thanks for the reminder and well put thoughts. David Stucky, Systems Security Analyst Office of Human Resources The Pennsylvania State University 503 James M. Elliott Building University Park, PA 16802 Office: 814-865-4049 Mobile: 814-404-9303 E-mail: dys5 () psu edu http://www.ohr.psu.edu -----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of randy marchany Sent: Thursday, July 02, 2009 12:08 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Security vs. Business Process. Does Business Process trump Security Process? The recent thread on blocking email attachments reminds me of a discussion I had a couple of months ago on how IT sysadmins might be making our overall security posture worse by pursuing the wrong security strategy. 1. 25 years ago, I went to visit a friend of mine who worked in the HR dept. She got a brand new Mac. Of course, I geeked out marvelling at the icons, the coolness of the box, etc. She patiently waited for me to finish and told me " that's nice but as far as I'm concerned this Mac is like a stapler to me. My job is to do HR benefits. That Mac just helps me do my job. If it weren't there, I still have to do HR benefits." Those words have stuck with me ever since. Why? 2. As a sysadmin, I wound up focusing on protecting the "box" rather than the process that uses the "box". I insisted on security procedures that while they protected the actual box, actually impeded efficient USE of the box by my general user community. Things like arbitrarily preventing users from downloading programs they needed, password lifetimes, etc. that were designed to prevent ME from having to respond to a user's mistake. I justified these actions by saying our sysadmin group was short staffed (high system:admin ratio), the consequence of the action caused damage to the institution but didn't pay attention to the fact that it was user awareness not technical issues that caused most of the problems and secretly because I knew it'd be more work for me to clean up someone's mess when I have 200 other systems to manage. In other words, I clamped down for efficiency's sake. Our office does security reviews of individual depts and every now & then, I see this situation and I see the business users come up with creative ways to bypass the restrictions. When we analyze WHY they're doing that, we find it's because a security restriction prevents them from doing their job efficiently. There was always an alternative security measure that allowed the user to do their job but it was more work for the sysadmin. For example, I was visiting another EDU and we wanted to download a video that illustrated a particular security feature. We were told that the institution blocks video downloads. I understood the reasoning behind the block policy was resigned to just talking about the video but the local person said "here's what we do to get the video here". Basically, they downloaded the video (yes, it was legit) to their home computer and then used a VPN to transfer the file to the work computer. This bypassed the IPS on their campus. The dept produces videos for distribution and goes through a convoluted process to be able to distribute their videos. I asked why not get an exception and they told me their IT division said no exceptions because of the security threat such downloads would introduce. But people were still able to download videos to their computers. So what did the download block actually accomplish? I suspect each of us has run across similar situations in our environment. 3. My friend's comment on the computer being an aid to her job function reminds me that if we design security measures that impede the business process, they will bypass them somehow and thereby reduce our overall security posture. 4. When I see sites that block certain things, I ask 2 questions: - What's the purpose of the block? - Does the block introduce a worse threat? For example, my favorite example is account lockouts. I ask the following questions: - what's the purpose of the lockout policy? - do you have strong password requirements? - do you run password crackers against your password database? - does your login banner list the last login time for that account? - do you log login failures? Do you notify the attacking site? - How long does it take to reset the account? - What happens if my attack is to lock out the accounts? I can write a script that can do that quickly. In this particular example, strong password requirements in combination with log monitoring and in-house password cracking provide stronger controls against brute force password attacks without introducing a worse (IMHO) attack of account lockouts. The problem is that in order to do this, the sysadmins have to do a fair amount of work. The easy way out is account lockouts which BTW ceased to be effective when server OS provided password control features. Early Unix systems (pre 1991) had NO password control mechanism so account lockouts were the only defense. But I digress....:-) I think if we sysadmin and security types ask and get answers to the 2 questions in my point 4, we can design effective security controls that don't impede the business process. We need to spend the time to carefully analyze how the business process uses their IT assets and tailor the security steps to the business process instead of the other way around. Is it more work for the IT staff? You bet but in the long run, the institution has a much better security posture. I now return to getting the grill ready for the holiday weekend :- ). Randy Marchany VA Tech IT Security Office & Lab 1300 Torgersen Hall VA Tech Blacksburg, VA 24060 540-231-9523 marchany () vt edu www.twitter.com/randymarchany http://security.vt.edu
Current thread:
- Re: Security vs. Business Process. Does Business Process trump Security Process? randy marchany (Jul 02)
- <Possible follow-ups>
- Re: Security vs. Business Process. Does Business Process trump Security Process? Joe St Sauver (Jul 02)
- Re: Security vs. Business Process. Does Business Process trump Security Process? Stucky, David (Jul 02)
- Re: Security vs. Business Process. Does Business Process trump Security Process? Gary Dobbins (Jul 02)
- Re: Security vs. Business Process. Does Business Process trump Security Process? Jesse Thompson (Jul 03)
- Re: Security vs. Business Process. Does Business Process trump Security Process? Russell Fulton (Jul 03)