Educause Security Discussion mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Security vs. Business Process. Does Business Process trump Security Process?

From: Gary Dobbins <dobbins () ND EDU>
Date: Thu, 2 Jul 2009 14:58:07 -0400
Another interesting angle on this came out of a semi-trick interview question I recently used:  "What's more important, 
ensuring authorized access works, or preventing unauthorized access?"

While I never expected there to be any one "right" answer, the candidate responded as I'll paraphrase below.
 
He said "You have to do both, but preventing unauthorized access has to come first, then ensure permitted access works."
...Why in that order?
"Because you can always go back and fix an inadvertent blockage of authorized access; it's often far harder to clean up 
after you've let unauthorized access occur."

   (He got the job, BTW.)







-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Stucky, David
Sent: Thursday, July 02, 2009 2:41 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Security vs. Business Process. Does
Business Process trump Security Process?

Randy,

In case my name seems similar, you might remember me from a SANS
Security Essentials course back in March 2008.

Your comments fall right in line with what I tend to struggle with.
I will tell people that security should not interfere with
business, but business must be appropriately secure.  I stress the
fact that we must work together to find the right solutions to
support business needs in an appropriately secure manner.  As a
sysadmin/security type it is important to remember you cannot
eliminate risk; but you have to work hard to manage and reduce
risk.

One thing I would add is the struggle with implementing responses
to audits and risk assessments.  You've learned where your best
opportunities to improve your security posture are, but sometimes
the suggested resolutions are not board or focused enough to stop
the real threat they are trying to reduce and do more to interfere
with business than to reduce risk.

Thanks for the reminder and well put thoughts.

David Stucky, Systems Security Analyst
Office of Human Resources
The Pennsylvania State University
503 James M. Elliott Building
University Park, PA 16802
Office: 814-865-4049
Mobile: 814-404-9303
E-mail: dys5 () psu edu
http://www.ohr.psu.edu


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of randy marchany
Sent: Thursday, July 02, 2009 12:08 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Security vs. Business Process. Does
Business Process trump Security Process?

The recent thread on blocking email attachments reminds me of a
discussion I had a couple of months ago on how IT sysadmins might
be
making our overall security posture worse by pursuing the wrong
security strategy.

1. 25 years ago, I went to visit a friend of mine who worked in the
HR
dept. She got a brand new Mac. Of course, I geeked out marvelling
at
the icons, the coolness of the box, etc. She patiently waited for
me
to finish and told me " that's nice but as far as I'm concerned
this
Mac is like a stapler to me. My job is to do HR benefits. That Mac
just helps me do my job. If it weren't there, I still have to do HR
benefits." Those words have stuck with me ever since. Why?

2. As a sysadmin, I wound up focusing on protecting the "box"
rather
than the process that uses the "box". I insisted on security
procedures that while they protected the actual box, actually
impeded
efficient USE of the box by my general user community. Things like
arbitrarily preventing users from downloading programs they needed,
password lifetimes, etc. that were designed to prevent ME from
having
to respond to a user's mistake. I justified these actions by saying
our sysadmin group was short staffed (high system:admin ratio), the
consequence of the action caused damage to the institution but
didn't
pay attention to the fact that it was user awareness not technical
issues that caused most of the problems and secretly because I knew
it'd be more work for me to clean up someone's mess when I have 200
other systems to manage. In other words, I clamped down for
efficiency's sake.

Our office does security reviews of individual depts and every now
&
then, I see this situation and I see the business users come up
with
creative ways to bypass the restrictions. When we analyze WHY
they're
doing that, we find it's because a security restriction prevents
them
from doing their job efficiently. There was always an alternative
security measure that allowed the user to do their job but it was
more
work for the sysadmin.  For example, I was visiting another EDU and
we
wanted to download a video that illustrated a particular security
feature. We were told that the institution blocks video downloads.
I
understood the reasoning behind the block policy was resigned to
just
talking about the video  but the local person said "here's what we
do
to get the video here". Basically, they downloaded the video (yes,
it
was legit) to their home computer and then used a VPN to transfer
the
file to the work computer. This bypassed the IPS on their campus.
The
dept produces videos for distribution and goes through a convoluted
process to be able to distribute their videos. I asked why not get
an
exception and they told me their IT division said no exceptions
because of the security threat such downloads would introduce. But
people were still able to download videos to their computers. So
what
did the download block actually accomplish? I suspect each of us
has
run across similar situations in our environment.

3. My friend's comment on the computer being an aid to her job
function reminds me that if we design security measures that impede
the business process, they will bypass them somehow and thereby
reduce
our overall security posture.

4. When I see sites that block certain things, I ask 2 questions:
    - What's the purpose of the block?
    - Does the block introduce a worse threat?
For example, my favorite example is account lockouts. I ask the
following questions:
    - what's the purpose of the lockout policy?
    - do you have strong password requirements?
    - do you run password crackers against your password database?
    - does your login banner list the last login time for that
account?
    - do you log login failures? Do you notify the attacking site?
    - How long does it take to reset the account?
    - What happens if my attack is to lock out the accounts? I can
write a script that
      can do that quickly.
In this particular example, strong password requirements in
combination with log monitoring and in-house password cracking
provide
stronger controls against brute force password attacks without
introducing a worse (IMHO) attack of account lockouts. The problem
is
that in order to do this, the sysadmins have to do a fair amount of
work. The easy way out is account lockouts which BTW ceased to be
effective when server OS provided password control features. Early
Unix systems (pre 1991) had NO password control mechanism so
account
lockouts were the only defense. But I digress....:-)

I think if we sysadmin and security types ask and get answers to
the 2
questions in my point 4, we can design effective security controls
that don't impede the business process. We need to spend the time
to
carefully analyze how the business process uses their IT assets and
tailor the security steps to the business process instead of the
other
way around. Is it more work for the IT staff? You bet but in the
long
run, the institution has a much better security posture.

I now return to getting the grill ready for the holiday weekend :-
).

Randy Marchany
VA Tech IT Security Office & Lab
1300 Torgersen Hall
VA Tech
Blacksburg, VA 24060
540-231-9523
marchany () vt edu
www.twitter.com/randymarchany
http://security.vt.edu
Previous By Date Next
Previous By Thread Next

Current thread: