Educause Security Discussion mailing list archives

Re: The value of 'least privilege'


From: Matthew Wollenweber <mjw () CYBERWART COM>
Date: Tue, 30 Mar 2010 13:36:15 -0400

I'd add to this, "how long does it take your security staff to determine if
a host is compromised?" If the answer is longer than to image the machine,
then admin restrictions don't necessarily improve security that much. Most
users seem to be downloading fake AV, fake movies, and malicious PDFs. If
you see them downloading malware, can you ignore the alerts and trust that
the lack of admin access stopped the malware?

The only caveat I'd mention is that if users are generally frustrated that
they can't download things, they might accept fewer malware downloads.


On Tue, Mar 30, 2010 at 10:46 AM, randy marchany <marchany () vt edu> wrote:

While I agree that limiting administrative rights is a good thing,
sites need to answer accurately the following questions:

1. How long does it take your IT staff to install software that an end
user needs?
2. How long does it take your IT staff to check such software for
security issues? Presumably, this is the real reason why end users
aren't allowed to install software. If your IT staff doesn't check
software for security issues, they can make the same mistake. Do your
admins even check for security problems with vendor software? I
suspect it's not a thorough check.

If the answers to the above questions are "long" and an end user needs
the software ASAP (who doesn't?), then the end user will find ways to
bypass this restriction in order to get the job done. Having a timely
software installation process is critical to the success of this
security solution. No sysadmin can anticipate what software is needed
at any given point in time.

I'm curious to see what the answers are to the above questions. My
informal survey answers range from 1 day (ok) to 2 weeks (not ok).

-Randy Marchany
VA Tech IT Security Office




--
Matthew Wollenweber
mjw () cyberwart com
240-753-0281
