Firewall Wizards mailing list archives

Re: RE:Vulnerability Scanners ( was: concerning ~el8 / project mayhem )


From: "Paul D. Robertson" <proberts () patriot net>
Date: Mon, 26 Aug 2002 09:09:57 -0400 (EDT)

On Sun, 25 Aug 2002, Dave Piscitello wrote:

 >That's when positive
 >authentication is necessary.  One needs to know it's positively Jane Doe that
 >went to the porn site (which is against policy) or it was someone who sat
 >down at her authenticated workstation when she walked away without logging
 >off (which is against policy) before disciplinary actions are initiated.


 >You'll need non-repudiable authentication (evidence), as a court of law
 >would describe.

I think this is a myth that we've been conditioned to believe.  It's 
certainly possible to present evidence of wrongdoing that *isn't* 
non-repudiable.  In an administrative case (firing someone) the evidence 
really just needs to be compelling.  In a civil case, the bar isn't all 
that much higher, and in a criminal one, supporting evidence works all the 
time.  Motive and correlating other evidence works just fine.

Courts of law very rarely get non-repudiable evidence, and only in the last 
10 years or so has it been possible to do things like DNA testing and 
have it admissible without the same sorts of confusing defenses that 
we're seeing in computer crime.

 >How would you propose to verify Jim was at Jane's workstation at the time
 >of the porn site visit?
 >In addition to "strong authentication" as we define it today, do you
 >propose cameras? Keyloggers that distinguish typing behavior?

If Jim authenticated to the porn site and there was a lawsuit involved, 
we'd get a subpoena for the porn site and find out whose credit card was 
used to get that ID, and also whose home computer was found to be using 
that account (indeed, if I had to defend from such a suit, I'd subpoena 
the home PC and spend all the EnCase time I could on it generating both 
corroboration and subpoena fodder.)  We'd also look at phone switch logs 
to see if Jim called home from Jane's phone, or answered Jane's phone 
while at her desk.  We could certainly correlate Jim's days in the office 
with the activity, and delta that from Jane's activity.  We could also 
start to match Jim's unanswered calls with the time periods in question, 
access-card logs, meeting attendance of both Jim and Jane...

However, porn sites really are the easy case - the pattern of abuse is 
normally ongoing, so you just need to log and alert on logging and it's 
trivial to either put hidden video surveillance on Jane's PC or walk over 
and catch Jim "in the act."[1] 

 >Something that's annoyed me for ages is the distinction that policy
 >violations conducted through computing and networking are so different from
 >any other medium. If an employee uses his phone card to dial a phone sex
 >number during work hours, from a business phone, is it as serious an
 >offense (granted, there's no temporary or long term cache of the "image"
 >unless he's taped the conversation). What about print media and fax
 >(although I've never heard of fax sex?)

Not quite as serious because unless the employee is saying offensive 
things, there's not the same "walk by" factor.  Also, I think implicitly 
illegal phone sex is probably pretty difficult to make.  However, in the 
US it's perfectly legitimate for a company to monitor its phone system for 
content - so catching is again a relatively easy matter.

 >Content inspection is an odd business, and it seems perpetually focused on
 >computer networking. My point is that I've seen some policies that don't
 >uniformly treat all media - it's acceptable to have a sexy calendar, but
 >not to visit Victoria's Secret online, or thumb through Playboy during
 >lunch? I've told folks that such policies are an HR nightmare waiting to
 >happen.

Calendars are the things that have set caselaw up to now, so that's 
obviously a problem.  However, computers should have different acceptable 
use policies; you don't have things like ECPA to contend with when you 
track calendar hanging.

 >I wrote a paper a while ago on this subject, but I think it's still
 >accurate and hopefully relevant
 >http://www.tisc2002.com/newsletters/211.html

As a note, I know quite a few companies who block 900 numbers 
(pay-per-call lines in the US) and allow specifically for "limited 
personal use that doesn't infringe upon the business," so indeed PBX 
management isn't all that different other than the level of detail (and 
most of those places print call detail logs and have employees and their 
supervisors review and sign them.)

Paul
[1] I've been involved in both types of incident, and both are effective.
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
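The log correlation Paul sketches above (flagged proxy hits on Jane's workstation checked against access-card records to see who was actually in the building) as an added Python example; it is not part of the original post, and the log lines, the names Jim and Jane, and the workstation name are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data: proxy hits (time, workstation, URL category)
# and badge (access-card) intervals (person, entered, exited).
PROXY_HITS = [
    ("2002-08-19 12:05", "ws-jane", "adult"),
    ("2002-08-19 12:20", "ws-jane", "adult"),
    ("2002-08-20 12:10", "ws-jane", "adult"),
    ("2002-08-21 09:30", "ws-jane", "news"),
    ("2002-08-22 12:15", "ws-jane", "adult"),
]
BADGE_LOG = [
    ("jane", "2002-08-19 08:00", "2002-08-19 11:50"),
    ("jane", "2002-08-19 13:00", "2002-08-19 17:00"),
    ("jim",  "2002-08-19 08:30", "2002-08-19 17:30"),
    ("jane", "2002-08-20 08:00", "2002-08-20 17:00"),
    ("jim",  "2002-08-20 08:30", "2002-08-20 17:30"),
    ("jane", "2002-08-21 08:00", "2002-08-21 17:00"),
    ("jim",  "2002-08-22 08:30", "2002-08-22 17:30"),  # Jane is off this day
]


def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def badged_in(badge_log, when):
    """People whose access-card interval covers the instant `when`."""
    return {p for p, start, end in badge_log if _t(start) <= when <= _t(end)}


def correlate(hits, badge_log, workstation, category):
    """Tally, per person, how many flagged hits on `workstation` fall inside
    one of their badge intervals (present) versus outside (absent).
    Hits nobody was badged in for are returned separately: they are the
    weak spots in the case, not evidence against anyone."""
    people = {p for p, _, _ in badge_log}
    tally = defaultdict(lambda: {"present": 0, "absent": 0})
    unexplained = []
    for ts, ws, cat in hits:
        if ws != workstation or cat != category:
            continue
        present = badged_in(badge_log, _t(ts))
        if not present:
            unexplained.append(ts)
        for p in people:
            tally[p]["present" if p in present else "absent"] += 1
    return dict(tally), unexplained


def rank(tally):
    """Order people by how consistently their presence matches the abuse."""
    return sorted(((p, c["present"], c["absent"]) for p, c in tally.items()),
                  key=lambda r: (-r[1], r[2]))
```

On the constructed data Jim was badged in for every flagged hit while Jane was out for three of four, which is the "compelling, not non-repudiable" kind of correlation the post describes.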
