Re: What challenges are security admins facing?

[ark () eltex net]

Being a bit offtopic on firewall security audit discussion, i'd like
to remember a paper i wrote on security management problems. Unfortunately
the paper is in Russian thus having no value for the mailing list
subscribers, but i can recite key point here: the major problem is
responsibility and serious gap between de jure and de facto computers and
network usage policy. People DO use computers at their workplace for
personal needs and its OKAY. There are some cases when it is not 
acceptable, say, processing critical data. That means instead of
declining the problem in whole (this should not happen, but.. everyone
including senior management does it) and focusing on "wide-range"
technical countermeasures like installing antivirus software everywhere
to avoid _personal_ responsibility, we should CONTROL the situation.
That means it is necessary to face the fact and, if we want an
employee not to play games and surf the web from computer that is
connected directly to sanctum sanctorum he just needs _another_
computer on his desk or maybe a public one somewhere in the office.
Enforcing a fascist set of restrictions just makes users extremely
creative to avoid it. Keeping restrictions reasonable makes it possible
to control remaining and vital ones really strict. That means, say,
if user installs an unauthorized piece of software on his computer
without consulting the administrator he is guilty as hell and
gets fscked really bad - but to make things work this way the administrator
should allow him to do it if it is really innocent. Otherwise he
just will not tell. If user gets a trojan by email and clicks on it
and gets 0wned, then 1) user should be fscked for doing it and 2)
the administrator should be fscked for allowing authomatic
attachment execution on users workstation. And it is the matter of
personal responsibility, not insurance or antivirus software.

In most cases managers are just coward morons. Thay prefer things
to look good until shit happens instead of preventing it.

Another problem is, again, management. Ever seen a big boss that
says "i need this videoconferencing software working today from my
desktop, so please poke a hole in firewall to make it work - it
is IMPORTANT! no, we do not have time for security analisys, we need
it NOW! No, i do not want to do it from dedicated notebook machine". 
The point is obvious. Why designing and implementing
crafty security policy just to have it ruined this way?


On Tue, May 27, 2003 at 09:22:55AM -0400, Paul Robertson wrote:
> On Mon, 26 May 2003, Paul Ammann wrote:
>
> > Hi
> >
> > I've working on the firewall security audit at my company, and I've been 
> > getting exposure to many different areas that I normally wouldn't. I work 
> > with the Check Point firewalls. I'm curious as to what people challenges 
> > security admin are facing.
>
> Change control is always a big issue.
>
> So are things like password managment, backups, ruleset validation, 
> physical cabling verification, and potentially important things like log 
> analysis and the legal aspects of such (for instance, do you regularly 
> review logs, or only when "something bad happens- the answer could change 
> the defensibility of using that analysis in court, are your logs set up to 
> be reported on, and will that ensure the business record exemption for 
> evidentiary submission...) [At this point, you should be asking yourself 
> "Why hasn't Legal been involved in our audits before?"  and probably 
> thinking "They might want specific things documented that aren't, and 
> that's a bigger stick than I currently have...]
>
> > I'm talking things you might not normally take into consideration. For 
> > example, lack of communication or documentation, inaccurrate network 
> > drawings of firewall locations, no formal change control procedure, 
> > tracking temporary firewall rules, limiting access to firewall policies 
> > and log information, or my favorite, no procedure for when an employee has 
> > left the company or change job functions.
>
> If you're doing user-ids, think about automatically expiring ones which 
> haven't been used for some period of time.
>
> Paul
> -----------------------------------------------------------------------------
> Paul D. Robertson      "My statements in this message are personal opinions
> proberts () patriot net      which may have no basis whatsoever in fact."
> probertson () trusecure com Director of Risk Assessment TruSecure Corporation
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () honor icsalabs com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards