Re: Highlighting Security Issues

["Paul D. Robertson" <paul () compuwar net>]

On Sun, 1 Aug 2004, Victor Williams wrote:

> Policy aside...in an organization, there has to be a chain of command
> that you go up.  And there has to be a motivation and empowerment from
> higher-up (before the whistle-blowing) for this ex-employee's case to
> hold water at all.  If he didn't go through the right channels and just
> appeared to be out to get someone (because I'm sure there were others
> below him, or maybe his peers that were also *abusing* their computer
> privileges...whatever that means), for me, he's gone.  Only reason it's

There's a popular misconception that you have to get everyone if you want
to get anyone.  There's also a popular misconception that everyone has to
be given the same punishment for the same abuse.  Now, obviously you
should check with your own legal counsel (and it's good to have that
relationship anyway if you're in security)- but last time I did the lawyer
dance on this stuff, it simply wasn't so, and the lawyers were happy to go
with that.

> an issue is because he's a gov't employee.  I don't think anyone wants
> to set the precedent that if you spy on your supervisor and find that
> they are doing something wrong, you can get them written up or even
> removed.  What happens when this guy wins?

Personally, I think that the fact that it's the guy's supervisor should be
immaterial.  It's either permissible, or it's verbotten.  It's either in
the scope of his job, or it's not.  That's probably the biggest bone I
have with your reaction- politics shouldn't come into play here- either
you have the right to do it, or you don't.

> I may not like my supervisor as a person, but the thing is, if he looks
> good, I look good...

That's too self-serving for me.  I've been in the situation where I've had
all out battles with supervisors.  I've been in the situation where
supervisors and I didn't talk at all- where I did things for the good of
the organization, but never for the good of the supervisor.  I've also
been in situations where my supervisor didn't have a "need to know" the
details of some of my work.

> I thought it was pretty stupid also...so stupid I didn't think it needed
> discussion.  I dunno...on Windows-based systems, there are various other
> ways of recording what someone is doing (within the confines of the OS
> itself) than having to load a trojan.  One word for this employee:  DUH

Well, I've heard of it happening enough that it obviously does need some
level of discussion.  We're failing as an industry if people load known
malcode onto systems and they aren't bad guys.

> I might ask what the organizational goal of the dept of transportation
> is.  In my town, it's to keep the buses running, the streets repaired,
> and get the snow off the road in the winter.  I don't see how Solitaire
> affects that.  I DO see how a trojan introduced into the system by a
> dumb employee could affect it however.

That depends- if his job is to check the safety ratings on bridges, vet
safety inspections, check materials, etc., it could affect it
significantly more than a single Trojan.

> > I don't think the commercial world is all that different, unless someone
> > *cares* enough to do good policy creation and enforcement.  That's one of
> > the reasons that I'd prefer to see people channel such energy, rather than
> > letting it go off on tangents, no matter how just the cause.  I also think
> > that we need to document and policize against really stupid things like
> > downloading Trojans and installing them.
>
> I think it is very different.  I think in the commercial world, you're
> always cutting the fat off because it's costing your department, your
> company cash.  This guy would have been cut off a long time ago where I

I think you're looking at the commercial world with rose colored glasses.

> I don't think any documenting and policizing is going to do it.  I think

It's the foundation, without a strong foundation an organization is open
to interpretation.

> > I've always thought such things were stupid.  They get in the way of many
> > legitimate sites, and put you into a "if I can get at it, then it's ok"
> > sort of mode.  Better to summarize sites surfed and have the employee sign
> > the reports, like larger companies do with phone logs.  I also get the
> > stupid bounce messages from lots of e-mail content filters, which are the
> > logical extension, and I know lots of people miss otherwise important
> > messages because of some phrase, tool name, or slightly off remark.
>
> I don't see it that way...may just be the nature of the company/business
> I'm in.  They, like anything else, don't get in the way of anything if
> they're tuned correctly.  Same thing goes with the AV
> gateways/scanners...but that's a different discussion altogether...

This thread has already been bounced once by a large corporation's e-mail
filtering gateway.  Now, I'm not saying that this thread is critical, but
if this thread can be bounced, then what else of legitimate value can?

What if this thread contained critical information about a Trojan with a
"bad" word in its name?

If you can't get this discussion, then you're likely to not get everything
of value.

> Not a reason or an excuse.  It comes as an option you do not have to
> install.  If you have a halfway decent Windows network policy (and an
> admin who knows what they are doing), you don't let end-users install
> their own software...doesn't matter if they are the CEO.  And you don't
> hand them a PC or laptop with 800 things they don't need on it.  If they

For all the "chain of command" and "you look good" stuff, I'm surprised
you'd disallow a CEO whatever they wanted.

I've done it- in a ~$5B corporation.  Didn't make me any more popular than
I already wasn't.  You'd be surprised at how many layers of "You can't say
no to the CEO" there are.  Should you stick to policy, or "do what your
boss tells you?"

> > I'm not sure that follows.  If you're supposed to monitor and document,
> > it's all for nothing if the documentation doesn't go anywhere.  But then,
> > I've always been visible enough to get folks to give me their tattles and
> > let me decide what to do with them.  I've also had the "My boss isn't
> > being effective" conversation with the next person up the chain.
>
> I don't believe that at all.  I'm not one for quoting scripture, but
> there's one that says "Be sure your sins will find you out."  If you're
> doing the wrong thing, one way or another, the wrong person is going to
> find out about it...and then you're toast.  It always happens to people
> misusing the network.  Tools or no tools in place.  Misuse long enough,
> the right person finds out, then you're done.  I've been on the giving
> end of this before.  I monitor and document everything...from the CEO to
> the janitor.  I don't tattle-tale, but I let the supervisors-that-be
> know that something is going on that shouldn't.  IF they are interested,
> I tell them more.  If they are not, I go back to monitor and document
> and do what's in my power.  If you have done what's in your power, what
> more are you expected to do?  Sorry, I don't think it's worth losing
> your job over...

I haven't lost a job over it yet.  I've never been limited by that concern
though- I think my principles are worth more than any instantiation of
employment.  It's in my power to change what's in my power.  It's in my
power to try to *fix* what's broken in the organization.

> If the supervisors continue to not care and I find I cannot work in that
> environment, guess what?  The monster.com account just got reactivated
> and a call is placed to my headhunter the next day.

If you're going anyway, then why not go out with a bang?

> The problem with this situation, is this person doesn't think they have
> an ethical out.  I kind of have the same belief.  But, I don't think
> policies are enforced in any gov't agency anyway (minus the FBI and
> places like that), so it's kind of pointless.  You're paid to do what
> your boss tells you to...minus breaking the law.  If you want to make a
> difference, go work in private industry where we're trying guard our
> assets (with security policies and practices), and not for the
> department of transportation where everything is public knowledge
> anyway...right down to what people get paid, when they were arrested
> last, etc etc.

When I worked for a large media organization, the argument "It's all going
to be public information" didn't hold any water with me, it still doesn't.
Where the President will be speaking next is public information, that
doesn't make him any less guarded.

> Which brings me to my next point...just putting 1 and 1 together, what
> did this organization stand to lose by one guy playing Solitaire?

Given some of the memos where his direct reports were trying to get him
engaged, potentially lots.  Both in terms of lost productivity, and
depending on his exact responsibilities, public safety.

> Seemed to me that there was more to lose (integrity of the network for
> one) by some guy loading a trojan, than by someone else playing
> Solitaire.  That's why I said earlier it was a no-brainer.  You're using

If the network people report to this guy, then they have the whole network
to lose if his inattention happens at the wrong time.  If we take your "do
what you're told" example, and he's not telling them to do anything (as
the complaints about having regular meetings so the guy would attend seem
to indicate) they could lose quite a lot.

Personally, I think they both should have gotten canned.

> > Sure it's a management problem, *everything* is a management problem.  The
> > thing is that organizations need ways for management problems to be
> > brought into the open.
>
> I'd say this one was pretty much out there...pretty effective way to get
> it out there wouldn't you say?  =)

This is after the fact, you'd really want it earlier...

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards