Firewall Wizards mailing list archives
Re: Highlighting Security Issues
From: "Paul D. Robertson" <paul () compuwar net>
Date: Mon, 2 Aug 2004 06:42:25 -0400 (EDT)
On Sun, 1 Aug 2004, Victor Williams wrote:

> Policy aside...in an organization, there has to be a chain of command that you go up. And there has to be a motivation and empowerment from higher-up (before the whistle-blowing) for this ex-employee's case to hold water at all. If he didn't go through the right channels and just appeared to be out to get someone (because I'm sure there were others below him, or maybe his peers that were also *abusing* their computer privileges...whatever that means), for me, he's gone. Only reason it's

There's a popular misconception that you have to get everyone if you want to get anyone. There's also a popular misconception that everyone has to be given the same punishment for the same abuse. Now, obviously you should check with your own legal counsel (and it's good to have that relationship anyway if you're in security) - but last time I did the lawyer dance on this stuff, it simply wasn't so, and the lawyers were happy to go with that.

> an issue is because he's a gov't employee. I don't think anyone wants to set the precedent that if you spy on your supervisor and find that they are doing something wrong, you can get them written up or even removed. What happens when this guy wins?

Personally, I think that the fact that it's the guy's supervisor should be immaterial. It's either permissible, or it's verboten. It's either in the scope of his job, or it's not. That's probably the biggest bone I have with your reaction - politics shouldn't come into play here - either you have the right to do it, or you don't.

> I may not like my supervisor as a person, but the thing is, if he looks good, I look good...

That's too self-serving for me. I've been in the situation where I've had all-out battles with supervisors. I've been in the situation where supervisors and I didn't talk at all - where I did things for the good of the organization, but never for the good of the supervisor. I've also been in situations where my supervisor didn't have a "need to know" the details of some of my work.

> I thought it was pretty stupid also...so stupid I didn't think it needed discussion. I dunno...on Windows-based systems, there are various other ways of recording what someone is doing (within the confines of the OS itself) than having to load a trojan. One word for this employee: DUH

Well, I've heard of it happening enough that it obviously does need some level of discussion. We're failing as an industry if people load known malcode onto systems and they aren't bad guys.

> I might ask what the organizational goal of the dept of transportation is. In my town, it's to keep the buses running, the streets repaired, and get the snow off the road in the winter. I don't see how Solitaire affects that. I DO see how a trojan introduced into the system by a dumb employee could affect it however.

That depends - if his job is to check the safety ratings on bridges, vet safety inspections, check materials, etc., it could affect it significantly more than a single Trojan.

>> I don't think the commercial world is all that different, unless someone *cares* enough to do good policy creation and enforcement. That's one of the reasons that I'd prefer to see people channel such energy, rather than letting it go off on tangents, no matter how just the cause. I also think that we need to document and policize against really stupid things like downloading Trojans and installing them.
>
> I think it is very different. I think in the commercial world, you're always cutting the fat off because it's costing your department, your company cash. This guy would have been cut off a long time ago where I

I think you're looking at the commercial world with rose-colored glasses.

> I don't think any documenting and policizing is going to do it. I think

It's the foundation; without a strong foundation an organization is open to interpretation.

>> I've always thought such things were stupid. They get in the way of many legitimate sites, and put you into a "if I can get at it, then it's ok" sort of mode. Better to summarize sites surfed and have the employee sign the reports, like larger companies do with phone logs. I also get the stupid bounce messages from lots of e-mail content filters, which are the logical extension, and I know lots of people miss otherwise important messages because of some phrase, tool name, or slightly off remark.
>
> I don't see it that way...may just be the nature of the company/business I'm in. They, like anything else, don't get in the way of anything if they're tuned correctly. Same thing goes with the AV gateways/scanners...but that's a different discussion altogether...

This thread has already been bounced once by a large corporation's e-mail filtering gateway. Now, I'm not saying that this thread is critical, but if this thread can be bounced, then what else of legitimate value can? What if this thread contained critical information about a Trojan with a "bad" word in its name? If you can't get this discussion, then you're likely to not get everything of value.

> Not a reason or an excuse. It comes as an option you do not have to install. If you have a halfway decent Windows network policy (and an admin who knows what they are doing), you don't let end-users install their own software...doesn't matter if they are the CEO. And you don't hand them a PC or laptop with 800 things they don't need on it. If they

For all the "chain of command" and "you look good" stuff, I'm surprised you'd disallow a CEO whatever they wanted. I've done it - in a ~$5B corporation. Didn't make me any more popular than I already wasn't. You'd be surprised at how many layers of "You can't say no to the CEO" there are. Should you stick to policy, or "do what your boss tells you?"

>> I'm not sure that follows. If you're supposed to monitor and document, it's all for nothing if the documentation doesn't go anywhere. But then, I've always been visible enough to get folks to give me their tattles and let me decide what to do with them. I've also had the "My boss isn't being effective" conversation with the next person up the chain.
>
> I don't believe that at all. I'm not one for quoting scripture, but there's one that says "Be sure your sins will find you out." If you're doing the wrong thing, one way or another, the wrong person is going to find out about it...and then you're toast. It always happens to people misusing the network. Tools or no tools in place. Misuse long enough, the right person finds out, then you're done. I've been on the giving end of this before. I monitor and document everything...from the CEO to the janitor. I don't tattle-tale, but I let the supervisors-that-be know that something is going on that shouldn't. IF they are interested, I tell them more. If they are not, I go back to monitor and document and do what's in my power. If you have done what's in your power, what more are you expected to do? Sorry, I don't think it's worth losing your job over...

I haven't lost a job over it yet. I've never been limited by that concern though - I think my principles are worth more than any instantiation of employment. It's in my power to change what's in my power. It's in my power to try to *fix* what's broken in the organization.

> If the supervisors continue to not care and I find I cannot work in that environment, guess what? The monster.com account just got reactivated and a call is placed to my headhunter the next day.

If you're going anyway, then why not go out with a bang?

> The problem with this situation is this person doesn't think they have an ethical out. I kind of have the same belief. But, I don't think policies are enforced in any gov't agency anyway (minus the FBI and places like that), so it's kind of pointless. You're paid to do what your boss tells you to...minus breaking the law. If you want to make a difference, go work in private industry where we're trying to guard our assets (with security policies and practices), and not for the department of transportation where everything is public knowledge anyway...right down to what people get paid, when they were arrested last, etc etc.

When I worked for a large media organization, the argument "It's all going to be public information" didn't hold any water with me, and it still doesn't. Where the President will be speaking next is public information; that doesn't make him any less guarded.

> Which brings me to my next point...just putting 1 and 1 together, what did this organization stand to lose by one guy playing Solitaire?

Given some of the memos where his direct reports were trying to get him engaged, potentially lots. Both in terms of lost productivity, and depending on his exact responsibilities, public safety.

> Seemed to me that there was more to lose (integrity of the network for one) by some guy loading a trojan, than by someone else playing Solitaire. That's why I said earlier it was a no-brainer. You're using

If the network people report to this guy, then they have the whole network to lose if his inattention happens at the wrong time. If we take your "do what you're told" example, and he's not telling them to do anything (as the complaints about having regular meetings so the guy would attend seem to indicate) they could lose quite a lot. Personally, I think they both should have gotten canned.

>> Sure it's a management problem, *everything* is a management problem. The thing is that organizations need ways for management problems to be brought into the open.
>
> I'd say this one was pretty much out there...pretty effective way to get it out there wouldn't you say? =)

This is after the fact; you'd really want it earlier...

Paul
-----------------------------------------------------------------------------
Paul D. Robertson          "My statements in this message are personal opinions
paul () compuwar net         which may have no basis whatsoever in fact."
probertson () trusecure com  Director of Risk Assessment, TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards