funsec mailing list archives
RE: Administrator Accounts
From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa () pacbell net>
Date: Wed, 22 Feb 2006 18:30:00 -0800
Because, sir, the decisions on software are not made by the geeks but by the high level folks that haven't a clue about what securely coded software is. Larger firms can do RFPs, but even then the team designing the specs has to know what they are talking about. What drives software sales? Security? No, it's because someone else made the decision that they needed the program that integrates that into that and throws up cute little pie charts. Or it syncs with a cell phone, or some other thing that made it the software you just had to have.
Hang around the ActiveDir.org listservs where the folks complain about management buying something AD integrated, and only after the contract has been signed does someone look to see what "it" needs to bolt onto that network or worry about the security implications of what adjustments it needs to the Active Directory environment. Right now there are not enough folks in the decision making roles that ask the tough questions of vendors.
It plays into this: RSA: Secure software is up to businesses. Most businesses aren't doing enough to build and buy securely written software, according to a panel of corporate security executives, academics and professional software developers speaking at the RSA Security Conference 2006 yesterday.
http://www.computerworld.com/securitytopics/security/story/0,10801,108716,00.html
http://www.securesoftwareforum.com/assets/documents/SPISSFWhitePaper.pdf

We're not pushing because the people making the decisions and signing the checks do not know enough to know to ask the right questions. Right now Intuit got away with it until the SANS.org site made them their "first inductee into the Local Admin Hall of Shame"; that, and also the fact that Microsoft's accounting application came into the marketplace and added competition (which is ironic, isn't it?). They have since announced that they will "fix this issue" in the 2007 program. The marketplace has to care, and until it does, vendors have no incentive to fix this. This accountant thinks it's shameful that so many of my own industry's applications are lacking in the foundations of security. Back to lurking....

Susan

From: Nick FitzGerald <nick () virus-l demon co uk>
Subject: RE: [funsec] Administrator Accounts
To: funsec () linuxbox org
Message-ID: <43FDC209.9488.4D901746 () nick virus-l demon co uk>
Content-Type: text/plain; charset=US-ASCII

Todd Towles wrote:
My friend Susan Bradley said it in 2005 - "We need to understand that we need to protect ourselves a little bit better. At the same time, the vendors need to step up to the plate. Intuit, in particular, and other vendors that do not support limited user rights are forcing me to make security decisions. They are the ones causing insecurity on the desktop, not me." But not all applications will run if the user does not have administrative privileges, Bradley said. "The ultimate goal is that every single application that we have installed in our systems will run in user modes," Bradley said. "The Microsoft applications do run in user mode. I cannot say that for the rest of my stupid line-of-business applications. To get certified for design for a Windows XP logo, you have to run as a user mode."
So, why pray tell, is _any_ corporate system running any of these crappy apps?
If it doesn't "run in user mode", WTF was it ever approved for use in the business?
Had corporates taken this "we actually really do care, maybe just a little though, about security" attitude, this problem would not exist _for "business use" software_ today.
The reason the problem exists is that "too many" corporate IT folk either don't have the balls to front a major s/w developer like Intuit (and all the others) and demand that they fix their crappy software, or the IT folk's advice is overridden by some security-clueless moron (probably an accountant) who decides it is cheaper (in terms of up-front dollars and cents) to stick with the app that they were using when Win9x ruled their roost (and don't get me started on the question of why that PoS was _ever_ used in a business that claims to care about security) and not face the re-training, data conversion, process conversion, etc, etc, etc costs of switching to Product X which does offer the intangible benefit of allowing a better security design for their IT system.
Thinking in the small by small-minded folk who can only see their constrained view of the world...
Regards,

Nick FitzGerald

--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.