Information Security News mailing list archives

Re: Who gets your trust?


From: mea culpa <jericho () DIMENSIONAL COM>
Date: Thu, 20 Jan 2000 14:09:32 -0700

Reply From: fennelly () wkeys com

From: Chris Brenton <cbrenton () sover net>

They just wanted to set up a root account with a different environment. That's
not hacking, right? Wrong. Their intention did not matter -- the security
of the system has been bypassed.

Hummm, so I guess everyone who has ever set up a dedicated account for
performing back-ups is now a hacker, right? ;)

Agreed - badly worded..

I also take issue with the statement "intention did not matter". Intent
is everything, otherwise I would consider every user who has
accidentally deleted a file a destructive anarchist. There is a big
difference between stupidity and malicious intent.

If a user accidentally deletes a file, you still have to restore it..  If
someone can break into a system because an admin left a hole (let's say
they stole a credit card database), does it change the end result because
the admin "didn't mean to"?

Also, where does this author get off making the blanket statement that
setting up an alternate account with god rights is bypassing the system
security??? I see, it's better to have everyone log on at the console as
Admin so you have no traceability as to who does what with the account.
At least by elevating privileges for an admin's personal account you
have some traceability as to what they were doing. In the NT & NetWare
world I personally like to completely disable the Admin account so
support people are forced to use their own accounts (and thus are
tracked and logged). So how is this bypassing security???

I'm talking about a Unix environment, not NT. In Unix, an admin logs in to
their account and su's to root (thereby creating an entry in sulog). The
console is usually kept in a locked room, hopefully with some sort of
access control. Alternatively, you can use sudo which will tie privilege
to an admin's account but does so in a way that is easier to manage.

This article discusses how administrative privileges can be abused and
suggests some methods for countering that abuse.

IMHO this sounds like "you don't have to trust your admins, just use
these tools". So who besides the networking staff has the skill set to
actually run these tools? Oh ya, and if the Admins have god rights
what's to stop them from disabling the tools, humm? Either you trust
these people or you do not. If you don't, replace them.

No clue what he's talking about here...I thought I did explicitly state that any
decent admin could bypass these tools and that is why you need to establish some
sort of professional ethics. In fact, that was mostly the point..

I know, you can bring in third party consultants to install the tools!
Oh wait, how do you know you can trust them either? ;)

Where did I *ever* imply that you need a third party consultant to install
something as simple as "sudo"?!

It is not meant to imply
that every administrator abuses privileges or has malicious intent -- just
that you shouldn't assume anything.

I've also seen HR people reviewing 401K statements to estimate an
employee's worth and accounting people digging to find out who makes
more than they do. What's your point? *Anyone* with access to
information or resources is capable of abusing their authority. It has
nothing to do with whether they run the network or not.

uh..yeah - and I thought I said that..

"Professionals must establish a certain level of trust. This is especially
important for those privy to sensitive information regarding terminations
or investigations. "

I'm sorry that this person missed the point and took this so personally.
Much of this was really directed at senior administrators who increasingly
are stuck with junior level admins who have little or no experience. While
they are not maliciously "hacking" the system, the results are the same:
the system has holes that could be exploited. The senior admin needs to
establish rules for the system. I just found it pretty ironic that
management is so worried about "hiring hackers", but their wide-eyed
innocents are creating a bigger security exposure than a hacker would.

Chris
cbrenton () sover net

I love when flames end so friendly...Ciao!
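The accountability point argued in the thread (an su to root is recorded in sulog against the admin's own account, and sudo ties each privileged command to the account that ran it) is easy to check in the logs themselves. The script below is an added example and is not part of the original post or of either author's text: from a traditional sulog and sudo's default syslog line it summarises which individual account obtained root and how, and separately flags su events where the originating account is already root (a direct console login), since those leave no individual to attribute the action to. The log formats are assumed and the sample lines are constructed, not taken from any real host.

```shell
#!/bin/sh
# Added example (not from the original thread). Attribute root use to
# individual admin accounts from two constructed log extracts:
#   - a traditional sulog   (SU MM/DD HH:MM +|- tty from-to)
#   - sudo's default syslog line ("sudo: user : TTY=... ; COMMAND=...")
# Both formats and all sample lines are assumptions for the example.

SULOG=$(mktemp)
SUDOLOG=$(mktemp)
trap 'rm -f "$SULOG" "$SUDOLOG"' EXIT

# Constructed sulog: "+" is a successful su, "-" a failed one. The last
# entry is a su run from a session that was already root (console login).
cat >"$SULOG" <<'EOF'
SU 01/20 14:09 + pts/3 alice-root
SU 01/20 14:15 - pts/4 bob-root
SU 01/20 14:16 + pts/4 bob-root
SU 01/20 16:02 + console root-root
EOF

# Constructed sudo syslog extract: two allowed commands, one refused.
cat >"$SUDOLOG" <<'EOF'
Jan 20 14:30:11 host sudo:    alice : TTY=pts/3 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/useradd backup
Jan 20 14:31:40 host sudo:      bob : TTY=pts/4 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /etc/shadow
Jan 20 14:32:05 host sudo:      bob : command not allowed ; TTY=pts/4 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/vi /etc/sudoers
EOF

# Successful su to root, counted per originating account.
# Output: "<account> <count>", one line per account, sorted.
su_root_successes() {
    awk '$1 == "SU" && $4 == "+" {
            split($6, ends, "-")          # "alice-root" -> from, to
            if (ends[2] == "root") count[ends[1]]++
         }
         END { for (u in count) printf "%s %d\n", u, count[u] }' "$1" | sort
}

# Successful su events that cannot be tied to a person: the originating
# account is already root, so sulog only tells you "root became root".
unattributed_su() {
    awk '$1 == "SU" && $4 == "+" && $6 == "root-root"' "$1"
}

# sudo invocations per invoking account, allowed and refused separately.
# Output: "<account> allowed <n>" and "<account> denied <n>", sorted.
sudo_root_commands() {
    awk '/ sudo: / {
            # the token after "sudo:" is the account that ran sudo
            for (i = 1; i <= NF; i++) if ($i == "sudo:") { u = $(i + 1); break }
            if ($0 ~ /command not allowed/) denied[u]++; else allowed[u]++
         }
         END {
            for (u in allowed) printf "%s allowed %d\n", u, allowed[u]
            for (u in denied)  printf "%s denied %d\n",  u, denied[u]
         }' "$1" | sort
}

echo "== successful su to root, by originating account =="
su_root_successes "$SULOG"
echo "== su events with no individual behind them =="
unattributed_su "$SULOG"
echo "== sudo use, by invoking account =="
sudo_root_commands "$SUDOLOG"
```

Run it as `sh attribute_root.sh`. The "root-root" line is the case the thread is arguing about: a shared root login at the console leaves the log unable to say which admin acted, whereas every su from a personal account and every sudo line names the person, including the refused sudoers edit.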

ISN is sponsored by Security-Focus.COM
