Secure Coding mailing list archives
Re: ZDNnet: Securing data from the threat within [by buying products]
From: Crispin Cowan <crispin () immunix com>
Date: Mon, 17 Jan 2005 21:23:08 +0000
Kenneth R. van Wyk wrote:
> Crispin Cowan wrote:
>> I completely disagree. I find the article to be timely and informative. What Kenneth suggests (use of RBAC) will not solve the problem. First of all, RBAC is not practical to deploy in most situations; companies are still trying to cope with AV and firewalls, and just beginning to think about host and application security. RBAC is completely beyond them.
>
> Well, my main objection to the article was its advocacy for addressing the insider threat problem simply by buying security products. I brought up RBAC simply as one example that people may consider as they seek solutions. Whether it be role-based, or a plain old-fashioned group/ACL sort of access control, coupled with good event logging and monitoring, I think that most sites would be better served by exploring the access control mechanisms that they currently have instead of just buying more security products. That's not to say that there aren't products that may be highly useful, but it is to say that the solutions should start with well designed and implemented access control and logging. I stand by that opinion.

I participated in a workshop on insider attacks several years ago. We identified 2 kinds of insider attacks:

* authorized users: insiders who have access to sensitive data, and abuse their authority by leaking it outside the organization
* non-authorized users: insiders who don't have explicit authorization to access sensitive data, but who take advantage of their "insider" status to exploit organizational security weaknesses.

Such weaknesses would include both weak access controls (which Ken's RBAC suggestion would address) and otherwise weak system and application security (which HIPS products like Immunix would address).

So we agree that more secure systems such as RBAC and Immunix do help to address the problem of insider attackers. What they don't do is address the problem of authorized insiders abusing their authority.

That is where this new class of products comes in: they track the movement of sensitive organizational data by /content/ rather than by access control, and complain when content crosses a barrier that it should not. But as I wrote before, such products, especially network-based products, will fail to detect an authorized user accessing data and then dumping it to CDR or USB memory stick and walking it out of the building in their underwear. Because the end-game of covert channel prevention always leads to an anal cavity search :)

Crispin

--
Crispin Cowan, Ph.D. http://immunix.com/~crispin/
CTO, Immunix http://immunix.com