Secure Coding mailing list archives

Re: ZDNnet: Securing data from the threat within [by buying products]

From: Crispin Cowan <crispin () immunix com>
Date: Mon, 17 Jan 2005 21:23:08 +0000


Kenneth R. van Wyk wrote:


Crispin Cowan wrote:


I completely disagree. I find the article to be timely and informative.

What Kenneth suggests (use of RBAC) will not solve the problem. First 
of all, RBAC is not practical to deploy in most situations; companies 
are still trying to cope with AV and firewalls, and just beginning to 
think about host and application security. RBAC is completely beyond 
them.



Well, my main objection to the article was its advocacy for addressing 
the insider threat problem simply by buying security products.  I 
brought up RBAC simply as one example that people may consider as they 
seek solutions.
Whether it be role-based, or a plain old-fashioned, group/ACL sort of 
access control, coupled with good event logging and monitoring, I 
think that most sites would be better served by exploring the access 
control mechanisms that they currently have instead of just buying 
more security products.  That's not to say that there aren't products 
that may be highly useful, but it is to say that the solutions should 
start with well designed and implemented access  control and logging.  
I stand by that opinion.


I participated in a workshop on on insider attacks several years ago. We 
identified 2 kinds of insider attacks:


   * authorized users: insiders who have access to sensitive data, and
     abuse their authority by leaking it outside the organization
   * non-authorized users: insiders who don't have explicit
     authorization to access sensitive data, but who take advantage of
     their "insider" status to exploit organizational security
     weaknesses. Such weaknesses would include both weak access
     controls (which Ken's RBAC suggestion would address) and otherwise
     weak system and application security (which HIPS products like
     Immunix would address).

So we agree that more secure systems such as RBAC and Immunix do help to 
address the problem of insider attackers. What they don't do is address 
the problem of authorized insiders abusing their authority. That is 
where this new class of products comes in: they track the movement of 
sensitive organizational data by /content/ rather than by access 
control, and complain when content crosses a barrier that it should not.


But as I wrote before, such products, especially network-based products, 
will fail to detect an authorized user accessing data and then dumping 
it to CDR or USP memory stick and walking it out of the building in 
their underwear.


Because the end-game of covert channel prevention always leads to an 
anal cavity search :)


Crispin

--
Crispin Cowan, Ph.D.  http://immunix.com/~crispin/
CTO, Immunix          http://immunix.com

Current thread:

ZDNnet: Securing data from the threat within [by buying products] Kenneth R. van Wyk (Jan 11)
- RE: ZDNnet: Securing data from the threat within [by buying products] Michael S Hines (Jan 11)
- Re: ZDNnet: Securing data from the threat within [by buying products] Rob, grandpa of Ryan, Trevor, Devon & Hannah (Jan 11)
- Re: ZDNnet: Securing data from the threat within [by buying products] Crispin Cowan (Jan 17)
  - Re: ZDNnet: Securing data from the threat within [by buying products] Kenneth R. van Wyk (Jan 17)
    - Re: ZDNnet: Securing data from the threat within [by buying products] Crispin Cowan (Jan 17)
    - Re: ZDNnet: Securing data from the threat within [by buying products] Kenneth R. van Wyk (Jan 17)
    - Re: ZDNnet: Securing data from the threat within [by buying products] Crispin Cowan (Jan 17)