Security Basics mailing list archives
Re: Re: Conflict of interests
From: raketomet () gmail com
Date: Mon, 11 May 2009 05:42:00 -0600
Hi Al,

I am in a similar situation right now. I took the position of IT Security Manager in a small investment company. From the beginning I have been discussing my application/request for access rights with the IT manager. By now we have escalated the request to the COO (and will go higher if necessary). There are more aspects to the conflict. Just briefly:

1. Purpose

I had to describe the activities I need to perform with privileged accounts. You mention only patching, which is one of many. There are many more activities/controls depending on your role; I encourage you to write down the risks, the controls you perform as a countermeasure, and the danger if you cannot perform those controls because of missing access rights.

2. Your role in the organization / job description

I belong to the Risk department. The reason for not being part of IT is that I also act as a control of IT! This is a crucial point. What are your roles? I divided roles into 4 categories: analysis (risk analysis, etc.), methodic (designing policies, standards, procedures, but also security measures of the IS), control (daily jobs starting with monitoring of vulnerabilities, vulnerability assessment, event monitoring, etc.) and audit (regular audits of systems, users, processes).

IT represents a risk with high impact (mostly IT has full access to sensitive data and can do anything with them), hopefully with lower probability (but studies do not confirm this, see http://www.gartner.com/press_releases/pr29may2003a.html and the newer http://www.isaca.org/Template.cfm?Section=Home&CONTENTID=44812&TEMPLATE=/ContentManagement/ContentDisplay.cfm; google others). If we consider IT as a risk, we can reject it (not a good idea, denied), accept it (are the countermeasures = access rights more expensive than the potential loss? no, denied), probably cannot transfer it (to whom?), and reduce it (sure, we cannot fully avoid the risk, but it is better than nothing).

I am a former IT auditor and later IT consultant from a Big 4 firm; I did tens of audits and realized I had very limited possibilities to identify incidents without my own access. If you also act as the control of IT, how would you investigate incidents without access rights? So write down the activities you perform; an interesting source would be the IT Security EBK from the US Department of Homeland Security, http://www.us-cert.gov/ITSecurityEBK/ (see the matrix at the end of the document).

3. Organization (system and process maturity)

The requirement for access is influenced by the maturity of IS/IT systems and IT processes. I can imagine there would be no need for access if there were a full test environment with the same configuration as production and IT processes were at least managed (CMMI level 3 or higher). In my case it is not so.

4. Account privileges

Some applications and systems provide enough information even with a user account if configured accordingly. So, for example, I have only a user account on the Linux boxes. Unfortunately the same cannot be easily done for Windows (which is mostly the core system and thus the key risk).

5. Usage

Under no circumstances can the account be used for changes. Just view, run e.g. MBSA, save the report. The same applies to penetration testing: only after it is approved by the head of the company. The principle of least privilege applies not only to administrators, but also to IT Security. I know companies where IT Security has an executive role in user account management, and then his account can be used for this.

6. Risk mitigation

To be fair, with a privileged account anybody (and thus also IT Security) can negatively impact IT operations (cause an incident). There have to be countermeasures to mitigate the risk. It is not very probable if the account is used from time to time and IT Security is skilled (does not click OK without reading - that's simplicity), but anyway there has to be proper logging and backups.

You can also propose recording of your activities with such an account with tools like Screen Anytime, TSRecord, ObserveIT (expensive if only for this purpose).

Generally it depends on your role, but even if you only perform an analytical and methodic role, you will need higher than user-level access, otherwise you won't keep pace with the changes IT makes. If you do not have access and cannot review systems (I do not mean learning on production, but getting to know the configuration), then after one or two years you don't know what's going on or how it works, and your recommendations will make no sense. That's what happened to my predecessor, who was fired.
Current thread:
- RE: Conflict of interests, (continued)
- RE: Conflict of interests James Flaherty (May 05)
- RE: Conflict of interests James Flaherty (May 05)
- Re: Conflict of interests David Schekaiban (May 05)
- Re: Conflict of interests Richard Thomas (May 05)
- Re: Conflict of interests s0h0us (May 05)
- Re: Conflict of interests Richard Thomas (May 05)
- Re: Conflict of interests Aarón Mizrachi (May 06)
- RE: Conflict of interests Dave Kleiman (May 06)
- Re: Conflict of interests s0h0us (May 05)
- Re: Conflict of interests Adam Pal (May 05)
- Re: Conflict of interests aaa . bbb (May 05)
- Re: Re: Conflict of interests raketomet (May 11)