Security Basics mailing list archives
Re: Conflict of interests
From: Richard Thomas <austindad () gmail com>
Date: Tue, 5 May 2009 11:33:12 -0500
Al,

Based on what you have provided regarding your role, then no, it is not reasonable for you to request persistent privileged access. The information you need can be provided by the tools you mentioned and by reports generated by the IT department on a regular basis. Occasional privileged access may be in order for periodic audits to ensure the information provided by the IT department is accurate.

Good luck.

Richard Thomas

On Tue, May 5, 2009 at 11:18 AM, s0h0us <s0h0us () yahoo com> wrote:

> Hi Richard,
>
> Thanks for the feedback. I thought I had included a name in the original posting, but I guess I didn't. You can call me Al (like in the song :P).
>
> Anyway, my role? The million dollar question. One man show, trying to do many things: from policy writing, to internal risk assessments of third party vendors, contract reviews, vendor management, etc. Somewhere along the line I review IT's functions as they relate to security. In this case I want to review their patch management process by making sure devices are proactively being updated as needed, using tools like Nessus, GFI LANguard, etc. I have a separate computer, outside the corporate AD, to perform some of these tests. This is simply an example of a way in which I'm wondering if privileged access is required. I'm not so much trying to perform a pen test, more wanting to make sure internal devices are not vulnerable.
>
> Hope this helps. Thanks again!
>
> ----- Original Message ----
> From: Richard Thomas <austindad () gmail com>
> To: s0h0us () yahoo com
> Cc: security-basics () securityfocus com
> Sent: Tuesday, May 5, 2009 11:37:06 AM
> Subject: Re: Conflict of interests
>
> First, a request. Please give us a name to use, even if it's false.
>
> To answer your question, we need to know the type of security role you play. Is it operational security or more compliance related? Generally, you should not require either domain admin access or root. Most IT staff never need this level of access. If you could provide us more information regarding the situation and your role, I think we could offer more useful input.
>
> Richard Thomas
>
> On Mon, May 4, 2009 at 1:16 PM, <s0h0us () yahoo com> wrote:
>
>> As a security guy, not part of the IT department, I require a level of access in order to perform my job. Certain types of tools require privileged access in order to work, like having domain admin access and/or similar privileged access for Unix and Linux systems.
>>
>> Is it reasonable to request this type of access without causing any type of conflict of interest that internal auditors might question? I guess audit trails would come in handy here. Thanks for the feedback.