Firewall Wizards mailing list archives

Re: Highlighting Security Issues


From: Victor Williams <vbwilliams () neb rr com>
Date: Mon, 02 Aug 2004 01:05:36 -0500

More thoughts just on technology...

There are enough interesting things to this that I don't think there's a
good basis for too strong an opinion either way, though the
whistleblower's actions seem at least a little ill-advised...

http://www.decaturdaily.com/decaturdaily/news/040629/job.shtml

When does a firewall just "crash"?  Someone explain that to me...

The more interesting question there is how many folks who might have to
ever monitor a system have invested in acquiring and testing the software
they'd use to do it?  Grabbing a Trojan off the Internet and installing it
(especially a binary) seems like the *stupidest* path one could take in
this situation.  But I really didn't want to just push my analysis out
there, I think it's worth some discussion in this community.

VNC anyone? Dameware? In Dameware, you can push installs of software to other machines without the end user knowing...and then you can display what's onscreen--again, without the end user knowing. It works on any Windows OS after 95. It contains no spyware, no malware, no trojans, etc. You can download a fully functional 30-day eval, or you can purchase one license for between $30 and $100 depending on the license you get. Just about ANY retail software that doesn't modify the Windows LOCAL_MACHINE registry settings can be pushed and installed without rebooting the machine in question, with no interaction at the console.

Yet, something must provide the motivation for change for the better;
somehow organizations need to find a way to channel such energy toward
the organizational goal, rather than lose valuable talent or even a chance
to improve the organization...

Group policy and ghost imaging. You get a stable image of an OS, give a user read/execute access, and write access only to specified directories (C:\Documents and Settings\%username%), and you cease to have a misuse problem that would require you to single out a single user for monitoring. At the network level, you could monitor the network destinations and payload of ALL transmissions leaving and coming into the network. If you've done your work on the workstation(s) in question, there's no app abuse. This should be true from the CEO to the mailroom clerk. The only change should be the apps dedicated to certain departments--this then becomes just a granularity-of-policy issue...only PCs in the accounting department get the accounting software, only the mailroom gets the UPS and FedEx software, etc.

I don't think the commercial world is all that different, unless someone
*cares* enough to do good policy creation and enforcement.  That's one of
the reasons that I'd prefer to see people channel such energy, rather than
letting it go off on tangents, no matter how just the cause.

I guess that's what I was trying to get across before. If this is an NT 4 or later system, why don't system and group policies apply (not written organization policies)? It would seem to me you could curb someone's app use pretty quickly if they didn't have administrative access to their workstation and you were deploying NT policies correctly. When deployed correctly, all workstations of a domain should inherit them...this is not new technology, and it's pretty effective when done correctly.

I've always thought such things were stupid.  They get in the way of many
legitimate sites, and put you into a "if I can get at it, then it's ok"
sort of mode.  Better to summarize sites surfed and have the employee sign
the reports, like larger companies do with phone logs.  I also get the
stupid bounce messages from lots of e-mail content filters, which are the
logical extension, and I know lots of people miss otherwise important
messages because of some phrase, tool name, or slightly off remark.

How does restricting stock-trading sites get in the way of legitimates if you're talking about a gov't agency? I can see how this would be true if you work at Ameritrade...but a gov't agency?

I have had experience with SurfControl. You flat-out deny casino sites, adult sites, stock-trading, and you log everything else...you never get locked out of sites you need access to with a well thought-out implementation plan and ruleset.

You then keep the logs for 12 months. If an issue arises, you can go back 1 year from that date and look up anyone in the company working anywhere in that year time period--it's all logged by NT or AD username/machine name/IP address. You are then NOT discriminating...you are just logging everything and everyone. When everyone falls under the same umbrella, no one can complain about being singled out and discriminated against.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
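The uniform log-and-look-back approach described in the last paragraph of the post (log everyone by username, machine and IP, keep 12 months, query a date window when an issue arises), as an added example that is not part of the original message. The log layout, field names and sample records are constructed for illustration and are not SurfControl's actual export format.

```python
from datetime import datetime, timedelta

# Constructed sample of a web-filter log (hypothetical layout, not SurfControl's
# real export): timestamp, domain\user, machine, client IP, category, action, URL.
SAMPLE_LOG = """\
2004-06-01T09:12:03 CORP\\jdoe WS-ACCT-07 10.1.4.22 news ALLOW http://news.example.com/
2004-06-01T09:15:41 CORP\\jdoe WS-ACCT-07 10.1.4.22 stock-trading DENY http://trade.example.net/
2004-06-02T13:02:10 CORP\\asmith WS-MAIL-02 10.1.9.5 shipping ALLOW http://track.example.org/
2003-05-30T08:00:00 CORP\\jdoe WS-ACCT-07 10.1.4.22 casino DENY http://casino.example.net/
"""

def parse_log(text):
    """One record per line, seven space-separated fields with the URL last."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, machine, ip, category, action, url = line.split(" ", 6)
        records.append({"ts": datetime.fromisoformat(ts), "user": user, "machine": machine,
                        "ip": ip, "category": category, "action": action, "url": url})
    return records

def within_retention(records, now_iso, days=365):
    """Drop records older than the retention window (12 months in the post)."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=days)
    return [r for r in records if r["ts"] >= cutoff]

def lookup(records, start_iso, end_iso, user=None, machine=None, ip=None):
    """The same query for anyone: a date window plus any of user, machine or IP.
    User and machine names compare case-insensitively, as NT/AD names do."""
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    wanted = {"user": user, "machine": machine, "ip": ip}
    hits = []
    for r in records:
        if not start <= r["ts"] <= end:
            continue
        if any(v and r[k].lower() != v.lower() for k, v in wanted.items()):
            continue
        hits.append(r)
    return sorted(hits, key=lambda r: r["ts"])

def summarize(hits):
    """Per-category counts of allowed vs denied requests, e.g. for a sign-off report."""
    summary = {}
    for r in hits:
        cat = summary.setdefault(r["category"], {"ALLOW": 0, "DENY": 0})
        cat[r["action"]] = cat.get(r["action"], 0) + 1
    return summary
```

A real deployment would read the filter's own export instead of SAMPLE_LOG and run within_retention on a schedule so the archive never holds more than the agreed window.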
