I'm sure you guys have had this problem before: Political issues regarding
security. Though things here are a bit out of hand ...
I am a network administrator at a branch office of a large corporation. My
situation is this: I am ultimately accountable for network security; however, I'm
not allowed to use security tools to audit my own network. Internal
auditors, on the other hand, are allowed to use tools to audit my network and write me up for
vulnerabilities they find.
Packet analyzers such as NT's NetMon or Ethereal are forbidden. This leaves
me no way to track down the source of any worm-infected computers (much less
a plethora of quality control issues).
An IDS such as Snort to monitor suspicious activity is also out of the
question, as IDSs are based on packet analyzer technology.
I can't use a scanner such as nmap or superscan to look for unauthorized PCs
or prohibited network services either.
Penetration testers, such as nessus or other security analyzers, are right out,
so I have no way to tell if security patches are properly being deployed to PCs.
Finally, I am denied permission and very modest budgets to upgrade insecure
services (such as upgrading an app so that its telnet sessions are encrypted
with SSL, the ugly hack with stunnel.org notwithstanding).
Personally, it is the most blatant instance of responsibility and no authority
that I've ever been involved in, and auditors have a FIELD DAY taking advantage
of the free lunch of write-ups that they post like trophies, putting my
job at risk.
But I'm not currently cowering to the rules that set one up for discipline, and
naturally, I use all of the above tools to keep things secure. As a result
of going against the grain, my job is at considerably heightened risk.
Security is supposed to be handled externally, and, in theory, we are to be
notified of issues. For a year, I bought into this, but after being blasted
by worms and other security breaches, it became obvious that NOTHING was being
done, so I took matters into my own hands and don't intend to go back after
seeing the light.
Of course, there are ways to manually verify the security of computers. It would
take approximately 8 hours on a Saturday to complete a manual check of 100
computers where an available security tool would complete the task in 5 minutes...
basically the equivalent of being instructed to use a toothbrush to clean out a
toilet instead of an available Black & Decker S300 cordless Scumbuster... this
is hardly a reasonable substitute when you're on salary.
I believe there must be laws that would work in my favor (especially in California)
to counter any reprimands in regard to fair use of appropriate resources. Where
can I find info to prep for the coming storm? I need to do more than embarrass or
blackmail people; I'm looking for real laws that I can shove in their face and
say "bite me".
Of course any other thoughts and ideas are welcome.
(Or maybe you too would like to rant about the morbid imbecility that guides your company to the future. :-)
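As an added example, not part of the original post or any tool it names: the check the poster describes for nmap (spotting unauthorized PCs and prohibited services such as telnet) can be automated by scanning with `nmap -oG` and comparing the greppable output against an inventory. The script below does that offline against a constructed `-oG` sample; the authorized-host list, the prohibited-port table and the hostnames are assumptions made up for the example.

```python
"""Compare nmap greppable (-oG) output against a host inventory and a
service policy. Example code; the sample scan and inventory are constructed."""

from typing import Dict, List, Set, Tuple

# Constructed sample of `nmap -sS -oG - 192.168.1.0/24` output (not a real capture).
# In -oG output, fields on a line are tab-separated and port entries are
# "port/state/protocol/owner/service/rpcinfo/version", separated by ", ".
SAMPLE_GNMAP = (
    "# Nmap scan initiated as: nmap -sS -oG - 192.168.1.0/24\n"
    "Host: 192.168.1.10 (ws01.corp.local)\tStatus: Up\n"
    "Host: 192.168.1.10 (ws01.corp.local)\tPorts: 135/open/tcp//msrpc///, "
    "139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (997)\n"
    "Host: 192.168.1.11 (ws02.corp.local)\tStatus: Up\n"
    "Host: 192.168.1.11 (ws02.corp.local)\tPorts: 23/open/tcp//telnet///, "
    "139/open/tcp//netbios-ssn///\tIgnored State: closed (998)\n"
    "Host: 192.168.1.57 ()\tStatus: Up\n"
    "Host: 192.168.1.57 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (998)\n"
    "# Nmap done\n"
)

# Assumed inventory: addresses the branch is supposed to have on the wire.
AUTHORIZED_HOSTS: Set[str] = {"192.168.1.10", "192.168.1.11"}

# Assumed local policy: cleartext/legacy services that must not be exposed.
PROHIBITED_PORTS: Dict[int, str] = {
    21: "ftp", 23: "telnet", 512: "rexec", 513: "rlogin", 514: "rsh",
}


def parse_gnmap(text: str) -> Dict[str, Set[int]]:
    """Return {ip: set of open TCP ports} from nmap -oG output.

    Every host that nmap reported as up appears in the result, even when it
    had no open ports, so unauthorized-but-quiet machines are still seen.
    """
    hosts: Dict[str, Set[int]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment / summary lines
        fields = line.split("\t")
        ip = fields[0].split()[1]
        hosts.setdefault(ip, set())
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue  # "Status:" and "Ignored State:" fields
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                if len(parts) < 3:
                    continue
                port, state, proto = parts[0], parts[1], parts[2]
                if state == "open" and proto == "tcp":
                    hosts[ip].add(int(port))
    return hosts


def _ip_key(ip: str) -> Tuple[int, ...]:
    return tuple(int(octet) for octet in ip.split("."))


def audit(hosts: Dict[str, Set[int]],
          authorized: Set[str],
          prohibited: Dict[int, str]) -> List[Tuple[str, str]]:
    """Flag hosts not in the inventory and hosts exposing a prohibited service."""
    findings: List[Tuple[str, str]] = []
    for ip in sorted(hosts, key=_ip_key):
        if ip not in authorized:
            findings.append((ip, "unauthorized host"))
        for port in sorted(hosts[ip]):
            if port in prohibited:
                findings.append((ip, f"prohibited service {prohibited[port]} on tcp/{port}"))
    return findings


if __name__ == "__main__":
    # Real use: nmap -sS -oG scan.gnmap 192.168.1.0/24, then feed the file here.
    for ip, problem in audit(parse_gnmap(SAMPLE_GNMAP), AUTHORIZED_HOSTS, PROHIBITED_PORTS):
        print(f"{ip:15} {problem}")
```

Hosts are keyed by IP, not by the hostname in parentheses, because a rogue machine will usually have no reverse DNS entry at all (as the third host in the sample does). Run the scan from a machine that sees the whole branch subnet, or a host sitting behind a VLAN or personal firewall will be missing from the inventory check as well as from the scan.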