Solved

Security & Politics :: advice needed

Posted on 2004-08-25
11
480 Views
Last Modified: 2012-06-27
I'm sure you guys have had this problem before:  Political issues regarding
security.  Though things here are a bit out of hand ...

I am a network administrator at a branch office of a large corporation.  My
situation is this: I am ultimately accountable for network security, however, I'm
not allowed to use security tools to audit my own network.  However, internal
auditors are allowed to use tools to audit my network and write me up for
vulnerabilities they find.

details:

Packet analyzers such as NT's NetMon or Ethereal are forbidden.  This leaves
me no way to track down the source of any worm-infected computers (much less
a plethora of quality control issues).

An IDS such as Snort to monitor suspicious activity is also out of the
question, as IDSs are based on packet analyzer technology.

I can't use a scanner such as nmap or superscan to look for unauthorized PCs
or prohibited network services either.

Penetration testers, such as nessus or other security analyzers, are right out,
so I have no way to tell if security patches are properly being deployed to PCs.

Finally, I am denied permission and very modest budgets to upgrade insecure
services (such as upgrading an app so that its telnet sessions are encrypted
with SSL - ugly hack with stunnel.org notwithstanding).

Personally, it is the most blatant instance of responsibility and no authority
that I've ever been involved in, and auditors have a FIELD DAY taking advantage
of the free lunch of write-ups that they post like trophies, putting my
job at risk.

But, I'm not currently cowering to the rules that set one up for discipline, and
naturally, I use all of the above tools to keep things secure.  As a result
of going against the grain, my job is at considerably heightened risk.

<note>
Security is supposed to be handled externally, and, in theory, we are to be
notified of issues.  For a year, I bought into this, but after being blasted
by worms and other security breaches, it became obvious that NOTHING was being
done, so I took matters into my own hands and don't intend on going back after
seeing the light.
</note>

Of course, there are ways to manually verify the security of computers.  It would
take approximately 8 hours on a Saturday to complete a manual check of 100
computers where an available security tool would complete the task in 5 minutes...
basically the equivalent of being instructed to use a toothbrush to clean out a
toilet instead of an available Black & Decker S300 cordless Scum Buster...this
is hardly a reasonable substitute when you're on salary.

I believe there must be laws that would work in my favor (especially in California)
to counter any reprimands in regards to fair use of appropriate resources.  Where
can I find info to prep for the coming storm?  I need to do more than embarrass or
blackmail people; I'm looking for real laws that I can shove in their face and
say "bite me".

Of course any other thoughts and ideas are welcome.

(Or maybe you too would like to rant about the morbid imbecility that guides your company to the future. :-)
Question by:Marketing_Insists
11 Comments
 
LVL 4

Expert Comment

by:exploitedj
If you have a copy of the audit, fix everything listed. You do not need to use these tools if the people who sign your check tell you explicitly not to. However, if you find the security policy is not appropriate or prohibits you from doing your job effectively, bring it up with your manager. A policy is intended to be adjustable and adapted as new needs are found. Explain you are only interested in saving the company some money in downtime and increase productivity by making resources available.

Going against the grain, even with the best of intentions, is still going against the grain and can wind you up in the streets.
 
LVL 6

Expert Comment

by:bloemkool1980
I partly agree with exploited. But I have seen it before; I would think that I work for the same company as you do.
Now what I would do is just wait till you get results from the audit report. Fix those things and make a document on why these things were left open, and attach all evidence that your good intentions to fix it were denied. That way you have established the CMA (Cover My Ass) procedure.
Now you should bring it up to a higher level of management, as it seems that the Head of IT is not interested in spending a dime on security. It is impossible for security to work if it is not pushed by senior management.
Now, if they really want to, they will fire you anyway. I have been in that same position and I got booted together with the Head of IT. I won the case after 8 months in court and they had to pay me 1 year's salary, but of course getting booted is never good.
My impression of today's security is that managers only implement it if they come out good. They will call it best practice, but that is something that is impossible.
To give you an idea, our LAN runs on a firewall cluster without maintenance and the hardware has been end-of-life for almost 2 years :)
 
LVL 34

Assisted Solution

by:PsiCop
PsiCop earned 75 total points
I would go to my supervisor, write-ups and audits in hand.

Say that you agree there are problems and you want to take corrective action (the write-ups should have included an action plan for correction - if they didn't, then ask for such an action plan, and if it's not forthcoming, you have - IMHO - grounds for grievance). Find some articles in industry publications concerning tools for network admins to fix their security. Ask for those tools to assist you in making corrective actions.

If there's no specific action plan or if you make what you feel is a solid case and management still refuses, start looking elsewhere. Seriously. The people you're working for would obviously be morons in that case, and you're being hung out to dry with no way to defend yourself. Get out before they dream up some pretext to fire you.
 
LVL 8

Expert Comment

by:RLGSC
Marketing Insists,

The earlier posters all raise good points, in addition:

 - get literature about what are good practices
 - there is, in a very real way, no such thing as "security is an external problem", see my chapters in the Computer Security Handbook, 4th Edition (or some of my speeches, see my www site at http://www.rlgsc.com/presentations.html)
 - make sure that you have off-site copies of all relevant documentation (specifically, the documentation prohibiting you from
   using the tools); if something happens, an offsite copy of your instructions is a good defense.
 - build a trail, and keep copies of it at home

I know that may sound overcautious and distrusting to keep copies of correspondence at home, but if there are problems, it is amazing how fast you can lose access to your files at the office. It is a sad commentary, but exculpatory information (e.g., the memo that proves you were following orders) is often the hardest item to gain access to.

I hope that the above is helpful.

- Bob (aka RLGSC)
 
LVL 4

Expert Comment

by:syn_ack_fin
I am not a lawyer (but will play one on TV if given the chance), but do have experience with corporate policy and enforcement.

Regardless of the inadequacy of their safeguards, the laws are not on your side. If you are breaking signed agreements regarding the computer use policy at your organization, you are at greater risk than just losing your job. Using tools that are specifically denied by your policy could wind you up with fines or even jail.

Now there are laws that would pertain to their lack of safeguards and would mostly relate to 'due diligence'. You would have to contact a lawyer with specifics, but from what I understand you would have to prove flagrant disregard. An example of this would be putting an unprotected server on the internet without a firewall. In addition, you would have to prove loss, not just to the company but to a 3rd party; for example, if someone took control of the unpatched system and attacked Microsoft, Microsoft could theoretically sue the company for lack of due diligence in securing their systems and collect damages.

I would recommend trying this:
Go to your immediate supervisor with a list of fairly benign tools and get permission to use them. Start with the likes of LanGuard and MBSA. If you don't get permission you have two options: 1) Get zen about it and just do what you can when you can. 2) Look for a new position.

Good Luck.
 
LVL 4

Accepted Solution

by:WerewolfTA
WerewolfTA earned 225 total points
The previous posters have done a pretty good job addressing your post.  I don't know of any laws that would back you up in violating your computer policy.  You may need to sell administration on the idea that you should be involved in the security of the organization.  Proactive security is far less costly than reactive security, whether you're talking about trying to recover from a worm attack that could have been prevented by having patched systems or trying to recover compromised data because you weren't monitoring your firewall.  Because that's about all that technically illiterate administrators care about: saving money and avoiding fines, and that's what you want to sell them on, saving money by letting you do what you're trained to do and proactively prevent problems instead of reacting to what a bunch of untrained auditor-monkeys tell you to do.  Follow your own conscience here, but it might be worth it to expose the auditor-monkeys as idiots and yourself as the hero-saviour who will protect and guide the company to security salvation (can I get an amen?).

I was thinking that CA has been coming out with a bunch of IT-related legislation, but I haven't stayed on top of it because it doesn't affect me.  However, depending on the industry you're working in, you may be affected by some new federal regulations.

HIPAA (HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996).  If your organization deals with health care, medical records, or is self-insured for medical, this should cover you.  As an IT pro, you'll be mostly interested in the Security Standards, available from here:
http://www.cms.hhs.gov/hipaa/hipaa2/regulations/security/default.asp
Some of the rules are very specific, some are very general.  Big time fines and possible prison time for noncompliance.

Sarbanes-Oxley Act of 2002 & Gramm-Leach-Bliley Act of 1999.  These suckers cover you if you deal with financial records.  Don't know too much about them, as we've just been concentrating on HIPAA thus far, but I believe there's at least a general level of security required and fines.

End User License Agreements (EULA).  Often overlooked, but if you can't monitor your users, I'm guessing you probably don't have them secured very well.  And users will install crap left and right.  If the BSA shows up, there could be some serious fines for the company if you have a bunch of unlicensed or improperly licensed software.

It was mentioned about the suits for your network attacking someone else's.  There have also been hostile work environment suits filed (look around, I don't remember any specifics) if the organization doesn't take proper precautions to prevent its workforce from being exposed to objectionable material, like what might arise if a BHO is redirecting browsers to porn sites, etc.

Keep your resume up to date, because it sounds like you're working for a bunch of <Red_Foreman_voice>dumbasses</Red_Foreman_voice>.  Auditors are there to see that you're doing your job, not confirm that you're not because you're not afforded the opportunity to and can't.  If you're interested in burning your bridges on the way out, I understand the BSA provides financial incentives for whistleblowers.  A few well-placed phone calls to a couple of government agencies and M$ could really make some changes after your departure I'd bet, if they're in heavy noncompliance with the above.  Just make sure they can't implicate you in the situation.  Good luck!
 
LVL 1

Expert Comment

by:acidious
There is a program that I use to check out our pcs that you might want to try. Languard Security Scanner from www.gfi.com.

 
LVL 1

Assisted Solution

by:Robnhood
Robnhood earned 125 total points
I agree with everything that has been posted so far.  I would also add that I would take the time to deploy a means of detecting their audits.  Something such as a cleverly placed machine with a software based firewall.

I would also try to establish a policy that clearly dictates the parameters of their testing:  Who is going to do the test?  What is going to be tested?  When is it going to be tested?  How is it going to be tested?  This is not to stop them from testing, but to quantify their security audits.  I would imagine that this is going to be a major headache, because they are going to say that hackers don't do this, but it is like software quality assurance.  When you write software you just don't give it to someone to break, but have policies and procedures on how they try to break it.  This is because when you are doing software quality assurance you want to clearly document what is tested, and how it is tested, to make sure each possible function is tested. Another reason that you want this policy is so that you have to fix something that they inadvertently took down during normal working hours.

Now I will agree that this policy isn't going to be easy to implement, but I think that it might help the situation.  Security auditing is not just running this tool or that tool and looking to see what pops up, but is a process.
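Robnhood's suggestion above is to place a machine with a software firewall where its logs will reveal when the auditors sweep the network. As an added example that is not part of this thread, the script below shows the defender's half of that idea: it parses constructed iptables-style firewall log lines and flags any source address that touches many distinct destination ports within a short window, which is the footprint a scanner such as the nmap or superscan mentioned in the question leaves in a host firewall log. The log format, the host name "sentinel", the addresses and the thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed iptables-style log lines (not real traffic, no real hosts).
# One source sweeps 12 well-known ports in 12 seconds; a second source makes
# ordinary web requests; one unrelated syslog line tests that the parser
# skips what it does not understand.
_SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445]
SAMPLE_LOG = "\n".join(
    ["Aug 25 02:10:00 sentinel sshd[123]: Accepted password for admin from 10.1.5.9"]
    + [
        f"Aug 25 02:10:{i + 1:02d} sentinel kernel: IN=eth0 OUT= SRC=10.1.5.77 "
        f"DST=10.1.5.20 PROTO=TCP SPT={41000 + i} DPT={port} SYN"
        for i, port in enumerate(_SCAN_PORTS)
    ]
    + [
        "Aug 25 02:10:05 sentinel kernel: IN=eth0 OUT= SRC=10.1.5.30 DST=10.1.5.20 PROTO=TCP SPT=50001 DPT=80 SYN",
        "Aug 25 02:11:30 sentinel kernel: IN=eth0 OUT= SRC=10.1.5.30 DST=10.1.5.20 PROTO=TCP SPT=50002 DPT=443 SYN",
        "Aug 25 02:12:00 sentinel kernel: IN=eth0 OUT= SRC=10.1.5.30 DST=10.1.5.20 PROTO=TCP SPT=50003 DPT=80 SYN",
    ]
)

# Fields we need from a kernel firewall line; everything else is ignored.
LINE_RE = re.compile(
    r"^(?P<month>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line, year=2004):
    """Return a dict for a firewall log line, or None for any other line.
    syslog timestamps carry no year, so the caller supplies one (assumed)."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['month']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "src": m["src"], "dst": m["dst"], "proto": m["proto"], "dpt": int(m["dpt"])}


def parse_log(text):
    """Parse every recognisable line and return the events in time order."""
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    return events


def detect_scans(events, window_seconds=60, min_ports=10):
    """Flag sources that hit at least min_ports distinct destination ports
    inside any window_seconds span. A sliding window per source keeps a
    slow, spread-out scan from being diluted by the rest of the day's log."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = {}
    window = timedelta(seconds=window_seconds)
    for src, evs in by_src.items():
        best, left = 0, 0
        for right in range(len(evs)):
            while evs[right]["ts"] - evs[left]["ts"] > window:
                left += 1
            distinct = len({e["dpt"] for e in evs[left:right + 1]})
            best = max(best, distinct)
        if best >= min_ports:
            findings[src] = {
                "distinct_ports": best,
                "first_seen": evs[0]["ts"],
                "last_seen": evs[-1]["ts"],
            }
    return findings


if __name__ == "__main__":
    for src, info in detect_scans(parse_log(SAMPLE_LOG)).items():
        print(f"possible port sweep from {src}: {info['distinct_ports']} ports "
              f"between {info['first_seen']:%H:%M:%S} and {info['last_seen']:%H:%M:%S}")
```

The thresholds are the interesting knob: ten distinct ports in a minute catches a default nmap sweep but not a user opening a web and a mail session, which is why the ordinary client in the sample is not reported. Run against a real log, the output gives exactly what Robnhood's policy question asks for, namely who tested, when, and against which host.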
 
LVL 23

Assisted Solution

by:Tim Holman
Tim Holman earned 75 total points
One point...

It is NOT you who is ultimately responsible for security - it is whoever above you has decided you cannot use these tools!

Vulnerability assessment and patch management are pretty big chunks of the information security jigsaw.  If you're not allowed to check these things out, then who is?

What's to stop you using Ethereal, Nessus or Snort anyway?  Is it in writing that you're not allowed to use these?

Are you on speaking terms with the CTO or CIO?  They are the ones who would be ultimately responsible if a virus got into your network and took everything down, and are evidently negligent in not permitting use of vital analysis tools.
 
LVL 1

Expert Comment

by:Robnhood
Good point, Tim.
 

Author Comment

by:Marketing_Insists
Lots of Great stuff.  Thanks