
Security & Politics :: advice needed

I'm sure you guys have had this problem before:  Political issues regarding
security.  Though things here are a bit out of hand ...

I am a network administrator at a branch office of a large corporation.  My
situation is this: I am ultimately accountable for network security; however, I'm
not allowed to use security tools to audit my own network.  Meanwhile, internal
auditors are allowed to use tools to audit my network and write me up for
vulnerabilities they find.

Packet analyzers such as NT's NetMon or Ethereal are forbidden.  This leaves
me no way to track down the source of any worm-infected computers (much less
a plethora of quality control issues).

An IDS such as Snort, to monitor suspicious activity, is also out of the
question, as IDSs are based on packet analyzer technology.

I can't use a scanner such as nmap or superscan to look for unauthorized PCs
or prohibited network services either.

Penetration testers, such as nessus or other security analyzers, are right out,
so I have no way to tell if security patches are properly being deployed to PCs.

Finally, I am denied permission and very modest budgets to upgrade insecure
services (such as upgrading an app so that its telnet sessions are encrypted
with SSL; ugly hack with stunnel.org notwithstanding).

Personally, it is the most blatant instance of responsibility and no authority
that I've ever been involved in, and auditors have a FIELD DAY taking advantage
of the free lunch of write-ups that they post like trophies, putting my
job at risk.

But I'm not currently cowering to the rules that set one up for discipline, and
naturally, I use all of the above tools to keep things secure.  As a result
of going against the grain, my job is at considerably heightened risk.

Security is supposed to be handled externally, and, in theory, we are to be
notified of issues.  For a year, I bought into this, but after being blasted
by worms and other security breaches, it became obvious that NOTHING was being
done, so I took matters into my own hands and don't intend on going back after
seeing the light.

Of course, there are ways to manually verify the security of computers.  It would
take approximately 8 hours on a Saturday to complete a manual check of 100
computers where an available security tool would complete the task in 5 minutes...
basically the equivalent of being instructed to use a toothbrush to clean out a
toilet instead of an available Black & Decker S300 cordless Scumbuster... this
is hardly a reasonable substitute when you're on salary.

I believe there must be laws that would work in my favor (especially in California)
to counter any reprimands in regards to fair use of appropriate resources.  Where
can I find info to prep for the coming storm?  I need to do more than embarrass or
blackmail people; I'm looking for real laws that I can shove in their face and
say "bite me".

Of course any other thoughts and ideas are welcome.

(Or maybe you too would like to rant about the morbid imbecility that guides your company to the future. :-)
4 Solutions
If you have a copy of the audit, fix everything listed. You do not need to use these tools if the people who sign your check tell you explicitly not to. However, if you find the security policy is not appropriate or prohibits you from doing your job effectively, bring it up with your manager. A policy is intended to be adjustable and adapted as new needs are found. Explain you are only interested in saving the company some money in downtime and increasing productivity by making resources available.

Going against the grain, even with the best of intentions, is still going against the grain and can wind you up in the streets.
I partly agree with exploited. But I have seen it before; I would think that I work for the same company as you do.
Now what I would do is just wait till you get results from the audit report. Fix those things and make a document explaining why these things were left open, and attach all evidence that your good intentions to fix them were denied. That way you have established the CMA (cover my ass) procedure.
Now you should get it up to a higher level of management, as it seems that the Head of IT is not interested in spending a dime on security. It is impossible that security will work if it is not pushed by senior management.
Now if they really like to, they fire you anyway. I have been in that same position and I got booted together with the Head of IT. I won the case after 8 months in court and they had to pay me 1 year's salary, but of course getting booted is never good.
My impression of today's security is that managers only implement it if they come out good. They will call it best practice, but that is something that is impossible.
To give you an idea, our LAN runs on a firewall cluster without maintenance and the hardware is end-of-life for almost 2 years :)
I would go to my supervisor, write-ups and audits in hand.

Say that you agree there are problems and you want to take corrective action (the write-ups should have included an action plan for correction; if they didn't, then ask for such an action plan, and if it's not forthcoming, you have, IMHO, grounds for grievance). Find some articles in industry publications concerning tools for network admins to fix their security. Ask for those tools to assist you in making corrective actions.

If there's no specific action plan or if you make what you feel is a solid case and management still refuses, start looking elsewhere. Seriously. The people you're working for would obviously be morons in that case, and you're being hung out to dry with no way to defend yourself. Get out before they dream up some pretext to fire you.

Marketing Insists,

The earlier posters all raise good points, in addition:

 - get literature about what are good practices
 - there is, in a very real way, no such thing as "security is an external problem"; see my chapters in the Computer Security Handbook, 4th Edition (or some of my speeches, see my www site at http://www.rlgsc.com/presentations.html)
 - make sure that you have off-site copies of all relevant documentation (specifically, the documentation prohibiting you from using the tools); if something happens, an offsite copy of your instructions is a good defense
 - build a trail, and keep copies of it at home

I know that may sound overcautious and distrusting to keep copies of correspondence at home, but if there are problems, it is amazing how fast you can lose access to your files at the office. It is a sad commentary, but exculpatory information (e.g., the memo that proves you were following orders) is often the hardest item to gain access to.

I hope that the above is helpful.

- Bob (aka RLGSC)
I am not a lawyer (but will play one on TV if given the chance), but do have experience with corporate policy and enforcement.

Regardless of the inadequacy of their safeguards, the laws are not on your side. If you are breaking signed agreements regarding the computer use policy at your organization, you are at greater risk than just losing your job. Using tools that are specifically denied by your policy could wind you up with fines or even jail.

Now there are laws that would pertain to their lack of safeguards and would mostly relate to 'due diligence'. You would have to contact a lawyer with specifics, but from what I understand you would have to prove flagrant disregard. An example of this would be putting an unprotected server on the internet without a firewall. In addition, you would have to prove loss, not just to the company but to a 3rd party; for example, if someone took control of the unpatched system and attacked Microsoft, Microsoft could theoretically sue the company for lack of due diligence in securing their systems and collect damages.

I would recommend trying this:
Go to your immediate supervisor with a list of fairly benign tools and get permission to use them. Start with the likes of LanGuard and MBSA. If you don't get permission you have two options: 1) Get zen about it and just do what you can when you can. 2) Look for a new position.

Good Luck.
The previous posters have done a pretty good job addressing your post.  I don't know of any laws that would back you up in violating your computer policy.  You may need to sell administration on the idea that you should be involved in the security of the organization.  Proactive security is far less costly than reactive security, whether you're talking about trying to recover from a worm attack that could have been prevented by having patched systems or trying to recover compromised data because you weren't monitoring your firewall.  Because that's about all that technically illiterate administrators care about: saving money and avoiding fines, and that's what you want to sell them on, saving money by letting you do what you're trained to do and proactively prevent problems instead of reacting to what a bunch of untrained auditor-monkeys tell you to do.  Follow your own conscience here, but it might be worth it to expose the auditor-monkeys as idiots and yourself as the hero-saviour who will protect and guide the company to security salvation (can I get an amen?).

I was thinking that CA has been coming out with a bunch of IT-related legislation, but I haven't stayed on top of it because it doesn't affect me.  However, depending on the industry you're working in, you may be affected by some new federal regulations.

HIPAA (Health Insurance Portability and Accountability Act of 1996).  If your organization deals with health care, medical records, or is self-insured for medical, this should cover you.  As an IT pro, you'll be mostly interested in the Security Standards, available from here:
Some of the rules are very specific, some are very general.  Big time fines and possible prison time for noncompliance.

Sarbanes-Oxley Act of 2002 & Gramm-Leach-Bliley Act of 1999.  These suckers cover you if you deal with financial records.  Don't know too much about them, as we've just been concentrating on HIPAA thus far, but I believe there's at least a general level of security required and fines.

End User License Agreements (EULA).  Often overlooked, but if you can't monitor your users, I'm guessing you probably don't have them secured very well.  And users will install crap left and right.  If the BSA shows up, there could be some serious fines for the company if you have a bunch of unlicensed or improperly licensed software.

It was mentioned about the suits for your network attacking someone else's.  There have also been hostile work environment suits filed (look around, I don't remember any specifics) if the organization doesn't take proper precautions to prevent its workforce from being exposed to objectionable material, like what might arise if a bho is redirecting browsers to porn sites, etc.

Keep your resume up to date, because it sounds like you're working for a bunch of <Red_Foreman_voice>dumbasses</Red_Foreman_voice>.  Auditors are there to see that you're doing your job, not confirm that you're not because you're not afforded the opportunity to and can't.  If you're interested in burning your bridges on the way out, I understand the BSA provides financial incentives for whistleblowers.  A few well-placed phone calls to a couple of government agencies and M$ could really make some changes after your departure I'd bet, if they're in heavy noncompliance with the above.  Just make sure they can't implicate you in the situation.  Good luck!
There is a program that I use to check out our pcs that you might want to try. Languard Security Scanner from www.gfi.com.

I agree with everything that has been posted so far.  I would also add that I would take the time to deploy a means of detecting their audits.  Something such as a cleverly placed machine with a software based firewall.

I would also try to establish a policy that clearly dictates the parameters of their testing:  Who is going to do the test?  What is going to be tested?  When is it going to be tested?  How is it going to be tested?  This is not to stop them from testing, but to quantify their security audits.  I would imagine that this is going to be a major headache, because they are going to say that hackers don't do this, but it is like software quality assurance.  When you write software you don't just give it to someone to break, but have policies and procedures on how they try to break it.  This is because when you are doing software quality assurance you want to clearly document what is tested, and how it is tested, to make sure every possible function is tested. Another reason that you want this policy is so that you have to fix something that they inadvertently took down during normal working hours.

Now I will agree that this policy isn't going to be easy to implement, but I think that it might help the situation.  Security auditing is not just running this tool or that tool and looking to see what pops up, but is a process.
Tim Holman commented:
One  point....

It is NOT you who is ultimately responsible for security; it is whoever above you has decided you cannot use these tools!

Vulnerability assessment and patch management are pretty big chunks of the information security jigsaw.  If you're not allowed to check these things out, then who is ??

What's to stop you using Ethereal, Nessus or Snort anyway?  Is it in writing that you're not allowed to use these?

Are you on speaking terms with the CTO or CIO ?  They are the ones who would be ultimately responsible if a virus got into your network and took everything down, and are evidently negligent in not permitting use of vital analysis tools.
good point tim
Marketing_Insists (Author) commented:
Lots of Great stuff.  Thanks
