Security & Politics :: advice needed

Posted on 2004-08-25
Medium Priority
Last Modified: 2012-06-27
I'm sure you guys have had this problem before:  Political issues regarding
security.  Though things here are a bit out of hand ...

I am a network administrator at a branch office of a large corporation.  My
situation is this: I am ultimately accountable for network security, however, I'm
not allowed to use security tools to audit my own network.  However, internal
auditors are allowed to use tools to audit my network and write me up for
vulnerabilities they find.


Packet analyzers such as NT's NetMon or Ethereal are forbidden.  This leaves
me no way to track down the source of any worm-infected computers (much less
a plethora of quality control issues).

An IDS such as Snort to monitor suspicious activity is also out of the
question, as IDSs are based on packet analyzer technology.

I can't use a scanner such as nmap or superscan to look for unauthorized PCs
or prohibited network services either.

Penetration testers such as Nessus or other security analyzers are right out,
so I have no way to tell if security patches are being properly deployed to PCs.

Finally, I am denied permission and very modest budgets to upgrade insecure
services (such as upgrading an app so that its telnet sessions are encrypted
with SSL, ugly hack with stunnel.org notwithstanding).

Personally, it is the most blatant instance of responsibility and no authority
that I've ever been involved in, and auditors have a FIELD DAY taking advantage
of the free lunch of write-up's that they post like trophies, and putting my
job at risk.

But I'm not currently cowering to the rules that set one up for discipline, and
naturally I use all of the above tools to keep things secure.  As a result
of going against the grain, my job is at considerably heightened risk.

Security is supposed to be handled externally, and, in theory, we are to be
notified of issues.  For a year, I bought into this, but after being blasted
by worms and other security breaches, it became obvious that NOTHING was being
done, so I took matters into my own hands and don't intend on going back after
seeing the light.

Of course, there are ways to manually verify the security of computers.  It would
take approximately 8 hours on a Saturday to complete a manual check of 100
computers where an available security tool would complete the task in 5 minutes...
basically the equivalent of being instructed to use a toothbrush to clean out a
toilet instead of an available Black & Decker S300 cordless Scumbuster... this
is hardly a reasonable substitute when you're on salary.

I believe there must be laws that would work in my favor (especially in California)
to counter any reprimands in regards to fair use of appropriate resources.  Where
can I find info to prep for the coming storm?  I need to do more than embarrass or
blackmail people; I'm looking for real laws that I can shove in their face and
say "bite me".

Of course any other thoughts and ideas are welcome.

(Or maybe you too would like to rant about the morbid imbecility that guides your company into the future. :-)
Question by:Marketing_Insists

Expert Comment

ID: 11900254
If you have a copy of the audit, fix everything listed. You do not need to use these tools if the people who sign your check tell you explicitly not to. However, if you find the security policy is not appropriate or prohibits you from doing your job effectively, bring it up with your manager. A policy is intended to be adjustable and adapted as new needs are found. Explain that you are only interested in saving the company some money in downtime and increasing productivity by making resources available.

Going against the grain, even with the best of intentions, is still going against the grain and can wind you up in the streets.

Expert Comment

ID: 11900336
I partly agree with exploited. But I have seen it before; I would think that I work for the same company as you do.
Now what I would do is just wait until you get results from the audit report. Fix those things and make a document explaining why these things were left open, and attach all evidence that your good intentions to fix it were denied. That way you have established the CMA (cover my ass) procedure.
Now you should get it up to a higher level of management, as it seems that the Head of IT is not interested in spending a dime on security. It is impossible for security to work if it is not pushed by senior management.
Now if they really want to, they will fire you anyway. I have been in that same position and I got booted together with the Head of IT. I won the case after 8 months in court and they had to pay me 1 year's salary, but of course getting booted is never good.
My impression of today's security is that managers only implement it if they come out looking good. They will call it best practice, but that is something that is impossible.
To give you an idea, our LAN runs on a firewall cluster without maintenance and the hardware has been end-of-life for almost 2 years :)

Assisted Solution

PsiCop earned 300 total points
ID: 11903349
I would go to my supervisor, write-ups and audits in hand.

Say that you agree there are problems and you want to take corrective action (the write-ups should have included an action plan for correction - if they didn't, then ask for such an action plan, and if it's not forthcoming, you have - IMHO - grounds for grievance). Find some articles in industry publications concerning tools for network admins to fix their security. Ask for those tools to assist you in making corrective actions.

If there's no specific action plan or if you make what you feel is a solid case and management still refuses, start looking elsewhere. Seriously. The people you're working for would obviously be morons in that case, and you're being hung out to dry with no way to defend yourself. Get out before they dream up some pretext to fire you.

Expert Comment

ID: 11904708
Marketing Insists,

The earlier posters all raise good points, in addition:

 - get literature about what are good practices
 - there is, in a very real way, no such thing as "security is an external problem"; see my chapters in the Computer Security Handbook, 4th Edition (or some of my speeches, see my www site at http://www.rlgsc.com/presentations.html)
 - make sure that you have off-site copies of all relevant documentation (specifically, the documentation prohibiting you from using the tools); if something happens, an offsite copy of your instructions is a good defense
 - build a trail, and keep copies of it at home

I know that may sound overcautious and distrusting to keep copies of correspondence at home, but if there are problems, it is amazing how fast you can lose access to your files at the office. It is a sad commentary, but exculpatory information (e.g., the memo that proves you were following orders) is often the hardest item to gain access to.

I hope that the above is helpful.

- Bob (aka RLGSC)

Expert Comment

ID: 11907046
I am not a lawyer (but will play one on TV if given the chance), but do have experience with corporate policy and enforcement.

Regardless of the inadequacy of their safeguards, the laws are not on your side. If you are breaking signed agreements regarding the computer use policy at your organization you are at greater risk than just losing your job. Using tools that are specifically denied by your policy could wind you up with fines or even jail.

Now there are laws that would pertain to their lack of safeguards and would mostly relate to 'due diligence'. You would have to contact a lawyer with specifics, but from what I understand you would have to prove flagrant disregard. An example of this would be putting an unprotected server on the internet without a firewall. In addition, you would have to prove loss, not just to the company but to a 3rd party; for example, if someone took control of the unpatched system and attacked Microsoft, Microsoft could theoretically sue the company for lack of due diligence in securing their systems and collect damages.

I would recommend trying this:
Go to your immediate supervisor with a list of fairly benign tools and get permission to use them. Start with the likes of LANguard and MBSA. If you don't get permission you have two options: 1) Get zen about it and just do what you can when you can. 2) Look for a new position.

Good Luck.

Accepted Solution

WerewolfTA earned 900 total points
ID: 11913029
The previous posters have done a pretty good job addressing your post.  I don't know of any laws that would back you up in violating your computer policy.  You may need to sell administration on the idea that you should be involved in the security of the organization.  Proactive security is far less costly than reactive security, whether you're talking about trying to recover from a worm attack that could have been prevented by having patched systems or trying to recover compromised data because you weren't monitoring your firewall.  Because that's about all that technically illiterate administrators care about: saving money and avoiding fines, and that's what you want to sell them on, saving money by letting you do what you're trained to do and proactively prevent problems instead of reacting to what a bunch of untrained auditor-monkeys tell you to do.  Follow your own conscience here, but it might be worth it to expose the auditor-monkeys as idiots and yourself as the hero-saviour who will protect and guide the company to security salvation (can I get an amen?).

I was thinking that CA has been coming out with a bunch of IT-related legislation, but I haven't stayed on top of it because it doesn't affect me.  However, depending on the industry you're working in, you may be affected by some new federal regulations.

HIPAA (Health Insurance Portability and Accountability Act of 1996).  If your organization deals with health care, medical records, or is self-insured for medical, this should cover you.  As an IT pro, you'll be mostly interested in the Security Standards, available from here:
Some of the rules are very specific, some are very general.  Big time fines and possible prison time for noncompliance.

Sarbanes-Oxley Act of 2002 & Gramm-Leach-Bliley Act of 1999.  These suckers cover you if you deal with financial records.  Don't know too much about them, as we've just been concentrating on HIPAA thus far, but I believe there's at least a general level of security required and fines.

End User License Agreements (EULA).  Often overlooked, but if you can't monitor your users, I'm guessing you probably don't have them secured very well.  And users will install crap left and right.  If the BSA shows up, there could be some serious fines for the company if you have a bunch of unlicensed or improperly licensed software.

It was mentioned above that there could be suits for your network attacking someone else's.  There have also been hostile work environment suits filed (look around, I don't remember any specifics) if the organization doesn't take proper precautions to prevent its workforce from being exposed to objectionable material, like what might arise if a BHO is redirecting browsers to porn sites, etc.

Keep your resume up to date, because it sounds like you're working for a bunch of <Red_Foreman_voice>dumbasses</Red_Foreman_voice>.  Auditors are there to see that you're doing your job, not confirm that you're not because you're not afforded the opportunity to and can't.  If you're interested in burning your bridges on the way out, I understand the BSA provides financial incentives for whistleblowers.  A few well-placed phone calls to a couple of government agencies and M$ could really make some changes after your departure I'd bet, if they're in heavy noncompliance with the above.  Just make sure they can't implicate you in the situation.  Good luck!

Expert Comment

ID: 11914989
There is a program that I use to check out our PCs that you might want to try: LANguard Network Security Scanner from www.gfi.com.


Assisted Solution

Robnhood earned 500 total points
ID: 11935377
I agree with everything that has been posted so far.  I would also add that I would take the time to deploy a means of detecting their audits.  Something such as a cleverly placed machine with a software-based firewall.

I would also try to establish a policy that clearly dictates the parameters of their testing:  Who is going to do the test?  What is going to be tested?  When is it going to be tested?  How is it going to be tested?  This is not to stop them from testing, but to quantify their security audits.  I would imagine that this is going to be a major headache, because they are going to say that hackers don't do this, but it is like software quality assurance.  When you write software you don't just give it to someone to break; you have policies and procedures on how they try to break it.  This is because when you are doing software quality assurance you want to clearly document what is tested, and how it is tested, to make sure each possible function is tested.  Another reason that you want this policy is so that you have to fix something that they inadvertently took down during normal working hours.

Now I will agree that this policy isn't going to be easy to implement, but I think that it might help the situation.  Security auditing is not just running this tool or that tool and looking to see what pops up; it is a process.
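One way to build the "audit detector" Robnhood describes, as an added example that is not code from the original thread: a spare host on the segment with a host firewall that drops and logs every unsolicited connection, plus a small script that flags any source touching many distinct ports on that host inside a short window. The iptables/syslog-style DROP log format, the hostname "canary", the IP addresses, the sample log lines, and the 10-ports-in-60-seconds threshold are all assumptions for the example; the post names no firewall, log format or threshold.

```python
"""Flag port sweeps against a canary host from its firewall drop log (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in an iptables/syslog-style DROP log (hypothetical
# format; the thread does not name a firewall or log format). 10.1.5.20 sweeps
# twelve ports in four seconds, 10.1.5.31 retries SMB three times, 10.1.5.40
# touches two ports, and one ACCEPT line shows that only drops are considered.
SAMPLE_LOG = """\
Aug 25 09:00:01 canary kernel: DROP IN=eth0 SRC=10.1.5.20 DST=10.1.5.200 PROTO=TCP SPT=43120 DPT=21
Aug 25 09:00:01 canary kernel: DROP IN=eth0 SRC=10.1.5.20 DST=10.1.5.200 PROTO=TCP SPT=43121 DPT=22
Aug 25 09:00:02 canary kernel: DROP IN=eth0 SRC=10.1.5.20 DST=10.1.5.200 PROTO=TCP SPT=43122 DPT=23
Aug 25 09:00:02 canary kernel: DROP IN=eth0 SRC=10.1.5.20 DST=10.1.5.200 PROTO=TCP SPT=43123 DPT=25
Aug 25 09:00:02 canary kernel: DROP IN=eth0 SRC=10.1.5.20 DST=10.1.5.200 PROTO=TCP SPT=43124 DPT=80
Aug 25 09:00:03 canary kernel: DROP IN=eth0 SRC=10.1.5.20 DST=10.1.5.200 PROTO=TCP SPT=43125 DPT=110
Aug 25 09:00:03 canary kernel: DROP IN=eth0 SRC=10.1.5.20 DST=10.1.5.200 PROTO=TCP SPT=43126 DPT=135
Aug 25 09:00:03 canary kernel: DROP IN=eth0 SRC=10.1.5.20 DST=10.1.5.200 PROTO=TCP SPT=43127 DPT=139
Aug 25 09:00:04 canary kernel: DROP IN=eth0 SRC=10.1.5.20 DST=10.1.5.200 PROTO=TCP SPT=43128 DPT=443
Aug 25 09:00:04 canary kernel: DROP IN=eth0 SRC=10.1.5.20 DST=10.1.5.200 PROTO=TCP SPT=43129 DPT=445
Aug 25 09:00:04 canary kernel: DROP IN=eth0 SRC=10.1.5.20 DST=10.1.5.200 PROTO=TCP SPT=43130 DPT=1433
Aug 25 09:00:04 canary kernel: DROP IN=eth0 SRC=10.1.5.20 DST=10.1.5.200 PROTO=TCP SPT=43131 DPT=3389
Aug 25 09:05:10 canary kernel: DROP IN=eth0 SRC=10.1.5.31 DST=10.1.5.200 PROTO=TCP SPT=1057 DPT=445
Aug 25 09:05:13 canary kernel: DROP IN=eth0 SRC=10.1.5.31 DST=10.1.5.200 PROTO=TCP SPT=1058 DPT=445
Aug 25 09:05:19 canary kernel: DROP IN=eth0 SRC=10.1.5.31 DST=10.1.5.200 PROTO=TCP SPT=1059 DPT=445
Aug 25 09:07:02 canary kernel: DROP IN=eth0 SRC=10.1.5.40 DST=10.1.5.200 PROTO=TCP SPT=2001 DPT=80
Aug 25 09:07:03 canary kernel: DROP IN=eth0 SRC=10.1.5.40 DST=10.1.5.200 PROTO=UDP SPT=2002 DPT=161
Aug 25 09:07:05 canary kernel: ACCEPT IN=eth0 SRC=10.1.5.40 DST=10.1.5.200 PROTO=TCP SPT=2003 DPT=22
"""

# Only DROP entries carry a source, protocol and destination port we care about.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ kernel: DROP .*?"
    r"SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line, year=2004):
    """Return (timestamp, src, proto, dport) for a DROP line, else None.
    Syslog timestamps carry no year, so the caller supplies one."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{m['ts']} {year}", "%b %d %H:%M:%S %Y")
    return ts, m["src"], m["proto"], int(m["dpt"])


def detect_scans(lines, window_seconds=60, min_ports=10, year=2004):
    """Return one alert per source that hit at least min_ports distinct
    (proto, port) pairs on the canary within any window_seconds span.
    A sweep spread out more slowly than that is deliberately not reported,
    which is the usual blind spot of a fixed-window detector."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line, year)
        if ev is not None:
            ts, src, proto, dpt = ev
            by_src[src].append((ts, proto, dpt))

    alerts = []
    for src, evs in by_src.items():
        evs.sort()  # logs may arrive out of order; the window needs time order
        window = deque()
        peak = 0
        for ts, proto, dpt in evs:
            window.append((ts, proto, dpt))
            # Drop events that fell out of the trailing window.
            while (ts - window[0][0]).total_seconds() > window_seconds:
                window.popleft()
            peak = max(peak, len({(p, d) for _, p, d in window}))
        if peak >= min_ports:
            alerts.append({
                "src": src,
                "distinct_ports": len({(p, d) for _, p, d in evs}),
                "peak_in_window": peak,
                "first": evs[0][0],
                "last": evs[-1][0],
            })
    return alerts


if __name__ == "__main__":
    for a in detect_scans(SAMPLE_LOG.splitlines()):
        print(f"{a['src']}: {a['distinct_ports']} ports "
              f"({a['peak_in_window']} within the window), "
              f"{a['first']:%H:%M:%S} - {a['last']:%H:%M:%S}")
```

Run against the constructed log, the only alert is for 10.1.5.20; the SMB retries from 10.1.5.31 never exceed one distinct port and are left alone. Shrinking the window to one second makes the same twelve-port sweep fall below the threshold, which is exactly how a slow "polite" audit scan would slip past this detector, so pair it with the written test schedule Robnhood suggests rather than relying on it alone.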

Assisted Solution

by:Tim Holman
Tim Holman earned 300 total points
ID: 11968376
One point....

It is NOT you who is ultimately responsible for security - it is whoever above you has decided you cannot use these tools!

Vulnerability assessment and patch management are pretty big chunks of the information security jigsaw.  If you're not allowed to check these things out, then who is??

What's to stop you using Ethereal, Nessus or Snort anyway?  Is it in writing that you're not allowed to use these?

Are you on speaking terms with the CTO or CIO ?  They are the ones who would be ultimately responsible if a virus got into your network and took everything down, and are evidently negligent in not permitting use of vital analysis tools.

Expert Comment

ID: 11969087
Good point, Tim.

Author Comment

ID: 12040438
Lots of great stuff.  Thanks.
