Marketing_Insists asked:

Security & Politics :: advice needed

I'm sure you guys have had this problem before:  Political issues regarding
security.  Though things here are a bit out of hand ...

I am a network administrator at a branch office of a large corporation.  My
situation is this: I am ultimately accountable for network security; however, I'm
not allowed to use security tools to audit my own network.  Internal
auditors, on the other hand, are allowed to use tools to audit my network and write me up for
vulnerabilities they find.

details:

Packet analyzers such as NT's NetMon or Ethereal are forbidden.  This leaves
me no way to track down the source of any worm-infected computers (much less
a plethora of quality control issues).

An IDS such as Snort, to monitor suspicious activity, is also out of the
question, as IDSs are based on packet-analyzer technology.

I can't use a scanner such as nmap or superscan to look for unauthorized PCs
or prohibited network services either.

Penetration testers, such as nessus or other security analyzers, are right out,
so I have no way to tell if security patches are being properly deployed to PCs.

Finally, I am denied permission, and very modest budgets, to upgrade insecure
services (such as upgrading an app so that its telnet sessions are encrypted
with SSL - ugly hack with stunnel.org notwithstanding).

Personally, it is the most blatant instance of responsibility without authority
that I've ever been involved in, and the auditors have a FIELD DAY taking advantage
of the free lunch of write-ups, which they post like trophies, putting my
job at risk.

But I'm not currently cowering to the rules that set one up for discipline, and
naturally I use all of the above tools to keep things secure.  As a result
of going against the grain, my job is at considerably heightened risk.

<note>
Security is supposed to be handled externally, and, in theory, we are to be
notified of issues.  For a year I bought into this, but after being blasted
by worms and other security breaches, it became obvious that NOTHING was being
done, so I took matters into my own hands and don't intend to go back after
seeing the light.
</note>

Of course, there are ways to manually verify the security of computers.  It would
take approximately 8 hours on a Saturday to complete a manual check of 100
computers, where an available security tool would complete the task in 5 minutes...
basically the equivalent of being instructed to use a toothbrush to clean out a
toilet instead of an available Black & Decker S300 cordless Scumbuster... this
is hardly a reasonable substitute when you're on salary.

I believe there must be laws that would work in my favor (especially in California)
to counter any reprimands regarding fair use of appropriate resources.  Where
can I find info to prep for the coming storm?  I need to do more than embarrass or
blackmail people; I'm looking for real laws that I can shove in their face and
say "bite me".

Of course any other thoughts and ideas are welcome.

(Or maybe you too would like to rant about the morbid imbecility that guides your company to the future. :-)
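The post above lists two jobs it wants a scanner for: finding prohibited services (cleartext telnet, for instance) and finding PCs that are not supposed to be on the network. The script below is an added example, not code from the original post or from any of the posters: it takes the grepable output of an nmap sweep (the `-oG` format) and reports both. The addresses, hostnames, the embedded scan output, the list of banned ports and the inventory are all constructed for the example, so it runs offline; in practice you would replace the embedded sample with the output of `nmap -oG scan.gnmap -p 21,22,23,445 10.1.2.0/24` run against your own range.

```shell
#!/bin/sh
# Added example (not from the original post): triage the grepable (-oG) output
# of an nmap sweep for (a) open services that site policy forbids and
# (b) live hosts that are missing from the authorised inventory.
# Addresses, hostnames and the scan output below are constructed for this example.

# Constructed sample of `nmap -oG - -p 21,22,23,445 10.1.2.0/24` output.
# Real nmap separates the fields with tabs; the parser accepts tabs or spaces.
SCAN_OUTPUT='# Nmap scan initiated (constructed sample)
Host: 10.1.2.5 (pc-17.branch.example)   Status: Up
Host: 10.1.2.5 (pc-17.branch.example)   Ports: 23/open/tcp//telnet///, 445/open/tcp//microsoft-ds///   Ignored State: closed (2)
Host: 10.1.2.9 ()       Status: Up
Host: 10.1.2.9 ()       Ports: 22/open/tcp//ssh///      Ignored State: closed (3)
Host: 10.1.2.40 (fileserver.branch.example)     Status: Up
Host: 10.1.2.40 (fileserver.branch.example)     Ports: 21/open/tcp//ftp///, 445/open/tcp//microsoft-ds///       Ignored State: closed (2)
Host: 10.1.2.77 (pc-23.branch.example)  Status: Up
Host: 10.1.2.77 (pc-23.branch.example)  Ports: 445/open/tcp//microsoft-ds///    Ignored State: closed (3)
# Nmap done (constructed sample)'

# Ports that policy says must not be listening (assumed: cleartext ftp and telnet).
PROHIBITED_PORTS="21 23"

# Assumed authorised inventory, one IP per line. 10.1.2.9 is deliberately absent.
INVENTORY="10.1.2.5
10.1.2.40
10.1.2.77"

# Print "ip port/service" for every open port in the banned list.
# A -oG "Ports:" entry has the form port/state/proto/owner/service/rpc/version/
find_prohibited() {
    printf '%s\n' "$SCAN_OUTPUT" | awk -v banned="$PROHIBITED_PORTS" '
        BEGIN { n = split(banned, b, " "); for (i = 1; i <= n; i++) bad[b[i]] = 1 }
        /^Host:/ && /Ports:/ {
            ip = $2
            line = $0
            sub(/.*Ports: /, "", line)              # keep only the port list
            sub(/[ \t]*Ignored State.*/, "", line)  # drop the trailing summary
            m = split(line, ports, /, */)
            for (i = 1; i <= m; i++) {
                split(ports[i], f, "/")
                if (f[2] == "open" && (f[1] in bad)) print ip, f[1] "/" f[5]
            }
        }'
}

# Print the IP of every host that answered but is not in the inventory.
find_unauthorized() {
    printf '%s\n' "$SCAN_OUTPUT" | awk -v inv="$INVENTORY" '
        BEGIN { n = split(inv, a, "\n"); for (i = 1; i <= n; i++) known[a[i]] = 1 }
        /^Host:/ && /Status: Up/ { if (!($2 in known)) print $2 }'
}

echo "Prohibited services:"
find_prohibited
echo "Hosts not in inventory:"
find_unauthorized
```

Both checks key on the scan output rather than on nmap itself, so the same script works on a scan someone else (an internal auditor, say) hands you, and the report it produces is the kind of evidence a write-up can be answered with.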
exploitedj

If you have a copy of the audit, fix everything listed. You do not need to use these tools if the people who sign your check tell you explicitly not to. However, if you find the security policy is not appropriate or prohibits you from doing your job effectively, bring it up with your manager. A policy is intended to be adjustable and adapted as new needs are found. Explain you are only interested in saving the company some money in downtime and increasing productivity by making resources available.

Going against the grain, even with the best of intentions, is still going against the grain and can wind you up in the streets.
bloemkool1980

I partly agree with exploited. But I have seen it before; I would think that I work for the same company as you do.
Now what I would do is just wait till you get the results from the audit report. Fix those things and make a document explaining why these things were left open, and attach all evidence that your good intentions to fix them were denied. That way you have established the CMA (cover my ass) procedure.
Now you should get it up to a higher level of management, as it seems that the Head of IT is not interested in spending a dime on security. It is impossible for security to work if it is not pushed by senior management.
Now, if they really want to, they will fire you anyway. I have been in that same position and I got booted together with the Head of IT. I won the case after 8 months in court and they had to pay me 1 year's salary, but of course getting booted is never good.
My impression of today's security is that managers only implement it if they come out of it looking good. They will call it best practice, but that is something that is impossible.
To give you an idea, our LAN runs on a firewall cluster without maintenance and the hardware has been end-of-life for almost 2 years :)
SOLUTION
PsiCop
(solution text available to members only)

Marketing Insists,

The earlier posters all raise good points, in addition:

 - get literature about what are good practices
 - there is, in a very real way, no such thing as "security is an external problem", see my chapters in the Computer Security Handbook, 4th Edition (or some of my speeches, see my www site at http://www.rlgsc.com/presentations.html)
 - make sure that you have off-site copies of all relevant documentation (specifically, the documentation prohibiting you from
  using the tools); if something happens, an offsite copy of your instructions is a good defense.
 - build a trail, and keep copies of it at home

I know that may sound overcautious and distrusting to keep copies of correspondence at home, but if there are problems, it is amazing how fast you can lose access to your files at the office. It is a sad commentary, but exculpatory information (e.g., the memo that proves you were following orders) is often the hardest item to gain access to.

I hope that the above is helpful.

- Bob (aka RLGSC)
I am not a lawyer (but will play one on TV if given the chance), but do have experience with corporate policy and enforcement.

Regardless of the inadequacy of their safeguards, the laws are not on your side. If you are breaking signed agreements regarding the computer use policy at your organization, you are at greater risk than just losing your job. Using tools that are specifically denied by your policy could wind you up with fines or even jail.

Now there are laws that would pertain to their lack of safeguards, and they would mostly relate to 'due diligence'. You would have to contact a lawyer with specifics, but from what I understand you would have to prove flagrant disregard. An example of this would be putting an unprotected server on the internet without a firewall. In addition, you would have to prove loss, not just to the company but to a 3rd party; for example, if someone took control of the unpatched system and attacked Microsoft, Microsoft could theoretically sue the company for lack of due diligence in securing their systems and collect damages.

I would recommend trying this:
Go to your immediate supervisor with a list of fairly benign tools and get permission to use them. Start with the likes of LanGuard and MBSA. If you don't get permission you have two options: 1) Get zen about it and just do what you can when you can. 2) Look for a new position.

Good Luck.
ASKER CERTIFIED SOLUTION
There is a program that I use to check out our pcs that you might want to try. Languard Security Scanner from www.gfi.com.

SOLUTION (solution text available to members only)

SOLUTION (solution text available to members only)
Good point, Tim.
Marketing_Insists (asker):

Lots of great stuff.  Thanks