OK, I [well, my blogspot scheduler, rather :-)] am releasing another fun presentation that I've been "hoarding" for a while to keep my readers "entertained" while I am enjoying Siberia.
This presentation is about using logs for tracking insiders as well as about "insider-proofing" you logs and making them more useful for that purpose.
It is also embedded below:
Enjoy!
Possible related posts:
Showing posts with label insiders. Show all posts
Showing posts with label insiders. Show all posts
Wednesday, October 15, 2008
Tuesday, July 29, 2008
Admins , Good Guys or "I am NOT an Idiot!"
This is a follow-up to this ("On Doomsaying (Terry Childs case)") and this ("So ... Am I? Maybe I Am!"), both related to Terry Child case, as well as a response to this post by Paul Venezia ("The anti-admin stance and the Childs case").
First, let me disclose something - my frantic efforts with the Paint allow me to proudly proclaim: I am a certified, trusted "Good Guy":
Good guys, let me tell you, do not need any controls placed on them; they are "trusted." Don't you have to trust somebody? Why not trust a sysadmin, for example?
So, what about controls? Ah, glad that you asked! "Controls" are for the bad guys; they are in place to prevent the bad guys from doing "an unspeakable evil" (tm) :-) on you. On the other hand, good guys are doing "the right thing" every time - why monitor them? It goes without saying that nobody ever moves between these groups, especially, not from "good guys" to "bad guys."
As I am rambling about this, many of my security-minded readers are wondering "what is Anton up to? Isn't it kind of OBVIOUS that controls are for everybody?" Controls know no good/bad! For example, a network control, say a NIPS, will block malicious web access due to a typo in a URL (by - gasp! - a good guy) or due to determined malicious hacking.
I think a few of my readers have watched one too many "Batman" movies and have acquired the dark side of the "IT hero" mentality." How about getting an "IT employee" mentality? If your boss is an idiot (and Terry's managers definitely seem pretty far gone in that direction...), than your "heroic duty" is to let them impale themselves on a sword of their idiocy, not to commit crimes (even if cybercrimes) to prevent that idiocy. Really, go find another job if you do not like the environment; good admins are needed in many places. For example, if your boss insists on posting all VPN passwords for all users publicly out of his sheer and unfathomable stupidity, it is your duty to tell him that it is "a very bad idea" - and not to change all passwords and not let him see it. "Doing you job" despite your boss and despite the law just doesn't work...
In other words, I want a banker making policy decisions at a bank, not a sysadmin. If a banker makes a wrong decision, his will suffer. If he is an idiot, he will most likely make the wrong decision. However, it is NOT the admin's decision to make - he does not "own" the business. BTW, the fact that it is a city, not a bank, and it is taxpayer funded, does not change it.
Am I "anti-admin" for saying that admins should not run the business? Am I "anti-admin" for saying controls (at least logging/auditing) on administrator activities are needed? You call it "anti-admin", I call it common sense!! Pray tell me, what makes admins float above accountability, control and IT governance?
Please also read what Randy Smith said about this issue; a lot of good thoughts that I agree with.
Now I would like to respond to specific comments from my readers:
Bad boss + admin out of control =/= right :-)
Finally, this and my other posts about the case are inspired by on the media reporting; I possess no "insider knowledge" on this case whatsoever.
UPDATE: Terry Childs found guilty.
Possibly related posts:
First, let me disclose something - my frantic efforts with the Paint allow me to proudly proclaim: I am a certified, trusted "Good Guy":
Good guys, let me tell you, do not need any controls placed on them; they are "trusted." Don't you have to trust somebody? Why not trust a sysadmin, for example?
So, what about controls? Ah, glad that you asked! "Controls" are for the bad guys; they are in place to prevent the bad guys from doing "an unspeakable evil" (tm) :-) on you. On the other hand, good guys are doing "the right thing" every time - why monitor them? It goes without saying that nobody ever moves between these groups, especially, not from "good guys" to "bad guys."
As I am rambling about this, many of my security-minded readers are wondering "what is Anton up to? Isn't it kind of OBVIOUS that controls are for everybody?" Controls know no good/bad! For example, a network control, say a NIPS, will block malicious web access due to a typo in a URL (by - gasp! - a good guy) or due to determined malicious hacking.
I think a few of my readers have watched one too many "Batman" movies and have acquired the dark side of the "IT hero" mentality." How about getting an "IT employee" mentality? If your boss is an idiot (and Terry's managers definitely seem pretty far gone in that direction...), than your "heroic duty" is to let them impale themselves on a sword of their idiocy, not to commit crimes (even if cybercrimes) to prevent that idiocy. Really, go find another job if you do not like the environment; good admins are needed in many places. For example, if your boss insists on posting all VPN passwords for all users publicly out of his sheer and unfathomable stupidity, it is your duty to tell him that it is "a very bad idea" - and not to change all passwords and not let him see it. "Doing you job" despite your boss and despite the law just doesn't work...
In other words, I want a banker making policy decisions at a bank, not a sysadmin. If a banker makes a wrong decision, his will suffer. If he is an idiot, he will most likely make the wrong decision. However, it is NOT the admin's decision to make - he does not "own" the business. BTW, the fact that it is a city, not a bank, and it is taxpayer funded, does not change it.
Am I "anti-admin" for saying that admins should not run the business? Am I "anti-admin" for saying controls (at least logging/auditing) on administrator activities are needed? You call it "anti-admin", I call it common sense!! Pray tell me, what makes admins float above accountability, control and IT governance?
Please also read what Randy Smith said about this issue; a lot of good thoughts that I agree with.
Now I would like to respond to specific comments from my readers:
"What rankles your readers is how blithely you imply this problem has a simple or effective solution. It doesn't, all the processes or tools you advocate can do is speed up the time it takes to detect the lock-out, but not actually prevent it - i.e. they are ineffective at tackling the primary problem."That is correct; the rogue admin problem has NO simple solution. You might prevent some (few, really) things, you might log some of them and then figure what happened, but there is no simple solution (it goes without saying that "just trust them" is NOT a solution...)
"We all know companies run without sane risk management all the time and are rarely held accountable in America. What makes you think anyone is "screwed"?"Well, this is a good point; maybe I let my idealistic side take over. But, come on, just the fact that bad IT governance is somewhat common, doesn't make it right!
"Now ask yourself who is "screwed" by one person at a small company having all access and no accountability on a network. That's how I run my home network. Big deal."Nobody is. I addressed it here. The risk is acceptable for smaller environments, usually. I don't have an overseeing body set up to control my home passwords :-)
"You seem to forget that sometimes the management just has to trust somebody. "Addressed above.
"Chuvakin, you're a tool. Given the recent idiocy of the releasing of the VPN names and codes, it obviously shows that any sort of detest that Childs had against his superiors at the city were justified."The fact that his bosses are idiots (which seems fairly well established!) does not make him right!
Bad boss + admin out of control =/= right :-)
"This is not a private organization. His superiors don't own the company and are NOT entitled to the data. We are, the taxpayers. And as a California taxpayer I fully support someone with the paranoia and technical skill of Terry Childs over a group of bureaucrats who release secure information to the public."Properly evaluating this statement requires a law degree. Thus, no comment. Bureaucrats suck, but rogue admins are not a solution to that. Really!
"The guy was doing his job and doing it incredibly well, and keeping it out of the hands of those who, given their most recent choices, would bring potential disaster to the city."He was NOT, unless crime is part of his job :-) Also, see comments on "IT heroes" above. If your boss is an idiot AND you don't like it, quit.
"Anton Chuvakin seems to think that all admins should be kept underneath management's boot at all times. [...] Managers can't and don't understand what we do, and thus eventually come to the conclusion that we can't be trusted with our own knowledge. [...] Perhaps it's human nature to fear what you don't know or understand -- and that's why management can develop a fear of their own employees."You say 'fear of employees', I say "insider risk management." You say "trust employees", I say "trust but [be able to] verify (=log)"
"his blog leads the casual reader to infer that their businesses are in danger of being hijacked by disgruntled Sys Admins and that isn’t the case." (from here)Eh, not all businesses, but some businesses - definitely (hmm, see Terry Childs story or other published insider attack cases, all the way back to Omega Engineering case and maybe all the way back to ancient history)
"I despise people like Terry Childs, but despise Chicken Little’s like Anton Chuvakin even more." (from here)You say I am 'chicken little', I say "if your boss ignores insider risk management, he is stupid and deserves his business to fail." I also add "if you think admins are 'above the law', you have a good chance of 'turning rogue' yourself AND then ending in jail."
Finally, this and my other posts about the case are inspired by on the media reporting; I possess no "insider knowledge" on this case whatsoever.
UPDATE: Terry Childs found guilty.
Possibly related posts:
Tuesday, November 06, 2007
Insider Mom Musings
This has some interesting musings on insider attacks and risks, for example: "... my mom is really not capable of launching an internet based attack against a F500 enterprise. However, when she was an office manager, I am reasonably sure she had the ability to do lots of bad things."
Things of that sort help keep the insider angle at the center of attention. It leads me to a scary thought sequence:
a. Is the percentage of unethical people at a major F500 company any different than the entire world? Probably not - or not by much...
b. Thus, for every million of script kiddiez, you have, say, 10 "bad apples" at your org
c. Also, your firewalls/IDS/IPS/NBA/whatever will stop 99%-100% of the above millions
d. Your defenses will probably stop NONE of the 10 "insiders" (and they know where everything is...)
So, who is the bigger risk? I bet on the "evil mom."
Things of that sort help keep the insider angle at the center of attention. It leads me to a scary thought sequence:
a. Is the percentage of unethical people at a major F500 company any different than the entire world? Probably not - or not by much...
b. Thus, for every million of script kiddiez, you have, say, 10 "bad apples" at your org
c. Also, your firewalls/IDS/IPS/NBA/whatever will stop 99%-100% of the above millions
d. Your defenses will probably stop NONE of the 10 "insiders" (and they know where everything is...)
So, who is the bigger risk? I bet on the "evil mom."
Monday, November 05, 2007
More Insider Threat Fun :-)
Interesting post from Richard AND very interesting comments related to insider threat (and also on why so few care about 0nwned boxes on their network - my favorite subject of fascination ...)
"The bottom line is that aside from separation of duties, enforcement of LUA, and monitoring there is not much you can do for an insider threat. Its an almost wholly reactive situation. Of course, vendors don't see it that way :-)"
"The bottom line is that aside from separation of duties, enforcement of LUA, and monitoring there is not much you can do for an insider threat. Its an almost wholly reactive situation. Of course, vendors don't see it that way :-)"
Tuesday, October 30, 2007
Logs vs Insiders
Fun tip from SANS on insider attacks. What is the first item? This:
"keep good logs. Logs should show who is doing what to your data. In particular, if insiders use admin level access to change data or review users data."
Of course! While people continue the futile search for the ultimate anti-insider technology (free tip: it doesn't exist!), logs, which sit right under their noses, contain the records of all activities. Such info is extremely useful for investigating insider behavior today as well as - in the future, I hope - predicting their transgressions.
BTW, I wrote this great piece on using logs vs insiders (to be published in ISSA Journal in November - check it out when it hits the shelves)
"keep good logs. Logs should show who is doing what to your data. In particular, if insiders use admin level access to change data or review users data."
Of course! While people continue the futile search for the ultimate anti-insider technology (free tip: it doesn't exist!), logs, which sit right under their noses, contain the records of all activities. Such info is extremely useful for investigating insider behavior today as well as - in the future, I hope - predicting their transgressions.
BTW, I wrote this great piece on using logs vs insiders (to be published in ISSA Journal in November - check it out when it hits the shelves)
Tuesday, November 28, 2006
Revisiting 80% Mystery
So, everybody heard that "80% of something bad is due to insiders;" moreover, many just hate this mystery statistic. Here are a few common and different versions:
1. "80% of security attacks are due to insiders."
2. "80% of security loss is due to insiders."
3. "80% of statistics are made up." :-)
Should we completely scrap this 80% beasty or is there any truth in it, after all? Recently I've seen a discussion on one mailing list where some pretty darn smart folks swore that they can personally attest that one or the other version of the above is "absolutely true."
So, any defenders/attackers of the above?
1. "80% of security attacks are due to insiders."
2. "80% of security loss is due to insiders."
3. "80% of statistics are made up." :-)
Should we completely scrap this 80% beasty or is there any truth in it, after all? Recently I've seen a discussion on one mailing list where some pretty darn smart folks swore that they can personally attest that one or the other version of the above is "absolutely true."
So, any defenders/attackers of the above?
Tuesday, September 05, 2006
On Insider/Outside Mini-Closure :-)
So it's been "in vogue" to write about insiders/outsiders (aka internal/external attacks) lately - see Pete Lindstrom, DarkReading, etc. Overall, this issue is known to be extremely confusing and I hereby admit to propagating the "80% internal" myth in the past...
However, I think Chris Walsh has nailed this one via his "Outsiders! Insiders! Let's call the whole thing off" post where he calls it a "marketing-generated distraction."
So check it out...
However, I think Chris Walsh has nailed this one via his "Outsiders! Insiders! Let's call the whole thing off" post where he calls it a "marketing-generated distraction."
So check it out...
Subscribe to:
Posts (Atom)
Dr Anton Chuvakin
