Should Security Officers Be Network Admins?

A Nameless Submittor asks: "I work as a network administrator for a large organization. Recently our security officer has demanded from our management that she be a network administrator on every system in our environment. Currently she is not an administrator on most of our systems, although she does have enough administrative power to do auditing, manage resource accesses, and manage users. Should security officers have unrestricted access to everything on a network? A security officer with the ability to shut down servers, disable services, etc. scares the hell out of me and my coworkers. Can I fight this or am I fighting a losing battle? What is done in the rest of the world?"
  • The metamoderators [slashdot.org], of course ;^)=

    --Robert

  • I feel that as the one in charge of security, I need to be aware of everything. That means have root access everywhere.

    That is why I love this job so much. I have to know it all to be able to secure it. If I couldn't get access to everything, I wouldn't touch the box at all. I can't be sure things are secure if I can't check all processes or users or whatever else I need.

    The security role seemed natural to me after being a sysadmin, network engineer, etc. I like being involved.

  • I agree, it would be better to grant only monitoring privileges. You have studied for X years in order to do your job well. Why should someone who has relatively little experience be granted the same authority? An overzealous admin will do much more harm than good.

    If you're running a UNIX variant, why not consider giving this person sudo access with read only privs (assuming this is possible with sudo)? Then, like the previous poster mentioned, have them come to you when they need changes made to the system.
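
An added sketch of the "read-only sudo" idea from the comment above (not part of the original thread): sudo has no read-only switch, so the nearest equivalent is an allow-list of inspection commands with exact arguments, run with noexec. The group name secaudit, the file name, the command paths and the log file names are assumptions to adjust per system.

```sudoers
# Hypothetical file: /etc/sudoers.d/secaudit  (edit with: visudo -f /etc/sudoers.d/secaudit)
# Assumed: a Unix group "secaudit" holding the security officer's account.

User_Alias  SECAUDIT = %secaudit

# Process, socket and login inspection. None of these modify system state.
Cmnd_Alias  AUDIT_PROC  = /bin/ps, /bin/netstat, /usr/bin/last, /usr/bin/lastlog

# File inspection. Each cat entry names one exact file.
# A pattern such as "/bin/cat /var/log/*" is avoided on purpose: in sudoers,
# wildcards in command arguments also match spaces and slashes, so that
# pattern would permit reading any file on the system as a second argument.
Cmnd_Alias  AUDIT_FILES = /bin/ls, \
                          /bin/cat /var/log/auth.log, \
                          /bin/cat /var/log/syslog, \
                          /bin/cat /etc/sudoers

# No editors, pagers, shells or interpreters are listed: each of those can
# write files or start a root shell, which defeats the read-only intent.
# noexec additionally stops a permitted command from executing other
# programs (effective for dynamically linked binaries).
Defaults:SECAUDIT  noexec

# Record the output of every audited command so the audit is itself auditable.
Defaults:SECAUDIT  log_output

SECAUDIT  ALL = (root) AUDIT_PROC, AUDIT_FILES
```

Anything that needs changing on the system still goes through the administrators, as the comment above suggests.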
  • Should security officers have unrestricted access to everything on a network? A security officer with the ability to shut down servers, disable services, etc. scares the hell out of me and my coworkers.

    Well, she needs that kind of access if she is to become a proper BOFH [theregister.co.uk].

  • It goes back to Juvenal (a Roman) who wrote "Quis custodiet ipsos custodes" in "Satires, VI".

    Failure to look this up makes you a Juvenal delinquent.

  • Unfortunately in my experience the combination of a security person and net admin is a bad combination. I have heard of instances where 'security' has demanded that they have admin privs. Well, it was later found out that they wanted admin privs only to later add 'Network Admin' to their resume.

    And I have to agree with the following: Your auditor may in fact be 'legitimately' concerned and really be looking out for your company. In my experience that is a very rare occurrence.

    If you are the manager in charge of the admin group or have influence on the decision, vote against having the security people have the admin privs.
  • The security officer should not have root-equiv. access for the same reason that a sys. admin.'s login account should not have it. Further, if the intent is to have a checks & balances system to be able to audit you, the password used should be auditable. Generate it on a dot-matrix printer, so it isn't known to anyone (paystub-esque). Put that behind locked glass, so that there is physical evidence that the password has been compromised. This sounds extreme, but no one but an SA needs day-to-day access to any system.
  • I worked for Litton-PRC for a summer as an intern and my "Supervisor" got hired at the same time. He was a complete idiot. He knew *nothing* about anything. He always had his reference book by his side (which btw didn't help him at all) and would always do stupid shit I had to fix. He also had an inferiority complex.

    I feel your pain.
  • Security Engineers should have input with regards to the network they are securing which means that they will have to somehow get their hands "dirty" in order to do so.

    Good network administrators however should have some fundamental skills regarding security procedures and how to implement them without the need for a separate security engineer, however not all security flaws on a network are network or geek related. Social engineering plays a huge part as does law, encryption, etc., which is something most network administrators don't have time for.

    A security engineer should never though as stated in a post above have full blown access to everything as this itself compromises the security policy altogether should that security engineer become an enemy at some point.

    In essence they're like comparing oranges and tangerines, almost the same but not quite.
  • Please... tell me you got the zeros wrong... This stupid being I really hope I'll never meet - tell me he doesn't make 'over $150/hour' for being a lowly receptionist..
  • Thank you for clearing that up :)

  • Why do the Security Officers need this access?

    Is it so they can perform audits independent of the System Administrators? This presumes that the SysAdmins et al are covering up something. Unfortunately the same twisty logic makes a full-access Security Officer also a candidate for cover-ups.

    Stalemate.

    Or is it for quick response? "Lock that sucker out *now*!"

    If this is the case then there needs to be some sort of hotline set up where an on-duty/on-call SysAdmin is always reachable and is always able to respond quickly. This should satisfy the need-for-speed without compromising overall security.

    Or is there a reason to expect a large number of IS folks will be disappearing very soon? If that's the case then yes, the Security Officers may need to be able to lock many or all of you out of your (former) systems.

    In my past experience we've had a number of solutions. Security Officers were generally given access to any limited-rights "account creation/activation/suspension" accounts we had. This sort of thing is only available on some OS's in some configurations but it did solve a number of problems.

    I've also had emergency-strategies in place where anyone could call for a lockout. This was usually done via a call to the IS Help Desk where they would hand-run it to the appropriate SysAdmin (empowered to barge into meetings etc.) I've also had a backup strategy where an innocuous all-building PA message could be made to move a car with an unlikely-state's license plate. Upon hearing this every SysAdmin was to report in.

    Of course to expedite quick-response/quick-decision-making in off-hours the Security Office had access to our shift-coverage schedules, a quick-check responsibility-list and the departmental home-phone list.

    Aside from all of this bringing in outside folks to audit our systems was done irregularly, as was using new-hires as ad-hoc auditors before giving them extensive contact with their peers. Furthermore the folks assisting Security Officer in security audits were rotated randomly so there was less possibility of collusion or diversion.

    Honestly there are no good answers to the questions you pose. Any answers have to lie with why your company is *really* doing this and which eggs they wish to place in which baskets.

  • First of all you ask who I am. I'm a Contract IS Manager, I specialize in going into screwed-up places and fixing them. Generally when I come into an IS Department a couple things have happened (these are going to sound familiar):

    There's been a breakdown in communication. IS is on one track, management is on another, the general staff may be on a third.

    IS is oftentimes overworked / underpaid / has no time to recover from one crisis before lurching into another / feels they have no support from Sr. Management / starved for resources-training-staff-whatever / subject to unreasonable demands.

    On the other side IS oftentimes perceived as chaotic / unresponsive / a source of problems / often times their cure is worse than the cause / prima-donna whiners / poor customer-service.

    My job is to then come in, get folks talking, get folks talking constructively, get folks listening, get folks listening productively, identify communications problems and fix/work-around them, set policies, get folks to commit to those policies, get Sr. Management to commit to supporting IS, get IS to support the business needs, get everyone to be responsive to the users, ensure that SR. Management makes adequate resources available to IS, ensure that IS is and respects that it is accountable for its needs and responses, drum in to Sr. Management that if they want "world-class" (or whatever buzzword they're using) IS then they have to support it properly, drum in to IS that while critical to the business there are other priorities and yes things will not be perfect but folks have to work together and finally to bring peace to the world/get rid of the nasty fluorescent lighting.

    How's that for a run-on sentence?

    So yes, I've seen lots of bad situations and may have some insight into yours.

    Am I shocked by some of your responses: Yes. It's my job to build places that run well - yours is a great example of one gone bad. I just rarely hear someone quite so explicitly detail their problems while making it clear how unrealistic they've become.

    I'm not going to go through paragraph by paragraph how I disagree with some of your positions or with what you've done, there's no point to that and besides, I'm not getting paid. I'm not there, I've only heard one side of the situation and really, how could it matter?

    My advice? Get out.

    Seriously, you're not helping yourself or anyone else by staying. Don't go the martyr/loyalty route: They'd dump you in an attosecond if it made business sense, you do the same.

    Get the place in order. Document everything. Don't put it in files where other IS folks *should* find them, put the material in a single marked directory and printed out in a binder.

    Start looking for a new position and explain to your employer that you feel the time has come to move on, you're committed to making this a smooth transition both out of respect for them and your professional pride.

    Bring with you to the meeting your binder and explain that you've begun documenting systems & procedures and will need a series of regular meetings to ensure that the materials are clear and appropriate (this is to both remind your employer that cutting you loose today would be unwise and to demonstrate your integrity in how you're handling it.)

    DO NOT attempt to justify your actions, lay blame where it is due, point out the causes that brought you to this point, etc. You're now in effect interviewing for your next job; these folks don't mean anything to you beyond a good recommendation, a fine record to show your next employer and your own dignity. Attempting to change things now would just sabotage your own graceful exit and besides, probably wouldn't have much effect anyhow.

    The reality is you're angry, bitter, and burnt-out. They could send you for a month on an all-expense-paid vacation to a tropical paradise, give you a corner office and a staff of a half dozen, the truth is you're at the point when you walk in the door you're gonna grit your teeth and when you meet with folks you're going to have bitter memories.

    Get out, start fresh somewhere else, expand your horizons. After a month somewhere else you'll be amazed you stayed in your old place as long as you did.

    I know it sounds rash, my telling a stranger to quit their job but re-read your posting; you know you have to get out of there. The best thing you can do for yourself is escape the place, the best thing you can do for them is make way for someone else to fight the battles, highlight the problems, sink or swim.

    Save yourself.

    Good luck.

  • This is your freakin' BOSS! Heck, he's now part-owner of the company!

    Of course this person needs copies of every password and every account if only for the day you're not there (fired / quit / hit by a bus.)

    Sure they may screw up. Sure they may break things. You explain to them what's wrong and try to work it out. If they can't keep their fingers out of things then yeah, mebbe you should move on.

    In the meantime so what if the place is full of 133MHz boxes with 1GB HDs and Win95a: Do they get the job done? Would 150 spankin new 750MHz boxes with 20GB HDs and Win2K be worth the extra money right now?

    Can the company even afford the new boxes and the licenses and the rollout costs? Will it be cheaper than keeping what they've got in place for another year?

    Next what were you doing putting a *nix box in this environment without having some backups trained? There was a problem and your boss tried to fix it using the tools he knew. Yeah they were wrong, the question is does this technology belong there in the first place?

    Again we run into the fired / quit / hit by a bus problem. Sounds like without you they're screwed. Frankly that's a stupid position to put any company in and for that alone your employer should consider replacing you (and themselves too.)

    They need Windows skills - they've got 150 boxes of it and run the company on it. Then there's the one *nix box. Sure it required less cash investment up-front but it's odd-ball-out and apparently only one hostile employee knows how to run it.

    Most folks would replace that with some other Win-type box & solution to use the skills & technologies in-house. Then they'd get you to spend the next few weeks documenting the hell out of everything, including all passwords & accounts. Next bring a third party in to audit the place and come up to speed on your systems. Finally train someone else as the Jr.-Admin in case you're gone & to ease any future transitions.

    Frankly with your attitude you're not long for this place. If you don't quit it sounds like you'll soon be fired. You sound burnt out and hostile as well as overly-possessive of the company's assets. It's likely your boss was just doing all of this to prepare for the day your key-card no longer works.

  • Please feel free to take my "informative" mod point for yourself as you are more deserving of it for the first line of your post.

    Of course it'll have to be taken away from you again as "pun"-ishment for the second line.

  • Working as Security Engineer and having worked as network admin myself I can see both sides: For a proper security audit you need to be able to view each and everything - for which you usually need "full admin" access. As network admin you do not want anyone to change things - especially not without the net crew knowing what is happening.

    So when I do an audit I usually ask for a "supervised admin access". This is root access (usually a SUed shell) opened for me with a regular admin sitting behind my back, watching me. This way he can learn where to look and dig for security issues - and I can always ask about the whys and hows that usually crop up during an audit of a system.

    On the other hand a company-internal security officer will want to be able to "stop things" because of security reasons. Simple solution: the security (wo)man gets the okay from company management to give you orders to shut down this or that service or system, or to disable users because of security problems.

    This way security problems can be solved quickly (admins usually know the systems better than the security guy), and without further interfering with standard operations.
  • The security staff should be able to check everything, but change nothing. Grant them read-only administrator permissions. System administrators have security responsibilities, but they should be monitored.

    It is best to isolate various tasks, so failures at one level don't propagate through everything. One example of a failure is a network administrator deleting PC files, server files, and the backups are missing [computerworld.com] (verdict later set aside [computerworld.com]).

    Look at accounting procedures: the amount on checks compared to amount on deposit slip, compared to totals from clerks opening bill-paying envelopes, compared to amounts credited to people's accounts for payments, compared to number of envelopes given to the clerks who open the envelopes, compared to the total number of envelopes from the bill-payment P.O. box. Confirmations of confirmations.

  • ....or some equivalent.

    Security officers are good resources, in most cases. Problem is, they generally don't directly understand computing.

    So find yourself an Information Security expert. Get him to set some policy. Make him a display admin, at least - the ability to see anything out there.

    Be sure to find someone who knows how everything fits together, not just someone who is an auditing expert or an administration expert.
  • Quis custodiet ipsos custodes?

    Who shall guard the guards?
  • >Juvenal delinquent

    OUCH GROAN BAD
  • This could be a test, or just a clueless CSO.

    Either way, there is only one correct response:

    fuck off and die you ^W^W^W^W^WNo! Nobody gets full access to everything, and the only people with dangerous access have to prove themselves competent enough not to be dangerous.

    At some point in the future, you will be asked to justify your refusal. Start making a list of reasons, with a carefully written justification for each one. Cite some good examples. Ensure you don't have anyone in your org with unlimited access. Clean up your own act, in case this power crazy CSO tries to ream you for refusing. Make the justifications part of your written security policy.

    the AC
  • You're right to be concerned. I think someone in charge of security should be allowed to do any two of the following:

    1. Set policy as to who can access what.
    2. Monitor compliance with access policies.
    3. Have full access to anything.

    All three is a recipe for abuse, and 3 is questionable, period. There should, and must be, checks.

    For example, at the company I work for, the only people who should have full access to the network are the System Administrators. As a consolation, by policy they have no control over what the network equipment and servers do.

    Full access and full decision-making is a dangerous concept that should be avoided by policy. Not because it will or might be abused, but because it can, and without detection.

    Your security people have a right to full access to security logs and to have them be accurate. This is not the same thing as full access, which should not be required to have what they need. If they are not getting what they need, short of access, work to correct that, but you're right to resist this.

    --
  • Anyone remember a line written on the wall of Midgaard in any stock CircleMUD?

    There are words written on the wall here. They read "Who watches the watchmen?"

  • Sounds more to me like he's sick of fixing problems caused by other people's ignorance rather than overly-possessive of company assets. And that is a rather common complaint in my experience.

    Thank you. That's right. But there are a couple of other points:

    I get blamed when he screws up the system, so it's an act of self-preservation to help prevent him from doing so. For example, when our ISP went down, the Linux box would have automatically reconnected when our ISP came back up - if he hadn't decided it was broken and turned it off.

    While the horrified poster to which you're replying is right - I'm tired of him and my attitude does suck - I still like the guy enough to try to look out for him and do what's best for him. Giving him a placebo root is honestly best for him.


  • You know, I really can't get over how offended you are by this. I appreciate your concern for this; however, please give me, a fellow Slashdot reader, the benefit of the doubt.

    This is your freakin' BOSS! Heck, he's now part-owner of the company! Of course this person needs copies of every password and every account if only for the day you're not there (fired / quit / hit by a bus.)

    Yes. But Pat also feels that he can do anything, and frequently attempts to.

    We have a manufacturing facility in the rear of our building. And this is a man who decided that he could machine a part for one of our products faster than our expert machinist - just to prove to our machinist how things are done. Pat didn't remove his tie while standing at the lathe. Fortunately, after the lathe dragged him in by his tie, the tie tore before he got sucked into the lathe. His only injury was a bruise on the back of his neck.

    Two weeks later, wearing a tie again, he was trying to show Renzo how to use the lathe.

    The same sort of thing occurs around here with industrial electrical control systems, accounting systems, record keeping systems and computer systems.

    This is what I am dealing with.

    Sure they may screw up. Sure they may break things. You explain to them what's wrong and try to work it out. If they can't keep their fingers out of things then yeah, mebbe you should move on.

    I'm working on it. (Moving on.)

    Under Litton, there was stability: Pat couldn't do more than a given amount of damage without the corporate structure coming down on him. Pat was controlled. But because he now owns the company, he's outta control.

    When we were Litton, the company was fun to work for. I was travelling all over. There were opportunities for promotion. I was proud to tell people the name of the company that I worked for. Now all that's gone: I have no reason to grin and put up with Pat. Except a bizarre loyalty towards the guy. I do like him. He is, honestly, a good guy, with nothing but the best of intentions, a great work ethic, but no ability to delegate, or know when he's in over his head. I've had enough.

    There's more, but it involves information of a proprietary nature, specifically related to Pat, that I'm sure Litton wouldn't want me to talk about.

    In the meantime so what if the place is full of 133MHz boxes with 1GB HDs and Win95a: Do they get the job done?

    If they didn't crash all the time, absolutely. We have a couple of machines that run AutoCAD and Mechanical Desktop, but those are the only higher-end machines that we need.

    As for them crashing all the time, yeah, well, as you use Windows, you install applications. You uninstall applications. You crash the computer and damage the filesystem. You mix versions of system DLLs. And you're dealing with a version of Windows that's not known for the dubious honor of being Microsoft's most reliable.

    Formatting and reinstalling the operating system (with the imperfect but far more stable Windows 95B) and reinstalling all the applications would be a low cost boost to productivity. It could easily be done every time a position turns over, and since the machines are mostly standardized, could even be done with a script like OEMs use.

    Would 150 spankin new 750MHz boxes with 20GB HDs and Win2K be worth the extra money right now?

    Hell, no.

    Will it be cheaper than keeping what they've got in place for another year?

    Hell no. Besides, you don't depreciate computers as a capital expense over one year, unless you're doing something that needs a hell of a lot of power. You depreciate them out over two or three years, and then pat your IT guy on the back when he nurses 5 years and counting out of them.

    Even so, with a simple format and reinstall of Windows 95B and the existing applications, they'll do the job for the foreseeable future. They're great little Dell Optiplex machines, reliable, never seem to need anything more than a new power supply fan every now and then. Most of our applications are fairly old, and a lot of them are proprietary and were written in the early days of the 486, so there's not much upgrade path.

    Next what were you doing putting a *nix box in this environment without having some backups trained?

    Small company. No backup admin. Hell, the man's too cheap to buy anything more than a P100 as his domain server. (But it performs flawlessly, despite the slow CPU.) The guy won't even let me spend the time to set up a separate 486 machine that we have kicking around as our firewall: currently, the firewall (ipchains) and mail/DNS/webserver/etc. are in the same machine and are therefore relatively vulnerable.

    The problem would have been the same if we'd been using Windows NT/2000/etc. as our server. The only one he might have been able to muddle through (with reboot after reboot after reboot before figuring out that the DSL modem is unplugged) is Windows 95. And we all know what a great firewall and robust server O/S that is.

    There was a problem and your boss tried to fix it using the tools he knew. Yeah they were wrong, the question is does this technology belong there in the first place?

    Probably not. But while I'm going to be forced to manage that which we apparently cannot handle, and I'm going to take the blame when something goes wrong, and no one is going to provide me with a budget for assistants to be around when I'm doing my other job functions, *I* will decide who gets the root password. Because it's coming down on my neck anyway; I'd prefer to only have *real* problems come down on my neck, not those caused by a bored boss with an open telnet window.

    Again we run into the fired / quit / hit by a bus problem. Sounds like without you they're screwed.

    This is true. The person who would have backed me up has a lower bullshit tolerance than I do, and quit six months ago. I've asked if I can hire a replacement and had it denied many times.

    Frankly that's a stupid position to put any company in and for that alone your employer should consider replacing you (and themselves too.)

    Linux was chosen over the only O/S Pat or the other staff could have handled, Windows 95, for the obvious reason that Windows 95 isn't much of a server. At the time, it wasn't a problem, there was someone else in the building who knew Linux. And, as it is, we chose Linux over FreeBSD because it's relatively easier to support.

    Things have changed. The server is up and running. Replacing the server at the whim of staff turnover is not practical or wise.

    Finally, I'm not irreplaceable. Virtually anyone who is likely to read this reply to you could probably sit down in front of the machine, hit the reset button on the front panel, and type "linux 1" just after the LILO prompt. So if I'm hit by a bus and someone puts in a DOS diskette and fdisks the hard drive, it's not my fault. I haven't done anything that requires any more than basic Linux skills to adjust.

    Similarly, if your network card is halting the system when Windows 95 is starting up, and you format the hard drive because you don't know that you could have hit F8 to start up in safe mode and repair the problem, are you at fault for attempting to administer a system with which you're unfamiliar, or is it the IT guy's fault for choosing the wrong O/S?

    They need Windows skills - they've got 150 boxes of it and run the company on it. Then there's the one *nix box. Sure it required less cash investment up-front but it's odd-ball-out and apparently only one hostile employee knows how to run it.

    Right. And a Netware fileserver. No one here knows anything about Netware. (I can set up the Netware client in my sleep, but the server was not to be touched.) The Litton guys administered it remotely, and very protectively, before we were sold off. And, as I indicated, the other guy who knew *NIX wrote his resignation (which was exactly four words long and faxed in) six months ago, just a couple of weeks after Litton sold us off and the place went to hell.

    Most folks would replace that with some other Win-type box & solution to use the skills & technologies in-house.

    That issue has been broached when I've suggested that I hire someone else to serve as my backup and assistant. However, if I can't even get funding for a copy of Windows 2000 and a fast enough box upon which to run it, am I gonna get the assistant? Sadly, it's all moot: no one knows Windows 2000/NT. Except me. It would be exactly the same problem as the Linux box.

    Hell, I'm probably one of only two people in the whole building who knows what DHCP stands for, though I'm sure most of them could set their computers not to use it if I instructed them how.

    Does that give you some idea?

    Then they'd get you to spend the next few weeks documenting the hell out of everything, including all passwords & accounts.

    That's done. I keep it hidden in a place where Pat won't find it, so that I can give it to him when I leave.

    However, it's well enough hidden that Pat won't find it in the unlikely event that I get hit by a bus: that will require someone with the skills to type "linux 1" at the LILO prompt. Not tough. All the usernames and passwords are in a clearly labelled text file in /root/. That information is part of my backup cycle as well, so it's duplicated elsewhere. And yeah, passwords in plain text in my machine are probably a bad idea, but a "l337 hax0r" still needs root access to get at them. By the time someone's broken in and gotten root access, I think my user accounts will be the least of my worries.

    Next bring a third party in to audit the place and come up to speed on your systems. Finally train someone else as the Jr.-Admin in case you're gone & to ease any future transitions.

    Yup.

    I grow weary. You know, by now, why that ain't happening.

    Frankly with your attitude you're not long for this place.

    That's true. My attitude sucks. I've been under incredible pressure, working like a magician pulling increasingly large rabbits out of decreasingly large hats, staying with the company out of a bizarre loyalty to the source of my torment, despite the fact that I get better offers every day.

    I finally got my first facial tic this week. Some muscle above and a little to the side of my left eye ticks spontaneously whenever I think of the office.

    I get pounding migraine headaches on Sunday nights. I experience feelings of euphoria as Friday appears closer on my calendar.

    Though I'd managed to quit smoking, I've been buying John Player Specials. JPS. Black death. Health Canada advises that they have 1.5mg of nicotine per cigarette. I've been chain smoking them. One after another. I detest my own personal odor and the yellow stains all over my hands and teeth.

    How would you feel?

    If you don't quit it sounds like you'll soon be fired. You sound burnt out and hostile

    Yup.

    You're perceptive enough almost to be a personnel manager; however, your overall tone this entire time has been that the source of my problems is me. In my experience, personnel managers are more savvy and experienced in office politics than that. So, what do you do; what is your angle that gives you the bizarre viewpoint that doesn't understand that the position that I am in is, in fact, possible?

    as well as overly-possessive of the company's assets.

    Yeah. Well, I'm responsible for keeping them working. I get blamed when they don't work. Therefore, I will protect them, until I will no longer be blamed for downtime.

    It's likely your boss was just doing all of this to prepare for the day your key-card no longer works.

    He still hasn't read the book on Linux that I gave him for Christmas.

  • I worked for Litton-PRC for a summer as an intern and my "Supervisor" got hired at the same time. He was a complete idiot. He knew *nothing* about anything. He always had his reference book by his side (which btw didn't help him at all) and would always do stupid shit I had to fix. He also had an inferiority complex.

    Oh, that's Pat, all right. But I don't attribute that to Litton at all: he was acquired almost accidentally by Litton.

    I loved working for Litton - my experience with the company was basically the polar opposite of yours. I had the privilege of working with some of the best people you could imagine. Leaders in their fields, who accepted and embraced my unique and eclectic skills and talents.

    Pat was always there, but his influence was diluted by other people.

    No sir, I'd be back at Litton in a second, even in a less interesting capacity than what I had. There's always something exciting happening at that company - like the current Northrop-Grumman potential merger.

    And, I've been around electronics all my life; computers and analog electronics have always been passions of mine. Litton is one of the most prestigious names in the industrial/military electronics field, so every time I'd pull into the parking lot and look up at the big blue letters, it made me feel good. I couldn't wait to start my day.

    I feel your pain.

    Ugh. You know it, all right. Thank you.


  • Please... tell me you got the zeros wrong... This stupid being I really hope I'll never meet - tell me he doesn't make 'over $150/hour' for being a lowly receptionist..

    Oops. No, I'm sorry, I guess I was unclear.

    Pat is the general manager of the company.

    Actually, to be entirely correct, since we got sold off from Litton, he's the president and owns a sizable percentage of the business.

    And while I like the guy, my respect for him is waning: though he's a take-charge kind of guy, he has no idea how and when to delegate, and will instead spend hours tinkering with crap like the receptionist's computer instead of getting someone cheaper (and more qualified) to take care of the situation.


  • I know it sounds rash, my telling a stinger to quit their job but re-read your posting; you know you have to get out of there.

    I know. But woah, I agree 100% with everything that you have said there... actually, I didn't expect that.

    The best thing you can do for yourself is escape the place, the best thing you can do for them is make way for someone else to fight the battles, highlight the problems, sink or swim.

    I agree. I doubt my successor's failures will change the modus operandi at all, but one can only hope.

    One of my personal weaknesses is that I have a very hard time walking away from an unsolved problem. And yet, there are times when a given problem can't be solved and you can ruin yourself by trying obsessively.

    Case in point: you know those little computer-generated stereoscopic images that you stare at and eventually an image allegedly jumps out at you?

    Not kidding, I once spent 9 hours staring at one. Wasted a Saturday: I never saw the image.

    This is like one of those.

    Save yourself.

    Thank you. I will. I'm sure that I'll be fine. As it is, this is taking years off my life. Fortunately, I have loads of professional references and accolades.

    Good luck.

    I'm going for an interview tomorrow. Looks like a promising prospect, only a few minutes from Church and Wellesley(yay!), and 15 minutes from home. I interview well, so I expect that it's mine if I want it (ie. if I like the people).

  • Finding a CISSP, CISA, or other won't cut as much as you think it would. See, exams are just that, an exam: you study, study, study, but that does not profess your knowledge on the subject. I've met plenty of people with certifications in just about everything who had no real world experience, or lacked the knowledge with experience. Sure, the CISSP has a five-year clause on who can take the test, which means you're going to find someone skilled in a variety of security-based settings: could be encryption, could be medical management, could be forensics. That does not mean they understand networking.

    Now those with multiple certifications are the good ones, e.g. CCNA + CISSP = Security Engineer with Networking Experience, CISSP + CISA = nice security auditor.

    There are a lot of variables to consider with this question, but the best solution would be for the Network Admins to work along with the security engineer to facilitate the scope of security and engineering on the correct level, not just security and not just networking.

  • by Anonymous Coward on Tuesday February 06, 2001 @03:48PM (#451104)
    Under NO circumstances should any individual with auditing power be individually IN power of all the systems protected by auditing. In my own organisation the auditing is performed by a three team-member group. Network admins are not permitted to be in that group.
    Network administrators have more than enough power to falsify audit trails in any network environment - adding professional auditing skills to that person is effectively making them GOD or SATAN (and that distinction may be found only the hard way.)
    I strongly advise that this individual's powers be curtailed - this person can be your worst nightmare. Demotion, promotion beyond hands-on or termination may become your hardest choices.
    Beware a power-hungry (ab)user.
    Aside from all this rant, your auditor may in fact be 'legitimately' concerned and really be looking out for your company. In my experience that is a very rare occurrence.
  • by unitron ( 5733 ) on Tuesday February 06, 2001 @10:21PM (#451105) Homepage Journal
    "Who will watch the watchers?" goes back to the ancient Greeks or Romans, I'm just too lazy to dig up the exact details at the moment.
  • by CharlieG ( 34950 ) on Wednesday February 07, 2001 @11:42AM (#451106) Homepage
    I don't know of any bank which allows any person, even the president, full access to everything. There has to be a system of human checks and balances whenever there is something of high value to be protected.


    You are SO right it's not funny. I've done a bunch of development work for a couple of banks. I'll tell you a typical setup


    We had three identical systems

    1. Development
    2. Test
    3. Production


    The Development group had Read/write to the development server, and full read, and VERY limited write permissions to test - we could put stuff in a drop box. We had LIMITED read privileges on the production servers - like WHO was on the server, and what the bin files looked like, so that we could audit the system, but NOT the data - we could NOT read the data


    The Production admins had read only permissions on the development server (again, admin reasons), could read/write to the test server, BUT had read only to the drop box, and were full admins on the production box.



    ANY changes made to the software were tested fully on the development box, and a script was written to apply these changes to the test/development boxes. A copy of the production database from the PREVIOUS month was loaded on the test database, and the script applied. ALL the transactions for the previous month were entered, and if the results on the test box matched the results for end of month on the production server, THEN, and ONLY then would the production admins take the script from the test box, and apply it to the production server. We would then audit production against test, to make sure that no one changed the script.



    You know, it's fairly easy to talk bosses into this when they know that if they screw up, they will be spending time behind bars
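
The promotion process described in the comment above, as an added sketch that is not part of the original post or any bank's actual tooling: it models the role/environment permission matrix, the previous-month replay gate, and the post-deployment audit of the script. The right names (`dropbox-write`, `limited-read`, and so on), the use of SHA-256 to compare scripts, and the account balances are assumptions made for illustration.

```python
import hashlib

# Rights per role and environment, transcribed from the comment above.
# Right names are assumed labels. "limited-read" = who is logged in and
# what the binaries look like, never the data.
PERMISSIONS = {
    "developer": {"development": {"read", "write"},
                  "test": {"read", "dropbox-write"},
                  "production": {"limited-read"}},
    "prod_admin": {"development": {"read"},
                   "test": {"read", "write", "dropbox-read"},
                   "production": {"read", "write", "admin"}},
}

def allowed(role, env, right):
    return right in PERMISSIONS.get(role, {}).get(env, set())

def digest(script: bytes) -> str:
    # SHA-256 is an assumed way to compare scripts; the comment names none.
    return hashlib.sha256(script).hexdigest()

def replay(snapshot, transactions):
    """Re-enter last month's transactions on a copy of last month's opening balances."""
    balances = dict(snapshot)
    for account, amount in transactions:
        balances[account] = balances.get(account, 0) + amount
    return balances

def promote(script, submitter, applier, test_result, prod_month_end):
    """Gate a change script from the test drop box into production."""
    if not allowed(submitter, "test", "dropbox-write"):
        return False, "submitter cannot write to the drop box"
    if not (allowed(applier, "test", "dropbox-read")
            and allowed(applier, "production", "write")):
        return False, "applier cannot take the script into production"
    if test_result != prod_month_end:
        return False, "replay on test does not match production month end"
    return True, digest(script)  # digest of the script that was tested

def audit(auditor, approved_digest, script_on_production):
    """Post-deployment check: did anyone change the script after testing?"""
    if not allowed(auditor, "production", "limited-read"):
        raise PermissionError(f"{auditor} cannot inspect production")
    return digest(script_on_production) == approved_digest

def can_ship_alone(role):
    """True if one role could both submit a change and apply it to production."""
    return (allowed(role, "test", "dropbox-write")
            and allowed(role, "production", "write"))
```

With this matrix `can_ship_alone` is false for both roles, which is the separation of duties the comment describes: a change reaches production only when a developer submits it and a production admin applies it.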


  • by anticypher ( 48312 ) <[moc.liamg] [ta] [rehpycitna]> on Wednesday February 07, 2001 @09:11AM (#451107) Homepage
    It sounds like your "security" officer got the job without any formal training in a true security background. In any large organisation, no person should have absolute power. Powerful functions should be divided up between different people to prevent any lone individual from harming too much of the system.

    One of the basic rules of security, whether it is handling cash or running a network, is the separation of duties. I don't know of any bank which allows any person, even the president, full access to everything. There has to be a system of human checks and balances whenever there is something of high value to be protected. If she doesn't understand this, try to make it clear to her superiors that her request is so completely off the scale it makes her the biggest threat to the company.

    I'm going to spread some follow-up comments around other threads about the competency of a security officer. The only people with root/admin/enable access should be those who have demonstrated a strong skill and professional understanding of each system. Your unix admins should not have router passwords, and so on.

    the AC
  • by Kefaa ( 76147 ) on Tuesday February 06, 2001 @06:11PM (#451108)
    If you did not sound so serious, this almost seems like a test you would be given by your security people. Who will you give access to...?

    I hope you said "Sorry. No can do..." Giving the security office access to everything implies that "security" will not be a risk. This goes with the same logic that police don't commit crimes. While generally true, there are exceptions and they are caught by the process. The process says one person cannot do everything or there is no security.

    Perhaps she does not understand enough to know what permissions she may need. Find out what she thinks sysadmin will give her that cannot be done in some other fashion.

  • by unitron ( 5733 ) on Tuesday February 06, 2001 @10:26PM (#451109) Homepage Journal
    Tell her that's fine as long as you get keys for every lock, schematics for all the surveillance and alarm systems, et cetera. Tell her you wouldn't *dream* of abusing your new powers.
  • by BigBlockMopar ( 191202 ) on Wednesday February 07, 2001 @06:58AM (#451110) Homepage

    Should security officers have unrestricted access to everything on a network? A security officer with the ability to shut down servers, disable services, etc. scares the hell out of me and my coworkers.

    I envy your problem. I really do. Because I have similar problems, but I think the scope may be a little different.

    My boss, the General Manager of my company, has entrusted me with ensuring that we have Internet access. Mail, website, connectivity for users, etc.

    We have some accounting software running on the Windows machines around the office that requires a $60 license fee every time you reinstall it. Criminal, okay. But that's the agreement that was made (by him) with the software vendor.

    Most of the machines around the office are aging Dell Optiplex Pentium 133s. 1 gig hard disk drives, mass-installed Windows 95A. Flakey to begin with, downright unusable with several years of OS decay.

    So, the machine that belongs to our receptionist went down. Windows has done its trademark self-corruption. And Pat's the ultimate do-it-yourselfer. Rather than calling me, he figured he'd fix her machine. Instead, he managed to make it blue screen and halt on startup. Then he spent 10 hours - I counted - playing with the machine, copying files, copying even the entire registry off another machine, back and forth until the thing started up with a minimum of accusatory dialog boxes.

    Now, Pat makes over $150/hour. So, minimum, it's cost the company $1,500 to not have to pay a $60 license fee. And the machine is still running Windows 95A, it's still as unstable as all hell. And now, there are ten "Missing File" warnings when the system starts up. At this point, I flatly refuse to touch it until I'm given permission to format the drive and reinstall Windows (95B this time).

    And now Pat wants root access on our Linux server. Why? Because no one should have root except him. No one should be able to read his private e-mail but him. (Like I care to read his private e-mail.)

    An IT guy from our (former) head office was visiting one day as our division of the company was sold and we were being disconnected from the WAN. While we were talking, Pat decided to show me up in front of the other IT guy.

    "Do you really think that the President of this fucking company has an e-mail account that can be looked at by any junior IT person?"

    Steve, the corporate head office IT guy, had had enough. He didn't care, Pat was no longer his boss. He just cracked up at Pat, and told him that he'd extricated choking attachments from the president's e-mail account a couple of times. Even so, Pat remained unconvinced.

    To shut him up, I gave him a shell account. Evidently, I didn't give him root, but I told him that I did. Of course, the dollar sign at the prompt wasn't a tip-off; I didn't think it would. A couple of days later, I checked his history file. The results were predictably amusing:

    1 dir
    2 dir c:
    3 win
    4 cd windows
    5 scandisk c:

    At approximately this time, the log files show that the filesystems were forcibly unmounted and the system rebooted. A minute after the reboot, Pat logged in again:

    6 dir
    7 win
    8 WIN!
    9 what the fuck is wrong with this piece of shit!
    10 WINDOWS
    11 sCANDISK

    After this, the system went down again, and remained down because it was "broken", until I arrived back in the office from a meeting with some of our customers. When I walked into the office, he started screaming at me about how unreliable the computer was.

    In fact, there was no problem with it at all, it had been working fine; our ISP had gone down briefly, and when our service was therefore interrupted, it was assumed that the server was at fault.

    It had already been explained to Pat that this machine was neither running DOS, nor was it running Windows, and that commands for those didn't work.

    Now, not knowing how your security officer is, I don't know how I'd feel about giving anyone access. If I'm the one who is gonna take the fall if the system goes down, no one gets administrator access but me. Period.
