Aberdeen Group: The Insider Threat Benchmark Report: Strategies for Data
Protection:
http://www.aberdeen.com/summary/report/benchmark/RA_Insiderthreat_SQ_2504.asp
For several years, enterprises have been inoculating their information systems from external attack. But now, they’re turning their attention to employees, consultants, partners, or suppliers who may inadvertently or intentionally leak confidential company and customer information.
To that end, Aberdeen believes organizations will continue to expand their use
of select technologies and processes to address the risk of insider threats.
----------
Is it the use of Microsoft products ....or the deployment of the
products on top of a traditionally backwards compatible infrastructure
that drags along behind it years of legacy bits?
It is stated that 'nix products are more secure both from the fact that
they have not 'by design' had root as their normal deployment means and
that they have more tech savvy users/admins.... are Windows admins
[obviously count me in this aggregation and leave you guys out of this
head count] less tech savvy, more GUI loving [that's me!] and thus don't
design with security from the ground up? Or is it that the foundation
they are building on, never is 'from the ground up' in the first place?
joe wrote:
No sorry, just the normal someone trusted betrays the trust. I wasn't trying
to intimate that any MS or NSA official can go in and type "Blue Cows jump
over pink moons" and be magically in. I can't authoritatively say that that
isn't in there, but I would tend to not lean towards a conspiracy theory
there.
My thoughts on the subject are that if someone truly needs something locked
down without fear of a break in that trust chain, I don't feel you are going
to get it with the MS products alone.
Obviously the number one goal is to get someone you can trust implicitely to
always do the right thing for the company and protect it at all costs.
Unfortunately it is getting harder and harder to get that as employees learn
that they can't trust the companies to do the same and at the same time they
are payed poorly until their jobs are shipped to some other country or
eliminated entirely for profit increase. Combine that with the availability
of info when some group of folks in a company do get screwed and they are
willing to share the details. This has people looking out more and more for
themselves. Depending on how they resolve that internal conflict based on
how they were raised and what is going on in their life and how mistreated
they have and a million other things, they may be ripe for corruption or
not. Hey why not, screw the company before the company can screw you. In the
last year, how many companies have dropped 10,000 or more people in layoffs
and cuts? What impact does that have on the remaining workforce?
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of steve patrick
Sent: Wednesday, January 25, 2006 11:19 AM
To: [email protected]
Subject: Re: [ActiveDir] OT: Encrypting shared folders
I agree, just as someone with ample access to a DC can access data they
should not have access to.
Any CA should be as secure ( if not more ) than a DC. This is why there are
actual hardware modules (HSM's) which use physical keys to access CA's.
This is the same reason an offline root CA is locked away in a vault with no
network access whatsoever.
Those who do not take proper precautions on sensitive data will always have
issues. I thought that Joe meant there was some other way to get at EFS in
a domain based environment. Its a common belief there is some magic
backdoor. There are issues with key management, I'll be the first to admit
that.
But to infer some level of insecurity based on vague statements .....I just
wanted some clarification.
steve
----- Original Message -----
From: "Brian Desmond" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Wednesday, January 25, 2006 7:48 AM
Subject: RE: [ActiveDir] OT: Encrypting shared folders
Someone with ample access to an AD Integrated CA can issue themself a
Recovery Agent cert which will decrypt EFS stuff that they don't already
have access to.
Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132
________________________________
From: [EMAIL PROTECTED] on behalf of steve patrick
Sent: Wed 1/25/2006 10:14 AM
To: [email protected]
Subject: Re: [ActiveDir] OT: Encrypting shared folders
Interesting viewpoint Joe,
Care to expand on this specific to EFS?
steve
----- Original Message -----
From: "joe" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Wednesday, January 25, 2006 6:22 AM
Subject: RE: [ActiveDir] OT: Encrypting shared folders
One good need for this is to block out server admins from sensitive data
on
servers. In that case, it is probably best to get away from any MS tech
for
the protecting of the data due to the get out of jail cards that are inate
in most MS seurity mechanisms whether we are aware of them or not.
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, January 25, 2006 3:31 AM
To: [email protected]
Subject: RE: [ActiveDir] OT: Encrypting shared folders
I would ask first - 'why do you think you need to encrypt files, when they
can be protected using NTFS permissions?'
To enter the land of PGP and/or EFS may imply the need for a PKI which is
a
huge undertaking.
neil
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA
aka Ebitz - SBS Rocks [MVP]
Sent: 24 January 2006 17:11
To: [email protected]
Subject: [ActiveDir] OT: Encrypting shared folders
Since there's more big server land people, can you indulge this question?
What do you do for encrypting files up on a share?
On standalone devices I use EFS or PGP.com but I've yet to deploy a
"ADaware" network solution.
Susan
--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
PLEASE READ: The information contained in this email is confidential and
intended for the named recipient(s) only. If you are not an intended
recipient of this email please notify the sender immediately and delete
your
copy from your system. You must not copy, distribute or take any further
action in reliance on it. Email is not a secure method of communication
and
Nomura International plc ('NIplc') will not, to the extent permitted by
law,
accept responsibility or liability for (a) the accuracy or completeness
of,
or (b) the presence of any virus, worm or similar malicious or disabling
code in, this message or any attachment(s) to it. If verification of this
email is sought then please request a hard copy. Unless otherwise stated
this email: (1) is not, and should not be treated or relied upon as,
investment research; (2) contains views or opinions that are solely those
of
the author and do not necessarily represent those of NIplc; (3) is
intended
for informational purposes only and is not a recommendation, solicitation
or
offer to buy or sell securities or related financial instruments. NIplc
does not provide investment services to private customers. Authorised and
regulated by the Financial Services Authority. Registered in England no.
1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand,
London, EC1A 4NP. A member of the Nomura group of companies.
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
