Hi Daniel:

        We keep making the assumption that these companies and organizations 
are set up correctly, perfectly, with security policies that are air tight and 
bulletproof. We keep forgetting that humans run the show. 

        The only place where I've worked recently that had extensive security 
policies, extremely complex security requirements and a lot of personnel churn 
was Afghanistan. I spent five years over there as one of those dirty, lower 
than a snake's belly, money grubbing, war profiteering, unpatriotic, mercenary, 
contractors and as a systems administrator, pretty much had the keys to my 
portion of the kingdom.

        The green suiters would rotate in and out as units for the most part 
and we didn't have much trouble with their permissions as they were pretty much 
assigned to one location, and one set of security groups. The other 
contractors, on the other hand, were likely to bounce from location to location 
around the country, or the theater. It wasn't unusual to get someone assigned 
to my location that had security permissions from three locations ago still 
assigned to their accounts. Sometimes it was easy to get those permissions 
removed, sometimes a pain. But for the most part, having the permissions to 
access a resource didn't cause a security breach since the network wouldn't 
route to resource A from location B.

        That's why we have multiple layers of security. It's called defense in 
depth.

        Then again, that doesn't stop some people from doing extremely brain 
dead things, like air gapping top secret information onto a network cleared for 
a lower classification of material.

        Oh, to the list, you can get contractors to be key players in the 
organization. You need to get them to buy into the seriousness of the mission 
and how important they are to the overall success of the organization. While 
assigned to a Forward Operating Base, if the comms that my team was responsible 
for went down, people died. It was that simple. We made sure that comms stayed 
up. Sometimes what we went through to keep them up wasn't pretty, but the comms 
stayed up. And my three man team were all contractors.

John Matteson.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On 
Behalf Of Daniel Chenault
Sent: Sunday, September 01, 2013 8:50 PM
To: [email protected]
Subject: Re: [NTSysADM] Re: Finally.

I find I have to side with Kurt although that is not to be seen as negating 
your own valid points Ken.
The NSA is a special case as regards computing and security compared to what 
the vast majority of us are used to in our work-a-day world. I do expect an 
extreme level of security. I do expect a strict definition of who is allowed to 
do what and account permissions being created accordingly. I do expect that the 
person in charge of the computing side be an employee and well-versed in the 
technology being used.
I also expect to win the lottery any day now. Man I'm tired of being 
disappointed!
That latter point is likely the aspect that got violated. If I were the head 
sys dude in that environment, the one with full admin rights everywhere, the 
only person who would have equivalent rights would be my boss and both my 
account and his would be 100% logged and archived to be examined by the 
security wonks (I'd have a separate user account for my regular activities). 
Every single account below me would be restricted to only what was needed for 
them to accomplish their assigned tasks and not one bit more.
But that's just me. YMMV

-----Original Message-----
From: Ken Schaefer
Sent: Sunday, September 01, 2013 7:21 PM
To: [email protected]
Subject: RE: [NTSysADM] Re: Finally.

Yes, I think it does.

Small orgs are much more agile than large enterprises:
- it's easy/easier to gather requirements,
- requirements have fewer conflicts (because there are fewer stakeholders)
- they don't tend to work 24x7 or require 5 9s uptime, so things can be 
shut down, upgraded, replaced, migrated with relative ease

The bigger and the more "information heavy" the enterprise is, the less agile 
it becomes in terms of remediating older systems. Many of the projects for the 
bank I work for (as a touch point) register hundreds of dependencies - some 
over a thousand. Just moving a data centre (as an example) is a 42 month 
exercise. Sometimes things get missed.

I personally haven't run into any security architects at any of the large 
accounts I've worked at that have your level of confidence in the systems and 
processes that they have in-place. So, either they're incompetent (possible - 
I'll give you that), or the problem is more complex than you make it out to be.

Personally, I think security in non-trivial environments is hard: how do I vet 
every piece of code coming into my environment? How do I audit it continuously? 
How do I make sure that no one's restored a backup somewhere? 
How do I know no-one's tapped my network? A business user hasn't mis-applied 
permissions to an application? Etc. How do I do all of this in a timely manner, 
so that I close the holes before they're exploited? There is no silver bullet 
that solves this - which is why everyone's still struggling and we still have 
incidents.

Even in well run organisations, using technology largely from a single vendor, 
there are still outages and things that go wrong (e.g. Microsoft's Azure storage, 
or the recent O365 outage). I agree that sometimes people do stupid things - 
I'm sure that happens in small environments too. But in big environments, even 
with the best intentions, smart people and good processes, things still go 
wrong.

Cheers
Ken

-----Original Message-----
From: [email protected] [mailto:[email protected]]
On Behalf Of Kurt Buff
Sent: Monday, 2 September 2013 9:52 AM
To: [email protected]
Subject: Re: [NTSysADM] Re: Finally.

Nope. Does that matter? Well, I suppose you think it does, but I doubt it. 
With scale should come resources, and the NSA obviously does have resources, 
including people with far more training, and who of whom are smarter, than me.

There are no excuses for this.

Kurt

On Sun, Sep 1, 2013 at 4:25 PM, Ken Schaefer <[email protected]> wrote:
> You've designed "more secure" systems at scale (40K+ employees) in an 
> information heavy organisation (bank, accountancy etc.)?
>
> Cheers
> Ken
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Kurt Buff
> Sent: Monday, 2 September 2013 4:01 AM
> To: [email protected]
> Subject: Re: [NTSysADM] Re: Finally.
>
> Aside from reading all those Le Carre novels?
>
> I've already designed more secure systems than were obviously in 
> place, as have many people on this list, perhaps including you.
>
> Kurt
>
> On Sat, Aug 31, 2013 at 7:35 PM, Ken Schaefer <[email protected]> wrote:
>> And what are your qualifications/experience, that allow you to make 
>> such a call? (I’m assuming that you have no inside knowledge of how 
>> the NSA works, and are relying on the public speculation/allegations 
>> at el Reg etc.)
>>
>>
>>
>> Cheers
>>
>> Ken
>>
>>
>>
>> From: [email protected]
>> [mailto:[email protected]]
>> On Behalf Of Kurt Buff
>> Sent: Sunday, 1 September 2013 12:03 AM
>> To: [email protected]
>>
>>
>> Subject: Re: [NTSysADM] Re: Finally.
>>
>>
>>
>> On the evidence, absolutely.
>>
>> For an intelligence/espionage operation to be so thoroughly pwned 
>> because of such amazingly poor internal operational security, there 
>> can be only one conclusion - management responsible for internal 
>> security should be fired.
>>
>> I'm just glad they weren't, and I hope that what Snowden took is 
>> enough to bring them down, and that it's all revealed to the public.
>>
>>
>>
>> Kurt
>>
>>
>>
>> On Sat, Aug 31, 2013 at 4:20 AM, Ken Schaefer <[email protected]> wrote:
>>
>> So, you’re saying that the feared NSA, which has a bunch of 
>> un-discovered rootkits, which is able to undertake some of the most 
>> advanced espionage in the world, is managed by idiots? Seriously?
>>
>>
>>
>> From: [email protected]
>> [mailto:[email protected]]
>> On Behalf Of Jon Harris
>> Sent: Saturday, 31 August 2013 6:17 AM
>> To: [email protected]
>> Subject: RE: [NTSysADM] Re: Finally.
>>
>>
>>
>> Generally what I have seen in state (Florida) organizations is that 
>> they don't like promoting anyone but a moron into supervisory positions.
>> Occasionally someone will make a mistake and promote an intelligent 
>> person but not often.  I would suspect this is the case with the Feds 
>> as well (worked with them too).  Several times I have seen them hire 
>> those with less brains and longer tongues and large lips over those 
>> with brains.  As long as this keeps happening then we will continue 
>> to see this happen.  It will be a long time before they get rid of 
>> all the defective management personnel as I would think private 
>> companies would have little to gain by keeping them (maybe why they 
>> seem to concentrate in public jobs?) and in a government job it is 
>> MUCH harder to get rid of them.
>>
>> Jon
>>
>>
>> ________________________________
>>
>> Date: Fri, 30 Aug 2013 14:34:15 -0400
>> Subject: Re: [NTSysADM] Re: Finally.
>> From: [email protected]
>> To: [email protected]
>>
>> +13
>>
>> On Aug 30, 2013 11:05 AM, "Kurt Buff" <[email protected]> wrote:
>>
>> On Fri, Aug 30, 2013 at 10:52 AM, Micheal Espinola Jr 
>> <[email protected]> wrote:
>>>
>>> I accidentally hit CTRL-Enter before finishing that email...   and
>>> apparently that's a shortcut to instantly-send a message in Gmail.  Yay!
>>> I love learning new things...   but anyways - So, yea, this Forbes
>>> article was the first I have seen that highlights the real underlying
>>> IT problem regarding Snowden - aside from other OT issues.
>> <snip>
>>>>
>>>> I may have missed some article by someone else somewhere, but Its 
>>>> to see Forbes 'get it' before anyone else...
>>>>
>>>>
>>>> http://www.forbes.com/sites/timworstall/2013/08/30/if-the-nsa-really-let-edward-snowden-do-this-then-someone-needs-to-be-fired/
>>>>
>>>> --
>>>> Espi
>>
>>
>> Agreed- massive failure on the part of many people in the NSA in 
>> implementing security procedures.
>>
>> Of course, what Snowden showed, beyond that, is the massive failure 
>> that is government policy and practices regarding 
>> surveillance/espionage in general, so I'm actually quite happy 
>> Snowden was able to do what he did.
>>
>> Kurt
>>
>>
>
>






