> Little Boss: The Big Boss wants a shell script to be setuid root.

If you're fighting that kind of brushfire, you're in full retreat, and losing. No point in even trying to tackle these head-on. Instead, you need to get the security policy started. This would be a fine place.

Open with a section that gives the reason for the security policy: that the organization has resources (information, tools for manipulating it) that need to be protected from accidental and deliberate damage and compromise. Then start a sub-section that discusses programming risks. Since this case is motivating the effort, introduce a sub-sub-section on setuid programming issues (Henry Spencer's notes on setuid programming might be a good reference). Then go back up and start rounding out the narrow and deep start, to cover related issues, then spread out into other major topics of security policy --- access control, software licensing, internet access control, etc. Check out the RFC on security policy writing, any other online resources you can find....

A few weeks or a month later, depending on how fast you read and type, circulate the first rough draft by anyone else you work with who has a security clue. Incorporate their changes, and with their permission list them as co-authors. Then run the resulting draft by your immediate boss.

Trying to do security administration without a policy is a fruitless battle. As the policy is evolving, always examine --- and try to document in the document --- the benefits of the risky practice in question (i.e. the costs of finding safer ways to achieve the same end), the costs of the security problem (easy insider root access, difficult insider root access, difficult outsider root access, easy outsider root access) and justify the proposed policy in terms of costs and benefits. That language motivates management --- as it should. Unless of course they're hopelessly and irreparably dain-brammaged, in which case you should be tooling up your resume.

-Bennett
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:55:10 PDT