RE: "It's ok we're behind a firewall"
From: Chris Santerre <csanterre () MerchantsOverseas com>
Date: Mon, 24 Feb 2003 13:20:16 -0500
I fight this issue a lot here. Disgruntled employees who have access to
important data. There are a million ways for this stuff to get out. Hell,
they have to have access because it is their job. So it is a tightrope walk
on what to do.
I also have the opposite. Data that people have access to a piece at a time.
Giving them a quick spreadsheet of all of it will make their job 300000X
easier. But I'm not allowed to because the info put together in such a way
could be lost, or stolen or whatever. But they have access to the same info
one piece at a time. Drives me insane! :)
Internal security is definitely different, and very gray.
From: Chris Travers [mailto:chris () travelamericas com]
Sent: Saturday, February 22, 2003 10:00 PM
To: security-basics () securityfocus com
Subject: Re: "It's ok we're behind a firewall"
My own perspective is this---
Internal security is just *different.* This is one of the reasons for the firewall. If a company didn't have a firewall, I am still
they would be at *far greater* risk to external rather than internal threats. But that doesn't address the following issues:
1: Many companies have sensitive documents that need to be
controlling access to these minimizes the chance of leaks.
2: Would any executive want everyone in the company to have unlimited access to sensitive information like corporate bank account
card numbers, etc?
So we can establish the need for internal security. My own preference is to divide up areas into security zones and determine how each
or preferably physically) is to be secured. Are ethernet ports in conference rooms a good idea? Is the risk that they bring in
What about wireless LAN? What are the business benefits? What are the
Also it is extremely important to remember that the entrepreneurs or execs are the ones responsible for defining acceptable risk. It never hurts to keep people thinking about that-- and rather than saying "you have a security problem." I usually say "Is this risk acceptable? How does ___ benefit your business? Would ___ work for you as well?"
Anyway, this is my $.02 worth.