Home page logo
/

basics logo Security Basics mailing list archives

RE: "It's ok we're behind a firewall"
From: Chris Santerre <csanterre () MerchantsOverseas com>
Date: Mon, 24 Feb 2003 13:20:16 -0500

I fight this issue a lot here. Disgruntled employees who have access to
important data. There are a million ways for this stuff to get out. Hell
they have to have access because it is there job. So it is a tightrope walk
on what to do. 

I also have the opposite. Data that people have access to a piece at a time.
Giving them a quick spreadsheet of all of it will make there job 300000X
easier. But I'm not allowed to because the info put together in such a way
could be lost, or stolen or whatever. But they have access to the same info
one piece at a time. Drives me insane! :) 

Internal security is definitely different, and very gray. 

-----Original Message-----
From: Chris Travers [mailto:chris () travelamericas com]
Sent: Saturday, February 22, 2003 10:00 PM
To: security-basics () securityfocus com
Subject: Re: "It's ok we're behind a firewall"


My own perspective is this---

Internal security is just *different.*  This is one of the 
reasons for the
firewall.  If a company didn't have a firewall, I am still 
convinced that
they would be at *far greater* risk to external rather than internal
threats.  But that doesn't address the following issues:

1:  Many companies have sensitive documents that need to be 
protected--
controlling access to these minimizes the chance of leaks.

2:  Would any executive want everyone in the company to have unlimited
access to sensitive information like corporate bank account 
numbers, credit
card numbers, etc?

So we can establish the need for internal security.  My own 
preference is to
divide up areas into security zones and determine how each 
zone (logically
or preferably physically) is to be secured.  Are ethernet ports in
conference rooms a good idea?  Is the risk that they bring in 
acceptible?
What about wireless LAN?  What are the business benefits?  
What are the
risks?

Also it is extremely important to remember that the 
entrepreneurs or execs
are the ones responsible for defining acceptable risk.  It 
never hurts to
keep people thinking about that-- and rather than saying "you have a
security problem."  I usually say "Is this risk acceptible?  
How does ___
benefit your business?  Whould ___ work for you as well?"

Anyway, this is my $.02 worth.

Best Wishes,
Chris Travers



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault