RE: Getting security back from the sys admin
From: "Nick Vaernhoej" <nick.vaernhoej () capitalcardservices com>
Date: Fri, 7 Dec 2007 14:26:20 -0600
I think the main concern might be a perception mismatch.
You mention that you (security) have maintained root in Unix but lost it in Windows.
It seems you think you need root across the board to do your job? If you achieve this you will need to hire someone to
I may be wrong, but it is my belief that IT and IS can work together by having IT be responsible for the
servers/workstations and any changes while IS provides the knowledge and direction needed to maintain a secure
environment. You cannot have IS build the logging mechanism, the IDS/IPS, the anything because their role will lose
You have IT build according to your design perhaps, and then you audit their job.
So, my comment on how you regain a foothold in your company is by creating the foundation you wish to build your goal
on. And that is policies and standards.
You write a standard on how backups, encryption, logging, email, etc is secured and then you design or assist IT in
Once in place then you verify once a month.
"Quidquid latine dictum sit, altum sonatur."
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Rivest, Philippe
Sent: Friday, December 07, 2007 10:06 AM
To: Franck Vervial; lowney
Cc: security-basics () securityfocus com
Subject: RE: Getting security back from the sys admin
Thanks for the 2 very good ideas (work together to implement IDS, and the report one).
For our responsibility, we basically only manage user access right now. We lost all of our "responsibility" over the
last few years due to lack of knowledge on the security team's part. Having changed this situation, my director wants us
to take some responsibility back (in a controlled way).
Basically, I can't even log on to Windows servers but I have root access to the Unix servers (managed by the Unix
team). That shows that we didn't have knowledge over Microsoft, but on Unix we were good enough to keep stuff.
That is one of the many examples and exceptions that we have to manage.
We also have full access to SQL, but not the Windows machine on which it's running.
So in every situation, I can only secure 1 part and not the whole. And since we are the ones answering the auditors, we
need to at the very least see how things are set up.
As for your help, I already added your ideas to my document I'm writing. That with separation of duties did help a lot.
If anyone has other ideas, examples or hints, please help :)
Philippe Rivest, Certified Ethical Hacker
Information Security Analyst
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Franck Vervial
Sent: Friday, December 7, 2007 04:30
To: lowney
Cc: security-basics () securityfocus com
Subject: Re: Getting security back from the sys admin
Does the security team have operational responsibility or only
control/audit responsibility?
I have known the same situation and I think everybody is a winner if
the two teams work
You will always need the expertise of the system guys in system and security applications.
And they need the help of the security team for the things for which they
don't have the time:
security surveys, audit and risk analysis methods, etc.
A good thing to know in order to keep good relations is to not
underestimate their skills
and to understand the production constraints.
An example:
you have to install a security audit tool to produce reports about
the security level of the systems
they manage. Instead of just installing it and making a report that is very
red because of a lot of
security weaknesses, give them the referential with which this tool
works (like CIS security), so they can make an effort to increase the
systems' security level before the reports.
That is good because the two teams have the same aim: increase security.
Anyway, the reports will produce some weaknesses because of lack of time or other.
Another argument is to justify budgets against direction (it is easier
when two different
teams agree that an IDS is necessary).
In clear: be diplomatic and work together; the knowledge and
productivity of everybody will be better.
Hope this helps,
PS: sorry for bad English language ;-)