Security's Everyman

Monday, December 18, 2006

What were they thinking?

Well, hopefully I'm back to regular postings. I still have lots going on at work and of course Christmas time is keeping me busy, but I took the CISSP test on Saturday and so I no longer have to spend my spare time studying. That should give me enough time to blog again.

I got to work this morning and noticed a "suspicious" looking individual sitting in an empty cube connecting his laptop to the network jack. He didn't really look too suspicious, but he looked like an auditor (we all know that auditors are suspicious) :). Then I noticed two others looking around for network jacks in other cubes. I didn't bother to tell them that they were not hot. I figured that if Accounting wasn't going to tell me that we had auditors coming in that would need network access I'd make them tell me when they couldn't get to the Internet. Once they asked I set them up with guest access to the Internet.

It just baffles me that this stuff still goes on. Everyone still wants free, unfettered access to do whatever they want, regardless of the potential risk it puts the company at. What gets me even more is that auditors, the very people who come to tell us what we are doing wrong, bring in wireless APs expecting to connect them to the network, try to connect their laptops to the network, and expect to be able to have access to secure resources.

Obviously there was a failure on several fronts here. First, the accounting department should have informed me that auditors were coming and would need access to the Internet. Any other resources (printers, folders, files, etc.) should also have been listed so that they could be gathered and put in a secure place that the auditors could access without opening up the whole network to them. I also think that the auditor has some responsibility. In today's world, where everyone is screaming about the importance of being compliant, the auditors should do their part. Requesting Internet access would have been a good place to start. NOT attempting to connect to the network until they had been cleared to do so would also have been a good first step.

Maybe I'm the only one in the company who sees this as a big deal, but as long as I'm responsible for the security of the network they will play by the rules set forth in our policies.


Alex said...

You know, that's kind of amazing.

When I play auditor, the last thing I want to do is hook up my machine to your network. If the audit requires me to have access, I expect some flavor of workstation and account provided to me. Failing that, IF it's needed I'll ask for access.

A good trick? Spend an hour (or less) and build an "auditor interaction" checklist. Let them know what they can and can't do on your network, and have them sign a "user agreement" that states that they have read your use policies and will adhere to them should they require network access.

Michael Ramm said...

Gratz on taking the CISSP. How do you think that you did? I have been thinking of adding that to my Cert Wish List. I just learned of it recently. Just found your blog, and I have enjoyed what I have read.

Andy, ITGuy said...

Thanks for the feedback Alex. I may just create an "auditor checklist". If nothing else it's good for CYA.

Andy, ITGuy said...

Michael, I think I did pretty well on the test. Thanks for asking. I decided on it because from the research I did it seemed to be the one that would fit with my career goals the best. I considered the CISA and CCIE, but neither of them really gives me what I wanted. Although the CCIE would be really nice to have.

CypherBit said...

I'm curious to know more about your setup for instances like these. Not only auditors, but 3rd parties having a presentation or something.

I'm curious to know what kind of measures you usually have in place for:

1st, making sure no one brings in and plugs a laptop into one of the ports.
2nd, what kind of a routine do you have for checking the laptops that do come in (meetings, presentations, ...) before they can be plugged in?

Andy, ITGuy said...

CypherBit, being a small company we don't have anything "fancy" in place yet. I keep most unused jacks disconnected. When someone does require access I put them on our wireless VLAN, which gives them Internet access and printing to a specific printer. If they require access to our live network I check their AV and patches and do a quick once-over on their machine to make sure nothing obvious is there. I am currently investigating some NAC solutions. I should have more details next year and will blog about the process.

CypherBit said...

Andy thank you for the quick reply.

I'm asking since I'm way behind in this department and need someone with first-hand experience.

I've notified all the users that no 3rd party should connect anything to our network before I check their machine.

Which I do pretty much the same way you do, that is, check their AV and updates and have a quick look for malware.
I have no VLAN or any other method of protecting the LAN.

We don't have frequent "visits" by 3rd parties at all, but I'd still like to implement something.
I'm looking forward to your articles on this and other topics.

Andy, ITGuy said...

Cypherbit, feel free to email me if you have any questions. I do what I can to help.

Alex said...

The checklist has some CYA purpose, maybe, but it's mostly perception.

I've got control over my network, not you.

Alex said...

Cypherbit, if I may make a suggestion...

Providing you have the spare IP - Just put a $30 Linksys WAP inside (outside would be better if you can swing it) your DMZ. Explain to people (maybe even in the SSID) that THIS IS LIVE UNPROTECTED RAW UNBONED NON-PROTECTED INTERNET, USE AT YOUR OWN RISK!!!

Then, make sure that network has no better access to your internal network than the raw Internet does.

Voila! Let them access all they want...

We even used this as a compromise on having wireless for our own folks. OK, you get wireless - but if you need an internal network resource, you have to VPN in.
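Andy's guest wireless VLAN (Internet plus one printer) and Alex's DMZ access point (no better reach into the internal network than the raw Internet has) are the same egress policy. As an added example, not code from the blog or from either commenter, the script below models that policy as a first-match-wins verdict function and emits the equivalent iptables rules; the subnets, interface names and printer address are assumed.

```python
"""Guest-segment egress policy: Internet only, plus one allowed printer.

Added example, not from the blog or its commenters. Interfaces, subnets,
gateway and printer address are assumed/constructed values.
"""
import ipaddress

GUEST_IF = "eth1"   # assumed: interface facing the guest VLAN / DMZ WAP
WAN_IF = "eth0"     # assumed: interface facing the Internet
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
GATEWAY = ipaddress.ip_address("192.168.50.1")   # assumed guest gateway (DNS)
PRINTER = ipaddress.ip_address("10.0.1.20")      # constructed printer address
PRINTER_PORTS = {("tcp", 9100), ("tcp", 631)}    # raw JetDirect and IPP only

def guest_verdict(dst_ip: str, proto: str, dport: int) -> str:
    """Decide a guest-originated flow exactly as the rules below would."""
    dst = ipaddress.ip_address(dst_ip)
    if dst == GATEWAY and (proto, dport) in {("udp", 53), ("tcp", 53)}:
        return "ACCEPT"   # name resolution via the gateway only
    if dst == PRINTER and (proto, dport) in PRINTER_PORTS:
        return "ACCEPT"   # the single internal exception Andy describes
    if any(dst in net for net in INTERNAL_NETS):
        return "DROP"     # every other RFC 1918 destination, gateway included
    return "ACCEPT"       # raw Internet, exactly what the public gets

def render_iptables() -> list[str]:
    """Emit iptables rules in the same order the verdict logic applies."""
    rules = [
        f"iptables -A INPUT -i {GUEST_IF} -p udp --dport 67 -j ACCEPT",  # DHCP
        f"iptables -A INPUT -i {GUEST_IF} -d {GATEWAY} -p udp --dport 53 -j ACCEPT",
        f"iptables -A INPUT -i {GUEST_IF} -d {GATEWAY} -p tcp --dport 53 -j ACCEPT",
        f"iptables -A INPUT -i {GUEST_IF} -j DROP",  # nothing else on the firewall
    ]
    for proto, port in sorted(PRINTER_PORTS):   # exception must precede the drop
        rules.append(f"iptables -A FORWARD -i {GUEST_IF} -d {PRINTER} "
                     f"-p {proto} --dport {port} -j ACCEPT")
    for net in INTERNAL_NETS:                   # block the whole internal space
        rules.append(f"iptables -A FORWARD -i {GUEST_IF} -d {net} -j DROP")
    rules.append(f"iptables -A FORWARD -i {GUEST_IF} -o {WAN_IF} -j ACCEPT")
    rules.append(f"iptables -A FORWARD -o {GUEST_IF} "
                 "-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT")
    return rules

if __name__ == "__main__":
    print("\n".join(render_iptables()))
```

Internal resources stay reachable for staff only by VPN-ing in from the guest segment, as Alex describes, because the VPN concentrator sits on the Internet side of this policy.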

Andy, ITGuy said...

WOW! Alex. That SSID is longer than most WPA encryption keys. :)

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.