don’t be that guy who doesn’t have to follow policy

If leaders can be humane and just, sharing both the gains and the troubles of the people, then the troops will be loyal and naturally identify with the interests of the leadership. -The Art of War, Chapter 1: On Assessment.

There are many ways to look at this quote. With regard to IT security, it immediately made me think of one of the biggest frustrations senior management can give us: being above the policies. It is highly frustrating when people in leadership positions try to place themselves above the security measures put in place, whether because of their station or their ego.

Likewise, as IT professionals we sometimes do have certain liberties and access above and beyond some policies, especially in testing or lab environments or on assessment systems, but by and large we also need to try our darnedest not to be exceptions ourselves.

4 thoughts on “don’t be that guy who doesn’t have to follow policy”

  1. I don’t think I could ever work for Microsoft. I would get fired for installing Linux on the first day.
    I break policies. That’s what I do. I encourage as many people as possible to break them.
    I run Tor to a CGIProxy in SSL-only mode in order to surf the web in corporate environments. I find out ways to bypass Bluecoat proxies (e.g. SSH over SSL via the Apache proxy module). I tunnel IP over DNS when I have to. I run chownat to expose internal services (including Tor nodes) to the Internet. I poison corporate DNS caches with a wpad entry pointing to my machine.
    I modify my company-owned computer hardware. I create fake badges and copy/modify magnetic information. I copy internal data to personal hard drives and USB sticks. I print internal data and take it home. I use the phones and fax machines for personal use. I abuse FedEx to get my porn DVDs sent to my workplace. I send my Netflix and bills through the company USPS pickup.
    I install rogue access points. I surf pr0n at work.
    I believe in defense through diversity. I do not trust networks. I do not trust people. I do not trust operating systems, applications, or compilers.
    I certainly do not trust Windows XP SP2 or Vista joined to a domain. I would never allow IT to install an AV, configuration management, patch management (e.g. Windows Automatic Update), HIPS, or other enterprise agent software on my company laptop. Do you have any idea how easy it is for an adversary of the company to infiltrate every host if these methods are used?
    If your company does not have a way of ‘managing exceptions’ like these through a standard process, then your company’s policies are as dead as the paper they are printed on. I know entire security organizations that work on exception management… and have their own CSO, budget, etc. They don’t even report to any other business unit, which isn’t really surprising given what they do.

  2. Senior Management + Policies = IT Headache. I’m so glad it’s not just my place that this happens at! I spent weeks building, writing and testing a corp-wide password policy… only to have Senior Management have another admin disable it for their account! :-S

  3. Dre, I think you make good points and definitely give something to think about. I am curious, though, if your job actually supports all those actions above, or if you just do them anyway? Or was that more of a hypothetical/anecdotal thing?
    Also, while I think you have good ideas, not every org has someone like yourself who can take security (and insecurity) to another level like that. And certainly, not every sales person or marketing fool should be encouraged to do those things.
