How due diligence can get you in trouble.
Well, I finally did it. I got mad. Not mad at the world, mad at the security representatives, and I told them where to get off. Why? Why would someone like me tell someone who is well versed in security where to go? Four reasons, really.
In our company, we have databases for everything. In fact, when someone has a new idea, they create a database. We have gotten so database-centric that I simply stopped using the databases. Why? For security, we have FOUR databases, and from that list of databases came additional databases to talk about the databases that we had. Then, because of the sheer number of databases, we had databases that tracked those databases, and, well, from the four they reproduced like rabbits to 36 databases. One for the original database to track the servers, a second to ask for changes to the database, a third to track those changes in the database, and we can continue on until we now easily have 10 databases per database. Too many databases for me to track, and then I get notification that we now have a series of databases to track information by site, that they are documents that are auditable, and that the division's folks in another state failed against those documents. It is maddening!
One day last week the security rep for the site stopped by my office and asked me why I had not entered my systems into the database. They were. He also asked me why the rooms were in the database. And I let him have it. First, the documents that are in the database are fluid, and they are always in constant change, as with anything in life. When I put a document into the database, once I hit the submit button, my access to the document is restricted to read-only, yet my name stays on the door. So I said that if my name is on the door and I cannot go in and change the document when it needs to be changed, it is an audit failure because I cannot show due diligence. So rather than fighting over a broken database, I keep paper records, which allow me to revalidate my security every month, review each of the entries, and make the appropriate changes as needed. On every occasion, since I can show that I perform the appropriate audits according to the company security document, I pass; everyone in the database has failed. Yes, I have told them on at least six occasions that it is broken, and their response only backs up their lethargic ideals. It is maddening!
My second problem is that with all of those databases, it becomes a full-time job keeping track of the information that is in them. Rather than making one change and having it distributed to the systems, none of the databases talk to each other. So while one of the documents is wrong because you can't get to that database that day, all of the others may be right or wrong that day as well, and you are audited against that document. So you either pass or fail due to that problem. So I have taken all of my information offline and store it in a book. That book keeps the information that pertains to us in it, and we ensure that when we have a change we update the information. It is maddening!
Third: automatic scanning tools are updated once a month and never detect new problems, but always pop up false positives. When one of your false positives is high, you're dragged in front of a consortium to explain yourself. So we no longer keep the scans in electronic format; we print them out, since we will have to run down to the meeting room and explain our lack of action on a high return. It is maddening that you fail by a tool that is supposed to keep information current, but when they audit you they print the record out. So why keep the records? It is maddening!
Fourth: all of the companies whose OSes we run put out security bulletins a full two weeks before the actual patch. They get the patch the day it is released, then play with it to see if it will impact systems. The fact of the matter is that any patches that come through that are considered critical should never have to go through the maddening process of testing for the sake of giving an overpaid executive a warm fuzzy. When we take a look at how many companies do this versus viruses and worms that have their way through an entire enterprise, who cares? It does not take a brainiac a month to figure out if a patch is critical or not. Here is the scenario. Joe Blow has an unpatched system that is under the watchful eye of the corporate big-brother application. It does not patch because it is still in the testing stage. After the employee farts around on his personal access account, he gets nailed with the virus. The next morning, the firestorm starts. He brings in his laptop, plugs it into the network, logs on, and infects every single system in the network. Testing is good if you have a bunch of desktops on the network, but you are wasting your time when you have notebooks. Plain and simple. It is maddening!
Why am I so mad? It would seem that the company can't find a programmer who is smart enough to program the databases properly, even after the software manufacturer gives plenty of notice to update them; can't program the databases to talk to each other; and sure as hell can't keep them updated when anything changes.
Sorry, folks. I am taking my documentation offline; the rest of you can fail. I have come to the crossing point now where I have to be convinced that technology has a solution, where 10 years ago I pitched that it was...