Where is the common sense for IT security monitoring?

By nosense
Information Security Officers are often tempted to "monitor it all", up to each keystroke of each employee if possible! IT departments, on the other hand, need to ensure the availability of secure and reliable IT resources, services, and operations to the company (with some "acceptable" performance, if at all possible!).

We all know that the sky is the limit for IT security management products, suites, etc. If these products are configured "tight" on the security side, their interaction with the operating-system-level security management often creates a bit of a challenge. Just think of the competing monitoring traffic on the file servers... Then come the Information Security Officers (who, once again, managed to get away with their demands) asking the IT department to solve the performance problems at once!

So, how and where can we put some common sense and make the senior management listen to us also? What are the possible baselines, or "industry best-practices"?

by Jaqui In reply to Where is the common sense ...

I tend to be in favour of tight security, but I know that if it's too tight then the system isn't working properly.

The balance would be to secure each machine against intrusion (firewall, AV) and secure the network perimeter with firewall, AV, and email spam control.

If using wireless, have internal APs secured with keystroke pattern matching, and accept only specified MAC addresses. The APs for corporate clients are more open to access, but in a DMZ to keep them from accessing the internal network.
(Tighter security on wireless, as it's easier to abuse.)


Trend analysis

by JamesRL In reply to well

The case of Air Canada versus WestJet, to me, indicates the need for trend analysis.

For those of you outside Canada: Air Canada was using a website which had the schedules and traffic carried accessible via ID and password to AC employees over the internet. A former employee went to work for the competition and found their password still worked. Some genius wrote a program that would script the login. That user logged in 250,000 times in one year.

Had trend analysis been in place, perhaps someone would have twigged to what was going on, and shut down the site while it was reassessed.
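The kind of trend analysis this post calls for, as an added example that is not part of the original post: flag accounts whose daily login volume sits far outside the population baseline, and accounts that keep authenticating after the employee is on the HR termination list. The log format, the account names, the thresholds and the generated data are all constructed assumptions, not data from any real incident.

```python
"""Trend analysis over portal login logs: flag accounts whose daily login
volume is far outside the population baseline, and accounts that keep
logging in after the employee has left. Added example; the log format and
all data are constructed, not taken from any real incident."""
from collections import defaultdict
from datetime import date, timedelta
from statistics import median


def build_sample_log(days=14, scripted_per_day=700):
    """Constructed log: 'YYYY-MM-DDTHH:MM:SS user result', one line per login.
    Five staff log in a few times a day; 'jdoe' is a scripted account."""
    lines = []
    start = date(2004, 3, 1)
    for d in range(days):
        day = (start + timedelta(days=d)).isoformat()
        for user, n in (("alice", 2), ("bob", 1), ("carol", 3), ("dave", 1), ("erin", 2)):
            for i in range(n):
                lines.append(f"{day}T{8 + i:02d}:15:00 {user} ok")
        for i in range(scripted_per_day):  # one login every two minutes, all day
            lines.append(f"{day}T{(2 * i) // 60:02d}:{(2 * i) % 60:02d}:00 jdoe ok")
    return "\n".join(lines)


def daily_counts(log_text):
    """user -> {date: successful logins}. Failed logins are ignored here;
    they would feed a separate brute-force check."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        stamp, user, result = line.split()
        if result == "ok":
            counts[user][stamp[:10]] += 1
    return counts


def flag_anomalies(counts, terminated=frozenset(), k=5.0, floor=10):
    """Return {user: finding}. Baseline = median of all per-user daily counts,
    spread = median absolute deviation (robust, so one scripted account does
    not drag the baseline up). A day above max(base + k*MAD, floor) is flagged;
    so is any login by an account on the termination list (an assumed HR feed)."""
    all_daily = [c for per_day in counts.values() for c in per_day.values()]
    base = median(all_daily)
    mad = median(abs(c - base) for c in all_daily) or 1.0
    threshold = max(base + k * mad, floor)
    findings = {}
    for user, per_day in counts.items():
        peak = max(per_day.values())
        reasons = []
        if peak > threshold:
            reasons.append(f"peak {peak} logins/day vs threshold {threshold:.0f}")
        if user in terminated:
            reasons.append("account still authenticating after termination")
        if reasons:
            findings[user] = {"peak": peak, "total": sum(per_day.values()),
                              "threshold": threshold, "reasons": reasons}
    return findings


def analyse(log_text, terminated=frozenset()):
    return flag_anomalies(daily_counts(log_text), terminated)


if __name__ == "__main__":
    for user, f in analyse(build_sample_log(), terminated={"jdoe"}).items():
        print(user, f["total"], "; ".join(f["reasons"]))
```

The median/MAD baseline is deliberate: a mean-based threshold would be pulled up by the very account you are trying to catch. Either check alone would have caught the scripted login described in the post; the termination cross-check does not even need a volume anomaly.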



Swings of the pendulum

by furl12 In reply to Where is the common sense ...

Security has been getting out of control for several years now. SOX has simply fed the madness.

But sooner or later, the fad will move on to some new area and common sense will return.

Let's just all hope that the present lunacy ends sooner rather than later. Some of us are almost unable to function in our jobs thanks to the "security" vigilantes.


How I done it good (for good or ill)

by markand In reply to Where is the common sense ...

There is never enough time, money or personnel to monitor every possible security hole or potential misuse. Besides, in one-person shops, you don't want to come across as the thought police.

So, once again, do what's possible and document what you do and why. Law drives corporate policy. For example, the company I work for is controlled by state privacy law, a contract with a principal government entity, and HIPAA.

We have an acceptable use policy and I enforce it. Everyone signs a piece of paper saying they acknowledge a) they have no privacy in the workplace and b) they can be monitored at will, for any reason or none. No one can add, change or remove anything on company computers, period. If you install something, sorry, it now belongs to the company.

We use ISA on all principal servers, and XP's own firewall on all XP boxes. I keep the ISA logs on all servers forever (or at least until I run out of disk space and have to move logs to tape). I check ISA traffic logs weekly and send department heads regular reports of where their staff hang out when they should be working.

We use no filtering at all - having to explain what you do on the computer to your boss is enough to keep people in line. We have no trouble with liquor, guns, ammo, porn, gambling, shopping and the like - it gets nipped in the bud pretty quick.

As the I.T. manager, I make it public knowledge that I look at all this stuff, and I subject myself to peer review, too.

If anything questionable appears in a log file, three people are immediately notified: a staff member's immediate supervisor, the HR manager, and my boss, the executive director. I will not subject any employee's email, web use and files to a detailed probe unless the HR manager tells me to ask our executive director. We do all this in writing and document what we do and why we do it.

As for spot monitoring, I put a hub between the inside NIC on our firewall and the switch that brings the network together. I use the Debian Linux-based Remote Exploit Toolkit, and EtherAPE to see instantaneous network traffic (inbound, outbound and combined). I know exactly where people are hanging out; if I have questions about why, I go ask: "Why are you on eBay, net radio, or whatever?"

In summary:
1. Have a policy. Know why it exists, especially the law behind it.

2. Educate staff about what is expected of them.

3. Keep key decision makers in the loop about what you see.

4. Be personally accountable. The I.T. manager is NEVER above the law they enforce.

5. Document, document, document what you do and why you do it.

My 2 cents worth.


A refreshingly reasoned approach

by Tony Hopkinson In reply to How I done it good (for g ...

Far too many internet nazis about at the moment, with 99% of the emphasis on improper use of resources. Personally I'm more concerned with bidders, pornheads and music downloaders, because the sites where you get that sort of thing are far more likely to be riddled with security threats, than with the fact that the employee should be doing something else. At least a policy of not shining the desk light into an employee's face before you are given reason to indicates some level of respect for them as a person and a professional.

by gadgetgirl In reply to A refreshingly reasoned a ...

Been in current position since beginning of Feb, and was amazed at how much paperwork was NOT there. Ok, so their Security Manager never came back from long term sick, but you would have thought someone would have realised that EVERY applicable information policy was WAY out of date!

Oh, sorry. Was expecting common sense there. *Slaps wrist* won't do that again.

So, apart from 2 enforced security spot checks, I've been writing up policies ever since. (Thinking of starting a new consultancy service: Policies R Us.) It's also amazing the lack of confidentiality and security awareness out there. Users haven't a clue what they're opening up the corporate networks to.

I have one (l)user in here who doesn't check discs for virus infection.....cos the network does that. She's not on the flamin' network.... X-(

So, information security awareness is now firmly ensconced in the induction program, and I have it included now in the mandatory training days. Let's see how long that lasts.

Still don't have the backing I need from the HR department, so all I can do is look threateningly at the infringers, and make out I'm being lenient...

The art seems to be keeping the users safe whilst allowing the network to be effective and secure. I find that if I explain everything in basic English to the users, they can normally see the common sense behind what I'm telling them they can or can't do.

Well ........... sometimes.


Two sides to security...

by erich1010 In reply to Agreed

There are two sides to security. First, you have to make sure that the network and computers are as secure as necessary against known vulnerabilities. This means assuming that users will download files without virus checking them.

The other side of security is determining what the risks are and getting buy-in by management on accepting that risk. Some vulnerabilities are worth the risk. Job function comes first. After all, if the company can't do its work, then there is no income and everybody might as well go home.

To the first issue, you can mitigate risks by determining where the vulnerabilities are and isolating them. If users are downloading files, make sure that the activity of their workstations can't affect (or infect) other machines. Make sure that computers are only using the ports and protocols they are supposed to be using. And make sure the computers themselves are hardened. In the government, this is called "Defense in Depth". If you only worry about a secure perimeter, your network is a fragile egg, hard on the outside but soft in the middle.

To the second issue, you have to realize that job function comes before security. If the job cannot be done, it doesn't matter that the job was secure. I work in a highly secure environment, but if they wish to connect the network to the Internet with just a wire, I'll do it with the proper waivers (i.e. CYA). Of course, I'll tell them the risks and make sure there are no other feasible alternatives that are more secure. The bottom line IS the bottom line. The security officer does not dictate what can or cannot be done. They just determine the vulnerabilities, risks and mitigations so that managers can make informed decisions on the value of an implementation. Any enforcement done is on the behalf of whatever authority that set the policy. (Or, if you're the one stuck with having to write the policy, whatever authority signs off on it.)

Unfortunately, it is a continuing effort to keep people informed on security concerns so that they give it the proper attention. However, you do a lot better if you present security as an enabler than a limiter. If you present security solutions as a risk / benefit tradeoff, they can compare it more easily to their other project issues and put the right resources towards it without you coming off as the enforcer.


Ensure Zero Downtime First

by dennis In reply to Two sides to security...

Perhaps the top two concerns are systems availability and data security. We use Cyber Secure Hard Disk Drives, which can instantly recover from any attack and also full-disk encrypt the drive in case of theft. Just for the **** of it we set our Windows user IDs to "Administrator" and the password to "password". We don't care, because we know that we can simply push the reset button to make systems instantly operational again. Then again, there appear to be many security officers who are absolutely afraid to find the solutions - they are here.


by The Admiral In reply to Where is the common sense ...

Industry best practices are not the best practice for everyone. First, best practices are a culmination of what every big company is doing to make sure that their information technology items are secure; that does not mean that there is a lack of common sense in the practices.

Second, companies that blindly follow best practices are in for a big problem when they finally figure out that it is overkill for their systems. Like Firewalling a firewall and firewalling that firewall just for the sake of security is overkill. There are good best practices and bad best practices and each company has to make the decision as to what is a good best practice.

Lastly, When we look at how security is implemented, nine times out of ten it is implemented backwards. Rather than understanding that security is looking at the most common hole and working backwards, they implement security but don't patch the open hole! Then they wonder how they still get viruses and junk!


by The Admiral In reply to Where is the common sense ...

When we look at security policies that are effective when they are implemented, we have to ask a simple question that requires an answer: are we trying to keep the bad people out, or are we trying to keep employees from performing their job? Obviously, some think that keeping an employee from performing their job would be the wrong answer, but many times, when we try to keep the bad people out, we tend to keep the people who have to do their job from doing it as well.

A security policy has to be enabled where the employee is responsible for the security of their work area. Everything in that work area, including the workstation, the chair, and what is on their desk, needs to be addressed. Whether they have a locked door or sit in a cubicle, there are additional processes as well to make sure that confidential information does not disappear. In the many cases where you have more than one company that shares office space, it is imperative that steps be taken in order to handle any kind of security issue.

Desktops and laptops pose a security threat, but not as bad as you would believe. Desktops with a SYSTEM BOARD PASSWORD, where removal of the battery would not make a difference, are important. Simply placing a power-on password that can be removed is not sufficient. Notebooks are the same. They should have the following:

System Board Password
Power on Password
Hard Drive Password

These can be different, or they can be the same, but your employee has to manage those risks if the system does not have different passwords. Why? First, if they get past power on password, and want to make a change in the BIOS, they need the System Board Password. And in order to boot the PC, they need to know the hard drive password or they go nowhere.

They can take the hard drive out and put a different drive in and run it if it only has an HD password, but generally, they can't eBay the item or attempt to get the data off of it with dual passwords, which secures your investment. That is what you can do for physical security, outside of cabling it to the desk, locking the zippers on laptop bags, and educating users that leaving the notebook in the back of the car is not exactly the smart thing to do.

The other part of security is the ability to detect threats and deal with them at the firewall and the network level. First, a firewall rule where someone on the network, inside or out, who attempts to use a particular port for a period of time gets automatically put on the ignore list. Internally, you would disable the MAC address on the network; externally, you would place the IP on a temporary or a permanent ignore list. Second, email viruses and spoofing are a problem. You can get rid of many of the spoofs if you only do business in the US by blocking the rest of the world out. Or if you do business abroad, then you can manage it by adding the subnets of those companies you do business with. Third, have a daily updated virus detection system that detects Trojans, viruses, and harmful scripts and disables them at the network level. Next, if you use email (and who doesn't), the email servers should have anti-virus scanning software that kills the virus and doesn't email the user that it did so. Why a user needs to know that a virus was killed is silly. Why waste the bandwidth with useless information that is going to be deleted by the end user?

There is a wealth of things that can be done in a corporation. Letting users know the system is being watched, that they can be brought up for disciplinary actions for illegal activity and installing unapproved software, PLUS if the system is not to have software installed or other un-needed access, then the global security and local profile should also disable those functions (See global profile for installing software.)

Some of the common sense stuff is right in front of many people's faces; all they have to do is flip a switch or make a policy that uses the security features of the operating systems. As I have said, I do not believe that the lack of common sense is the problem. Over-thinking solutions and not hitting the mark is the problem.
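The first rule in the post above (repeated attempts against one port put the source on an ignore list, by MAC internally and by IP externally) as an added example in working code. This is not the poster's configuration or any vendor's feature; the deny-log format, the internal address ranges, the threshold of 10 attempts in 60 seconds and the one-hour ban are all constructed assumptions.

```python
"""Auto-blocklist for repeated attempts against one port. Internal offenders
are identified by MAC (to be disabled on the switch), external ones by IP
with a temporary ban. Added example; log format, address ranges and
thresholds are assumptions."""
import ipaddress
from collections import defaultdict, deque

# Assumption: RFC 1918 ranges stand in for the site's internal address plan.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


class RepeatedPortDetector:
    """Sliding window: `limit` denied attempts from one source to one
    destination port within `window` seconds triggers a block."""

    def __init__(self, limit=10, window=60, ban_seconds=3600):
        self.limit, self.window, self.ban_seconds = limit, window, ban_seconds
        self.attempts = defaultdict(deque)   # (src, dport) -> recent timestamps
        self.disabled_macs = set()           # internal: MAC disabled on the switch
        self.banned_ips = {}                 # external: ip -> ban expiry (epoch s)
        self.actions = []                    # audit trail of what was blocked

    def observe(self, ts, src, mac, dport):
        """Feed one denied connection attempt; return the block action, if any."""
        if self.is_blocked(src, mac, ts):
            return None                      # already on the ignore list
        q = self.attempts[(src, dport)]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()                      # drop attempts older than the window
        if len(q) < self.limit:
            return None
        q.clear()                            # one action per burst
        if is_internal(src):
            self.disabled_macs.add(mac)
            action = ("disable-mac", mac, dport, ts)
        else:
            self.banned_ips[src] = ts + self.ban_seconds
            action = ("ban-ip", src, dport, ts)
        self.actions.append(action)
        return action

    def is_blocked(self, src, mac, now):
        if mac in self.disabled_macs:
            return True
        expiry = self.banned_ips.get(src)
        return expiry is not None and now < expiry


def build_sample_denies():
    """Constructed firewall deny records: 'ts src mac dst dport' ('-' = no MAC seen).
    An internal host hammers SMB, an external host hammers SSH, and a third
    source touches port 80 a few times over twenty minutes."""
    rows = [f"{1000 + 2 * i} 10.0.5.23 00:11:22:33:44:55 10.0.1.10 445" for i in range(20)]
    rows += [f"{2000 + 5 * i} 198.51.100.7 - 203.0.113.2 22" for i in range(12)]
    rows += [f"{3000 + 400 * i} 203.0.113.9 - 203.0.113.2 80" for i in range(3)]
    return "\n".join(rows)


def run(log_text, **kw):
    det = RepeatedPortDetector(**kw)
    for line in log_text.splitlines():
        ts, src, mac, _dst, dport = line.split()
        det.observe(int(ts), src, mac, int(dport))
    return det


if __name__ == "__main__":
    for action in run(build_sample_denies()).actions:
        print(*action)
```

The window is keyed on (source, port) rather than on source alone, so a host that legitimately talks to many services is not banned for volume; the permanent-versus-temporary split follows the post, with the internal MAC disable left for an administrator to lift.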
