Re: RE:[fw-wiz] Vulnerability Scanners ( was: concerning ~el8 / project mayhem )
From: Paul D. Robertson (proberts@patriot.net)
Date: 08/26/02
- Next message: Paul D. Robertson: "Re: RE:[fw-wiz] Vulnerability Scanners ( was: concerning ~el8 / project mayhem )"
- Previous message: Patrick Darden: "Re: [fw-wiz] VPN concentrators"
- In reply to: Dave Piscitello: "Re: RE:[fw-wiz] Vulnerability Scanners ( was: concerning ~el8 / project mayhem )"
- Next in thread: R. DuFresne: "Re: RE:[fw-wiz] Vulnerability Scanners ( was: concerning ~el8 / project mayhem )"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Paul D. Robertson" <proberts@patriot.net>
To: Dave Piscitello <dave@corecom.com>
Date: Mon Aug 26 08:53:20 2002
On Sun, 25 Aug 2002, Dave Piscitello wrote:
> >That's when positive
> >authentication is necessary. One needs to know it's positively Jane Doe that
> >went to the porn site (which is against policy) or it was someone who sat
> >down at her authenticated workstation when she walked away without logging
> >off (which is against policy) before disciplinary actions are initiated.
>
>
> You'll need non-repudiable authentication (evidence), as a court of law
> would describe.
I think this is a myth that we've been conditioned to believe. It's
certainly possible to present evidence of wrongdoing that *isn't*
non-repudiable. In an administrative case (firing someone) the evidence
really just needs to be compelling. In a civil case, the bar isn't all
that much higher, and in a criminal one, supporting evidence works all the
time. Motive and correlating other evidence works just fine.
Courts of law very rarely get non-repudiable evidence, and only in the last
10 years or so has it been possible to do things like DNA testing and
have it admissible without the same sorts of confusing defenses that
we're seeing in computer crime.
> How would you propose to verify Jim was at Jane's workstation at the time
> of the porn site visit?
> In addition to "strong authentication" as we define it today, do you
> propose cameras? Keyloggers that distinguish typing behavior?
If Jim authenticated to the porn site and there was a lawsuit involved,
we'd get a subpoena for the porn site and find out whose credit card was
used to get that ID, and also whose home computer was found to be using
that account (indeed, if I had to defend from such a suit, I'd subpoena
the home PC and spend all the EnCase time I could on it generating both
corroboration and subpoena fodder.) We'd also look at phone switch logs
to see if Jim called home from Jane's phone, or answered Jane's phone
while at her desk. We could certainly correlate Jim's days in the office
with the activity, and delta that from Jane's activity. We could also
start to match Jim's unanswered calls with the time periods in question,
access-card logs, meeting attendance of both Jim and Jane...
However, porn sites really are the easy case - the pattern of abuse is
normally ongoing, so you just need to log and alert on logging and it's
trivial to either put hidden video surveillance on Jane's PC or walk over
and catch Jim "in the act."[1]
> Something that's annoyed me for ages is the distinction that policy
> violations conducted through computing and networking are so different from
> any other medium. If an employee uses his phone card to dial a phone sex
> number during work hours, from a business phone, is it as serious an
> offense (granted, there's no temporary or long term cache of the "image"
> unless he's taped the conversation). What about print media and fax
> (although I've never heard of fax sex?)
Not quite as serious because unless the employee is saying offensive
things, there's not the same "walk by" factor. Also, I think implicitly
illegal phone sex is probably pretty difficult to make. However, in the
US it's perfectly legitimate for a company to monitor its phone system for
content- so catching is again a relatively easy matter.
> Content inspection is an odd business, and it seems perpetually focused on
> computer networking. My point is that I've seen some policies that don't
> uniformly treat all media - it's acceptable to have a sexy calendar, but
> not to visit Victoria's Secret online, or thumb through PlayBoy during
> lunch? I've told folks that such policies are an HR nightmare waiting to
> happen.
Calendars are the things that have set caselaw up to now, so that's
obviously a problem. However, computers should have different acceptable
use policies; you don't have things like ECPA to contend with when you
track calendar hanging.
> I wrote a paper a while ago on this subject, but I think it's still
> accurate and hopefully relevant
> http://www.tisc2002.com/newsletters/211.html
As a note, I know quite a few companies who block 900 numbers
(pay-per-call lines in the US) and allow specifically for "limited
personal use that doesn't infringe upon the business," so indeed PBX
management isn't all that different other than the level of detail (and
most of those places print call detail logs and have employees and their
supervisors review and sign them.)
Paul
[1] I've been involved in both types of incident, and both are effective.
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
proberts@patriot.net which may have no basis whatsoever in fact."
probertson@trusecure.com Director of Risk Assessment TruSecure Corporation