Re: Paradigms II
From: Moyo Loco (bla@vla.bla)
Date: 03/04/02
- Next message: Bill Unruh: "Re: Has the 128 bit encryption export resriction been lifted?"
- Previous message: Alan J. Flavell: "Re: Windows Media Player executes WMF content in .MP3 files."
- In reply to: Lohkee: "Paradigms II"
- Next in thread: Lohkee: "Re: Paradigms II"
- Reply: Lohkee: "Re: Paradigms II"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Moyo Loco" <bla@vla.bla> Date: Mon, 04 Mar 2002 21:20:13 GMT
"Lohkee" <lohkee@worldnet.att.net> schreef in bericht
news:J4vg8.12635$106.917837@bgtnsc05-news.ops.worldnet.att.net...
> Secure Systems Revisited (DRAFT)
> Copyright (C) by Lohkee
>
>
> Performing the following very basic security evaluation on your system
> should not cause any problems with regard to your continued employment.
> Conducting the experiments will not harm your system in any way, and they
> are not about trying to circumvent security. In many cases you will already
> know the answer to a given question without having to actually conduct the
> test simply because of knowledge gained from prior experience working on the
> system. Obviously, if there is any question at all in this regard, obtain
> the appropriate permission before proceeding.
>
> You do not need specialized technical knowledge to conduct any of the tests.
> If you have worked on a personal computer for more than two months you will
> have probably already performed most of them without realizing it. The
> following questions assume the use of Windows NT 4.0 or 2000 Professional
> (server or workstation); however, they can be easily adapted to any other
> operating system capable of providing a rudimentary set of access controls.
> It is very important that you conduct each test without any special
> administrative "permissions." You want to look at the system from the same
> perspective as that of any other "normal" user.
>
> Although it is important to look at the system itself through the eyes of
> the average user, it is also very important that you contemplate your
> answers (and the issues raised by those answers) very carefully through the
> eyes of someone who could be held accountable or otherwise impacted in the
> event of a problem arising because these issues were not dealt with.
> Sometimes this is difficult to do because we tend to think of our "stuff" as
> being of interest only to ourselves. Unfortunately, most "outsider" attacks
> take place because some automated hacking tool has identified your system as
> vulnerable, not because the attacker has any particular interest in you, or
> your organization.
>
> Speaking of stuff, have you ever stopped to consider the overall value of
> the information stored on your system? Depending on the employee's rate of
> pay and the time it took to create a particular piece of information, the
> minimal value of any given file on your network could range from a few
> dollars for a simple memo to many thousands of dollars for a comprehensive
> report authored by a senior analyst. Regardless of the type of business
> you are in, or the size of your organization, the value of the information
> stored on your system can be quite considerable. When you start to
> contemplate the actual market value of that information, or other more
> esoteric factors, such as the potential losses caused by critical
> information not being available when needed or losses incurred because of a
> breach in confidentiality, the value can climb very dramatically. The
> less-than-flattering employee evaluation sitting on your hard disk may not
> appear to have a lot of cash value; however, if someone (or something)
> wandering around on your network happens by chance to come across that
> document and decides to share it with the world, you may very well learn the
> hard way that it was actually worth several million dollars. When the
> Melissa virus made its rounds, many organizations were quite happily mass
> e-mailing large amounts of confidential information to unauthorized
> individuals without ever realizing it (more on this later). Like any other
> inventory item, information stored on a computer is a tangible business
> asset. Do you know how much you have, where it is at, what it is worth, and
> who has access to it? Could you even answer these questions? Why not?
>
> Before conducting a basic security evaluation of your system it is important
> to have at least a vague idea what security, and a secure environment,
> really are. Simply stated, security is about reducing risk by clearly
> defining a universe and then controlling what takes place within the
> confines of that universe. It is about knowing what you have, where it is
> at, who has access to it, and being able to recover it quickly in the event
> of a mishap (regardless of magnitude) with minimal downtime or loss.
> Defining the universe sounds rather straightforward, and for the most part
> it is, at least until you start connecting one system to another. If you
> have two stand-alone (no modem or network connections of any kind) PCs it is
> fairly obvious that you have two complete and isolated systems. When you
> connect those two PCs however, they cease to become systems in their own
> right and become two components of a single larger system. A machine is
> either a system, or a component of a system. It is also possible for both
> conditions to be true, for example: Unless you have built a network, your
> home PC is probably an isolated system; however, when you connect to the
> Internet, that same PC ceases to exist as a system and becomes just another
> component in a much larger system for the duration of that connection.
>
> The most fundamental principle of a secure environment is that of "least
> privilege." This principle basically states that a user should have access
> only to those resources necessary to perform their assigned tasks. Nothing
> else! The basic idea is to reduce risk as much as possible by limiting the
> number of possibilities that an adversary might be able to take advantage of
> when launching an attack and, if an attack does take place, to limit the
> amount of damage incurred as a result of that attack. A secure system will
> reflect this philosophy, for example: A secure system will not allow
> "normal" users to arbitrarily install software on their workstations as this
> would violate the fundamental principle of being able to define and control
> the universe (not to mention being an unimaginably stupid thing to do in a
> business environment). How can anyone make a rational argument for anything
> even remotely resembling a secure system when they really have no idea of
> what might be running on a given workstation or how it might be affecting
> the network? Contrary to popular misconception, security makes no
> distinction between "insiders" and "outsiders." Once someone enters our
> universe (regardless of how they arrived or if their entry was authorized)
> they are a user and therefore subject to the rules.
>
> I have taken a position that the professional security community has and
> will continue to fail because they are operating under the same basic
> paradigm as those they try to protect, i.e., "Personal Computer Mentality"
> (PCM). You will see the acronym PCM frequently from here on out. Consider
> it a red flag and cause to reflect. The answers you provide to the
> following questions will become the evidence that I offer in support of my
> hypothesis of mass incompetence.
>
>
> Do you routinely save information on your workstation's local hard disk?
> Information includes (but is not necessarily limited to) e-mail messages,
> documents, spreadsheets, databases, presentations, images, program source
> code, etc.
>
> If it is a common practice for users within your organization to save files
> on their workstation's local hard drive, as opposed to storing them within a
> personalized folder on a centralized server, it is probable that you will
> lose a great deal of valuable information in the event of even a relatively
> minor mishap, such as a hard drive failure. In the event of a building
> fire, the losses could be quite significant. This possibility would also
> exist even if you do have a centralized file server but have configured your
> workstations in such a way that users are still able to save information to
> their local hard drive. From a practical perspective it is extremely
> difficult, perhaps even impossible, to guarantee in an easily provable
> manner that information stored within arbitrarily named folders, on numerous
> machines, in numerous locations, is being properly backed up and stored
> safely offsite on a daily basis. If you are not doing this, how exactly do
> you plan to recover quickly in the event of a disaster or other minor
> mishap?
>
> Many organizations simply rely on users to back up their personal files.
> This is PCM at its very best and generally a sure sign that the organization
> is utterly clueless when it comes to security (and that they have no
> meaningful ability to recover an unknown quantity of unknown value in the
> event of a disaster). In this quixotic scenario the organization quite
> happily deludes itself into believing that:
>
> 1. Every one of its users is consistently and correctly backing up all of
> the information on their workstations.
>
> 2. Someone is gathering up numerous floppies, CDs, tapes, etc., and storing
> them safely offsite each and every day.
>
> Even if by some miracle this were happening (the added and unnecessary cost
> notwithstanding), the very notion of intentionally moving information from
> a controlled environment onto numerous removable media that will end up
> scattered about in people's desk drawers, filing cabinets, and wherever else
> things tend to get put, is an incredibly foolish one to say the least. You
> have no way of really knowing where all of the information is stored, if the
> storage areas are properly secured, who has access to those storage areas,
> who has actually accessed the information (the janitor, perhaps), who may
> have made copies, etc. Simply stated, you have lost any semblance of
> control over that information. If confidential information falls into the
> wrong hands you will have little chance of demonstrating "due care" and
> could easily find yourself liable for damages. How will you account for
> sensitive information stored on hundreds of floppies scattered about in a
> pile of rubble that used to be your building? Where will that information
> eventually end up after scavengers have picked through the debris? In all
> but the smallest of organizations, the cost to provide each employee with
> the hardware and removable media necessary to back up their files can be
> quite significant. It is an unnecessary expense that ultimately serves no
> purpose other than to support a very dangerous practice!
>
> Some organizations walk the fence. They keep all of their "mission
> critical" information on a centralized server and then leave users to fend
> for themselves. While the organization may indeed be able to survive a
> disaster, the overall cost will be much higher because some portion of the
> information that was stored on the workstations will have to be manually
> re-created and much will be lost. This approach essentially says that an
> organization is willing to simply sacrifice an unknown quantity of unknown
> value in the event of a disaster. Sounds like a prudent business decision
> to me. You can build a fairly powerful "small file" file server (2Ghz
> processor, 2Gb RAM, 120Gb storage) for about a thousand dollars. Suppose
> you are paying ten analysts each sixty thousand dollars per year. Whatever
> they produce during the year will have cost you six hundred thousand
> dollars. Where on earth is the logic in paying six hundred thousand dollars
> for information that is not even worth a thousand dollars (which is
> essentially what you are doing when you position yourself to arbitrarily
> sacrifice that information in the event of a disaster)? Notwithstanding the
> loss of information, the most obvious flaw with this arrangement is that the
> many thorny issues associated with moving potentially sensitive information
> from a controlled environment, to one that is uncontrolled, still remain and
> must be dealt with.
>
> What about configuration management? Allowing users to save information
> (which can also be executable code) to the workstation's local hard drive
> makes it virtually impossible to maintain a constant and known configuration
> (or to implement any kind of automated configuration validation scheme) as
> the hard disk is in a constant state of flux. How can you hope to define or
> control a universe when users are allowed to make unannounced and unreported
> changes to that definition? It is easy to dismiss these types of changes
> as being insignificant; however, in the case of a user arbitrarily loading
> executable code, you really have no idea of what might be running on a given
> workstation or how it might be affecting your network. Aside from copyright
> and licensing issues, or the threat posed by hostile code, the lack of
> meaningful configuration management can severely hamper your service
> technicians in their troubleshooting efforts and create unnecessary delays
> and frustration for your customers. Poor configuration management generally
> results in a network that is considerably more expensive to maintain, far
> less reliable in terms of downtime, and much slower with regard to response
> time.
>
> How about ensuring confidentiality? Can you guarantee that all of your
> users are consistently setting the appropriate access "permissions" on all
> of their files and folders? How can you verify and document this? Do you
> really know who has access to what information? What about folders intended
> to store temporary information, the contents of which are generally readable
> by everyone who has access to the workstation? Are you really positive that
> you know who has access to the confidential information on your network?
>
> How do you know what type of information users are storing on their
> workstation's local hard drive? It is almost impossible to review files for
> content when they are stored in arbitrarily named folders scattered about on
> numerous machines. Copyright or software licensing issues aside, having
> even mildly pornographic images or off-color jokes stored on your system can
> easily lead to charges of sexual harassment and some hefty financial
> settlements. Systematically preventing users from saving files on their
> workstation's local hard drive and forcing them to save those files in a
> personal directory on a centralized server where they can be easily reviewed
> can go a long way towards solving these problems or preventing them
> altogether. The notion that users have some kind of a right to privacy
> regarding email or other files stored on a corporate computer system is no
> more than a fantasy (at least in the United States). This is as it should
> be. If the courts ever extended the right to privacy to corporate systems
> they would effectively outlaw secure systems in the process. Perhaps it's
> just me, but it also seems just a little absurd to suggest that an
> organization can be held liable for the contents of their systems, if you
> are then going to turn around and prevent them from policing those systems!
>
> Systematically forcing users to save all of their information to a
> centralized server is an effective and inexpensive means of addressing all
> of the above issues. It lends itself very well to the task of documenting
> and auditing mission critical procedures (thus ensuring they are actually
> getting done in a proper and consistent manner) and can help show that you
> have met the standard of "due care" if you ever wind up in a courtroom
> because sensitive information was somehow compromised.
>
>
> Can you save a document to a floppy diskette or other type of removable
> media?
>
> The presence of user accessible removable media on a workstation is totally
> inconsistent with the concept of a secure environment (and a sure sign that
> PCM is alive and well within the organization). It is like drilling
> hundreds of holes in a water bucket and then expecting that bucket to
> somehow hold water. How on earth can you expect to control the flow of
> information when any user with access to a workstation can copy whatever
> they want to a floppy diskette? How can you have security if you cannot
> control the flow of information? If users have access to removable media on
> their workstation it is entirely possible that as you are reading this a
> great deal of sensitive information is scattered about on unprotected floppy
> diskettes in desk drawers, automobiles, homes, purses, briefcases, and just
> about anywhere else people tend to leave things. This is particularly true
> if you rely on users to back up their "personal" files. The presence of
> removable media on a workstation provides the dishonest employee with a very
> easy method of smuggling large amounts of information out of the building
> that is virtually impossible to detect (unless of course you plan on
> strip-searching all of your employees as they leave the building).
>
> The days of sneaker-net in the corporate environment are long gone. There
> is almost always a more secure network-based solution available to a user
> who may need for some reason to move information from one system to another.
> You should therefore very carefully scrutinize, with an automatic bias
> towards denial, any request made by a user to move information from your
> network (a controlled environment), to removable media (an uncontrolled
> environment). In the rare event such a request must be granted, it should
> be accomplished in a strictly controlled manner, at a predetermined
> location, with administrative oversight and auditing (in this case a logbook
> entry showing the type of information that was transferred to removable
> media, who made the transfer, the reason for the transfer, who authorized
> the transfer, date and time of the event, and who was given custody of the
> media).
>
>
> Can you open a document that resides on a floppy diskette or other type of
> removable media?
>
> If users are able to read from removable media on their workstations, it is
> a safe bet they are able to install or execute programs, especially if those
> programs do not need to modify the registry or access shared code in order
> to run. While the user may be well intentioned, the same is not necessarily
> true of the programmer who created the software they are running. There are
> a number of readily available programs on the Internet that appear to be
> useful or entertaining but, when loaded on the workstation by an otherwise
> innocent user, will enable an unknown third party to bypass your firewall
> and gain covert access to your network from a remote location. It is naïve
> and foolish to believe that users are above being suckered into running a
> hostile program. Ask yourself what happened within your organization when
> the Melissa, Love Bug, or Anna Kornikova viruses made their rounds.
>
> The ability to run unauthorized programs from removable media will, in some
> instances, enable users to easily bypass restrictions imposed by folder and
> file permissions. There is little point in denying access to a program on
> the workstation hard drive if the user can simply run the same program from
> a floppy diskette. While not particularly feasible for large applications,
> there are many small administrative utilities used for network discovery
> (and hacking) resident on the workstation that fit into this category.
> There are also several small programs readily available on the Internet that
> will grant a user administrative status on the local workstation without
> leaving a trace. A user with administrative access to the local workstation
> is just a few simple steps away from gaining "domain admin" or being able to
> steal other users' passwords.
>
> The bottom line is that you essentially have no idea what is running on a
> given workstation or how it might be affecting your network when users can
> load programs in an uncontrolled manner. There is no security if you cannot
> define and control your environment. It is impossible to define and control
> the universe when any user can make arbitrary changes to the definition.
> Eliminating removable media from your environment will greatly increase your
> ability to control the flow of information and protect confidentiality, will
> help to prevent users from loading unauthorized programs, and, as an added
> bonus, reduce the cost of a workstation by about one hundred dollars (not to
> mention the money saved by not having to purchase the removable media
> itself).
>
>
> Can you boot your workstation from a floppy diskette?
>
> You can easily test this by inserting a blank diskette in the floppy drive
> and then restarting the workstation. If a message appears on the screen
> informing you that an operating system could not be found, or the floppy
> drive light stays on for more than a few seconds before finally booting, the
> workstation has probably been configured to boot from a floppy diskette. If
> this is the case then anyone can get to anything on that workstation
> regardless of the operating system or any file permissions by simply booting
> to DOS and using a disk editor to search for and read (or copy to a floppy)
> whatever may be of interest. More importantly, there will be no way to
> detect or capture an audit trail of this activity. Operating systems such
> as NT do not react well to boot sector viruses. Notwithstanding the idea
> that removable media is a very bad idea in a secure environment, CMOS should
> be set to boot the system from the hard disk only in order to prevent
> boot-sector viruses from trashing your system.
>
>
> Do you have access to the Internet from your workstation?
>
> Security is about defining and controlling your environment. Connecting a
> mission critical production network to the Internet is inconsistent with
> this goal and is an inherently very dangerous thing to do. This is not to
> suggest that you cannot take advantage of the Internet for inter-company
> network traffic or communications, such as e-mail, with "outsiders" (which
> we will discuss later on).
>
> First of all, is there really a pressing business need for all employees to
> have Internet access? Many organizations feel that Internet access for all
> of their employees is critical to success. The evidence strongly disagrees.
> I have evaluated audit trails from several very large organizations (10,000
> plus users) and have consistently found that, on average, 90% or more of the
> accesses made to the Internet by employees were clearly not work related.
> Essentially, these organizations were paying in a number of subtle ways,
> such as increased infrastructure costs, slow response times, lost
> productivity, and higher maintenance costs, just for their employees to play
> on company time! Much of the work related activity was questionable in that
> most of it could have been accomplished by setting up a web-server on the
> internal network and then placing the relevant information there. Arguments
> in favor of Internet access for all may be well intentioned and honest, or
> they may be just another symptom of PCM. The audit trail will tell the
> truth, and one test is worth a thousand expert opinions.
>
> Letting employees play on the Internet may be a perk that you want to offer.
> If this is the case, why not set up terminals in a break room or some other
> place and let people access the Internet from an isolated machine via a
> company funded dial-in account? If you scrounge parts from old workstations
> and use any one of the readily available free ISPs, you can set up ten or
> twenty workstations for very little cost (WOW, an Internet café at work, how
> cool is that?). Removing Internet access from the privacy of a cubicle to a
> more public place will cut down on abuse and the amount of work time wasted.
> Another added advantage of this approach is that it helps to isolate
> inappropriate employee activity from the organization. There is no need to
> risk your business in order to give employees a perk. The same holds true
> for computer and network technicians. Security is not about saying "NO!" to
> new ideas and technologies. It is about finding a safe way to implement
> them and thereby minimize risk to the organization.
>
> The risks are many and the consequences can be serious. Employees are
> likely to download software to the workstation. This raises all of the
> issues outlined above when employees can load software from a floppy disk or
> CD ROM. It also adds additional and unnecessary risks. When your employee
> goes to an x-rated or other inappropriate web site, that site knows where
> the request came from. If the site chooses to make your access to their
> server public knowledge, and they are entitled to do so, it can be very
> embarrassing to the organization (especially if you are in the public
> sector - "Your hard earned taxes are paying - choose your agency - feds to
> browse child pornography on the Internet - film at eleven!"). Inappropriate
> messages, posted to Usenet newsgroups by your employees, can be
> intentionally misconstrued as the "official" position of your organization.
> This could lead to embarrassment, lawsuits, and hefty financial settlements.
> Even well meaning newsgroup postings can have unintended consequences. They
> can give an adversary easy access to an enormous amount of information about
> your infrastructure. Go to "Google" and do a news group search for messages
> originating from the .gov domain. Many of the addresses are obviously
> forged; however, many are from legitimate government sites asking for help
> with various software, hardware, and operating systems. You would be
> surprised how much sensitive information is given away in the original
> posting, and how much more you can get by engaging these people in
> conversation, under the pretext of trying to help them solve their problem.
> The problem is that most people are friendly and do not expect others to be
> targeting them. Without question, the Internet is an excellent resource for
> help. Protect yourself by asking for help using an account not connected to
> the organization.
>
>
> Can you send and receive e-mail outside of the organization?
>
> Each user with Internet access increases the risk of an attacker gaining
> covert entry to your system (or that confidential information will be made
> public). The Melissa virus, for example, infects Microsoft's Word global
> startup template (normal.dot), after which, any document created by the user
> is infected with the virus and emailed to the first fifty recipients defined
> in their Outlook mailing list. If any one of those first fifty entries
> happens to be a group (which could consist of several hundred people or even
> everyone within the organization as in an "all employee" group), Melissa
> then mails the infected document to everyone within that group. If any of
> the first fifty entries belong to someone outside of the organization there
> is no telling where the document will finally end up, how many people will
> have read it, or what they will eventually do with that information. Think
> about the documents stored on your workstation. What might be the
> consequences if they were to show up on the Internet tomorrow? You might
> think that it would never happen to you but if Melissa infected your
> organization, it probably already has. Melissa generated millions of
> e-mails and each one had a document attached. Did anyone within your
> organization even think to analyze the documents (sent items folder on each
> infected workstation) infected by this virus to determine their contents and
> where they may have gone?
>
>
> Can you make changes to your workstation's network configuration or access
> sensitive security files?
>
> Make sure you have a few blank floppy diskettes available. If using NT, left
> click on the start button and then select RUN from the pop-up menu. Enter
> RDISK in the dialog box and then click on OK (if you are using Windows 2000,
> left click on the start button, select programs, select accessories, select
> system tools, and then select backup). Follow the instructions for creating
> an Emergency Repair Disk.
> If the workstation does not have a floppy drive, or it has been disabled,
> right click on the Start Button, select Explore, and then go to
> C:\WINNT\REPAIR. Highlight all of the files within this folder and try
> copying them to C:\TEMP. If either of these tests were successful you have
> just confirmed that any user can obtain a copy of the workstation's backup
> security files. Running a password cracker (and there are some very good
> ones freely available on the Internet) will more than likely yield the
> passwords for most, if not all, of the local accounts on the machine. Any
> user who can gain access to the administrative account on a workstation is
> but a few very simple steps away from capturing a domain administrator's
> account.
>
> Left click on the start button, select settings, select control panel. Here
> you will find a collection of applets designed to configure many different
> aspects of the workstation's mode of operation. Some have no security
> implications while others can have a profound impact. Try clicking on each
> of these applets and wandering through whatever tabs they have to offer. If
> any of the data fields on a given page are changeable (not grayed out) by a
> normal user, you may, depending on the application and parameter, have a
> very serious problem on your hands. I have been a little vague here simply
> because there are significant differences between NT and Windows 2000 with
> regard to the contents of the control panel folder (and I have no way of
> knowing how the workstation was configured during the installation process).
> What you are looking for are applications that imply the ability to add or
> delete hardware, add or delete software, change network or Internet
> settings, configure the system, or access administrative tools. The
> questions you should be asking yourself as you wander around are "should a
> user be able to change this setting?" "Under normal circumstances would a
> user need to change this setting in order to accomplish their assigned
> duties?" and "have I ever needed to change this setting?"
>
> Left click on the start button and then select Run. Try executing any of
> the following programs: rdisk, rasadmin, regedit, regedt32, dcomcnfg,
> ddeshare, ginasetup, inetins, cmd or musrmgr. All of these programs have
> security implications and should be restricted to administrators unless
> there are compelling reasons to do otherwise. I should point out that these
> are by no means the only files that you need to be concerned with, only a
> random sampling taken for the purpose of giving you an idea of what may be
> available to your users.
>
>
> Do you have an active USB port?
>
> Another commonly overlooked source of information leakage is the USB port.
> Many vendors offer devices, about the size of your thumb, that function the
> same as a disk drive when plugged into the USB port. These drives offer as
> much as 256Mb of storage for as little as $400.00 and provide an extremely
> difficult to detect method of smuggling large amounts of information.
>
>
> Are you using Windows 95 or 98 as the operating system of choice on your
> workstations?
>
> Many organizations use Windows 95 or 98 as the workstation client and set it
> up to access information on a "secure" host via some type of emulation
> software. Because the host may be running a secure operating system, and
> applications on the host require identification and authentication prior to
> granting access, they believe their network to be fundamentally secure.
> Nothing could be further from the truth. All the attacker need do is to
> download and install a keystroke logger on the workstation. This will
> enable them to easily capture any account names and passwords needed to
> access the "secure" host.
>
>
> Based on my experience over the past twenty years, I would be willing to bet
> that you answered in the affirmative to most, if not all, of the above
> questions (you are definitely in a very small minority if you were able to
> answer "no" to all of them). From a security perspective, you are in
> serious trouble if you are not a member of that very small minority. You
> are essentially running a system that cannot ensure the confidentiality,
> integrity, or availability of information or other critical resources. Any
> security that you may think you have is nothing more than an illusion. If
> it is any consolation at all, many major corporations and government
> agencies have paid serious money for certified professional security
> analysts to perform on-site security evaluations, penetration tests, port
> scans, password cracks, etc., and are now sitting in the same boat that you
> are! If you have recently paid for a formal risk assessment you may want to
> compare the issues documented within the analyst's final report to the
> results of the experiments that you have just conducted. It would seem
> reasonable to expect that if I could help you identify numerous and serious
> vulnerabilities without ever having seen your system, those same
> vulnerabilities would have been readily identified and documented by someone
> who had performed an on-site evaluation (unless of course my hypothesis of
> mass incompetence caused by PCM has some merit after all).
>
> Obviously I don't know a thing about the specifics of your particular system
> and a few superficial questions do not a meaningful risk analysis make.
> There may also exist within your organization extenuating circumstances of
> which I have no way of knowing about; however, if you answered in the
> affirmative to any of the above questions I would strongly suggest that you
> take a good long hard look at your security program. You may even want to
> start asking yourself what exactly it is that you are paying for!
>
>
> Lohkee!
>
>
blah
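The repair-directory, administrative-tool and removable-media checks that the quoted post walks through by hand can be run read-only from a standard user account. The script below is an added example, not part of the original post or its author's work; it assumes PowerShell 5.1 or later on a current Windows release (the NT 4.0/2000-era tools the post names, such as rdisk and musrmgr, will normally be reported as absent) and treats %SystemRoot%\repair as the directory the post refers to as C:\WINNT\REPAIR.

```powershell
# Added example (not from the original post). Run as a normal, non-admin user;
# it only reads ACLs and directory listings and changes nothing.

# Identities that the post would regard as "normal" users having access.
$BroadIdentities = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

function Get-BroadAllowRules {
    # Allow ACEs on $Path that are granted to the broad identities above.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return @() }
    @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $BroadIdentities -contains $_.IdentityReference.Value
    })
}

function Test-RepairDirectory {
    # The post's test: can this user list (and therefore copy) the backup
    # security files under the repair directory?
    $repair = Join-Path $env:SystemRoot 'repair'
    $readable = $false
    if (Test-Path -LiteralPath $repair) {
        try {
            Get-ChildItem -LiteralPath $repair -Force -ErrorAction Stop | Out-Null
            $readable = $true      # listing succeeded under this account
        } catch { $readable = $false }
    }
    [pscustomobject]@{
        Path       = $repair
        Exists     = (Test-Path -LiteralPath $repair)
        Readable   = $readable
        BroadRules = @(Get-BroadAllowRules -Path $repair |
                       ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" })
    }
}

function Test-AdminTools {
    # The programs the post says "should be restricted to administrators".
    param([string[]]$Tools = @('rdisk','rasadmin','regedit','regedt32','dcomcnfg',
                               'ddeshare','ginasetup','inetins','cmd','musrmgr'))
    $exec = [System.Security.AccessControl.FileSystemRights]::ExecuteFile
    foreach ($tool in $Tools) {
        $cmd = Get-Command "$tool.exe" -ErrorAction SilentlyContinue
        if (-not $cmd) {
            [pscustomobject]@{ Tool = $tool; Present = $false; Path = $null; BroadExecute = $false }
            continue
        }
        # Does any broad identity hold ExecuteFile on the binary itself?
        $canRun = @(Get-BroadAllowRules -Path $cmd.Source |
                    Where-Object { ($_.FileSystemRights -band $exec) -ne 0 }).Count -gt 0
        [pscustomobject]@{ Tool = $tool; Present = $true; Path = $cmd.Source; BroadExecute = $canRun }
    }
}

function Test-RemovableMedia {
    # Win32_LogicalDisk DriveType 2 = removable disk (floppy, USB stick), 5 = CD-ROM.
    Get-CimInstance -ClassName Win32_LogicalDisk |
        Where-Object { $_.DriveType -in 2, 5 } |
        Select-Object DeviceID, DriveType, VolumeName
}

# Report, in the order the post asks its questions.
'== Backup security files (repair directory) =='
Test-RepairDirectory | Format-List
'== Administrative tools reachable by this user =='
Test-AdminTools | Format-Table -AutoSize
'== Removable media present =='
Test-RemovableMedia | Format-Table -AutoSize
```

A workstation that matches the post's recommendations reports Readable = False with no broad rules on the repair directory, BroadExecute = False for every tool that is present (or the tool removed or blocked by policy), and an empty removable-media table.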