Argument: Why it's not good for Executives to have IT-level access to systems/TLDNS

Deathmage Banned Posts: 2,496
Hey guys,

Looking for some good reasons from the security gurus as to why power-hungry executives should not have access to IT-based assets internally and externally.

Comments

  • scaredoftests Security +, ITIL Foundation, MPT, EPO, ACAS, HTL behind you Mod Posts: 2,752 Mod
    because of security reasons....for one.
    Never let your fear decide your fate....
  • joelsfood Member Posts: 1,027
    Because they're not IT staff and don't know what they're doing.
  • cyberguypr Senior Member Mod Posts: 6,885 Mod
    SANS Critical Security Control 15: Controlled Access Based on the Need to Know.

    Do said executives have a legitimate reason to access the systems or is it just a power trip?
  • E Double U Member Posts: 1,680
    Because they break stuff!
    Alphabet soup: CISSP, CCSP, CISM, CISA, GDSA, GPEN, GCIA, GCIH, GCCC, CEH, Azure Fundamentals, etc

    2020 goals: AZ-900, AZ-500, GDSA, ITILv4

    "You tried your best and you failed miserably. The lesson is, never try." - Homer Simpson
  • scaredoftests Security +, ITIL Foundation, MPT, EPO, ACAS, HTL behind you Mod Posts: 2,752 Mod
    plus a security risk. LOL
    Never let your fear decide your fate....
  • Fulcrum45 Member Posts: 605
    They can have CEO, CFO, President AND Grand Poo-bah in their job title but they still have responsibility (and accountability) to their clients/ customers. All the more reason to keep their unskilled fingers out of there.
  • scaredoftests Security +, ITIL Foundation, MPT, EPO, ACAS, HTL behind you Mod Posts: 2,752 Mod
    I would say, give them access..BUT very limited permissions to do damage.
    Never let your fear decide your fate....
  • jamthat Member Posts: 303
    I would say, give them access..BUT very limited permissions to do damage.

    And with a completely new and separate account that's tracked/audited
  • Deathmage Banned Posts: 2,496
    power hungry exec of a new branch off company. Don't feel he needs the access, he only knows keywords and talks like he knows EVERYTHING. I see his 'I know enough because I'm the owner' mentality is just problematic.

    Thinking of giving him limited access like suggested above..

    This is the same exec that has the keys to TLDNS and won't give IT access that needs it.
  • Params7 Member Posts: 254
    I have known owners like that. Power hungry, keeping everything close to the chest instead of delegating authorities and letting the experts handle it. The companies that they run will never really see much expansion.
  • Cyberscum Member Posts: 795
    I would say that an exec level needs access to critical areas of an org.

    Having said that what “IT based assets” are you speaking of?

    CEO and all C level execs should have role based permissions from the start.

    We would need more information to give a detailed response.
  • datacomboss Member Posts: 304
    Some of those executives don't just want role-based access. They want "admin" access. At some point their power trumps any calls for security best practice. In the few cases that I've had to do this for clients I make sure I have them sign a disclaimer as I consider the system compromised at the point of giving them said rights.
    "If I were to say, 'God, why me?' about the bad things, then I should have said, 'God, why me?' about the good things that happened in my life."

    Arthur Ashe

  • Cyberscum Member Posts: 795
    Some of those executives don't just want role-based access. They want "admin" access. At some point their power trumps any calls for security best practice. In the few cases that I've had to do this for clients I make sure I have them sign a disclaimer as I consider the system compromised at the point of giving them said rights.

    A CEO or C level exec with admin access is a direct threat to a company. I would procure a document that lists all of the threats associated with these types of rights (insider threat) and get it signed by all stakeholders of the company. Once that happened I would give them rights and tell them to have a blast.
  • beads Senior Member Member Posts: 1,506
    D'Mage;

    First check with audit as to what GRC frameworks you may be legally liable. Many frameworks' objectives call for a separation of duties. I saw SANS critical controls listed above, that's nice. Forget SANS critical controls. Go straight to the source NIST 800 series (any and all). SANS Institute is just a rehash in this case - all information available for free. COBIT, FAIR, et al. all have similar objectives as well as PCI-DSS. Just mention legal liability, fines and recently added jail time as the sentencing guidelines have recently changed. Just ask the former CFO of a now defunct healthcare system in Texas. Gentleman single-handedly put a company of 2000 out of business for financial misbehavior but a fiduciary responsibility should his exorbitantly lavish credential laden hoard be compromised.

    Makes for a tempting target. What's his name again? I promise not to tell a soul this executive is hoarding credentials against "best practices". Actually this is a best practice instead of just a good one. Pet peeve of mine. Best practices are best practiced by companies wishing to soon embarrass themselves and change their names.

    Basically it's a matter of time before you lose at the security casino.

    - b/eads
  • TheFORCE Senior Member Member Posts: 2,298
    This is very problematic. To mention a few things, not sure what type of industry or sector your company is dealing with but you should look at the compliance and regulations your industry has to comply with. That's one thing, the other thing is need to know access and separation of duties. If your job is not an IT admin, you should not have Domain admin rights. Executives are prone to phishing attacks, because of their titles and knowledge of company dealing, add to that an executive with elevated access and you have a recipe for disaster.
    Your best bet is to cite compliance, regulatory and audit issues.
  • gespenstern Member Posts: 1,243
    Technically, because of lack of security knowledge in general. Specific cases could be okay and in this case, if he's the owner, he can do whatever he wants, he can even doom his own company, right?

    Regarding security knowledge...

    According to Ross Anderson, a soceng experiment was made, in which USB thumb drives were sent to a bunch of Fortune 500 c-executives in regular mail packages, saying "your chance to attend a party of a lifetime". And 46% of those dumbasses put these thumb drives into their PCs and opened documents contained there.

    If we did the same to security personnel, I'd say, the numbers would be lower. Because security knowledge!
  • Deathmage Banned Posts: 2,496
    Hmmm....I like the disclaimer idea.

    Might write up a document and have the executive sign it and then have something binding. I do agree that the second I give access might as well give hackers keys to the kingdom.

    What would be some good points to point out in the disclaimer?

    I got a feeling they feel they can walk all over IT but once they have fault in the event of an issue I bet they won't sign it...

    Cover my own ass..
  • Deathmage Banned Posts: 2,496
    Cyberscum wrote: »
    I would say that an exec level needs access to critical areas of an org.

    Having said that what “IT based assets” are you speaking of?

    CEO and all C level execs should have role based permissions from the start.

    We would need more information to give a detailed response.

    They want sa access to SQL, access to firewalls and switches, Domain administrator access to AD and full admin access to Outlook in Office 365.

    As for IT assets, they have full control of Top Level DNS at our registrar and won't give IT access. If we need to set up a private to public address for remote services we send them an email. 9 out of 10 they send us an email asking how to do it....

    Makes me want to say choice words...

    So far I just ignore them but they are power hungry but have no clue wtf to do...
  • cyberguypr Senior Member Mod Posts: 6,885 Mod
    And you really think they'll sign anything? Good luck!
  • Codyy Senior Member Member Posts: 223
    Separation of duties... I don't come in your office acting like I know executive stuff, so don't come in mine acting like you know IT stuff.

    SA and DA access? And these guys aren't in an IT role at all? I can't imagine an executive caring about domain admin access (or even knowing what it is), even if they are on a power trip.
  • thomas_ CompTIA N+/S+/L+ CCNA R&S CCNP R&S/Enterprise/Collab Member Posts: 946
    cyberguypr wrote: »
    And you really think they'll sign anything? Good luck!

    If they don't sign anything then you can send them an email expressing your concerns about giving them access. If they're the slippery type they may talk to you in person instead of replying to the email, at which point you can send them another email and reference the conversation you had in person with them.

    I think anything said in an email is better than in person that way you have proof of the conversation to CYA in case they do mess something up.
  • netsysllc Member Posts: 479
    Another thought is that they are replacing or outsourcing IT staff, sorry to be negative but I have seen it too many times
  • Deathmage Banned Posts: 2,496
    netsysllc wrote: »
    Another thought is that they are replacing or outsourcing IT staff, sorry to be negative but I have seen it too many times

    Wouldn't even bother me. I'd just go someplace else. I get 3+ job offers a week.

    cyberguypr wrote: »
    And you really think they'll sign anything? Good luck!

    Probably not....coming from them yesterday they said and I quote after I stated that rackspace was offline for Exchange 2013 over @ status.apps.rackspace.com.

    I quote " Since the status of Exchange is all green it should still be working, if so use other forms of getting emails other than IMAP, Outlook, and others. Have all users stop using Outlook to receive emails. Make it so and get it done in the next 15 minutes...."

    I was like um...... are they seriously trying to look smart I was saying in my head, it's making them look dumb!!!......So I was like.......sure I'll go ahead and do what would take me 4+ hours for all 750+ users to change their Exchange settings on their Outlook and change it to POP3, I made it apparent to spell it out to them that IMAP has folders in Outlook and POP3 doesn't so if users freaked out when they lost their folders that I was going to be held liable....

    they didn't reply to the email....
  • tpatt100 Member Posts: 2,991
    As what has been said several times separation of duties also conflict of interest. We had to make some changes recently to avoid conflict of interest because the president of the company had direct access to the SQL server logs
  • Jasiono Member Posts: 896
    lol
    This is why we have separation of duties. What business does he have in that area? None. If he has any questions he could ask and I'm sure someone would answer him, but to me it seems like a control freak issue.

    Also, if I were an attacker, his account would be the first I attempt to gain access to because he's up there in the ladder, which could cause some serious damage if given access to everything.

    Least privilege, in my eyes, should be in effect for every single account. Only have access to the areas that are required to do your job, nothing more, nothing less.
  • Jasiono Member Posts: 896
    Deathmage wrote: »
    Probably not....coming from them yesterday they said and I quote after I stated that rackspace was offline for Exchange 2013 over @ status.apps.rackspace.com.

    I quote " Since the status of Exchange is all green it should still be working, if so use other forms of getting emails other than IMAP, Outlook, and others. Have all users stop using Outlook to receive emails. Make it so and get it done in the next 15 minutes...."

    I was like um...... are they seriously trying to look smart I was saying in my head, it's making them look dumb!!!......So I was like.......sure I'll go ahead and do what would take me 4+ hours for all 750+ users to change their Exchange settings on their Outlook and change it to POP3, I made it apparent to spell it out to them that IMAP has folders in Outlook and POP3 doesn't so if users freaked out when they lost their folders that I was going to be held liable....
    they didn't reply to the email....

    Dude.
    LOL
  • OctalDump Member Posts: 1,722
    Jasiono wrote: »
    lol
    Least privilege, in my eyes, should be in effect for every single account. Only have access to the areas that are required to do your job, nothing more, nothing less.

    Yeah, it's a no brainer. Fundamentally, this goes to issues of governance. Governance that decides how the company is run according to its legal obligations, including obligations to shareholders not to do stupid stuff like leave the front door open and all the cash on the counter.
    Ideally, no-one should have full access, and where certain things like key recovery are needed, there should be a detailed auditable log of who has done what and accessed what and who gave them permission.

    There needs to be board oversight to ensure that the company is following its legal obligations. Take PII for example, depending on how it's acquired and where the data is held, and the company holding it, there can be extremely tight limits on who has the legal authority to access it. There's also a crapton of compliance stuff when it comes to accounting and auditing. Auditors will freak out if told that "Oh, yeah, Gary has the admin account and can just change any field or value in the books, and no we don't really have a way of ensuring that there is an audit trail for access".

    Some stupid amount of company fraud is done in house by senior execs, because they are trusted.

    And when you get hacked, which accounts are they looking for? The ones with access. Some nobody guesses CEO's password and has open slather? Or worse, the CEO has the "Administrator" account used by half a dozen IT staff, so no one is sure who did what.

    The answer is to ensure that anything CAN be accessed, but that there are clear processes for granting the access per the Security Policy approved by legal and the board. All decisions by lowly IT can then be referred back to the Security Policy.
    2017 Goals - Something Cisco, Something Linux, Agile PM
  • Priston Member Posts: 999
    I could understand executives wanting access if it's a small company with a small IT department. If your whole IT department quits the same day or goes on strike, no one is left with access.

    IT "geek squad" wins $319 million Mega Millions lottery | Network World
    I wonder what would have happened if everyone in this IT department was in the lottery pool.
    A.A.S. in Networking Technologies
    A+, Network+, CCNA
  • 636-555-3226 Member Posts: 976
    You aren't going to win this battle, just let him have the access but send an email with some nightmare scenarios of what may happen if his account is compromised and your recommendation of least privilege and separation of duties. Save it as a PDF offsite. When the s hits the fan you're still going to be fired regardless since someone has to take the blame and it usually ends up being the low-level IT lackey who "should have known better." That's the way those kinds of guys operate.
  • Hammer80 Member Posts: 207
    Time to do some whale hunting