Argument: Why it's not good for Executives to have IT-level access to systems/TLDNS


Comments

  • paul78 Member Posts: 3,016
    Such interesting responses... Perhaps the exec has had too many run-ins with BOFHs. There is a big difference between a business owner/exec of a 100-person company and the CEO/Exec of a 10,000-person company.

    The notion that someone in senior management is incapable of having IT skills is presumptuous.

    I see no conflict with an exec having privileged access if that individual is accountable for the outcome of the use of such access and the access is actually in use. A typical exec or senior manager typically has little reason to need access to IT systems, but there could be reasonable arguments to be made that such privilege should be made available, especially in a smaller organization where the burden of responsibility lies with the senior manager or segregation of duties is not commercially viable.

    Ultimately, if a senior manager/exec/whoever has the right to demand such access, it is not the role of the IT admin to deny it unless that admin is authorized to do so. The company is not run by IT admins.

    The idea that access to IT systems should only be available to IT admins is like saying that salary information should only be available to HR, or that financial forecasts should only be available to Finance.

    If you don't like the request, then speak with your management. If the request is coming from your chain-of-command and you really don't like the idea then your option is to start your own company or get another job.
  • the_Grinch Member Posts: 4,165
    I'd agree with sending an email confirming the request without listing anything confidential and outlining any potential risks. I'd also iterate my concerns with granting such access. BCC yourself and ask for a read receipt (in the event that you get a call instead of an email back). I'd also suggest that you speak with someone in Legal/Compliance and get them up to speed on what was requested. They have a duty to maintain the compliance and should be able to help if you're in an industry where they would need to account for this access.

    If/when the crap hits the fan, you will be able to prove due diligence and care.
    WIP:
    PHP
    Kotlin
    Intro to Discrete Math
    Programming Languages
    Work stuff
  • Deathmage Banned Posts: 2,496
    Yup, I've been writing up a document on the issues involved with giving out these access levels.

    Another thing I found out today is something that is alarming; my previous IT guy either didn't know security or something, or had an inclination that something was flaky, but I discovered a request this morning for VPN access to the network that was set up in the past, but when the firewalls were replaced before my tenure the VPN wasn't re-enabled.

    I was like ok, that seems harmless. I go and look for security measures for remote sites: none to be found.

    Basically home users were connecting without any kind of remediation and/or a rule for AV protection on these home-based clients. I nearly **** a brick and stopped what I was doing; after I got the VPN working again, I found an email from the former IT guy that has this exec in the email stating he wanted it done no matter what. I got a feeling looking deeper the previous IT guy got stonewalled into doing it....

    All these years and remote users had an open door to the network for hackers to use if they knew about it.... that hole is now closed.... VPNs are offline until a remediation process can be established.

    Now I work for the parent company but this exec is now the owner of the subsidiary company. I just had a long conversation with the owner of the company I was hired for and spelled out to him the security vulnerabilities and risks that were never brought up before. Lo and behold, the owner didn't like the cons vs the pros.

    On another flip of the coin, the owner of the company I work for gave me a valid point: if my co-worker and I get hit by a bus, where are the passwords for things? I gave him a binder with everything and he has a copy of them; outside of that fact there is no reason for the executives to have full control. Enlightened him about social engineering, phishing (had to whip out my Security+ book) and other forms of engineering to gain access.

    Moral of the story, I won't be giving them much access and I will fight tooth and nail not to give it unless I get confirmation that if their account gets compromised I'm not at fault or to blame.

    In either case, I finish up my CCNA next month and my Storage+; once that's done I'm probably going to keep my options open.
  • jamthat Member Posts: 304
    Curious, do you think your employer would have any issues with posting this stuff (vulnerabilities, management issues, etc.) on an open, easily searchable forum? It's great to start a discussion and talk about/through this stuff, but probably not with this much information, as it takes ~30 seconds to find your LinkedIn and employer...
  • Deathmage Banned Posts: 2,496
    Well now that was interesting indeed, talk about a security loophole, no idea my public LinkedIn exposed so much.

    I do my best to keep topics as vague as possible; these general security issues are found in more organizations than many know. But from an informational standpoint, from others that have overcome these types of management issues, it's a good read.
  • OctalDump Member Posts: 1,722
    paul78 wrote: »
    Ultimately, if a senior manager/exec/whoever has the right to demand such access, it is not the role of the IT admin to deny it unless that admin is authorized to do so. The company is not run by IT admins.

    This is why you need a written IT Security Policy, approved by the board. IT can refer to the policy when making the decision. In this sense the decision is actually being made by the board (on behalf of the shareholders). Sure, if it's a small company, then the owner is the shareholder is the board is God. In that scenario all you can do is offer your best professional advice, consistent with whatever legal/ethical obligations you might have.
    2017 Goals - Something Cisco, Something Linux, Agile PM
  • Mike7 Member Posts: 1,107
    Management decides.
    Understand the company's risk appetite.


    To a small business, the impact from a security breach is about a $5K loss.
    To a financial institution, the impact is more than $500K as this means loss in consumer confidence and future business.

    This security vulnerability can be fixed with a $10K commercial firewall.
    The small business will not accept your solution as it is too expensive. The bank buys 2 firewalls and sends you for training.
    For the small business, you can accept the risk or minimise the impact. Perhaps a $1K monitoring solution that alerts you immediately whenever a security breach is detected. Small business accepts your suggestion.

    Now the business opens an e-commerce portal and needs to comply with PCI DSS.

    One of the requirements is a certified firewall that costs $15K.
    To achieve PCI DSS, the business must go through an audit process.
    The company expects compliance to increase customer confidence and generate an additional 30K revenue yearly.

    From my CISM notes:
    Management is about translating business requirements into measurable results while managing risks in a cost-effective way.
    Business always wins, but business needs compliance.
    That is why we have regulations and auditors.
  • OctalDump Member Posts: 1,722
    Mike7 wrote: »
    Management decides.
    Understand the company's risk appetite.

    Two things. It depends on what you mean by "management". This shouldn't mean that a manager over-rules a policy decided by the executive and approved by legal and the board. A decent security policy will have a clear path on how to handle exceptions. Of course, many small organisations won't have these policies in place. If I were hired to do IT Security, I would be pushing for the policy and even write one up myself if needed. Without the policy in place, then depending on the circumstances, I would be ensuring that it is 'the business' making the decision and not one rogue executive, and at a minimum having a paper trail.

    There are also some legal obligations on all of us, so if you think that you are being asked to do something illegal "just following orders" might not get you out of trouble. And long term can seriously damage an IT security career.

    As you say, this is about understanding the risk and the company's position. It is up to "the expert" to make them aware of the risk, ideally in a quantifiable way. If you are hired to do IT Security, and you just say "sure, no problem" to whatever request without warning of the risks, then you aren't doing your job. The risk decision is made by whoever has the authority by whatever agreed process. All cogs in the wheel delivering value to shareholders.
    2017 Goals - Something Cisco, Something Linux, Agile PM
  • Mike7 Member Posts: 1,107
    OctalDump wrote: »
    As you say, this is about understanding the risk and the company's position. It is up to "the expert" to make them aware of the risk, ideally in a quantifiable way.

    If you are hired to do IT Security, and you just say "sure, no problem" to whatever request without warning of the risks, then you aren't doing your job.

    The risk decision is made by whoever has the authority by whatever agreed process. All cogs in the wheel delivering value to shareholders.

    I may be wrong, but I do not think Deathmage's job title is security analyst, security manager, IT auditor or anything security related. And the company probably does not have a security policy per se.

    This forum discussion did not mention illegal activities or "just following orders"; more the approach we can take if we find security vulnerabilities and risks. As in my example, the small company is willing to take the risks. Not ideal but not illegal either. Your role as an engineer is to add value; say, suggest a cost-effective solution to minimize the risk.

    The rules change if there is a new personal data protection regulation that mandates a firewall, the small company does not comply and tells you to lie to the auditor. From a professional and ethics standpoint, you will do the right thing.

    So now we have regulations, auditors and IT ethics.
  • paul78 Member Posts: 3,016
    @Mike7 and @OctalDump - seems to me that you are both actually agreeing but just using different words.

    @Octal - you mentioned legal obligations on the individual. I'm curious if that is something specific to Australian law. In the US, that doesn't apply - there is a doctrine (can't remember the Latin words) that essentially holds an employer liable for employee actions performed as part of the employee's scope. It is only when a frolic/detour is committed by an employee that an employer would be released from liability.
  • Cyberscum Member Posts: 795
    ...This is interesting, tell us more ;)
  • paul78 Member Posts: 3,016
    Cyberscum wrote: »
    ...This is interesting, tell us more ;)
    About respondeat superior? - I looked up the Latin phrase that I couldn't remember. I'm glad someone else finds tort law interesting besides me. Here's a decent explanation on Wikipedia for those interested - https://en.wikipedia.org/wiki/Respondeat_superior - and a pretty decent explanation here - Employer Liability: Respondeat Superior Doctrine | Hoosier Litigation Blog by Pavlack Law, LLC

    I don't mean to take the thread off on a tangent, but @Mike7's point that "Management decides the risk appetite" is a more eloquent way of stating my original post. And it's management that bears the legal responsibility.
  • Mike7 Member Posts: 1,107
    paul78 wrote: »
    I don't mean to take the thread off on a tangent, but @Mike7's point that "Management decides the risk appetite" is a more eloquent way of stating my original post. And it's management that bears the legal responsibility.

    Glad you joined in the discussion. The example I quoted was taken right out of my CISSP and CISM study material.
    Specifically, this is the CISSP's "Security and Risk Management" and CISM's "Information Security Governance" and "Information Risk Management" domains. Assigning a dollar value to security breach loss, comparing it to the firewall implementation cost, and aligning security policy to the business strategic needs are all well covered in the chapters.

    I am glad someone pointed me in the direction of ISACA's CISM exam; it provides a perspective on the role of IT in the company. Now I know what they mean when people say IT does not understand business.
  • Deathmage Banned Posts: 2,496
    I like asking these kinds of questions, always get good answers!!!!

    To answer a statement above, I'm not a security professional at all. I just know common sense in terms of security from Security+.

    I just don't want to be blamed for an issue if one develops down the road and I'm held accountable, since I explained to them the risks but they chose to ignore them... on the basis that they are a small company and think they will never be at risk of security-based threats...

    As for firewalls, we employ the dual firewalls that are now under the Dell umbrella and they perform well for IPS/IDS/Gateway AV/Spam, to keep that information vague.
  • Cyberscum Member Posts: 795
    paul78 wrote: »
    About respondeat superior? - I looked up the Latin phrase that I couldn't remember. I'm glad someone else finds tort law interesting besides me. Here's a decent explanation on Wikipedia for those interested - https://en.wikipedia.org/wiki/Respondeat_superior - and a pretty decent explanation here - Employer Liability: Respondeat Superior Doctrine | Hoosier Litigation Blog by Pavlack Law, LLC

    I don't mean to take the thread off on a tangent, but @Mike7's point that "Management decides the risk appetite" is a more eloquent way of stating my original post. And it's management that bears the legal responsibility.

    hahahah no. I meant more information about the vulnerabilities of Deathmage's company, but thanks for the info Paul ;)
  • Deathmage Banned Posts: 2,496
    Cyberscum wrote: »
    hahahah no. I meant more information about the vulnerabilities of Deathmage's company, but thanks for the info Paul ;)

    Needless to say there aren't many left on the network. It was so very much 'ad hoc' when I arrived back in Feb.