security for large sites

Ted Wojcik wojcik at crl.dec.com
Thu Sep 27 04:05:38 AEST 1990


In article <8611 at fy.sei.cmu.edu>, df at sei.cmu.edu (Dan Farmer) writes:
|> 
|>    Yes, it's the "S" word.  I know you don't want to think about, much
|> less talk about it.  But I'd like to hear what you do at your site about
|> security.  Problems and solutions that you have dealing with multiple
|> architectures, getting security patches out to all of your machines, security
|> audits and auditing software, etc.
........
|> 
|>  dan
|>  df at sei.cmu.edu

Actually Dan, while I suspect that it's more of a reflection of the type of
organization that owns them, IMHO large systems have more severe security
problems than small Unix systems just because of the scale.  Unfortunately,
the relative lack of security in Unix-based systems has scaled up poorly to
large installations, either mainframe or many-workstationed.  In other words,
scaling up the size has magnified the problem.  Somewhere along the line
though, there was a non-linearity that messed up the scaling so that just
doing more of what you were already doing didn't hack it anymore.  I think that
in the same way you cannot test for the absence of bugs, (only the presence)
you cannot test for a secure system.  You only get secure (or bug-free) systems
by design.  Since Unix-based systems were designed to be fairly non-intrusive
security-wise, it's damned near impossible to get any satisfactory security
added on.  In general, I've found that corporate security folks don't care
that you have no tools - they just want a secure system - whatever that is -
which you can't demonstrate to them to their satisfaction.  I've
got COPS but by itself COPS isn't sufficient.  My user community considers that
security is my problem and they aren't interested in any more security - until,
of course, we get broken into - then it hits the fan.  On the other hand, my
user community wants to give access to anyone who asks.  In a large
organization, it's a problem just to get informed when someone leaves the
company, never mind that they've been transferred to Nome, AK and won't be
needing their account.  It's also tough to get everyone to agree to allow an
inactive account's files to be deleted.  Someone usually wants to "just keep it
around, just in case".  Under these circumstances, even the best managed system
will get out of control and leave lots of windows of vulnerability open.

A couple of thoughts:  Computer accounts need to be kept track of just like
machine tools are in a machine shop.  When someone is terminated, the systems
administrator should get notified just like payroll, and the tool crib, etc.
This gets accounts closed before an angry (ex)employee can delete the payroll
database.

Second, directory trees ought to get archived when the account is closed.  This
might keep any viruses or worms from activating.  (Yes, I know that
sounds paranoid. So what?  IMHO computer security is an exercise in applied
paranoia.)  You say Joe used to work on the Payroll system?  Did anyone audit
the changes made to the payroll programs?  No?  How do you know that he didn't
put a timebomb into the payroll system that activates when his employee number
disappears from the data?  You don't.  You pays your money and you takes your
chances - a poor bet.

Network connections are difficult to control in a secure way.  My
current opinion is that security in a networked environment
is a dangerous fiction.  Show me a connection and I'll show you a loophole.
Security isn't something you add on, it has to be designed into the
organizational and computational systems we use.  Further, you've got to have
policies and procedures and those procedures have to be followed - every time,
to the letter, no exceptions or they're useless.  Unfortunately, people are
human and do make mistakes, which makes it tough to guarantee security.

Summary: many organizations haven't yet internalized that information systems
are just as valuable as physical things and require more care to ensure
that they continue to operate and the data contained therein is correct.

Adding many users and network connections to an organizational system without
adding additional checks and balances is a recipe for disaster - yet many
companies do - because they don't understand what the possible results might
be.  Companies who will chase a terminated employee to the ends of the earth
for a $25 hard hat will also neglect to tell the MIS folks that the employee
is gone and would they please disable the account - until something happens.

Fix the mindset - fix the problem.

Just my $.02

/Ted

--
 Standard Disclaimer:
 The opinions expressed above are those of the author and do not
 represent the official views of  Digital Equipment Corporation.

 Ted Wojcik, Systems Manager ( wojcik at crl.dec.com )
 Digital Equipment Corporation
 Cambridge Research Lab
 1 Kendall Sq. Bldg. 700 Flr. 2
 Cambridge, MA 02139, USA
 (617)621-6652
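The two procedures in the post above (the system administrator being told who has left or been transferred so the account can be closed, and archiving a closed account's directory tree rather than leaving it live) can be reduced to a periodic reconciliation job. The script below is an added example, not code from Ted's post or from Digital; it assumes a passwd(5)-style account list, an HR roster exported as CSV with a `login,status` header, and a table of last-login dates, all constructed inline here with made-up logins. Accounts that HR calls terminated, or that HR has never heard of, are marked for closing; accounts still on the payroll but unused for 90 days (the "transferred to Nome" case) are marked for locking and archiving. The archive step records a SHA-256 manifest of every file so that what Joe left behind can be compared later against what was deployed.

```python
"""Reconcile Unix accounts against the HR roster and archive closed homes.

Added example (not from the original post). All input data is constructed
inline; the file formats are assumptions: passwd(5) lines, an HR CSV with
a 'login,status' header, and last-login dates in YYYY-MM-DD form.
"""
import csv
import hashlib
import io
import os
import shutil
import tarfile
import tempfile
from datetime import date, timedelta

# Constructed sample data: none of these accounts or people are real.
PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
jdoe:x:1001:100:Joe Doe:/home/jdoe:/bin/sh
msmith:x:1002:100:Mary Smith:/home/msmith:/bin/sh
bkhan:x:1003:100:Bob Khan:/home/bkhan:/bin/sh
tlee:x:1004:100:Tina Lee:/home/tlee:/bin/sh
guest:x:1005:100:Visitor:/home/guest:/bin/sh
"""
ROSTER = """\
login,status
jdoe,terminated
msmith,active
bkhan,transferred
tlee,active
"""
LAST_LOGIN = {"jdoe": "1990-06-01", "msmith": "1990-09-25",
              "bkhan": "1990-03-10", "tlee": "1990-09-26"}

MIN_USER_UID = 1000   # system accounts below this are out of scope (assumed)
INACTIVE_DAYS = 90    # local policy, an assumption for the example


def parse_passwd(text):
    """Map login -> {uid, home} from passwd(5)-style lines."""
    accounts = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            login, _, uid, _, _, home, _ = line.split(":")
            accounts[login] = {"uid": int(uid), "home": home}
    return accounts


def parse_roster(text):
    """Map login -> HR status from the exported CSV."""
    return {r["login"]: r["status"] for r in csv.DictReader(io.StringIO(text))}


def plan_actions(accounts, roster, last_login, today):
    """Return {login: action} for every non-system account.

    close   - HR says terminated, or HR has no record of this login at all
    archive - still employed but unused for INACTIVE_DAYS: lock, then archive
    keep    - on the roster and recently used
    """
    cutoff = today - timedelta(days=INACTIVE_DAYS)
    plan = {}
    for login, info in accounts.items():
        if info["uid"] < MIN_USER_UID:
            continue
        status = roster.get(login)
        if status is None or status == "terminated":
            plan[login] = "close"
        else:
            seen = last_login.get(login)
            stale = seen is None or date.fromisoformat(seen) < cutoff
            plan[login] = "archive" if stale else "keep"
    return plan


def archive_home(login, home, archive_dir):
    """Tar up a closed account's home tree, write a SHA-256 manifest, remove the tree.

    Files stay available 'just in case' but nothing in the tree is left where
    a crontab, .profile or setuid program could still execute it.
    Returns the manifest {relative_path: sha256}. Symlinks are not hashed.
    """
    os.makedirs(archive_dir, exist_ok=True)
    manifest = {}
    for root, _, files in os.walk(home):
        for name in files:
            path = os.path.join(root, name)
            if os.path.islink(path):
                continue
            with open(path, "rb") as f:
                manifest[os.path.relpath(path, home)] = hashlib.sha256(f.read()).hexdigest()
    archive = os.path.join(archive_dir, f"{login}.tar.gz")
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(home, arcname=login)
    with open(archive + ".sha256", "w") as f:
        for rel, digest in sorted(manifest.items()):
            f.write(f"{digest}  {rel}\n")
    shutil.rmtree(home)
    return manifest


def demo_plan():
    """Run the reconciliation over the constructed data as of 1990-09-27."""
    return plan_actions(parse_passwd(PASSWD), parse_roster(ROSTER),
                        LAST_LOGIN, date(1990, 9, 27))


def demo_archive():
    """Build a throwaway home tree in a temp dir, archive it, report the result."""
    base = tempfile.mkdtemp()
    home = os.path.join(base, "home", "jdoe")
    os.makedirs(os.path.join(home, "bin"))
    with open(os.path.join(home, ".profile"), "w") as f:
        f.write("PATH=$HOME/bin:$PATH\n")            # constructed content
    with open(os.path.join(home, "bin", "payroll_fix.sh"), "w") as f:
        f.write("#!/bin/sh\necho placeholder\n")     # constructed content
    manifest = archive_home("jdoe", home, os.path.join(base, "archive"))
    archive = os.path.join(base, "archive", "jdoe.tar.gz")
    with tarfile.open(archive) as tar:
        members = sorted(tar.getnames())
    result = {"manifest": manifest, "archived": os.path.exists(archive),
              "home_gone": not os.path.exists(home), "members": members}
    shutil.rmtree(base)
    return result


if __name__ == "__main__":
    for login, action in sorted(demo_plan().items()):
        print(f"{login:10s} {action}")
    print(demo_archive()["members"])
```

The reconciliation deliberately treats "HR has never heard of this login" the same as "terminated": on a large site that is how guest and contractor accounts that nobody remembers creating get found. Locking the account before archiving (for example by setting the shell to a no-login shell) is left to whatever the local passwd tooling is and is not shown here.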



More information about the Comp.unix.large mailing list