[NCLUG] Re: Who uses SUDO on production machines?

John L. Bass jbass at dmsd.com
Mon Mar 19 11:09:14 MDT 2007


Hi Bob,

The techie in me wants to agree with your post, as that is surely the
ideal working environment that we all strive for. And in fact, I've
managed most of the systems under my care that way over the last 35 years.

Some of the very good companies I have worked for have also been badly
burned by it, which has shifted some of my views, but not my spirit.

Good security, logging, and policies are a two-way street when the bad
apples ruin the day. In particular, they provide solid accountable and
auditable deniability for the innocent, which becomes far more valuable
than the worry over trust when violations of company security cannot
easily be pinned on the bad apples. Today, with a rampant black market
in personal data for identity theft, and insider information for market
advantage, there is considerable value in IT departments applying new
security measures on certain data and communications that previously did
not have such a high value in the market.

My first brush with this was 25 years ago, with some contractors, highly
respected in the community, removing valuable IP, documents, and communications
via their uucp connection. It took a few weeks of careful monitoring to
locate the particular individuals, and document the criminal case using
SAR data, filesystem metadata, phone records, and other resources. While
some of this turned out to be personal packratting of confidential files,
other parts of it were for clear commercial exploitation on the market.

A few years later, a similar case popped up, with an employee mining
director and VP level management emails for information to support what
was clearly illegal insider trading based on the stolen emails.

A few years later, there was a similar case where an employee was selling
company information to support a drug habit.

I dropped out of that part of the industry about 8 years ago, or I suspect
I would have seen a few more cases by now.

In the process, the systems I have set up since typically have tighter
security, clearly defined access, logging of most servers that contain
critical information, and network/email logging with long term archival
of the logging information. This policy has in return been VERY useful
in quickly clearing the innocent when problems occur.

As a consultant, I have been VERY happy with clients that use card access
systems INSIDE the building, as it has a number of times established the
alibi I've needed when after-hours thefts have been a problem at the site.

So, I've come to believe that good physical and data logging are more than
equally valuable to the innocent, and greatly help clear the air when the
bad apples are fouling the air with distrust.

With the increase in identity theft and insider information sales, based
on corporate data, it is probably very much in most IT departments' best
interest to install auditable and accountable long-term archival of well
placed tracking data for both physical and computer accesses.

Otherwise, you are likely to find yourself craftily framed for an information
theft with some carefully placed emails and bank accounts opened in your name.

John
