[NCLUG] Re: Who uses SUDO on production machines?

John L. Bass jbass at dmsd.com
Tue Mar 20 08:24:59 MDT 2007


Sean Reifschneider <jafo at tummy.com>:
> There was a time when I probably would have thought this.  Now if I were to
> see it I would imagine that there are some sort of external auditing
> requirements due to the environment, something like sarbox.

When I started in this business nearly 40 years ago, most, if not all, critical
company records were paper. That paper had very clear controls from the mail room,
to local handling and storage (in the form of specific people, offices, and locked
files), to archival and disposal. Documented processes generally made loss prevention
and controls relatively easy, as most documents were accessible by a clearly defined
very small number of people.

For larger companies, some high volume records were computer-maintained, in the form
of payroll records, inventory, sales, and customer files. Those records, and the paper
reports printed from them, still had very specific security controls designed to
protect the company from unauthorized disclosure. Common strategies included list seeding
where dummy records were inserted into the database, reports, and backups so that if
the data was stolen and used, it would trigger a response from the loss prevention
and control team, resulting in prompt injunctions and criminal action. This tagging was
necessary both to determine the source of the theft, and track the loss for each particular
theft for potential recovery. It was also not uncommon to tag high value paper reports
with a hidden serial number by coding the data and/or white space uniquely for each copy
of the report in a way known only to an IT manager and the loss control officer. Thus
when a sales or marketing person stole a customer list, its use would likely result in
a telephone call or letter to the seeded "customer" which would trigger legal action.
Ditto for employee lists handed to an agency or competitor, as contacting the dummy
employee would trigger similar actions. Ditto for high value inventory where seeded
stock numbers would point to specially tagged inventory with loss control alarms.

Those paper records are now largely electronic, on servers, and computer media/networks/etc.,
and frequently lack the physical and personnel controls that are easily preserved with paper.
This has unnecessarily included some, if not all, IT personnel in security critical roles
that are frequently very high responsibility and risk when the electronic systems are not
designed from the ground up with broad security foundations, particularly loss prevention
and control functions, designed into both the physical and electronic systems.

The tracking systems placed on these servers are meant to track all company use, including
IT staff.

What is frequently missing in these electronic systems are equivalent electronic controls
to mirror the previous paper controls, so that disclosure is clearly limited to only the
need to know staff ... particularly NOT IT and computer operations staff. Frequently lacking
are active loss prevention and control activities enabling the identification and tracking of
specific thefts. The lack of these controls unfortunately places a unique burden on IT staff,
and offers unique opportunities for IT staff to commit thefts that were previously impossible
by those staffs.

What is needed today is for more companies to rethink security policies and practices to
remove clear text access from these staffs, and start tagging the data so that losses can
be easily noticed and tracked.

John
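
[Editor's added example, not part of John's message or any NCLUG code.] The two
loss-control techniques described above, seeding a list with dummy "canary" records
and hiding a per-copy serial number in the white space of a report, are simple to do
electronically. The following Python sketch shows both: canary rows are inserted at
key-derived positions, each issued copy of a report gets a 16-bit serial encoded as a
trailing space or tab on every line, and a leaked copy can be mapped back to the person
it was issued to. The customer data, the canary addresses, the 16-bit serial and the
space/tab encoding are all assumptions chosen for the example.

```python
"""Seeded canary records and per-copy whitespace serials for a customer list.

Illustrative code added for this page; it is not from the original post.
The record layout, the 16-bit serial and the space/tab encoding are assumptions.
"""
import hashlib
import hmac
import secrets

# Constructed sample data, not real customers.
CUSTOMERS = [
    ("Acme Widgets", "orders@acme.example"),
    ("Blue Harbor LLC", "buyer@blueharbor.example"),
    ("Cobalt Supply", "purchasing@cobalt.example"),
]
# Constructed canary records: contacts that exist only to be reached by a thief.
CANARIES = [
    ("Dunmore Trading", "dunmore-x71@canary.example"),
    ("Ember Labs", "ember-k22@canary.example"),
]
# Constructed 20-line report body (the serial scheme needs at least 16 lines).
REPORT = [f"row {i:02d}: {CUSTOMERS[i % len(CUSTOMERS)][0]}" for i in range(20)]

SERIAL_BITS = 16


def seed_records(records, canaries, key):
    """Return records plus canaries, inserted at HMAC-derived positions so the
    dummies are not simply the first or last rows of the list."""
    out = list(records)
    for i, canary in enumerate(canaries):
        digest = hmac.new(key, f"canary:{i}".encode(), hashlib.sha256).digest()
        out.insert(int.from_bytes(digest[:4], "big") % (len(out) + 1), canary)
    return out


def find_canaries(leaked_records, canaries):
    """Canary addresses present in a leaked list: proof the list came from us."""
    canary_emails = {email for _, email in canaries}
    return sorted(email for _, email in leaked_records if email in canary_emails)


def watermark_report(lines, serial):
    """Tag a copy: line i carries bit i % 16 of the serial as trailing
    whitespace (a space for 0, a tab for 1), repeating down the report."""
    if not 0 <= serial < 1 << SERIAL_BITS:
        raise ValueError("serial out of range")
    bits = format(serial, f"0{SERIAL_BITS}b")
    return [line.rstrip() + (" " if bits[i % SERIAL_BITS] == "0" else "\t")
            for i, line in enumerate(lines)]


def recover_serial(lines):
    """Read the serial back from a copy. Returns None when the copy is too short,
    has had trailing whitespace stripped, or gives conflicting bits (re-wrapped)."""
    if len(lines) < SERIAL_BITS:
        return None
    votes = [[0, 0] for _ in range(SERIAL_BITS)]
    for i, line in enumerate(lines):
        if line.endswith("\t"):
            votes[i % SERIAL_BITS][1] += 1
        elif line.endswith(" "):
            votes[i % SERIAL_BITS][0] += 1
        else:
            return None
    if any(zero and one for zero, one in votes):
        return None
    return int("".join("1" if one else "0" for _, one in votes), 2)


def issue_copy(lines, recipient, registry):
    """Hand out a uniquely tagged copy and record who got which serial.
    The registry is the secret the loss-control officer keeps, not the copy."""
    serial = secrets.randbelow(1 << SERIAL_BITS)
    while serial in registry:
        serial = secrets.randbelow(1 << SERIAL_BITS)
    registry[serial] = recipient
    return watermark_report(lines, serial)


def identify_recipient(leaked_lines, registry):
    """Map a leaked copy back to the person it was issued to, or None."""
    serial = recover_serial(leaked_lines)
    return registry.get(serial) if serial is not None else None


if __name__ == "__main__":
    registry = {}
    seeded = seed_records(CUSTOMERS, CANARIES, b"constructed-key")
    copy_for_sales = issue_copy(REPORT, "sales-rep", registry)
    print("canaries in leaked list:", find_canaries(seeded, CANARIES))
    print("leaked copy issued to:", identify_recipient(copy_for_sales, registry))
```

Two practical caveats: the whitespace serial survives copy and paste into plain text
but not a reformat or a tool that strips trailing spaces, which is why recover_serial
refuses to guess on a stripped or re-wrapped copy rather than return a wrong name; and
the serial-to-recipient registry (like the list of canary addresses) has to be held by
the loss-control side, away from the operations staff whose copies it is meant to trace.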


