Kenneth R. van Wyk wrote:
Crispin Cowan wrote:
I completely disagree. I find the article to be timely and informative.
What Kenneth suggests (use of RBAC) will not solve the problem. First of all, RBAC is not practical to deploy in most situations; companies are still trying to cope with AV and firewalls, and just beginning to think about host and application security. RBAC is completely beyond them.
Well, my main objection to the article was its advocacy for addressing the insider threat problem simply by buying security products. I brought up RBAC simply as one example that people may consider as they seek solutions.
Whether it be role-based, or a plain old-fashioned, group/ACL sort of access control, coupled with good event logging and monitoring, I think that most sites would be better served by exploring the access control mechanisms that they currently have instead of just buying more security products. That's not to say that there aren't products that may be highly useful, but it is to say that the solutions should start with well designed and implemented access control and logging. I stand by that opinion.
I participated in a workshop on on insider attacks several years ago. We identified 2 kinds of insider attacks:
* authorized users: insiders who have access to sensitive data, and
abuse their authority by leaking it outside the organization
* non-authorized users: insiders who don't have explicit
authorization to access sensitive data, but who take advantage of
their "insider" status to exploit organizational security
weaknesses. Such weaknesses would include both weak access
controls (which Ken's RBAC suggestion would address) and otherwise
weak system and application security (which HIPS products like
Immunix would address).So we agree that more secure systems such as RBAC and Immunix do help to address the problem of insider attackers. What they don't do is address the problem of authorized insiders abusing their authority. That is where this new class of products comes in: they track the movement of sensitive organizational data by /content/ rather than by access control, and complain when content crosses a barrier that it should not.
But as I wrote before, such products, especially network-based products, will fail to detect an authorized user accessing data and then dumping it to CDR or USP memory stick and walking it out of the building in their underwear.
Because the end-game of covert channel prevention always leads to an anal cavity search :)
Crispin
-- Crispin Cowan, Ph.D. http://immunix.com/~crispin/ CTO, Immunix http://immunix.com
