Keith: As an attacker I’d go after Active Directory as my first internal thing.
Aaron: So then on to users. Number four of the DSD (Defence Signals Directorate) top four is privileged user management, so you have something that’s watching the watchers. If you don’t trust your DBAs (database administrators) and don’t give them access to everything, or don’t let them do it unfettered, unwatched and unmonitored, you’re going one step further in protecting that as well.
Sean: I’d agree with that. Police privilege computing has not got enough credibility, and Windows used to make it hard. Windows doesn’t make it hard now.
Keith: So should there ever be a domain-wide administrator? That’s a really good question. Why does one guy have access to everything?
Sean: Certainly amongst the deployments that we do for massive encryption and PKI, it’s all about separating out administrators from security officers, and even, in certain circumstances, having four eyes, that is, having a second person authorise certain actions. Because if you don’t have the privilege to pillage everything, then you can’t pillage everything. Having said that, with modern malware there’s a lot of stuff that doesn’t rely on admin privileges. That privilege escalation is nice, but with a user’s computer you can actually spear-phish within the organisation equally.
Keith: My user ID is opposed to that, because eventually they will find out where I try to get onto a system if they’re going to be successful. If they steal mine, they can log on, and once they’re in there, then they can go in there and do different things.
Sean: There’s also the element of how many people stay logged in forever to Facebook, Twitter, LinkedIn, then whatever, and ‘remember my credentials’ becoming the default. So if you’ve got that user account, then you can be that user. Every time I talk about mobile phones, the question of ‘do you lock your phone?’ comes up and people go ‘no, it’s a pain’, and so I say ‘do you ever log out of Facebook?’ No? Then when I steal your phone I will be you.
Aaron: The third part of the puzzle I was talking about is data. So you need BYOD? You’ve got to look at it in terms of structured and unstructured data. Structured data is a database, and there are certain products which are designed to look at the databases, look at the privileged users, look at the SQL protocol moving in and out of it, and what’s happening with the queries you’re doing. Is there a massive select statement that’s actually trading a whole lot of data that isn’t normal?
The other side of it is actually security which follows the document. Everyone is probably familiar with Microsoft DRM. It’s a pain to link, to federate your trust between your domain and another. There are now independent products that actually bind controls to the document, and then it doesn’t really matter where it goes: you can have a central console that can see where it goes and what device it’s on, and which user printed it or copied it, and you can restrict those sorts of controls.
Peter: Moving on from Keith’s comments as well, I also think there will be a trend to move from individual security to more collective-type security, so there’s going to be a lot more information sharing and a lot more working effectively, not just with security services, but even governments sharing much more information together. A security social network.
Sanjay: Back to SMBs: if a small business can’t have this type of conversation with their channel partner, the reseller partner, the trusted security adviser, they probably want to either encourage it or augment it, because these are the issues of today.