Thread: Cablegate
Posted to rec.crafts.metalworking
Ignoramus13150

On 2010-12-02, Pete C. wrote:
>
> Jon Elson wrote:
>>
>> On 12/01/2010 07:36 PM, Ignoramus24652 wrote:
>>>
>>> 6. I see the theft of hundreds of thousands of confidential cables, as
>>> an IT and computer security disaster of shocking magnitude.
>>
>> Yeah, this stuff is all supposed to be on a "need to know" system.
>> Any decent IT department ought to be able to figure out how to track
>> access, and if any one person or site is downloading too many files,
>> they should ask what is going on. It might be legit, somebody who HAS
>> need to know doing some research, but it is a SURE red flag that needs
>> to be checked. This guy apparently downloaded WAY more than anyone
>> could possibly read. And, apparently, the guy did NOT have the required
>> clearances.
>>
>> Jon
>
>
> Where I work we have quarterly access reviews where the managers
> responsible for a given area have to review the list of users with
> access to those systems and confirm if that access is correct and still
> required. This is in addition to similar required audits for various
> applications.
>
> It's not a perfect process and has some issue now and then with
> independent auditors just requesting reports of the needed data be
> generated by us, where we are highly privileged users and this really
> violates the separation of control concept, vs. the auditors extracting
> those reports themselves after we've given them sufficiently privileged
> accounts to do so.
>
> Beyond all of that there are audit logs and session logs that can be
> used to identify who accessed what and when, since you can still have
> instances of people who do have a legitimate access requirement doing
> illegitimate things.
>
> I would certainly agree that these leaks show a shocking level of
> security issues in an environment which should have even tighter
> controls than the one I deal with.


I can kind of, sort of, understand that most government IT guys were
not exactly top dogs in computer security, deterrence, audits etc.
Just being there 9-5 to collect a modest salary and good benefits.

What kind of upsets me is that apparently, no one there, of all the
employees, could consider this and suggest improvements to their
superiors.

i
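
The check the thread describes (track access from the audit logs and ask questions when one account downloads far more than its peers) can be sketched as follows. This is an added example, not part of the original posts; the log line format, the user and document names, and the `factor` and `floor` thresholds are assumptions, and the log is constructed. A flagged account is a prompt for review, since the volume may turn out to be legitimate research.

```python
import re
from collections import defaultdict
from statistics import median

# Assumed log format: "<ISO timestamp> user=<id> action=<verb> doc=<id>"
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ user=(?P<user>\S+) "
    r"action=(?P<action>\S+) doc=(?P<doc>\S+)$"
)

def distinct_docs_per_user_day(lines):
    """Map (user, day) -> set of distinct documents downloaded that day."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and m["action"] == "download":   # skip views and unparsable lines
            seen[(m["user"], m["day"])].add(m["doc"])
    return seen

def flag_bulk_readers(lines, factor=10, floor=50):
    """Return [(user, day, count, baseline)] for user-days whose distinct
    download count exceeds both an absolute floor and factor x the median."""
    counts = {k: len(v) for k, v in distinct_docs_per_user_day(lines).items()}
    if not counts:
        return []
    baseline = median(counts.values())        # median resists the outlier itself
    limit = max(floor, factor * baseline)     # floor avoids alerts on tiny baselines
    return sorted((user, day, n, baseline)
                  for (user, day), n in counts.items() if n > limit)

def constructed_log():
    """Constructed sample: three ordinary readers and one bulk downloader."""
    lines = []
    for user, n in (("analyst_a", 12), ("analyst_b", 7),
                    ("analyst_c", 9), ("analyst_d", 400)):
        for i in range(n):
            lines.append(f"2010-11-30T09:{i % 60:02d}:00Z user={user} "
                         f"action=download doc=DOC-{user}-{i:04d}")
    # Edge cases: a repeat download, a non-download action, a malformed line.
    lines.append("2010-11-30T10:00:00Z user=analyst_a action=download "
                 "doc=DOC-analyst_a-0000")
    lines.append("2010-11-30T10:01:00Z user=analyst_b action=view doc=DOC-x")
    lines.append("garbage line")
    return lines

if __name__ == "__main__":
    for user, day, n, base in flag_bulk_readers(constructed_log()):
        print(f"REVIEW {user} {day}: {n} distinct documents (median {base})")
```
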