Security Scenario



I ran across this fairly cheesy but possibly relevant scenario and I wanted to see how you would respond.

You are a senior network administrator at a small pharmaceutical company, ABC. Late one night you receive a call at home from the chief security officer, Mark Jones, at XYZ. XYZ is an important external partner, with whom ABC frequently collaborates. You know Mr. Jones.

Mr. Jones is requesting access to a secure ABC server that contains certain documents XYZ needs to use to prepare a proposal for a contract that could be worth several million dollars to both companies. ABC is having financial problems at this time. The contract would improve ABC's quarterly financial report.

Describe how you would respond to Mr. Jones. Honest answers are welcome.

Note: I guess this could have gone under "Internet, Network & Security" but I thought I'd be safe and throw it under general discussion.


Phone me at the office, tomorrow morning ... Or get the MD and the FD to phone me personally now asking me the same thing ...

If it is important, then the big bosses will be awake !!!

Otherwise ... no go


Phone me at the office, tomorrow morning ... Or get the MD and the FD to phone me personally now asking me the same thing ...

If it is important, then the big bosses will be awake !!!

Otherwise ... no go

Exactly. You as a Network Administrator have no right to make this decision. If you were told previously to let them have access to any documents needed, that's one thing, but unless you were instructed to do it, don't.


Let's say you did have permission to allow XYZ access to those highly sensitive documents. How would you go about giving XYZ access to a secure server with sensitive documents and only allowing them to see what they need?


Let's say you did have permission to allow XYZ access to those highly sensitive documents. How would you go about giving XYZ access to a secure server with sensitive documents and only allowing them to see what they need?

Couldn't you simply create a new account for them with unique rights?


Couldn't you simply create a new account for them with unique rights?

Exactly. Create them an account with only permissions to the files he needs, and voilà, you're done.


Ask yourself this: do you know Mr Jones, or do you know of Mr Jones? It could be a bit of social engineering. If you have to verify an instruction like this, YOU should call your boss/MD on a number you already have, not accept a phone call from someone else claiming to be someone.


Couldn't you simply create a new account for them with unique rights?

Is it easy giving someone outside of your network rights on the network? How do you let an outside person in?


Is there a way to track whether a document has been viewed by a certain account and how many times? I do not think this would be necessary for this situation but I am just curious. What about ways to allow them to view a document but not make a copy onto their machine.


I wouldn't do it. Tell him you need to get the OK from the owner; that way, if it was something dodgy, you can't be blamed.

You are only a sys admin. If someone from outside your company wants access to confidential documents, you should also ask someone higher up than you.


These are some good answers. Information assurance (security) is becoming a huge industry, not that I have to tell any of you. I am thinking about getting my master's in Information Assurance from an NSA-accredited university that is also a member of the FBI InfraGard program.

I would say the same thing: first and foremost you have to have permission from all the higher-ups before giving someone from the outside access to critical information. Then there are many processes to ensure they receive the information securely and that it remains secure while it is in their hands. It's a tough, unsecured world out there.


You don't know who it is on the phone. You would need to have a meeting in person to discuss the possibilities of letting him have access.


Here is the response I came up with. Anything you would add or change?

As the senior network administrator, it is my duty to put aside the politics of dealing with other companies and financial situations and focus on my job of keeping the network up and running in a safe and secure manner. 

I would make an appointment to get a hold of him in the morning as soon as I talked to my boss. If it is truly important then my boss at ABC would be contacting me in the middle of the night to give me the go-ahead with something like this. Being the senior network administrator does not give me the ability to make judgment calls with company information. In all reality, I would be told previous to this phone call what information XYZ is allowed access to and would implement the proper network security measures to meet both companies' needs.

I would create an account for XYZ with unique rights giving them permission to only the files they need. This would allow XYZ access to needed documents during the time the two companies are collaborating. They would not be required to ask permission every time they needed access to certain information. ABC would allow them rights to all needed information. I would set up a virtual private network (VPN) connection to the server the documents are stored on. A VPN is a "private communications network usually used within a company, or by several different companies or organizations, communicating over a public network." VPNs provide for confidentiality along with authentication features and message integrity that ensures the message is received by the intended recipient the way it was meant to be sent. "When properly chosen, implemented, and used, such techniques can indeed provide secure communications over unsecure networks." [1] I would also log all network traffic through the virtual private network in order to track what information is being accessed and when it is accessed, for keeping records on what information has been used.

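The summary post above proposes a dedicated XYZ account with rights to only the files it needs, reached over a VPN, with access logged; an earlier post asked whether you can track that a particular account viewed a document and how many times. The Python sketch below is an added example, not code from this thread: a small broker in front of a document store that creates the partner account deny-by-default with an explicit, read-only, time-limited allowlist, and records every attempt (allowed or denied) so both questions can be answered from the audit trail. The document paths, contents, the `xyz-partner` account name and the 30-day window are all constructed for the example; the VPN is assumed to sit in front of this broker and is not modelled.

```python
"""Least-privilege partner access with an audit trail (constructed example).

A small broker in front of a document store: a partner account is created
deny-by-default with an explicit, read-only, time-limited allowlist, and every
access attempt, allowed or denied, is recorded so you can later answer
"did this account open that document, and how many times?".
Account names, paths and contents below are made up.
"""
import datetime as dt
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional

# Constructed sample store: path -> contents (stand-in for a real file share).
DOCUMENTS: Dict[str, bytes] = {
    "/secure/proposals/xyz-joint-bid.docx": b"joint proposal draft",
    "/secure/proposals/pricing-model.xlsx": b"pricing model",
    "/secure/research/compound-17-trials.pdf": b"trial data, internal only",
}


@dataclass(frozen=True)
class Grant:
    paths: FrozenSet[str]   # the only documents this account may read
    expires: dt.datetime    # access stops when the collaboration ends


@dataclass(frozen=True)
class AuditEvent:
    when: dt.datetime
    account: str
    path: str
    allowed: bool


class DocumentBroker:
    def __init__(self, store: Dict[str, bytes]) -> None:
        self._store = store
        self._grants: Dict[str, Grant] = {}
        self._audit: List[AuditEvent] = []

    def create_partner_account(self, account: str, allowed: Iterable[str],
                               expires: dt.datetime) -> None:
        """Create an external account that can read exactly `allowed`, nothing else."""
        paths = frozenset(allowed)
        missing = paths - set(self._store)
        if missing:
            raise ValueError(f"grant names unknown documents: {sorted(missing)}")
        if account in self._grants:
            raise ValueError(f"account {account!r} already exists")
        self._grants[account] = Grant(paths, expires)

    def read(self, account: str, path: str,
             now: Optional[dt.datetime] = None) -> bytes:
        """Return the document only if the account holds a live grant for it.
        The attempt is logged before enforcement, so denied probes are recorded."""
        now = now or dt.datetime.now(dt.timezone.utc)
        grant = self._grants.get(account)
        allowed = grant is not None and now < grant.expires and path in grant.paths
        self._audit.append(AuditEvent(now, account, path, allowed))
        if not allowed:
            raise PermissionError(f"{account} may not read {path}")
        return self._store[path]

    def access_count(self, account: str, path: str) -> int:
        """How many times `account` successfully opened `path`."""
        return sum(1 for e in self._audit
                   if e.account == account and e.path == path and e.allowed)

    def denied_attempts(self, account: str) -> List[str]:
        """Paths this account was refused, in the order they were tried."""
        return [e.path for e in self._audit if e.account == account and not e.allowed]


def demo() -> dict:
    """The scenario: XYZ gets two proposal files for 30 days, nothing else."""
    broker = DocumentBroker(DOCUMENTS)
    t0 = dt.datetime(2024, 1, 1, tzinfo=dt.timezone.utc)
    partner = "xyz-partner"   # hypothetical account name for the XYZ team
    bid = "/secure/proposals/xyz-joint-bid.docx"
    broker.create_partner_account(
        partner, [bid, "/secure/proposals/pricing-model.xlsx"],
        expires=t0 + dt.timedelta(days=30))
    broker.read(partner, bid, now=t0)                           # allowed
    broker.read(partner, bid, now=t0 + dt.timedelta(hours=2))   # allowed again
    attempts = [("/secure/research/compound-17-trials.pdf", t0),   # outside grant
                ("/secure/proposals/pricing-model.xlsx",
                 t0 + dt.timedelta(days=31))]                       # grant expired
    for path, when in attempts:
        try:
            broker.read(partner, path, now=when)
        except PermissionError:
            pass
    return {"bid_views": broker.access_count(partner, bid),
            "denied": broker.denied_attempts(partner)}
```

Two design points worth noting: the grant is a positive allowlist with an expiry rather than a set of exclusions, so a document that was never mentioned (the internal trial data) is unreadable without anyone having to remember to deny it, and the audit entry is written before the decision is enforced, so an attempt to reach outside the grant, or to keep using the account after the collaboration window, shows up in the log as a denied event rather than disappearing.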
