Recently, I came across this post on DojoSec Blog:
For those who are not aware of DojoSec, you can read about them here -> DojoSec.
Marcus has shared his views on an email he received on the subject of Policy, Enforcement and Monitoring.
The email hits the right spot. But the observations are not really new. I believe the issue is more due to sheer indiscipline and laxity in the top -> down hierarchy.
The focus of management and IT in *most* (but not all) organizations is to bring in a brand-name product, get it configured and let it wave its magic wand to ward off every evil entity attempting to get at their corporate network.
The management likes to talk a lot about how much they have sanctioned for this new firewall or that IDS, and that these devices had better do their jobs. But they are the same management guys who ask for (and get) unrestricted access for research purposes (whatever!) from the IT guys, ~off the record~,
(we know what you've been researching about, pervs).
And it came as no surprise to me, back when I managed an enterprise anti-virus solution, that I'd see frequent calls about their laptops showing errant behaviour, or that little pop-up in the corner coming up every third day of the week.
So policy planning is one thing, and enforcing it from top -> down is totally different. This must be worked down from the policy makers to the ground.
This does not imply, in any case, that IT admins are flawless. Without management adherence to policy, things take shape accordingly in the IT department as well. Seldom will you ~not~ find that one system in the corner under the desk whose LAN port LED is blinking 24/7. I personally came to know of one *large* organization where dedicated ~research~ boxes were kept and maintained in the datacenter, with SAN storage and a direct Internet connection without any restriction (not my organization, though).
I feel that at the IT team level, if direction and adherence do not seep down from management, bypassing the protocols in place and overlooking policies becomes a thrill and an adventure. Not to mention the pride that comes with having control of the setup and being able to ~manage~ stuff. This can get *really* nasty; if you've been there, you'll know what I mean. I have.
Hence monitoring, rotation of duties and periodic auditing become essential to identify and rectify the broken processes. Which, again, should come as a result of osmosis from the management.
The issue is that such violations continue to occur within organizations, generally with the knowledge of managers, management fellows, etc. It is only when an incident happens that everyone comes out of their trance, and then the blame game starts. Of course, the information assets are hit, the damage is done, and someone, usually on the IT team, is going to bear the brunt, which sucks in its own way.
Not too far back, one *major* organization was breached, and the network set up for that project was all 'wr mem'd. It was not a pentest by any chance, you'd agree. It had been a 'getting back at ya' moment, which I can't share much about. This never came to light, given that the whole network security team for that project was using pcAnywhere with weak passwords, from home, without any VPN!
Only when the blind, inherent belief in products, both commercial and open source, is shifted to a mentality of enforcing the policies first is it going to make a difference and control the scope of incidents and asset loss.