[TriLUG] Do Linux users have security questions?

Cristóbal Palmer cristobalpalmer at gmail.com
Thu Feb 7 10:38:57 EST 2013


I had fun writing these. I hope people have fun thinking over how they might answer using only Open Source tools/technologies. Partial credit might be given at some future TriCHUG, though I have no idea who would be doing the grading. Certainly not me.

(1)

You work for Acme Corp, and your department recently dismissed several employees, including Gorbag and Shagrat, whom you have reason to mistrust. You've gone through your standard procedures to revoke access, so you are confident they won't be up to any new mischief using your resources. What were those procedures? What steps might be added to the procedure if you do not have direct evidence of a security incident but feel extra caution is called for? Please be specific about the software and standards involved.

Bonus: It appears another department is reliant on a Rails webapp that Gorbag wrote, and they are very concerned about the potential for revenue loss due to interruption or the failure to update the application to meet changing needs. How do you and your department respond?

(2)

At Acme Corp you have standard purchasing that results in highly uniform workstations and server builds from both a physical and software perspective, and employee-owned hardware is not allowed on the network. For this reason it was alarming to find that two workstations were visually nearly identical to Acme-issued workstations but were in fact outside hardware with Acme-issued NICs. This will trigger a larger incident response, but please describe steps that can be taken short of touching/examining physical hardware to confirm that Acme-issued machines are as they were deployed. In particular, please list any software used, where it would run (on end clients? on a server?), and what that software will allow you to conclude.

Bonus: An employee alerts you to the presence of a pwnplug[0] that you didn't put in that office. How is the response different from the above?

(3)

Several years have passed, and Acme was purchased by Widget Holdings. Widget has a much more open culture, so employee hardware -- arbitrary hardware, in fact -- can talk on at least some parts of the network without violating policy. How did you revise your policies to maintain trust and deal with the appearance of unexpected hardware/software in what should be trusted zones? How do you enforce those policies?

Bonus: If Shagrat came back on your network and engaged in malicious behavior, what evidence would you need to give the DA in your jurisdiction in order for her to be likely to bring a criminal suit? What about a civil suit?

Cheers,
--  
Cristóbal Palmer
cmpalmer.org

[0] http://pwnieexpress.com/products/pwnplug-elite