Has Corporate Info Security Gotten Out of Hand? 466
KoshClassic asks: "What is the right balance between security and productivity, in the corporate IT environment? Looking back at my company, 10 years ago, our machines were connected directly to the Internet, no proxy, no firewall, no antivirus software. Today, my company's proxy server blocks access to: 'bad' web sites (such as Google Groups; our 'antivirus' software prevents our machines (even machines that host production applications) from carrying out legitimate functions, such as the sending of email via SMTP; and individual employees are forced to apply security patches with little or no notice, under threat of their machines loosing network access, if they do not comply by the deadline. On one hand, you can never be too secure, however on the other hand, have we become so secure that we're stifling our own ability to get things done? What is the situation like at other companies?"
Technology (Score:3, Insightful)
It's like when cars were first introduced, there were not speed limits, cars were hardly locked and tyres were hardly threaded......
As cars become more common, more people died in car accidents, so you can't drive too fast anymore, must wear seatbelts and cannot drive drunk.
As car thefts become a norm, we must lock our cars, when that's not enough, we need to put on the steering lock, alarm, then immobalizer, and now the security datadot. However, I think overall we do benefit from the introduction of vehicles.
Seems pretty reasonable to me... (Score:4, Insightful)
I don't think this is unreasonable at all. What's the downside of enforcing a little rigor in your employees, when the alternative is having your entire corporate network become a zombie farm overnight controlled by a mob boss in Russia named Vladamir?
Re:Technology (Score:4, Insightful)
Re:one time, for security's sake (Score:5, Insightful)
Comment removed (Score:5, Insightful)
Re:one time, for security's sake (Score:5, Insightful)
Yeah, weird that they might want a machine running Windows XP to be updated. You might have Linux on the machine, but you also had Windows XP, and it sounds like it was missing security patches.
And, for the record, my assigned work had no specific XP requirement, and my responsibilities were heavily around Unix.
And you apparently had a machine with Windows XP missing some (possibly significant) security patches sitting on their network.
I fail to see how this was stupid of the network admins. Draconian maybe, but it got you to apply the security patches.
Re:one time, for security's sake (Score:4, Insightful)
I'm guessing the problem is one of compartmentalization. The IT department doesn't talk to the production department, and so doesn't know there's some people that are running linux and not XP. The standard drone-like response of "We're sorry, but until you're machine accepts the updates we can't re-enable the port." really sounds to me like extreme compartmentalization.
Try a University (Score:3, Insightful)
Re:Technology (Score:3, Insightful)
Yet why does he need to access Hotmail from his work computer? Besides, he can just access it from his Treo, on which he has an unlimited data plan. I don't see that as onerous security, and neither does he. They're a bank for goodness sake! They have very good reasons for locking their network down tight as a drum and restricting both what goes out and comes in. Good reasons like keeping their customers' financial information safe.
You made me laugh. (Score:2, Insightful)
Of course its out of hand. Companies, as well as individuals pay alot of money for computers. If we bought a car that needed patching every week to run properly it would be called a lemon. And we have lemon laws. If we bought a TV that needed to be patched every week to work properly we have a warantee to help resolve the issues with that product.
While the computer itself works fine, its the OS and Applications that need constant patching. When the OS makers and Application sellers are held to the same standards as other products are, then maybe you will see your cost of doing buisness with computers go down.
They were right. (Score:5, Insightful)
You should have simply rebooted to the XP side and run the updates. If you want the luxury of a dual-boot system, you should be willing to maintain both halves.
My policy for dual-boot machines is this: No. You can have two machines. I'll get you two monitors you can use dual-head on each machine, a KVM, your own switch, and I'll even clean the goo off your keyboard. But I won't manage a dual boot machine, and I don't want them on my network.
Why?
Unplug, people. (Score:4, Insightful)
Why it's stupid (Score:5, Insightful)
Why are people who don't comprehend - or can't communicate - this employed in an IT organization??
Had they just explained things the way you explain them in your post, there would be no problem.
Re:Security is Good on Paper (Score:3, Insightful)
"It's the result that matters."
If you spend time on slashdot or other forums during the day that's ok (and most definitely not filtered) -- but at the end of the month you have XYZ to get done. If you get it done by working nights / weekends that's your prerogative. Flexibility like this is one of the reasons why we've had zero turnover in my department in almost 5 years.
The tighter companies restrict internet usage and employee behavior, the less personally attached to the company (and their work) the people get, at least in my experience. Companies with fanatic employees can do great things. Companies with people that feel oppressed are just places to work.
The first problem you mentioned is what we always call 'management by magazine.' Some exec saw something on cnn / in a magazine / at his country club and wants to know what it's not being run. Thankfully most executives are adverse to spending money -- and in this case it's usually a good way to end some of the ideas they bring to the table.
Speaking of the idea of 'having something just to have it' -- I think this is a problem that's being pushed along by things like SOX / PCI / CISP / and other compliance programs. "We're required to have intrusion detection" so people get out a checkbook and make rash decisions just to put a check in a column.
Re:Technology (Score:5, Insightful)
Whenever I work as a sysadmin, 90% of the solutions I apply to problems come from Google Groups.
Re:Management? (Score:2, Insightful)
Well, it seems to me that the question is really about whether corporate security policies have gotten out of hand, not about the technology itself (though a key feature of any technology, as any Mac user will be glad to lecture you about, is its usability/implementation). On this question, I can't speak much from my own personal experiences (never worked at a big corporation), but anecdotally there does seem to be a certain amount of paranoia in corporate environments beyond what is called for.
I believe that many "security measures" are actually implemented more broadly than necessary because the side effects (lessened ability to use the internet, etc.) are mostly seen as good by the people who make decisions. In business, the further the chain of underlings between the decision-maker and the regular employee, the less likely they will just trust you (the employee) to do your job and the more likely they will impose restrictions to insure you can't visit slashdot/fark/apple.com etc.
"It seems to me that the network environment doesn't suffer from too much security, but that the existing security needs to be better managed so that it doesn't prove detrimental to the productivity of the employees."
I think this is true (again, not from direct personal experience, so take this with plenty of salt), but part of it is due to a lack of understanding of network/security technology by many decision makers. If you are unsure about anything, and there's tons of money and/or your job riding on it, you err on the side of caution, regardless of inconveniences to your employees. Even in my very relaxed work environment, a great deal of our internet functionality has been taken away for little apparent reason.
Of course, even if all the security decisions were left to the IT people (never interfered with by less expert management types), there would still be plenty of problems for any company-wide network solutions. I look forward to hearing about what people think would be ideal (this being slashdot, there will be some good, specific answers somewhere in this thread).
Re:Management? (Score:4, Insightful)
I am pretty sure that most people agree, this is not acceptable, and 10 years ago, this would also be considered dangerous.
First off, blocking objectional sites is a good thing. There are a number of things in a work environment that are unacceptable. Sure, some good sites will be gotten as well, but the IT department should have a policy such that you can ask for sites to be allowed if they are being blocked and really shouldn't be. Considering the information on Google Groups, I think that you are looking at a site that really should be allowed.
Time to get new anti-virus software. Good AV software, will allow you to scan message in- and out- bound via POP, IMAP and SMTP.
Very poor policy. This should be handled by professional IT workers. Not because the end user doesn't know what is going on, they might, however, something could go wrong, and someone better equiped to handle those issues should be on hand for them. Like the parent said, at this point, you could even have these patches be automated.
The main message asked about other companies, so
To me you have an IT staff for a reason, they are there to handle computer issues. They should not be there to be some draconian department that weilds their power as if they are doing you a favor. They are there to handle your computer problems. They should also take some of the responsibility for that as well, which includes handling most of the issues that you listed.
RonB
Shades of stupidity (Score:4, Insightful)
The fact that he hadn't noticed the loginscripts for over a week indicates to me that the didn't use his XP installation at work alot and even then how can you assert it wasn't patched? He may even have had to wait until a patch becaeme available to qualify for a connection because his XP installation was already fully patches! Off hand I am guessing this guy probably got issued a laptop from his employer and used installed Linux on it for day to day for home as well as for work use dual booted with XP for mostly for gaming and perhaps for that once-in-a-blue-moon that he couldn't get something done at work with Wine+[Random M$ application] and for Gaming.
I fail to see how this was stupid of the network admins. Draconian maybe, but it got you to apply the security patches.
It is stupid because they could have exempted him from their Windows specific policy quite easily. It is stupid because they may even have given him a hard time because they didn't even know how to exempt a non Windows boxen from their MS specific setup. All it would have taken was to send somebody up stairs to check out his setup for security and if it was OK adapt the policy. If you are an IT tech that works alot around Engineers, non-MS admins or Programmers you are going to have to get used to cases like this (ie. escaped mental patients who use Linux or OS.X in a corporate environment) and unless you find out how to cater to people running non-MS Operating systems you will quickly find out that you haven't got any friends willing to do you a favor when you really need it (ie. when you have screwed up and need a quick fix from the local nerds).
Changing with the times (Score:5, Insightful)
I would say, compare the environment of the public internet to how it was ten years ago. Would you place your unpatched Windows machine directly on the public internet now? You have (roughly) ten minutes before another infected machine exploits one of the dozen out-of-the-box vulnerabilities that will allow them to run anything it wants on your PC. Not the case ten years ago.
Unfortunately, what was once a rather quiet suburb filled with geeks posting to Usenet and using Mosaic is now a post-nuclear, disease filled demilitarized zone where so many infected systems simply sit and try to infect others that a defenseless machine (or a network of them) is doomed.
Trying to manage security in this environment is a much more difficult job than it ever has been, and every month that goes by makes it more difficult. We shudder on the second Tuesday of every month at what new terrifying vulnerability Microsoft will tell us is in their product that's deployed on a hundred thousand machines on our network. We plead with other IT teams (networking, server admins, client admins) to implement our tools and software and protect the environment, but most of them get pushed to the back burner, either because it's "too invasive", i.e. it annoys the end user too much; or it costs too much; or they just don't have the time.
Then MS05-039 [microsoft.com] is released. We plead and plead for the patches to be distributed right away because of how severe the threat is. But users like the submitter can't stand to have their PC rebooted unless it's the absolute perfect time. Plus, we have 1700+ applications to test compatibility with the patch on, on hundreds of different PC environments. And it requires a service pack we don't have deployed everywhere, again, because it's too invasive.
Then Zotob.E [symantec.com] gets into the environment, and shuts down large sites in a matter of minutes. Then people scream even louder! Where is security? Why didn't they prevent this?
Because no one takes security seriously until it's too late.
From a security admin's perspective, we never have enough resources or management support to fully defend against even the most prevalent threats. Because security (and, as most admins know, IT in general) is underfunded. Because of (very real) scenarios like I described above, we have much more support than we did, and things are improving.
I guess my point is, step into our shoes for a few days. We don't enjoy being draconian - we like Google Groups as much as anyone else! But there are so many attack vectors that we have to be concerned about to protect the environment - and it only takes one. One of my co-workers is fond of the saying, "the hackers only have to be lucky once - you have to be lucky all of the time."
I guarantee every IT admin reading this is thinking, well, if you did this instead of that, if you had two hundred guys on your security team, with all of them testing patches, while listening to every end user complaint and rectifying their situation immediately, you could stay out of the end-user's way! Trust me - we know. We wish our teams were as stacked as they should be. Heck, we wish it wasn't necessary at all to have to defend against stuff like WMF [microsoft.com], where any end-user clicking on a link from their IM buddy could get exploited in a second... we wish it wasn't like this. We wish things could go back to how they were ten years ago. The reality is, this is the internet we built and we are fighting to protect our assets from.
Re:Not a problem with technology. (Score:3, Insightful)
(a) Freedom cuts both ways. People have freedom of expression, and people have the freedom of employees to prevent themselves from being exposed to porn in the workplace. If you're looking at porn at work, you're taking the latter right away from all your coworkers. Which do you take away: the right that one person enjoys, or the right that many people enjoy? Perhaps a poor explanation, but the principle is valid.
(b) The workplace is not a free environment. You are working for someone, on THEIR property. What you do on your own time is your own business. What you do on company property is very much the company's business.
Freedom does not mean "I can do whatever the hell I want, whenever the hell I want, wherever the hell I want," at least if it is to be applied to more than one person.
--S
Oh, good Lord. (Score:1, Insightful)
First: Did you buy the network infrastructure? If not, then you don't make policy.
Second: Did you buy the computer? No? Then again, you can't bitch about the way it's controlled.
Why stop SMTP mail? On a Windows network, if you're running Exchange, there is NO reason to have SMTP mail enabled. Outlook transfers its mail to Exchange for delivery. Unless, of course, you're trying to bypass the corporate mail server.
"Overzealous Proxy Servers" - ? Hardly. Deny all, explicitly allow.
In most cases, you do NOT own the computer. Even if you DO (contractor), then you don't own the network infrastructure.
Too many liabilities - including morons like the submitter - are why *real* IT staffs have to keep things under tight control and wraps, so that when the next Windows vulnerability surfaces, we can limit its impact and rampant stupidity.
However, since this is gonna be posted AC, nobody will read it anyway
Re:They were right. (Score:2, Insightful)
* One side is always down, meaning network monitors need special work
If you give the guy 2 machines, one side could still be "always" down as he may turn on only the one he needs while working. The fact that he can work now with a dual boot machine means exactly this.
* Either both sides share one IP address, or each gets its own. Either figure out which one is running, or figure out which address to use.
If you gave him 2 machines, you'd have probably 2 IPs as well. Though not necessarily if he has one in use at a time. Maybe he switched the single network cable allowed in his cube when he switches machines.
* It requires physical intervention (or extraordinary hacks) to reboot remotely to the other OS
Why would you be remotely rebooting his machine? And changing the lilo ini file (or windows boot.ini) to default to the other os before rebooting doesn't seem like an "extraordinary hack" anyway. I'm sure you're probably a couple of clicks away from a boot-to-other-OS script/tool too.
* I can't just wax the whole thing if something goes wrong
And if you gave him 2 machines, you -can- just wax the whole thing?
* Rebooting implies root access for whoever is around
But if you gave him 2 machines, you'd still need this implied root access to reboot them.
* In short, they're a PITA
I'm not quite conviced.
Re:Shades of stupidity (Score:3, Insightful)
But it wasn't ok. He had a dual boot system, with one of the OS's way behind on patches. That's not secure. Any time he rebooted into the other OS he'd be wide open for exploits that had come out since the patch was publicised. If he was admining the box properly and maintaining ALL the software on it himself it wouldn't have been an issue.
Re:Technology (Score:3, Insightful)
Yes, there are some IT folks who get a power trip over what they can keep people from accessing, but I would argue that most of us aren't like that. Every business has data that is considered sensitive, but some (financial, medical, legal, etc.) have data that is considerably more sensitive.
Before saying that IT is draconian, ask yourself how secure you want the business holding your data to be. Would feel comfortable knowing that your bank records are held at a place that doesn't do regular updates of the OSes and A/V software? Would you want your credit card info at a place that doesn't control which system can send SMTP traffic to the outside world, especially since it could be used to send your records to anywhere on the globe? Would you want your medical records held in a place that allows its normal business users to access IM servers, possilby introducing worms into the network and/or using the IM service to send out your data? Is this paranoid? Possibly. Is it a realistic view? Absolutely.
The OP talked about the way things were years ago. Ten years ago, it was also a wild west on the Internet. I personally had a Unix workstation hacked, as did a friend. The threats exist and they can be very serious, so IT has to take them seriously. The main problem that many IT shops have (my current one included) is that we still have problems with the delicate balance between security and usability. The users need to understand that what we do is done for the good of the company and our customers, but we need to understand that the job still has to get done.
Re:Technology (Score:2, Insightful)
You can't just search everyone's belongings as they enter the workplace... and simply having the materials wouldn't imply that they were going to be used at the workplace... You can't reasonably put a camera in everyone office monitoring for these sorts of activity either... It's just not a tractable problem.
However, a webpage has been requested... it is being acted upon... and it is something that can be monitored.
I've seen employment cases lost on much weaker issues...
Re:Another Stupid Kar-Komputer Komparison (Score:3, Insightful)
IT security was a bit of a joke 7 years ago. It isn't funny any more.
And you're complaining about what exactly? (Score:3, Insightful)
Looking back 10 years ago, your biggest threat was someone bringing a virus-infected floppy disk into work and taking down one of the 20 computers in your 50-person office. But hey, if you want to connect your PC to the Internet with no proxy, no firewall, and no virus protection, then be my guest. I doubt your PC lasts 24 hours before it becomes unusable.
Today, my company's proxy server blocks access to: 'bad' web sites (such as Google Groups;
And also very likely thousands of hacking, piracy, virus, worm, spyware, and phishing-related sites.
our 'antivirus' software prevents our machines (even machines that host production applications) from carrying out legitimate functions, such as the sending of email via SMTP
If it really is a legitimate purpose, you shouldn't have any problems being granted an exception for your specific case. Everywhere I have ever worked has done so.
and individual employees are forced to apply security patches with little or no notice, under threat of their machines loosing network access, if they do not comply by the deadline.
Ah, now I see. Your administration is incompetent. Under no circumstances should end users be installing security patches. They should be installed by administrators (if not automatically), and there shouldn't be any concern about cutting off non-compliant PCs because there won't be any. Anything less isn't security at all.
have we become so secure that we're stifling our own ability to get things done?
We haven't, but it sounds like the folks running the show at your place may have. But it also sounds like they don't know what they're doing either.
Re:They were right. (Score:3, Insightful)
The two machine situation is much easier to deal with. Send everything a WOL packet, wait for them to boot, do your work. Or just set policy that machines don't get turned off, if you like.
Remember, that is *not* your computer. It's the company computer that they let you use. You play by their rules... complain, find other work, whatever, but if you want to mess around, do it at home.
I would rather deal with VMWare than with dual-boot. I would rather still to have two machines at the desk. It is the easiest of all available options for having two OS's at one desk.
---
You see, one of a two machine setup will not always be down, as you can have both on at the same time. With dual-boot, you have no choice, one *must* be down at all times.
You get different IPs for different ethernet addresses. You have two machines with two network cards, so you have two IPs, simple as that. This is not a problem. From administrative standpoint, two IPs is easy to deal with. You just include both in your management software and away you go. One machine with two OS's doesn't work this way.
You *would* be remotely rebooting the machine. It is absolutely asinine to think that you would go to each machine in person. It would take weeks to get a single update deployed in most corporate settings if you did that. If you have to write some silly set of scripts to do things, you now have a nonstandard setup. You can't manage that machine as a UNIX box or a Windows box; you have to make a special group for all Linux machines, BSD machines, Solaris machines, etc, and then *another* set of special groups for every combination of those.
If the person has two machines, you have the standard Windows image and the standard Linux (or whatever) image. You drop whichever is appropriate onto the broken machine. The user should never have critical data only stored on the workstation.
Re:Technology (Score:2, Insightful)
First, the reason the certs don't matter is because you can get by without learning anything. You *can*, however, learn a lot from those programs, if you want to. Getting the cert means the opportunity for organized education on the topic.
Second, if you have to use Google Groups, or whatever, for something ridiculous, like 90% of your problems, then you probably don't know what you're doing. Using all available avenues to solve your problem is certainly needed. Always needing to look for help whenever you have a problem shows lack of experience and education. This goes back to getting yourself certs to better your ability; you could also just buy a book and get a similar betterment.
Sure I look at Google for answers to problems, but for many problems, I know how to deal with it already. Most of the time that I look up something, it's a reference to the problem that I'm solving, because I don't remember the exact procedure. However, if you're dead in the water because your Internet link is broken, and you have to look 90% of your issues up on Google, you're screwed.
Re:unconvincing. (Score:4, Insightful)
Insightful? You gotta be kidding!
I have been a corporate security professional for over 10 years, and the only people that I ever get whines from like the parent are typically engineers or IT people who either believe that a) they are God's gift to computers and/or b) the rules don't apply to them. I may seem a bit pissy here, but it just burns me to read posts like this from people who clearly have never tried to think about security from the perspective of the business protecting its assets.
Contrary to what most people seem to think, companies do not exist for the convience of the employees. It is the other way around. Employees have jobs to do what the company tells them to. If the policies at your company don't allow for any way for you to do your job, talk to management. More than likely, either an alternative solution exists, or the business function you're trying to do hasn't come up before and security will have to figure out how to incorporate it. If the problem is that the official method of doing your job isn't as convenient, as cool, or as uber as what you'd like to do, then either get over it or get a different job. Corporate policies and standards are put in place to homogenize the environment, ease support, and maintain regulatory compliance. They are not put in place, at least in my company, to inconvenience employees. In fact, the point behind security efforts in my environment is to enable the business to do everything they need to do, but in a manner that doesn't put the company at risk. Some times, this means that one business unit will have to accept a less-than-optimal solution because of more pressing issues at another, but we haven't been faced yet with a situation where there's been no way to safely do a valid business function.
In large corporations, in particular, security decisions are frequently a balance between the needs of very different business units. For example, a unit that provides credit functions to customers in the US is regulated by the Gramm-Leach-Bliley Act [ftc.gov], but a manufacturing unit in the same corporation wouldn't be normally. GLBA may apply to both, however, unless there is some system in place to prevent mistakes at the manufacturing unit from affecting the credit unit. So, while encrypted, authenticated wireless access may not be convenient for an engineer at the manufacturing unit, without internal firewalls to segment security zones, encrypted, authenticated wireless is the only option.
Don't get me wrong, we do things I don't agree with. Proxy blocking, for example, seems pointless to me. Surfing porn from a company system is not a technical issue, it is an HR issue. Have a policy that states what is acceptable, give one warning per user, then fire their ass. Believe me, Internet usage reports get much cleaner when someone at a site has been fired recently, regardless of what the proxy is blocking.
Oh, yeah. The so-called draconian policies we have in place have created an environment where a really, really bad virus outbreak is 2-3 machines worldwide. Before we went down this path, there were worms that affected thousands of systems all around the world. We also have a very, very low incidence of harassment issues, we have five-nines uptime on our production systems, we've never had to completely sever our Internet connections to deal with security threats, and we've managed to balance security and business function well enough that end-users rarely have to contact the help desk because a security measure is preventing them from doing their job. Things may not work this well at other companies, but whinging on /. isn't likely to change that anyway.
Re:Management? (Score:1, Insightful)
I've moved from one camp to the other, from IT Support/Security to application development. I also relatively recently moved development jobs and found the present organisation I work for were paralysed by an outsourced security company. Not long after I started I was pulled in to help the in house IT manager site cases to our outsourced IT security why the current deployment conditions had to change. It was quite a nice change to watch the formally static outsourced IT company start to help us create solutions to problems whereas before their continued message had been straight "No" with very little room for maneuvering.
From a security professionals point of view, I guess there is nothing more frustrating then trying to educate users as to why they can't do something and move them to alternatives, then watching them just try do it again.
Back to your original post though, nice work and keep on truckin: ) Though I'm still glad I moved from support/security to development, if I'd stayed in that field I'd hope to have achieved similar things.
Either this is a troll, or you're really ignorant (Score:2, Insightful)
You do NOT have ANY rights regarding that computer, the software installed on it, how it runs, etc. You also should NOT be browsing the web for personal enjoyment or reading personal email.
Face reality - you are there to do a job and any time you spend doing something else is time you are being unethical. Do you think your colleagues on the GM assembly lines have ANY sympathy for your whining? They have every minute of their working day scripted by the timing of the line, down to how long they get in the bathroom. Most IT workers in the US spend 80% of their day surfing the web or chatting online, then go home and bitch about how the IT group cut off AOL access.
You are there to DO WHAT YOU ARE TOLD and to SERVE THE COMPANY TO EARN YOUR PAY. You are NOT there to go to websites the company doesn't ask you to visit. Do what you're told or find a better job, if you really think you can.
I am soooo sick of whiny white-collar workers who think they really work after surfing the web all day - you'd think none of those people knows a person with a real job.
You've solved your own problem... (Score:3, Insightful)
Yes, you *can* be too-secure. "Too much security" occurs when you can't get work done -- as is your case. The only *real* question facing corporate IT is "what amount of liberty is necessary to perform the duties of the employee requesting that access?" In true totalitarian style, the old computer security saying "that which is not expressly-permitted is forbidden" is the basic principle of current corporate IT security.
We have this same problem where I work. Thank shitty MSFT security for the current mess...
On a related, more-general note, security and liberty are *always* at odds. They logically must be: if you are restricted from performing action A, then you are not at liberty to perform action A. Simple as that.
For a real-world example: if you are locked-out of somebody's home, then you are not free to open the door to that home. The home is secure against your entry (at least from this particular vector).
Frankly, he who wants to be both safe and free will never have what cannot be.
Re:They were right. (Score:3, Insightful)
Realistically, it seems like there are really two ways to go here. Either build an environment in which all elements can be rigorously locked down and validated, or be prepared to contain the effects of allowing people to attach foreign equipment such as laptops or other systems that they maintain to their own standards.
Security comes down to defining the conditions of ownership and trust at each point in the computing environment. That's something agreed at the policy level, but then enforced through all the technical mechanisms we know and love.
So you're right to talk about policy, but try to step up one level of abstraction. From a policy perspective, a dual boot system and a laptop are both examples of foreign, volatile equipment. If you forbid one, it makes no sense to allow the other. If you allow either, somebody has to fund the additional risk containment.
Re:Management? (Score:3, Insightful)
2) Take the box off the new while it's doing the sim. Thus, sim gets done, box doesn't get owned, net stays secure.
3/4) These aren't evidence that your IT department values security over ease-of-use, but rather that they're totally incompetent, utterly crazy, or both.
Re:Management? (Score:4, Insightful)
Did the director tell the IT department about your specific file type, so they could just add that to the white list of allowed attachments instead of just allowing all sorts of attachments? If he did, and they refused to add that file type, it's their fault. If he didn't, then it's his fault. BTW, hand delivery is indeed crazy: If an email attachment had beed enough, surely mailing them a CD-R with the patches would have done it as well, and would surely have cost you less. But even for email, there might be solutions, like uuencode (which makes the file part of the mail text instead of an attachment, and therefore might not be detected/blocked by the automatic filters).
Did you talk to the IT department about this? Would it have been an option to take the PC from the net during the testing period, and then apply all securiy patches in one bulk before reconnecting it?
Ok, this one is clearly a stupid action from your IT department.
Re:Management? (Score:5, Insightful)
Re:Management? (Score:5, Insightful)
Re:Management? (Score:5, Insightful)
The password thing sounds bad. 8 characters is ok (though not really mush more secure these days), no repeating of old passwords is ok (again not great), but 30 days is very bad. 30 days to lead to two problems. 1) People write it down on sticky notes; B) People make easy to remember "MyFebPwd1" "MyMarchPwd1" etc.
It sounds like the person who made your password policy could do with a dose of accurate information about the usability of passwords. However, the other stuff seems reasonable to me.
The quest for the IT downsizing? (Score:4, Insightful)