Has Corporate Info Security Gotten Out of Hand? 466
KoshClassic asks: "What is the right balance between security and productivity, in the corporate IT environment? Looking back at my company, 10 years ago, our machines were connected directly to the Internet, no proxy, no firewall, no antivirus software. Today, my company's proxy server blocks access to: 'bad' web sites (such as Google Groups; our 'antivirus' software prevents our machines (even machines that host production applications) from carrying out legitimate functions, such as the sending of email via SMTP; and individual employees are forced to apply security patches with little or no notice, under threat of their machines loosing network access, if they do not comply by the deadline. On one hand, you can never be too secure, however on the other hand, have we become so secure that we're stifling our own ability to get things done? What is the situation like at other companies?"
Management? (Score:5, Interesting)
Most of that was assuming you are running a Windows-based network. I am not as familiar with Linux software, but I know that similar services are available for Linux as well. In my experience managing network environments, most of this has never been a major problem. It seems to me that the network environment doesn't suffer from too much security, but that the existing security needs to be better managed so that it doesn't prove detrimental to the productivity of the employees.
Re:Management? (Score:2)
In my experience managing network environments, most of this has never been a major problem. It seems to me that the network environment doesn't suffer from too much security, but that the existing security needs to be better managed so that it doesn't prove detrimental to the productivity of the employees.
Security is a moving target. What you meant by security 10 years ago and what you mean today is different in many ways. A better way to talk about security is: Security from BLAH where BLAH is som
Re:Management? (Score:2, Insightful)
Well, it seems to me that the question is really about whether corporate security policies have gotten out of hand, not about the technology itself (though a key feature of any technology, as any Mac user will be glad to lectu
Re:Management? (Score:5, Informative)
The only real problem is overzealous proxy servers, ...
Not really, often it best to deny, evaluate and permit with business cause. Provided the response is usually positive where the business need is legitimate then their is not an issue. Any security system will need to be tuned to work correctly. And often users fall into the trap of buying products that abuse protocols to circumvent security without regard to company policy.
The enemy within is in my experience a 50/50 split with the enemy outside. These tools are needed to prosecute criminal and negligent employee behaviors. Some examples I have freequently seen:
So remember this when you bitch about security. The behavior above was detected by security tools. And this type of behavior in corporate America costs companies lots and reduces the security of your job. Security is to enable you to do your job AND is there to prevent the 1/100 bad asses from getting inside to do your company harm. And the opposite is true, to prevent the 1/100 bad asses you have hired from compromising your company.
And if you don't think your threat exists from the inside, your either a very small trustworthy group or your just not looking.
Re:Management? (Score:3, Funny)
Re:Management? (Score:5, Interesting)
1) A bug in one of our products affects an important customer. Engineering works feverishly to release updated firmware to fix the problem. As soon as the fix is validated, we e-mail it to the customer, but they never get the attachment. Why? IT decided to block attachments for unknown file types. The director of my division calls IT and compains. The response: "Sorry, that's our new policy." Our solution: I fly to Germany to hand deliver the updated firmware on a CD. Cost to the company: about $4000 in travel, 2 days of my time, and a customer who thinks we're crazy.
2) We are completing the timing analysis for a new ASIC. The simulations take about a week to complete, and if they are interrupted we have to start over. The only problem is that every time we start the tests, IT deploys a new security patch and forces a reboot of the PC before the testing can complete. This happens repeatedly and results in a 2 month delay in getting the chips made. We make up some of that lost time, but the project still slips by more than a month. As a result, we were contractually obligated to refund $200,000 of the NRE we got for doing the work since we missed our dates.
3) We use ClearCase for source code control. Everyone in the company with a unix account had access to the source code and could check in and check out files. Our IT department decided this was a security risk -- reasonable, I suppose. To correct the problem, without notice they disabled access for everyone. They then sent out an email saying that anyone who needed access had to fill out a form, get it signed by a manager, and fax it to their department. They were so bombarded with these requests that it took about 3 weeks to process them all and get everyone's access restored. It took them about 2 weeks to get to mine. During that time, my company paid me a fat salary to sit at my desk and learn how to work a rubik's cube. I can now work a rubik's cube in about 90 seconds, but this is of questionable value to my company.
4) To increase password security, our IT department implemented a new password policy. All passwords must be at least 8 characters long, contain at least one uppercase character, one lowercase character, and one number or symbol. All passwords must be changed every 30 days. When changing your password, you can't use any of the last 10 passwords you have used. Every system that requires a login must use a different password (I have a windows login, a unix login, a SAP login, and a login for an internal bug tracking tool). Ironically, all of these systems use LDAP authentication which was implemented about 2 years ago so that we could use the SAME password for all our accounts. If you enter the wrong password 5 times, your account gets locked out and you have to issue a ticket to the help desk to get your account restored. This usually takes about a day. The result of
Re:Management? (Score:3, Insightful)
2) Take the box off the new while it's doing the sim. Thus, sim gets done, box doesn't get owned, net stays secure.
3/4) These aren't evidence that your IT department values security over ease-of-use, but rather that they're totally incompetent, utterly crazy, or both.
Re:Management? (Score:4, Insightful)
Did the director tell the IT department about your specific file type, so they could just add that to the white list of allowed attachments instead of just allowing all sorts of attachments? If he did, and they refused to add that file type, it's their fault. If he didn't, then it's his fault. BTW, hand delivery is indeed crazy: If an email attachment had beed enough, surely mailing them a CD-R with the patches would have done it as well, and would surely have cost you less. But even for email, there might be solutions, like uuencode (which makes the file part of the mail text instead of an attachment, and therefore might not be detected/blocked by the automatic filters).
Did you talk to the IT department about this? Would it have been an option to take the PC from the net during the testing period, and then apply all securiy patches in one bulk before reconnecting it?
Ok, this one is clearly a stupid action from your IT department.
Re:Management? (Score:3, Interesting)
I don't think blacklisting file types would have been the right solution. And I'm willing to bet that they didn't choose whitelisting because it's less work (whitelists have to be kept up-to-date as well), but because it's more secure.
However, I think the correct solution would be not to just filter the attachments, but to send a confirmation mail to the sen
Re:Management? (Score:5, Insightful)
Re:Management? (Score:5, Insightful)
Re:Management? (Score:5, Insightful)
The password thing sounds bad. 8 characters is ok (though not really mush more secure these days), no repeating of old passwords is ok (again not great), but 30 days is very bad. 30 days to lead to two problems. 1) People write it down on sticky notes; B) People make easy to remember "MyFebPwd1" "MyMarchPwd1" etc.
It sounds like the person who made your password policy could do with a dose of accurate information about the usability of passwords. However, the other stuff seems reasonable to me.
The quest for the IT downsizing? (Score:4, Insightful)
Re:Management? (Score:4, Insightful)
I am pretty sure that most people agree, this is not acceptable, and 10 years ago, this would also be considered dangerous.
First off, blocking objectional sites is a good thing. There are a number of things in a work environment that are unacceptable. Sure, some good sites will be gotten as well, but the IT department should have a policy such that you can ask for sites to be allowed if they are being blocked and really shouldn't be. Considering the information on Google Groups, I think that you are looking at a site that really should be allowed.
Time to get new anti-virus software. Good AV software, will allow you to scan message in- and out- bound via POP, IMAP and SMTP.
Very poor policy. This should be handled by professional IT workers. Not because the end user doesn't know what is going on, they might, however, something could go wrong, and someone better equiped to handle those issues should be on hand for them. Like the parent said, at this point, you could even have these patches be automated.
The main message asked about other companies, so
To me you have an IT staff for a reason, they are there to handle computer issues. They should not be there to be some draconian department that weilds their power as if they are doing you a favor. They are there to handle your computer problems. They should also take some of the responsibility for that as well, which includes handling most of the issues that you listed.
RonB
Re:Management? (Score:4, Interesting)
Being a consultant, I've seen a wide variety of security policies from my various clients. I've had countless clients that have strict restrictions on where you can get over the network out of concern that you may transmit confidential data, but then let you walk in and out the door with a laptop as you please. That same client provided vpn access for remote support, but blocked ssh over the vpn because that would allow an ftp like (scp) access while leaving telnet open. I've been to places that refused to give me internet access even though it was the prefered way to receive support for their application and the only way to search the knowledge base. I've started on a project with a team of people, and more desktops (not even counting our own laptops) than network jacks. After waiting several weeks for a couple new jacks to be installed with three of us sharing one PC, I gave up and got a cheap network hub (this was several years ago) but was told that it wasn't allowed because they couldn't be sure it hasn't been compromised. I've been places where they wouldn't give me a badge to get in the door and no one was assigned to the front desk, so the unlucky guy sitting by the side door got used to hearing the banging and letting anyone in without any idea of who they were.
Of course, for every bad client, there's one that lets me remotely connect to my home network, makes sure I have a badge with access to everywhere I need to be, and promptly makes a backup and changes the root password before providing me full access to the server that I need to configure. It's all a question of cost of security breach vs cost of security enforcement.
To me, none of these things are worth being upset about. Yes, they are annoying, but it's the clients decision to make things more difficult, and therefore, more expensive. I simply do the best I can with the resources available. Of course it would be nice if the policies considered the threat instead of only the past exploits. Then they would realize that someone trying to carrying a stack of files out the door is no worse than the guy that walked by with the flash drive in his pocket.
Technology (Score:3, Insightful)
It's like when cars were first introduced, there were not speed limits, cars were hardly locked and tyres were hardly threaded......
As cars become more common, more people died in car accidents, so you can't drive too fast anymore, must wear seatbelts and cannot drive drunk.
As car thefts become a norm, we must lock our cars, when that's not enough, we need to put on the steering lock, alarm, then immobalizer, and now the security datadot. However, I think overall we do benefit from the introduction of vehicles.
Re:Technology (Score:4, Insightful)
Re:Technology (Score:5, Informative)
Re:Technology (Score:3, Interesting)
Porn liability (Score:4, Interesting)
My understanding is the hoopola about "if you don't block pornography, you're liable" is nonsense that's heavily propogated by vendors of filtering software. The case that claims about liability are based on is the '91 ruling in Robinson v. Jacksonville Shipyards, Inc. Here, the plaintiff was being directly targeted and porn was being publically pervasively placed throughout the workplace. That's a *far* cry from someone walking in and seeing a pornographic image on someone's computer monitor. That's even *further* away from a company being liable because they actually aren't buying a product to do filtering.
My impression is that most of the people that install these packages get sold a bill of goods by the filtering people "Lawsuits! Lawsuits!" The IT people pass the possibility of a lawsuit on up, some higher-up decides that the software is cheap insurance against a lawsuit, and buys it.
Frankly, companies don't need to worry about liability from not filtering porn (IANAL and all that). They might need to worry about employees being off-task (I mean, come on -- if you're browsing porn, you are *not* doing work). However, I've been incredibly frusterated by stuff in the past (like pages containing "wine" in the URL being blocked -- when I'm trying to look up constants in WINE's header files), with information about HTTP tunneling that I needed for writing some software that had to interoperate with a firewall being blocked (as "criminal activity", impressively enough, along with anything involving a "proxy"), and so forth. Companies aren't avoiding liability at all -- they're trying to control employees, and keep them from goofing off at work. I'm not saying that there's necessarily anything wrong with that that, but it's just not really a liability issue. I've seen people blow time chatting with their friends on non-work related stuff on AIM, and I can understand that there's a desire to not let the computer be an entertainment device.
However, I've got a much better solution. Have software that skims browsing history, flags anything suspicious, and allows an employee's boss to take a gander at it (if he really wants to). Oh, and *tell* the employee that you plan to do this -- the idea is to prevent abuse. I don't have a problem with my boss seeing a complete log of my at-work browsing history -- I do have a real problem with IT blocking things. I don't abuse my work connection, and it's really irritating to be treated as if I have because someone somewhere *has* done so.
Basically, I think that it's probably unreasonable to prevent the following types of Internet usage in a regular work environment, at least from a security/liability standpoint:
* Outbound TCP connections, other than maybe to port 25. The whole world is not HTTP.
* Requests to DNS servers other than the company one (why on *earth* do people do this?)
* Outbound SSH connections (a special case of the above that's particularly annoying -- sometimes I need to get at my addressbook or something else on my home computer). (There is a small potential security issue here in that someone could set up X11 port forwarding, and have a compromised outside box keylog or screenshot their workstation machine desktop) but goddamn it, the risk is awfully small and the loss of functionality enormous. This is not James Bond, and armies of ninja hackers are not out trying to take screenshots of desktops.
* Access to webpages. Good *God*. If you have to log them, fine, but for Chrissake, do not filter. It's *so* irritating.
Real security risks? Worms, dubious software that people intentionally install, people simply taking confidential (*actually* confidentially, not doc
Re:Technology (Score:3, Informative)
Re:Not a problem with technology. (Score:3, Insightful)
(a) Freedom cuts both ways. People have freedom of expression, and people have the freedom of employees to prevent themselves from being exposed to porn in the workplace. If you're looking at porn at work, you're taking the latter right away from all your coworkers. Which do you take away: the right that one person enjoys, or the right that many people enjoy? Perhaps a poor explanation, but the principle is valid.
(b) The workplace is not a free environment. You are workin
Re:Technology (Score:3, Insightful)
Yet why does he need to access Hotmail from his work computer? Besides, he can just access it from his Treo, on which he has an unlimited data plan. I don't see that as onerous security, and neither does he. They're a bank for goodness sake! They have very good reasons for
Re:Technology (Score:5, Insightful)
Whenever I work as a sysadmin, 90% of the solutions I apply to problems come from Google Groups.
Re:Technology (Score:3, Funny)
*cough**choke*
Man - you made Coke shoot out my nose on that one. Ever think about going into stand-up?
Re:Technology (Score:3, Informative)
MCSE = Memormized Content; Secured Exam. That's exactly what it is. Those exams don't teach you a damn thing. There are so many different situations you can run into that there's no way any exam could possibly cover them all. Did you know that some EventSystem errors in the Event Viewer can be caused by a faulty disk controller? You're not
Re:Technology (Score:3, Insightful)
Re:Technology (Score:2, Troll)
I believe that CAD, CAM, robots, genetic engineering of crops, and assembly lines has much more to do with it. Well, I guess all of those things are technology. I love Linux. It has more creature features than "real" unix OSes. FreeBSD 4.9s 'ls' still does "ls -ke
ls: illegal option -- e
usage: ls [-ABCFGHLPRTWabcdfghiklnoqrstu1] [file
Thank
Re:Another Stupid Kar-Komputer Komparison (Score:3, Insightful)
IT security was a bit of a joke 7 years ago. It isn't funny any more.
It's all possible... (Score:5, Informative)
Ideally security will allow everything that's vital while not stepping on any services that are required. With most companies, what is 'required' ends up being pared down as the security net gets closed down tighter.
Nostalgia is one thing -- how many of us worked on systems that had telnet / ftp open to the outside without a firewall? I know I did back in the day. When management is behind security initiatives, being able to work on the business isses ("No, we CAN'T disable FTP!") becomes less of a problem.
Regarding individual workstations -- putting the burden on end-users doesn't seem to be a common (thankfully) configuration in the companies I've seen. Most larger places are doing automated patch management and deployment now. I know quite a few places where every single system (desktop and production) is patched within a 15 day window. While it's not bleeding edge, this relatively fast schedule combined with the concept of 'defense in depth' goes a long way to preventing issues. I know places that haven't lost a machine to a virus in YEARS.
Security that's preventing legitimate work from being done needs to be adjusted. All of the problems you've mentioned are fixable.
Comment removed (Score:5, Insightful)
Re:Security is Good on Paper (Score:3, Insightful)
"It's the result that matters."
If you spend time on slashdot or other forums during the day that's ok (and most definitely not filtered) -- but at the end of the month you have XYZ to get done. If you get it done by working nights / weekends that's your prerogative. Flexibility like this is one of the reasons why we've ha
Re:Security is Good on Paper (Score:5, Funny)
one time, for security's sake (Score:5, Interesting)
One time for security's sake my office ethernet port was turned off by IT. Figuring it to be some outage I called support (hah!), and they looked up my IP address and said yes the port had been turned off because my machine had refused to accept recent XP updates.
Hmmm, but my machine is a linux machine! We're sorry, but until you're machine accepts the updates we can't re-enable the port. I asked why I hadn't been notified -- they said ALL XP login scripts had been posting the notice for over a week, I had been given "plenty" of warning!
Hmmmm, but my machine is a linux machine! We're sorry, but until you're machine accepts the updates we can't re-enable the port.
Fortunately I had a dual-boot, so I was able to comply.
But, ironic that one of their (in my opinion) least vulnerable machines on the network was mine.
(And, for the record, my assigned work had no specific XP requirement, and my responsibilities were heavily around Unix... so I wasn't in violation of any policy (such as they existed).)
Re:one time, for security's sake (Score:5, Insightful)
Re:one time, for security's sake (Score:4, Insightful)
I'm guessing the problem is one of compartmentalization. The IT department doesn't talk to the production department, and so doesn't know there's some people that are running linux and not XP. The standard drone-like response of "We're sorry, but until you're machine accepts the updates we can't re-enable the port." really sounds to me like extreme compartmentalization.
Re:one time, for security's sake (Score:2)
Re:one time, for security's sake (Score:2)
If enough virus writers made viruses for Linux security vulnerabilities frequently enough that it necessitated monthly or even bi-weekly kernel updates, would not the statement about Windows in your sig then apply to Linux?
Re:one time, for security's sake (Score:2)
On any Unix system, you can update anything except for the running kernel (actually, you can replace it on the disk but can't reload it). In the case of Hurd, you can update even it.
Since security updates to the kernel itself are pretty rare, you don't need to make almost any reboots. This enables
Re:one time, for security's sake (Score:2)
Re:one time, for security's sake (Score:2)
RonB
Re:one time, for security's sake (Score:2)
Re:one time, for security's sake (Score:5, Insightful)
Yeah, weird that they might want a machine running Windows XP to be updated. You might have Linux on the machine, but you also had Windows XP, and it sounds like it was missing security patches.
And, for the record, my assigned work had no specific XP requirement, and my responsibilities were heavily around Unix.
And you apparently had a machine with Windows XP missing some (possibly significant) security patches sitting on their network.
I fail to see how this was stupid of the network admins. Draconian maybe, but it got you to apply the security patches.
Why it's stupid (Score:5, Insightful)
Why are people who don't comprehend - or can't communicate - this employed in an IT organization??
Had they just explained things the way you explain them in your post, there would be no problem.
Bureaucracy at its best. (Score:4, Informative)
You sir, need to accept the bureaucratic nature of large organizations. There have been a few times that I've had to do some really asinine things in order to keep my job. I knew it was bullshit, my coworkers knew it was BS, and the poor SOB on the other end really knew it was BS. But, if either strayed from policy it was our asses. Why was this policy in place? Because the higher ups didn't want to take the time for all of the inevitable exceptions that occur.
The solution? Acceptance - Zen practice. Or, start your own organizaton - if possible. Entrepreneurship!
There's a reason why small companies are the ones that are creating most of the jobs. There's a reason why small companies are the innovators. There's a reason ... you get the idea.
Shades of stupidity (Score:4, Insightful)
The fact that he hadn't noticed the loginscripts for over a week indicates to me that the didn't use his XP installation at work alot and even then how can you assert it wasn't patched? He may even have had to wait until a patch becaeme available to qualify for a connection because his XP installation was already fully patches! Off hand I am guessing this guy probably got issued a laptop from his employer and used installed Linux on it for day to day for home as well as for work use dual booted with XP for mostly for gaming and perhaps for that once-in-a-blue-moon that he couldn't get something done at work with Wine+[Random M$ application] and for Gaming.
I fail to see how this was stupid of the network admins. Draconian maybe, but it got you to apply the security patches.
It is stupid because they could have exempted him from their Windows specific policy quite easily. It is stupid because they may even have given him a hard time because they didn't even know how to exempt a non Windows boxen from their MS specific setup. All it would have taken was to send somebody up stairs to check out his setup for security and if it was OK adapt the policy. If you are an IT tech that works alot around Engineers, non-MS admins or Programmers you are going to have to get used to cases like this (ie. escaped mental patients who use Linux or OS.X in a corporate environment) and unless you find out how to cater to people running non-MS Operating systems you will quickly find out that you haven't got any friends willing to do you a favor when you really need it (ie. when you have screwed up and need a quick fix from the local nerds).
Re:Shades of stupidity (Score:3, Insightful)
But it wasn't ok. He had a dual boot system, with one of the OS's way behind on patches. That's not secure. Any time he reboot
They were right. (Score:5, Insightful)
You should have simply rebooted to the XP side and run the updates. If you want the luxury of a dual-boot system, you should be willing to maintain both halves.
My policy for dual-boot machines is this: No. You can have two machines. I'll get you two monitors you can use dual-head on each machine, a KVM, your own switch, and I'll even clean the goo off your keyboard. But I won't manage a dual boot machine, and I don't want them on my network.
Why?
Re:They were right. (Score:3, Insightful)
Realistically, it seems like there are really two ways to go here. Either build an environment in which all elements can be rigorously locked down and validated, or be prepared to contain the effects of allowing people to attach foreign equipment such as laptops or other systems that they maintain to their own standards.
Security comes down to defining the conditions of ownership and trust at each point in the computing environment. That's something agreed a
Re:They were right. (Score:3, Insightful)
The two machine situation is much easier to deal with. Send everything a WOL packet, wait for them to boot, do your work. Or just set policy that machi
Re:They were wrong and you're lazy! (Score:4, Interesting)
It is NOT trivial to try to remotely deal with a dual-boot environment.
His list of reasons were very solid, backed by experience. Your 'rebuttal' is crap. Twice the machines is HALF the cost... because MOST of the cost of a machine is maintenance. Unless the machines are just appallingly expensive, most secondary computers would pay for themselves by about the fifth manual patch visit. All the user has to do is leave both computers on all the time. Every place I've ever worked has left ALL machines on all the time.
VMWare images are easy to deal with. They look just like the other machines on the network, although perhaps not always running. You don't have to do anything special to support them; they just work. You can think of them like laptops. It's a total non-issue.
If you supervise IT employees, I feel very bad for them. If any of those theoretical employees are reading this: get the hell out. There are sane bosses in the world.
Seems pretty reasonable to me... (Score:4, Insightful)
I don't think this is unreasonable at all. What's the downside of enforcing a little rigor in your employees, when the alternative is having your entire corporate network become a zombie farm overnight controlled by a mob boss in Russia named Vladamir?
Re:Seems pretty reasonable to me... (Score:2)
I used it as the OGM for my phone and you would not believe the number of hangups I got!
-nB
Re:Seems pretty reasonable to me... (Score:2)
Breaking a single machine, or even a single application on all machines, is a lot less of a problem than EVERY machine being rendered unusable by an exploited vulnerability.
Right now I am testing an SMS install of Office 2000 SP3 with the MS06-003 patch. It's going out to thousands of desktops that are still running outdated versions of Office. Will it break something somewhere? Probably. But that's a lot less of a concern than all ten thousand of those m
Speak for yourself... (Score:5, Interesting)
But also realize how much the worms of 2003 and 2004 cost corporations. I saw it first hand when working in a plant, and it was seriously disastrous. I can understand why they don't want that to happen again.
If surfing "bad" sites is THAT important to you, perhaps its time to get your resume out to a company that trusts its employees more. Or quit complaining to a bunch of slashdotters and present a true solution that benefits everyone. There are ways to have both security and usability.
Re:Speak for yourself... (Score:2)
Sure there's a balance. Don't rely on Windows. It's quite simple. No draconian security policy needed (blocking Google Groups? Whiskey Tango Foxtrot?), AND there's but a miniscule risk of malware infection.
Re:Speak for yourself... (Score:2)
If surfing "bad" sites is THAT important to you, perhaps its time to get your resume out to a company that trusts its employees more.
How do you know he's not about to do exactly that, but first wants to know if the draconian security policies are the norm and not the exception?
Or quit complaining to a bunch of slashdotters and present a true solution that benefits everyone. There are ways to have both security and usability.
Any why isn't asking for help from peers a good way of trying to find that exact sol
Re:Speak for yourself... (Score:2)
For some companies, it is cheaper to just lockdown the network and reduce efficiency, than it is to have to spend $$$$ on playing whack-a-mole with computer problems as they show up. Or to deal with bandwidth issues because someone is leeching like crazy over the company connection.
Sorry... (Score:5, Funny)
I'd love to tell you but that would be a breach of security.
My experience is the opposite (Score:2, Interesting)
Four to seven years ago (2000-2002) getting Infobahn access was far easier, but most companies still required that you use their proxy so that they could monitor who visited which sites and who spent more time posting to
But latel
You need better sysadmins (Score:2)
- SMTP blocking would not be needed if users didn't keep clicking on emails from the "FBI" "CIA" , etc. Besides that, it's easy to configure an AV policy to exempt legitimage SMTP usage.
- Updates can and should be applied automatically and without user intervention. If a reboot is required a nightly shutdown policy will suffice.
I'd love to live in a happy land where all computers can be open and free but unfort
Re:You need better sysadmins (Score:2)
Man "sorry boss, I couldn't check your email, it was from the FBI."
FBI Head honcho: "we ARE the FBI IDIOT!"
Assistant: "That's no way to talk to the president!"
Rimshot!
Yes....and no (Score:2)
Personally (Score:2, Interesting)
my favorite from not so long ago (Score:2)
I think not... (Score:2)
Obviously it still needs work.
google: stolen customer data [google.com]
Your complaints are unconvincing. (Score:5, Interesting)
And, why, yes I am a network administrator, thanks. I'm lucky so far -- it's a small company, people are well-behaved, and I don't have to implement the policies you describe. I set up times for patches, there's no proxy yet and not too many firewall restrictions.
But if this place gets to be big enough that I can't count on collective intelligence and/or social pressure to keep people doing the right thing, I'm going to have to seriously consider policies just like the ones you describe, in order to keep things running as they need to -- because your complaints about the network not working 'cos of the latest virus outbreak are going to be a fuck of a lot louder than your complaints about your desktop machine not being allowed to be a mail server.
Re:unconvincing. (Score:4, Insightful)
Insightful? You gotta be kidding!
I have been a corporate security professional for over 10 years, and the only people that I ever get whines from like the parent are typically engineers or IT people who either believe that a) they are God's gift to computers and/or b) the rules don't apply to them. I may seem a bit pissy here, but it just burns me to read posts like this from people who clearly have never tried to think about security from the perspective of the business protecting its assets.
Contrary to what most people seem to think, companies do not exist for the convience of the employees. It is the other way around. Employees have jobs to do what the company tells them to. If the policies at your company don't allow for any way for you to do your job, talk to management. More than likely, either an alternative solution exists, or the business function you're trying to do hasn't come up before and security will have to figure out how to incorporate it. If the problem is that the official method of doing your job isn't as convenient, as cool, or as uber as what you'd like to do, then either get over it or get a different job. Corporate policies and standards are put in place to homogenize the environment, ease support, and maintain regulatory compliance. They are not put in place, at least in my company, to inconvenience employees. In fact, the point behind security efforts in my environment is to enable the business to do everything they need to do, but in a manner that doesn't put the company at risk. Some times, this means that one business unit will have to accept a less-than-optimal solution because of more pressing issues at another, but we haven't been faced yet with a situation where there's been no way to safely do a valid business function.
In large corporations, in particular, security decisions are frequently a balance between the needs of very different business units. For example, a unit that provides credit functions to customers in the US is regulated by the Gramm-Leach-Bliley Act [ftc.gov], but a manufacturing unit in the same corporation wouldn't be normally. GLBA may apply to both, however, unless there is some system in place to prevent mistakes at the manufacturing unit from affecting the credit unit. So, while encrypted, authenticated wireless access may not be convenient for an engineer at the manufacturing unit, without internal firewalls to segment security zones, encrypted, authenticated wireless is the only option.
Don't get me wrong, we do things I don't agree with. Proxy blocking, for example, seems pointless to me. Surfing porn from a company system is not a technical issue, it is an HR issue. Have a policy that states what is acceptable, give one warning per user, then fire their ass. Believe me, Internet usage reports get much cleaner when someone at a site has been fired recently, regardless of what the proxy is blocking.
Oh, yeah. The so-called draconian policies we have in place have created an environment where a really, really bad virus outbreak is 2-3 machines worldwide. Before we went down this path, there were worms that affected thousands of systems all around the world. We also have a very, very low incidence of harassment issues, we have five-nines uptime on our production systems, we've never had to completely sever our Internet connections to deal with security threats, and we've managed to balance security and business function well enough that end-users rarely have to contact the help desk because a security measure is preventing them from doing their job. Things may not work this well at other companies, but whinging on /. isn't likely to change that anyway.
As a user... (Score:2)
What does create havoc (and I jump in with this in every one of these discussions because it can't be said enough) is the insanity with multiple, long, complex, frequently-but-out-of-sync changed passwords. It causes huge hassles, prevents users from taking advantage of resources and is an absolute disaster for security.
Forcing horrible workarounds... (Score:2)
Rather than issuing in-office consultants a company e-mail address, CCing a Yahoo.com e-mail address, besides being insecure and unaudited, just looks damn unprofessional.
Don't have a document management system, SFTP, or even FTP? People clog up Exchange with huge attachments with no central control or even a sense of where the authoritative copy of something can be found.
How
Fair security poorly adminstered (Score:5, Interesting)
We operate under a standard image architecture with updates and patches pushed out across the enterprise. Proxy servers are a necessary evil, but we are very reasonable on our block lists. (North Korean sites are discouraged along with Ebay...) This is for our unclassified network...
We learned the hard way too. Our first generation of machines were issued with padlocks on the cases and no CDROM drives...
Our IT system never compromises operations for security, and it never has to. Your IT staff may need a bit of fresh air, a few customer-centered workshops, and maybe some field trips to see how others work.
I feel your pain and wish you the best.
ay
The right balance is... (Score:4, Interesting)
What is the right balance between security and productivity, in the corporate IT environment?
Simple, more security. As more secure systems tend to run more reliably (less bugs) and with lower maintenance (removing root kits)than do less secure systems. Knowing most corporate environments, security tends to be lax.
Looking back at my company, 10 years ago, our machines were connected directly to the Internet, no proxy, no firewall, no antivirus software.
Yes, it was better more than ten years ago. If your computer was connected to the internet and caused someone problems you got kicked off for a week or two to think about it. Some were even blacklisted. And few if any ran Microsoft products as their gateways or terminals.
But the fact is with many hundreds of millions of Internet users today practicing self administration of an inherently insecure OS and trusting everything they click on -- without regard to others or their companies costs, security has had to evolve. And believe it or not, firewalls existed 10 years ago.
Then along comes the modern cowboy on an unmonitored cable connection hacking people for sport and profit. People hack computers just to send spam, and the system/ISP do nothing. They have long since abandoned kicking them off. The result is the problem is mow rampant.
have we become so secure that we're stifling our own ability to get things done?
Not at all, I have always kept important stuff on UNIX and Linux, and professionally manage them like I do at work. They haven't been hacked or wormed. I also tend to use "safe" tools as they also fail less as well are more secure.
But the optimum answer to be secure is to use securable tools and secure practices in what you do with your computer, something like safe sex.
Try a University (Score:3, Insightful)
Re:Try a University (Score:2)
Re:Try a University (Score:3, Funny)
You made me laugh. (Score:2, Insightful)
Of cours
Times Change. (Score:2)
Many of the complaints in the submission sound like bad IT or mis-directed policy. AV might block a server from sending SMTP mail, but how is it supposed to know it's legit? The IT staff should be telling it which is legit. Users shouldn't be responsible in a corporate environment for patches an
Sorry to sound Republican here (Score:2)
Any employee computer activity on the job, especially internet activity, is a potential liability for the company, and if you browse to the wrong site you can get hit with spyware, cookies, etc. that could compromise the security of the network. Get nailed with a keylogger cookie and all your int
How about accounts and passwords? (Score:2)
Unplug, people. (Score:4, Insightful)
Patches (Score:2)
Education too (Score:2)
Except for extreme overzealousness... (Score:2, Interesting)
Large defense contractor (Score:2)
Security Theatre (Score:2)
What bothers me more than the company turning down the screws to secure things is when they turn down the screws to secure things, without really accomplishing that end. I certainly won't disagree with a software maintenance policy, for Windows, Linux, and everything else. Nor will I disagree with firewalls and enforcing company policies across them.
But if I were to tell some of the more boneheaded things that are ALSO done, and the holes obliviously left open, you'd ei
Futile arms race. (Score:2)
However, despite these measures I can still use JAP or Tor to access any site. I can still ssh (via ProxyTunnel) to my home PC over port (my sshd runs on port 443). Basically, it just means I have to go through hoop
Productivity of compromised system (Score:2)
If you can restore a system in a matter of minutes (deep freeze), then maybe it's not such a big deal to have a secure system. But if it takes an hour or a day, then its a bigger deal.
Patch before you have a mess on your hands! (Score:2)
One thing you DON'T want is your network getting all loose; the bits fall out everywhere and it's very messy.
So keep your network tight! Apply patches!
Some ideas.. (Score:2)
Seriously, one of the problems has a relatively simple solution. Antivirus is running, and blocking SMTP. I am assuming that you run an "enterprise" edition of some anti-virus software. They probably have one group policy set for all machines, since everyone uses outlook or something.. This is not taking into account your groups machines, that need it to get work
Changing with the times (Score:5, Insightful)
I would say, compare the environment of the public internet to how it was ten years ago. Would you place your unpatched Windows machine directly on the public internet now? You have (roughly) ten minutes before another infected machine exploits one of the dozen out-of-the-box vulnerabilities that will allow them to run anything it wants on your PC. Not the case ten years ago.
Unfortunately, what was once a rather quiet suburb filled with geeks posting to Usenet and using Mosaic is now a post-nuclear, disease filled demilitarized zone where so many infected systems simply sit and try to infect others that a defenseless machine (or a network of them) is doomed.
Trying to manage security in this environment is a much more difficult job than it ever has been, and every month that goes by makes it more difficult. We shudder on the second Tuesday of every month at what new terrifying vulnerability Microsoft will tell us is in their product that's deployed on a hundred thousand machines on our network. We plead with other IT teams (networking, server admins, client admins) to implement our tools and software and protect the environment, but most of them get pushed to the back burner, either because it's "too invasive", i.e. it annoys the end user too much; or it costs too much; or they just don't have the time.
Then MS05-039 [microsoft.com] is released. We plead and plead for the patches to be distributed right away because of how severe the threat is. But users like the submitter can't stand to have their PC rebooted unless it's the absolute perfect time. Plus, we have 1700+ applications to test compatibility with the patch on, on hundreds of different PC environments. And it requires a service pack we don't have deployed everywhere, again, because it's too invasive.
Then Zotob.E [symantec.com] gets into the environment, and shuts down large sites in a matter of minutes. Then people scream even louder! Where is security? Why didn't they prevent this?
Because no one takes security seriously until it's too late.
From a security admin's perspective, we never have enough resources or management support to fully defend against even the most prevalent threats. Because security (and, as most admins know, IT in general) is underfunded. Because of (very real) scenarios like I described above, we have much more support than we did, and things are improving.
I guess my point is, step into our shoes for a few days. We don't enjoy being draconian - we like Google Groups as much as anyone else! But there are so many attack vectors that we have to be concerned about to protect the environment - and it only takes one. One of my co-workers is fond of the saying, "the hackers only have to be lucky once - you have to be lucky all of the time."
I guarantee every IT admin reading this is thinking, well, if you did this instead of that, if you had two hundred guys on your security team, with all of them testing patches, while listening to every end user complaint and rectifying their situation immediately, you could stay out of the end-user's way! Trust me - we know. We wish our teams were as stacked as they should be. Heck, we wish it wasn't necessary at all to have to defend against stuff like WMF [microsoft.com], where any end-user clicking on a link from their IM buddy could get exploited in a second... we wish it wasn't like this. We wish things could go back to how they were ten years ago. The reality is, this is the internet we built and we are fighting to protect our assets from.
Re: (Score:3, Interesting)
Re:Changing with the times (Score:3, Interesting)
While i was attending binghamton university as a freshman a SINGLE unix server got owned. it annihilated the entire dual OC3 campus network. for nearly 3 days.
Security vs. Users vs. the Big Bad World (Score:3, Informative)
Flip the calendar ahead 10 years... The internet is ripe with malicious content. Organized groups of crackers, writing exploit code for every system vulnerability imaginable... Script kiddies gaining "respect" relative to the number of machines they can compromise for addition to their bot-nets... Spammers building their armies of compromised boxes to anonymously sell viagra and fake rolexes... the list goes on and on. In short, the need for network security is real and sometimes the end user is inconvenienced in the process of running a tight ship.
In an ideal corporate world, the bad guys would stay out and the users would have everything they want. In the real world there is a balancing act that weighs a security "best effort" against business needs. It sounds to me as if the original poster's company is in the early stages of making this happen. Security measures are being taken and users are feeling the pain. The next step is for the users to identify the needs that are not being met and challenge their management and IT resources to provide for those needs while making a best effort to do so securely. This, unfortunately, often involves plenty of corporate political bullshit and associated headaches, but if you can show a LEGIT business need, it should make it through the process.
I manage all internet connectiity and perimeter security for a very large healthcare foundation that includes several hospitals, physicians offices and research facilities. Not a day goes by without some kind of request for additional access to some resource. Most are reasonable and can be accomodated with little or no impact on security. Some are not so reasonable politely rejected with a comprehensive explanation of why it's not gonna happen and where applicable, alternative solutions are offered.
As for the original poster's situation... should end users be applying system patches? hell no. IT folks get paid to do that. Should individual workstations be sending SMTP traffic beyond the network perimeter? hell no! IT folks should make a suitably secured SMTP gateway available. Should users be able to go anywhere on the 'net they want? hell no! The company pays for the bandwidth and owns the workstations... they can say "no" to anything they consider to be unrelated to doing business. If users need to get somewhere on the filtered list, it should be easy enough to justify it to management. Do the homework and make your case... you'll get much farther than someone that just pisses and moans about how restrictive those IT bastards are.
Best of luck.
And you're complaining about what exactly? (Score:3, Insightful)
Looking back 10 years ago, your biggest threat was someone bringing a virus-infected floppy disk into work and taking down one of the 20 computers in your 50-person office. But hey, if you want to connect your PC to the Internet with no proxy, no firewall, and no virus protection, then be my guest. I doubt your PC lasts 24 hours before it becomes unusable.
Today, my company's proxy server blocks access to: 'bad' web sites (such as Google Groups;
And also very likely thousands of hacking, piracy, virus, worm, spyware, and phishing-related sites.
our 'antivirus' software prevents our machines (even machines that host production applications) from carrying out legitimate functions, such as the sending of email via SMTP
If it really is a legitimate purpose, you shouldn't have any problems being granted an exception for your specific case. Everywhere I have ever worked has done so.
and individual employees are forced to apply security patches with little or no notice, under threat of their machines loosing network access, if they do not comply by the deadline.
Ah, now I see. Your administration is incompetent. Under no circumstances should end users be installing security patches. They should be installed by administrators (if not automatically), and there shouldn't be any concern about cutting off non-compliant PCs because there won't be any. Anything less isn't security at all.
have we become so secure that we're stifling our own ability to get things done?
We haven't, but it sounds like the folks running the show at your place may have. But it also sounds like they don't know what they're doing either.
You've solved your own problem... (Score:3, Insightful)
Yes, you *can* be too-secure. "Too much security" occurs when you can't get work done -- as is your case. The only *real* question facing corporate IT is "what amount of liberty is necessary to perform the duties of the employee requesting that access?" In true totalitarian style, the old computer security saying "that which is not expressly-permitted is forbidden" is the basic principle of current corporate IT security.
We have this same problem where I work. Thank shitty MSFT security for the current mess...
On a related, more-general note, security and liberty are *always* at odds. They logically must be: if you are restricted from performing action A, then you are not at liberty to perform action A. Simple as that.
For a real-world example: if you are locked-out of somebody's home, then you are not free to open the door to that home. The home is secure against your entry (at least from this particular vector).
Frankly, he who wants to be both safe and free will never have what cannot be.
Re:Google Groups? (Score:2)
(Not going to happen though, I've graduated to management these days & run things my way.. no proxies ir filters.. if people wanna hava a little fun then it's fine by me - happy employees are far more productive than work slaves).
Re:Work somewhere else (Score:2)
Me, I just printed out the proxy server settings, so that, when whichever asshatically configured server it is that can't cough up my roaming profile, I can at least get a browser to function somehow.
Uber-consultants can surf teh jobz, if they're that good. Most of us have to bite off the tongue and swallow the blood, as they used to say.
Re:Basics (Score:2)
You've never had a problem with a patch breaking something? At the very least any competent admin would test the patch on a test box before pushing out corporate-wide. Pushing out pathes without testing is lazy and reckless.
Re:Firefox just banned - help me! (Score:3, Informative)
Re:Well, here's a war story that happened today: (Score:3, Informative)
You actually have to pay to watch this thing. Not only that, there's a charge for each person watching [awwa.org].