Cutting Security To Cut Costs?
just currious asks: "I work for a large company (10,000+ PCs) who recently outsourced the help desk. After looking at about a year's worth of data we find that 30% to 50% of the calls to the help desk are password related (password resets, password changes, etc.). This is a lot of calls (at 20+ dollars a pop). Now they want to reduce cost by cutting security, since if you don't have a password, you can't forget it. So here's what upper management wants to do: remove the security from all of our Windows 2000 machines. Has anybody else seen security cut just to save money?"
We need to first know where you work. Actually, just the IPs will be fine.
It depends on whether or not there's anything worth keeping secret on the machines; though someone who wanted in could probably get in anyhow. If I were an employee I'd actually be more immediately concerned about other employees logging in as me and f***ing with my stuff.
On the plus side: if you know or can find out management's usernames you can see what they've been working on ;)
I thought you said they were cutting security?
:-)
Sounds to me like your Windows boxes will be about as secure as ever.
Fire the morons who forget their password or set it to "QWERTY" so they won't forget. :)
Repeal the DMCA!
I've been through exactly the same. Problems with passwords vanished within weeks as everything was swapped over. Then, piece by piece, random pain in the fucking ARSE problems with other users fucking with fileserver files grew into a major problem. Users saved files anywhere they could with no restrictions. Other users who 'claimed' parts of the server space as their own threw out files that appeared there from other users. Management, however, are still happy with their decision to cut security like this, despite nobody having a clue where anything is.
Am I bitter about it? To the point of quitting the instant I can. Thank god I'm not running the servers.
Now they want to reduce cost by cutting security, since if you don't have a password, you can't forget it.
You're obviously not a BOIH (Bastard Operator In Hell):
"I lost my password."
"You've no password."
"What do you mean by no password? What's that big f%#*ing word on the screen saying 'Password'?"
"Just press Enter."
"small cap or all cap?"
"...."
I bet at least half of them have "QWERTY", their birthday, their phone number, their address, or some other stupid password.
Here's a solution: Fire all the morons who set their password to "qwerty" so they won't forget and then forget it anyway.
Repeal the DMCA!
So here's what upper management wants to do: remove the security from all of our Windows 2000 machines.
No sweat! *pause 3 sec.* It's being done!
*thank God not being asked to remove security holes*
You should hock your building's alarm system, and the lock cylinders in the doors; that'll bring you a few quick bucks.
Nothing like running lean and mean!
Where I work the security is pretty tight (comp locks after 5 mins of inactivity, many things turned off, and so on). It's sometimes a pain in the ass, but at least they really take security into account...
Tsuyoikoto ha taisetsu da ne, dakedo namida mo hitsuyousa (Strength is an important thing, but tears too are necessary)
That's BOFH.
I should know - I am one. I even have a PFY.
Once they do it, you should post the name of your company here and at FuckedCompany.com so we can all avoid giving this company any of our personal information.
Keep the passwords and charge anyone who forgets theirs twenty dollars.
Unfortunately this is a fact of IT - there are those who, because they don't understand the need for IT security, reduce you to working at their level.
How many times have you heard this one?
(Regarding a server that is connected to the net for FTP / SSH) "But who would want to hack our server?"
I've often found that lusers actually do understand security concepts, however as soon as a computer is concerned they are thrown out of the window. For example:
Me: "Tell me - do you drive a car?"
Luser: "Yes"
Me: "And does anyone have a specific grudge against you? Would they specifically want to steal your car?"
Luser: "No!"
Me: "So do you lock your car after you park it somewhere?"
Luser: "Of course I do!"
Me: "So if no one wants to steal your car, why do you lock it?"
I've found they can't answer that one.
The real issue is that people just can't use computers. What would solve the problem would be some form of transparent biometric authentication. Think about how we as human beings authenticate people - we do it all the time, from speaking to friends on the phone to making a transaction at the bank. If speaking to someone you know, you don't use a password - you know what your friend looks, sounds and behaves like, and this is used for "authentication". With a bank, you may not know the person you are about to hand over all your cash to, however because the bank is a big building in the location it's in, you know that it can be "trusted" due to its physical location.
Regarding passwords with Windows 2000, there are alternatives to this. The simple one is let them have no password, but make it so that their account can only log on from their computer. That will seriously limit the abuse that can happen. Alternatively just quietly delete all your CEO's MP3s and mail abusive messages and pr0n using his account - he'll soon wake up.
If they think it's expensive to run now, just wait until they get the repair bill after it's been run with no security for a while.
Here in Europe, some countries have laws saying that the management is liable if they get broken in (cracked) and the IT security was too lose! That's the only language managers understand, so I think it's a good idea, no?
n-e
ONE PASSWORD!
Yes, that's right, retain some security while still making it super easy on everyone. Perhaps you could even change the password monthly... to the name of the month! (Although that might confuse some people and create more problems.)
Anyway, one password for every user is the compromise that will make everyone happy.
That applause you hear has nothing to do with the whooshing noise you just heard go by overhead.
Since the lusers can't remember, then switch to a system that relies on a physical item for the security. Do the employees have ID cards? If so, chances are those could be used for a login system (RFID tags?).
As for explaining to management why passwords are a good idea, ask them if they would like to see their salaries/bonuses/private email show up on F--CKED Company.com (not as a threat, just to point out what can happen when accounts aren't secured with a password or equivalent.)
You don't get it. Whether you are BOFH or BOIH is depending on whether you make people suffering or people make you suffering. :)
Whether you are BOFH or BOIH is depending on whether you make people suffering or people make you suffering. :)
;)
Heh - quite
(NeoEinstein, no offense intended. :) )
It sure is refreshing to see loose misspelled l o s e.
Yeah, but the hackers don't want your DATA, fool. They want a place to put their kiddy porn and tcp reflectors for hacking NSA computers and sending death threats to the president...
... especially now that all your machines have been confiscated as evidence. :)
No, you don't have anything on your network worth stealing
"Your superior intellect is no match for our puny weapons!"
But doesn't the directory design in 2000 let you organize things into nice little containers where you could then delegate responsibilities? And doesn't Windows 2000 have a "taskpad" or something, that you could say use the delegation infrastructure to give someone close to the convenient units, embodied in the little containers, the very limited ability of modifying passwords.
I get the distinct impression your employers aren't using the features that come with the very expensive software that they're buying the very expensive service for. I can't really say whether it's a security, or even a software, issue. The problem seems obfuscated by significant human resource difficulties.
As an aside, I can't say I'd be opposed to learning what company we're speaking of. I've taken enough of a bath in the market, and this would certainly seem like a good indicator to sell.
--Jimmy has fancy plans; and pants to match.
Yes, I have.
Moronically, the high school I was currently attending. I was the "Assistant Admin" (I WAS the admin, don't let the name fool you).
My principal started getting sick and tired of her front desk people having all of their time wasted by students asking their student numbers (also their password).
She came to me saying to take all passwords off, period. The only exception, mine.
It took 400 flunking students getting straight A report cards magically to set her straight.
Of all the Universal Constants, here's one I know: Nice guys finish last
Forced password changes => lots of help desk calls.
What is less obvious is that they don't lead to any significant increase in security. Most people, if forced to change their password every month, will use something easy to remember (and easily guessable), like qwerty1, qwerty2, qwerty3, etc. But they still can't remember which version they are currently on, hence the help desk calls.
If you force users to choose strong passwords but not to keep changing them, you'll get both an increase in security and a decrease in help desk calls.
Surely the most sensible way of sorting this out would be to have a trusted member of staff in each building/department/whatever with the authority to reset passwords. Note, I said *reset* passwords - not the ability to read them.
seany
If they won't listen, resign, and get a new job. In your resignation letter explain exactly why you are resigning. Also, make sure that you explain that you do not wish to be associated with such an incompetent company. Let them know in no uncertain terms the misery that this policy will bring them.
Having no password is just asking for trouble.
Instead, just make every password the same, and make sure it's printed on posters all around your workplace!
I was reading a few posts in this thread and started thinking "Hmmm, so he works for a BIG company. There might be some chance such a person would be googleable." So I looked at the email of the poster, griffis@mailexcite.com and googled away at griffis.
The first few pages showed nothing, but then BINGO!!
http://www.nab.org/conventions/includes/participantbio.asp?id=10985
;)
Finally MS is implementing the security policy they always wanted.
"I'm tired of all this 'Aren't humanity great' bullshit. We're a virus with shoes" - Bill Hicks
OK so point what no passwd will give you.
Complete and utter ability to impersonate your upper management, send out emails supposedly from them and read all their files (assuming you're running AD for NT domains and the email uses the AD etc. for authentication)....
What other risks to the business can you think of -
the cleaner can get in as anyone...
people can update documents they aren't supposed to..
the list goes on.
by removing security from Windows2000? As in guest login with no passwd or no passwds at all for any user??
:) or just about anyone else on slashdot.
Set up a web page interface to a database that maps people's names, zip codes, mothers' maiden names, credit card nos and passwords. Better yet add a phone interface; this will be cheaper and better than a full-fledged helpdesk.
At the least you could put up a webpage that allows users to reset their passwords to their credit card numbers or SS no. Simple, effective and stable web/phone interfaces will do a better job than helpdesk staff.
All this is assuming you have LDAP or other central authentication service. If you do not, hire me
"Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
an Ask Slashdot?
or better yet... an entry on F*ckedCompany.com ?
Tell upper management that turning off security is not an option. What it sounds like you need more is a solution that maintains security while still providing the cost benefits of not having to reset passwords daily. You need an identity management solution, or at the very least a single sign on solution... There are numerous password propagation, synchronization, IM and SSO solutions available. Find something that will fit your environment, and run with it. Letting it get to the point where an innocent says "Can we turn it off?" is not going to help you, and you're at fault just as much as the suits when you get hacked because you LET it happen.
http://www.bistolas.net
Note that doing this is not smart, but here is how it can be done in WindowsNT. The registry in Windows2000 is not much different so it should work. MS's KnowledgeBase has an article on how to set this up if you need more details.
In the following registry key: HKEY_LOCAL_MACHINE -> Software -> Microsoft -> WinNT -> CurrentVersion -> WinLogon
Set the following registry values:
AutoAdminLogon -> 1
DefaultUser -> luzer
DefaultPassword -> password
DefaultDomain -> somedomain
Then reboot the system and logon as luzer. Now every time the system is turned on, the system will automatically logon as luzer.
The above information was from memory, so you should verify its accuracy before using it. Since Windows2000 likes to use Active Directory for everything, the DefaultDomain entry may have changed.
Go not unto /. for advice, for you will be told both yea and nay (but have nothing to do with the question)
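A defensive counterpart to the registry recipe above, added here as an example and not part of the original post: a Python script that parses a .reg export of the Winlogon key and flags machines where AutoAdminLogon is on or a DefaultPassword sits in the clear, which is what a fleet audit would look for after a change like this. It uses the actual Windows 2000 key and value names (Windows NT rather than WinNT, DefaultUserName and DefaultDomainName), and the export it checks is a constructed sample, not data from any real machine.

```python
import re

# Constructed .reg export (not from any real machine) showing a workstation
# configured the way the post describes: autologon on, password in the clear.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="1"
"DefaultUserName"="luzer"
"DefaultPassword"="password"
"DefaultDomainName"="somedomain"
"Shell"="Explorer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"""

# Real key path on Windows 2000/NT (the post's "WinNT" is "Windows NT").
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def parse_reg_export(text: str) -> dict:
    """Parse the subset of .reg syntax this audit needs: [key] headers followed by
    "name"="string" or "name"=dword:hex lines. Key and value names are
    case-insensitive in the registry, so both are lower-cased here.
    Returns {key: {name: value}}; other value types (hex:, @=) are skipped."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m and current is not None:
            name, val = m.group(1).lower(), m.group(2)
            if val.startswith("dword:"):
                current[name] = int(val[6:], 16)
            elif len(val) >= 2 and val.startswith('"') and val.endswith('"'):
                current[name] = val[1:-1]
    return keys


def audit_autologon(keys: dict) -> list:
    """Return a list of findings for the Winlogon key; an empty list is clean."""
    findings = []
    wl = keys.get(WINLOGON_KEY.lower(), {})
    # AutoAdminLogon is normally REG_SZ "1", but tolerate a DWORD 1 as well.
    if str(wl.get("autoadminlogon", "0")).strip() == "1":
        user = wl.get("defaultusername", "<unknown>")
        domain = wl.get("defaultdomainname", "")
        who = f"{domain}\\{user}" if domain else user
        findings.append(f"AutoAdminLogon is on: every boot signs in as {who} with no prompt")
    if "defaultpassword" in wl:
        findings.append("DefaultPassword is stored in clear text under the Winlogon key")
    return findings


if __name__ == "__main__":
    for finding in audit_autologon(parse_reg_export(SAMPLE_REG_EXPORT)) or ["clean"]:
        print(finding)
```

Run it over `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" out.reg` output from each machine to get a per-host list of the exposures the recipe introduces.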
First, if you are behind properly-maintained firewalls, and the Win2K boxes are properly configured (running no externally-accessible services unless they are a server, etc), then it's likely that you could get away with this without getting hacked externally. However, disgruntled employees are going to be a problem.
A better response is to force the user to use a password including a capital letter, a lower case letter, a digit and a non-letter character; to be at least 8 characters long; to never expire and have no history. Then the user is forced to pick a (relatively) good password, and won't forget it.
My company forces a password reset every 90 days, and won't let you reuse the last 8 passwords. I have my normal 2 strong passwords, then I go into a cycle of fairly weak (but easy to remember) passwords. At least it's not like when I was at IBM, where everyone had their RETAIN passwords written on the whiteboards (5 characters, randomly assigned by the computer every 30 days!).
-- Two men say they're Jesus. One of them must be wrong. - Dire Straits
You can get by with only one dialer 'cause you can just batch up the requests and do them sequentially. I'm sure there are a jillion ways to get the telephony/voice synth part working. There's Bayonne, etc. Since you're only talking about letters, numbers, and punctuation, you could just have someone read the letters into WAV/MP3 files and stream them into a voicemodem. Just a thought!
Tiller's Rule: Never use a word in written form that you've only heard and never read. You will end up looking foolish.
And do they offer public stock?
If so, I'm going to buy a few shares so I can sue them for mismanagement.
III.IIVIVIXIIVIVIIIVVIIIIXVIIIXIIIIIIIIVIIIIVVIII
check out True Systems
Hire an intern that does nothing but reset passwords. You can set up a script in NT/linux/solaris, whatever, that only has this ability.
Pay him nothing if it is an intern, or pay him the minimums. Force him to sign a security agreement first, of course.
Now what you have is someone that is getting paid next to nothing that has taken 50% of your work load out of the picture costing less than anything upper management could ever dream.
My suggestion is that you find someone in your family, friends, or something like that. Someone just out of high school that you have a personal contact with, i.e. you can trust him more than the average joe. Then lay it out for them: "look man, I have a job where all you have to do is change passwords all day and you can study, play games, etc. etc. and get paid like you were flipping burgers." Dream job for the average noob computer guy.
good luck,
Neck_of_the_Woods
#/usr/local/surf/glassy/overhead
This is really not that complicated to solve. It is simple to assign someone the rights to change/reset passwords without giving them any other administrative privileges. Assign a person in each department the ability to do password resets.
You'll probably need to make it a secretary or similar, but ideally it would be the managers so they can actually appreciate which users are on the ball and which are completely inept.
You get to maintain reasonable security, you save the cost of all of those unnecessary help desk calls, and your management gets a little more perspective on who they have working for them. Problem solved.
If privacy had a tombstone it would read "We did it for your own good" . -- John Twelve Hawks
C'mon, they've been cutting costs on security for years by providing less and less of it...
Rock is dead. Long live scissors and paper!
I am not an IT security professional, but from my limited experience, this is 100% on the mark. It's much easier to remember a single 10+ letter/number/symbol password than it is to be forced to change a password once every month with only a six-letter minimum requirement. Some people have devised calendar schemes of changing their secure password, but these people are few and far between.
As an IT security administrator, the smart thing to do would be to require a password that is 10 characters minimum (with numbers or symbols required). Then give plenty of suggestions to users for how they can devise a rather random password (e.g., think of a favorite song, then use the first letters of lyrics from a verse of that song, with numbers or symbols separating sentences). Then force them to change it once a year or so.
"I may be quite wrong." - Socrates
Right. And then when someone's password is compromised, it stays compromised for a full year. The reason you change passwords every 60-90 days is so crackers utilizing l0phtcrack, john the ripper etc. don't have enough time to crack it.
..set your password to be ******** (8x '*'). Impossible to forget unless your lusers can't count either.
;-).
BTW, anyone ELSE using your company's systems will thank you for it: your company (read: your managers) will attract the liability as a consequence (you're never going to prove who logged in - but the usual "I'm no lawyer" caveat applies). So, basically, the problem will solve itself by police-assisted Darwinism when your management is led away in handcuffs (or at least the guy who came up with this idea). The only problem is that it might take the company down, so I'd suggest you keep your CV up to date and out there.
BTW, be careful with your backups, you may accidentally make a copy of all that free porn before they take the computers away
Before I get into WHY I say that, allow me to comment that I cannot envision ANY company the size of yours being run by people who are so goddamned bone-headed.
Ask your General Counsel if he would be happy to have each and every one of your company's business records rendered inadmissible in court if the company gets sued or sues someone else.
Security features like (DUH!) forgettable passwords allow you to PROVE who has accessed the documents and databases on your network. This is why MOST companies make it a termination offense to reveal your username and password to anyone else, employee or not.
Without secure logins, documents and business records can be tracelessly forged or falsified. The ONLY reason business records are admissible in evidence over a hearsay objection is because normal record-keeping practices TEND to cause them to be more reliable than other hearsay evidence. As soon as these records can be accessed by multiple persons without being able to prove WHO actually accessed them, they become worthless.
If this is a publicly-owned company, PLEASE let us know which one it is so we can divest ourselves of its stock BEFORE they do something this outrageously STUPID!
utter rubbish
My (rather cynical) recommendation: let 'em do it. Natural selection at work. If the entire system goes down the tubes because of a security breach, the "upper management" responsible for the farce will go with it. Hopefully, no one else would be affected. However, if everything turns out OK you don't want to be known for obstructing what was an "obvious" cost-saving move.
Folks around here are downright extreme about security (OK State Univ was mentioned on Slashdot a couple of times for it), so anyone who seriously tried to suggest such a silly idea would be out on the street in a heartbeat.
Making systems boot up and login non-interactively is hardly "removing security". How do you see that doing so would materially change the practical security of your organization's data? Systems are almost always logged in anyhow. That's why nobody can remember their password. (You might get the same sort of savings with a material increase in "security" by enforcing password-protected screensavers everywhere, because then the passwords would always be in mind.)
"Security" is mostly a waste of time and money, and only has value when it defends against an actual breach. It is wise economic planning to marshal your resources to address the cases with favorable cost/benefit. Surely you don't mean to argue that the decision is erroneous if it results in a net savings? If you do, then "security" is a religion for you, not a tool.
All too often, security means you can't do your job. The $20 for the support call is just the tip of the iceberg. It's the 2 hours that a meeting to close a $500,000 deal gets delayed, or the hour that two $300/hr consultants cool their heels while Mr. PHB deals with support that are the real costs here.
-I like my women like I like my tea: green-
fantastic... probably the best idea I've ever heard... . ..say... where do you work? :)
Oh god, that woman is John Romero!
I've seen these kinds of things happen periodically in companies, and there's a pattern that often hides the truth. In this case, the cost/benefit justification could be used as justification for something dumber: A very high level manager forgot his or her password. Before the helpdesk was outsourced, the manager knew who to call to just have it changed, no sweat. Now, with outsourcing, managers get the same treatment as the mail room boy, and they discover (surprise!) that real security imposes some inconveniences. They don't want to bring it back in house, but the high muckety-muck can't be bothered with having to remember a password or deal with the surly high-school dropout helpdesk employees that the cheap outsource company hires, so tada -- a nice cost-based rationalization just like business people like to see and can understand.
Of course, shortly after the policy change, there will be some other disaster, like the lead salesguy's powerpoint presentation gets replaced with a kiddie pr0n slideshow, so management will fire a few low-level types, then introduce draconian but ineffectual security policies.
Prepare for a wild ride, at best.
Author unknown, but it's a classic! (and for once, RELEVANT!)
"Lawyers are for sucks."
- Doug McKenzie
So here's what upper management wants to do: remove the security from all of our Windows 2000 machines. Has anybody else seen security cut just to save money?
I've got some Windows 98 CD's you can have for free around here somewhere....
Are you saying that there is nothing at all that is illegal in your country that can be done on your computer? If your machine were being used to host a terrorist information network, a conspiracy to kill leaders in your government, commit credit card fraud, hack into banks, etc., you could escape all accountability just by saying "Hey, my machine was hacked, it wasn't me, I swear!"?
"Your superior intellect is no match for our puny weapons!"
This could well be a troll, as it portrays management as incompetent, is theoretically believable, and places the IT Pilotfish in the role of downtrodden hero. If it is a troll, it's very well done!
Well, not exactly.
I work as a security auditor for an accounting firm. I go in ahead of the auditors and sign off on the systems in use in the company and basically give the OK for the auditors to come in and do their job.
If I discovered that a company hadn't taken as simple and easily implementable a security precaution as passworded access to systems, I would simply say in my report that the auditors could not rely on the evidence provided to them from the company.
This is VERY VERY VERY bad. CIOs can, have and do get fired over less than this.
Auditing standards for security are (frustratingly) low, and yet if you don't pass them and you're a publicly traded company - you're fucked. If you're a private firm, a partnership or anything where someone else doesn't actually own the company - do what you want. If you're public, you're assuming an ENORMOUS risk. (Here I mean risk in the business-audit sense of the word.)
Basically, if you implement this, it will last up until the next audit at which time the people responsible for this decision will be forced to recant and if they don't have the word "chief" in their title, they'll probably be fired.
What you're doing is making it far easier for someone to access information that they shouldn't on the spur of the moment. I would hope that part of the reason they're getting all those calls about passwords is because users' workstations lock by default when they're idle. If not, every file on every machine is potentially available to the cleaning staff, visiting A/C or phone technicians, clients waiting in an empty office...if you have data on those machines (email? memos? unreleased product information?) that you don't want the outside world to have access to, you're incredibly foolish to make no effort to secure them.
"Security" is mostly a waste of time and money, and only has value when it defends against an actual breach. It is wise economic planning to marshal your resources to address the cases with favorable cost/benefit. Surely you don't mean to argue that the decision is erroneous if it results in a net savings?
Here I really disagree. If you're "defending against an actual breach," which is to say dealing with a situation where you've already been compromised, that's not security. Yes, you do a cost/benefit analysis, but that analysis isn't "it costs us $x per year to reset people's passwords, and $0 to simply do away with the passwords."
Maybe some of those workstations don't need to be locked, and you can cut down on calls by leaving them open...but you have to consider the potential costs associated with lowering security: what if the data from that computer is made public? Could someone install malicious software on that machine, and what would the potential damage to the network be? What other machines could someone access from that workstation? The potential costs in system damage, lost business, etc. may end up making the costs of those password calls look like a good investment.
If you don't evaluate the potential costs of a security breach, you're in no position to decide whether or not there's a net savings.
* * *
It is a dada story -- it has no moral.
Can you implement a SecurID-type solution? Person carries a token that identifies them to the system. This isn't perfect security, but it is a step above no passwords, and for high security needs is a part of the solution. These can be lost too, but that is a slightly different problem, so you might find it happens less often.
Have you looked at bio type ids? (fingerprint or eye scan?) these are not very good yet, but might be good enough.
Last, ask why users are forgetting their passwords. I find that when I log onto a system every day I don't forget the password, even if it changes fairly often. Perhaps you need to implement a system where all passwords are always in sync so that users only have one password to remember.
Maybe you need to keep statistics that better reflect what is happening. It doesn't sound like your problem, but a small number of password resets is normal, but small when you have a lot of people around can still be a large number out of context.
Where I work (about 4000 employees and it is a medical institution, so the cow-werkers are as dumb as toast regarding computers) when you call the help desk, you get an automated message that asks you to: press 1 for password resets, 2 for all other problems, 3 for system status and 4 to hear a duck quack. This should be much cheaper than routing those calls to your outsourcing firm and still allow you to retain some control over restricting your users.
There have already been some great posts about questions to ask ("You don't need a password? Do you lock your car?"), policy to set ("have to fill out a form and walk it to IT to have the password changed"), but I have two additional suggestions:
Have you considered billing back use of the outsourced helpdesk to the other departments? Hit them in the wallet, and in doing so they need to fill out paperwork every time they want a password changed. No writing them down either - that should be grounds for termination.
If not, maybe you need to consider either biometrics or access cards. You could replace password auth with smart card auth, and if they lose it they need to report it immediately or they really will get fired.
"All I ever wanted was to see Larry Wall give Bill Gates a Perl necklace."
http://www.eisenschmidt.org/jweisen
Shoot every tenth user that forgets their password. Keep this up until all the rest are remembering theirs.
Most places I've had the "pleasure" of working at have had your typical magnetic security/time cards. If the employee loses it they have to pay about $20. It isn't that the cards cost $20, it's the fact that it takes resources (i.e. time) to get a new card, encode it, associate it with the employee and to invalidate the old lost card.
Why not do this with passwords? People in IT (should) get paid quite a bit. Even if it is just a "help desk" person they get paid enough for it to cost the company a fair amount of cash.
Just because passwords don't have a physical incarnation like timecards do doesn't mean they don't cost money (otherwise you wouldn't be in this situation to begin with).
--adam
[Please don't mark this post "funny". I'm being serious.]
that allow password maintenance, including self service, and delegation. One time cost, plus maintenance, and I believe that a few of them are even web based (tied to IIS). I forget how they work, just check on google.
I've worked at a company that went from high security to low, another company that did the reverse, two that were controlled by the "Network Nazis," and one with so little security that I could still (don't work there anymore) bring down half the network with just a few keystrokes. I think there is a lot of money to be saved by cutting certain security measures, and most decisions need to be based on what the company does, what employees are authorized to do what, and how computer literate the staff is. It really takes little effort to sit down for an hour or two and iron out a list of security measures the company NEEDS. And even if the company can afford the WANTS, there is probably a better place and use for that cash. For instance, there is nothing worse than collecting all kinds of user data and logs when you really have no manpower to smartly analyze all those bytes. Now, concerning the PC logon password issue, I think all companies should use this inexpensive feature; however, $20 per call to reset a forgotten password is absolutely ridiculous and is something that needs to be brought in-house or renegotiated separately in the service contract.