Slashdot Mirror


Cutting Security To Cut Costs?

just currious asks: "I work for a large company (10,000+ PCs) who recently outsourced the help desk. After looking at about a year's worth of data we find that 30% to 50% of the calls to the helpdesk are password related (password resets, password changes, etc.). This is a lot of calls (at 20+ dollars a pop). Now they want to reduce cost by cutting security, since if you don't have a password, you can't forget it. So here's what upper management wants to do: remove the security from all of our Windows 2000 machines. Has anybody else seen security cut just to save money?"

9 of 124 comments

  1. My 2 cents by RyoSaeba · · Score: 5, Insightful
    I guess it depends on many different factors. You have to ask yourself (or make the managers ask themselves ^_-) at least those questions:
    • are there sensitive documents on the network, which shouldn't be readable by some users? If yes, you'd better leave those passwords, since if you remove 'em, anyone can log in as a manager & read that data. And forget those nifty Word / Access / whatever password protection, people need 10 sec to find the password... The only way is to prevent users from reading files using groups access control & such, something easily defeated if no password...
    • do you trust all your users? Again, removing passwords will enable anyone to log in as anyone & create havoc w/o being able to find who did it, since the login won't help (maybe combination of which computer that was from & the time, but that may not be enough)
    • are your users sufficiently educated to know how to use computers? Meaning, are they responsible enough to understand what no passwords will mean, and act smartly accordingly?
    • study with your manager the security risk involved with having much data erased by someone who used a high-level account to trash many important files. Are your backups done often enough? How long to recover everything? Is it worth the spending of removing passwords? (ok, that's a question you probably ask yourself often enough, but removing passwords will increase the risk of random file deletions IF users want to create havoc)


    Where I work the security is pretty tight (comp locks after 5 mins of inactivity, many things turned off, and so on). It's sometimes a pain in the ass, but at least they really take security into account...
    --
    Tsuyoikoto ha taisetsu da ne, dakedo namida mo hitsuyousa (Strength is an important thing, but tears too are necessary)
  2. F^cked Company by Heinr!ch · · Score: 3, Insightful

    Once they do it, you should post the name of your company here and at FuckedCompany.com so we can all avoid giving this company any of our personal information.

    1. Re:F^cked Company by Kibo · · Score: 3, Insightful

      Not to mention divesting ourselves of any ownership of it, and possibly shorting it.

      --
      --Jimmy has fancy plans; and pants to match.
  3. Cutting costs - false economy by skinfitz · · Score: 3, Insightful

    If they think it's expensive to run now, just wait until they get the repair bill after it's been run with no security for a while.

  4. There is nothing on our network worth stealing! by gnovos · · Score: 5, Insightful

    Yeah, but the hackers don't want your DATA, fool. They want a place to put their kiddy porn and tcp reflectors for hacking NSA computers and sending death threats to the president...

    No, you don't have anything on your network worth stealing ... especially now that all your machines have been confiscated as evidence. :)

    --
    "Your superior intellect is no match for our puny weapons!"
  5. Re:*sigh* by gnovos · · Score: 5, Insightful

    2) What would I lose if someone hacked into my pc?

    The question you MEANT to ask is: What would I lose if someone hacked into my pc and placed child porn in my personal directories and then called the FBI on me?

    A) 5-10 years of your life... You only need to possess it, not even have knowledge that it is there.

    --
    "Your superior intellect is no match for our puny weapons!"
  6. How often do you force password changes? by iangoldby · · Score: 5, Insightful

    Forced password changes => lots of help desk calls.

    What is less obvious is that they don't lead to any significant increase in security. Most people, if forced to change their password every month, will use something easy to remember (and easily guessable), like qwerty1, qwerty2, qwerty3, etc. But they still can't remember which version they are currently on, hence the help desk calls.

    If you force users to choose strong passwords but not to keep changing them, you'll get both an increase in security and a decrease in help desk calls.

  7. security policies by doofusclam · · Score: 5, Insightful

    Surely the most sensible way of sorting this out would be to have a trusted member of staff in each building/department/whatever with the authority to reset passwords. Note, I said *reset* passwords - not the ability to read them.

    seany

  8. Re:*sigh* by MrResistor · · Score: 3, Insightful

    Yeah, well, Dmitry Sklyarov isn't an American, either.

    Jon Johansen is not only not an American, but has likely never been to America, and lives in a country where reverse engineering is supposedly still legal.

    I'm going to take a wild guess and say that kiddie porn, sedition, and terrorism are still illegal in Portugal, despite the relative scarcity of law enforcement. Even if they aren't illegal, or are but aren't enforced, there's still this little thing called "extradition". There aren't that many countries in the world that don't have extradition treaties with the US, and I don't recall Portugal being on that list.

    If you think the US can't put enough pressure on your government to get you if it's important to them, I'm going to guess that you haven't gone much past the government-mandated education yourself.

    Remember, the program Sklyarov wrote is not only explicitly legal in Russia, but Russian law makes Adobe the criminals for limiting access to purchased works. That didn't stop the FBI from nabbing him though, did it?

    --
    Under capitalism man exploits man. Under communism it's the other way around.