Slashdot Mirror


Security Responsibility Without the Authority?

Slashdot reader jamie submits this story about security administration. If you have the responsibility for security without the authority to make changes, your only role is to be the fall guy when something goes wrong.

206 comments

  1. On the other hand by tverbeek · · Score: 4, Insightful

    On the other hand, having the authority without the responsibility is a much larger disaster waiting to happen.

    --
    http://alternatives.rzero.com/
    1. Re:On the other hand by dedeman · · Score: 2, Funny

      Disaster, yes. But only if you're the fall guy. If you have little responsibility, it's great. Does anyone like the new ad at the top? Go IIS!!!

    2. Re:On the other hand by aacool · · Score: 4, Interesting
      Good first post - for once

      From the article,

      Upper management often issues orders such as "Clean up the system at any cost!" Yet when these same managers get recommendations for pre-emptive security implementation, too often chief information security officers are told, "The budget for this quarter has been exceeded. Ask me again later in the year."

      Information security is a challenging and technologically rewarding profession. Unfortunately, those responsible for carrying out information security often are not given the authority and budget to get the work done.

      http://www.gao.gov/new.items/d02627t.pdf Here is the definition (pdf) of the Homeland Security Dept's responsibility charter, for want of a better word.

      From another source, possibly not popular in these circles, is a paper on "Security Considerations for Information Security" http://www.microsoft.com/technet/security/bestprac/bpent/sec2/seconaa.mspx An excerpt:

      Security is everybody's responsibility. The creation of a secure IT environment is not just the responsibility of your organization's IT staff. Everyone in the organization has the responsibility to respect and implement the corporate security policies.
    3. Re:On the other hand by pbranes · · Score: 4, Interesting
      I work in a higher-education environment as server/desktop/network support. I am faced with the problem of working with systems that were set up improperly and me not having authority over them directly, but having the responsibility of making sure the network doesn't collapse into a quivering heap.

      The way we have started facing this problem is confronting the end user and the people that set up the misconfigured equipment, saying: "you must work with us in fixing this problem, or we will disconnect you from the network and you can find your own ISP". That pretty much gets their attention and allows us to set security policies, firewalls, system/application patches, and virus protection.

      Yeah, it's not the optimal solution. We really need a single head person who can enforce security policies totally over every section, but that is difficult in the open environment of higher-ed.

    4. Re:On the other hand by magefile · · Score: 1

      What ad? Oh, right, you're the kind of person that doesn't read the New York Times.

    5. Re:On the other hand by yintercept · · Score: 3, Interesting

      Authority (who's the boss) is usually assigned for political reasons. Responsibility has more to do with ethics and capabilities.

      When the boss is incapable of doing a task, then clearly, some underling bears the responsibility when things go wrong.

      Conversely, the people with a highly developed sense of ethics and professionalism step up to the plate, work to make the project work and essentially take responsibility.

      Theoretically, it is possible to give authority to the people who take responsibility.

      On the other hand, having the authority without the responsibility is a much larger disaster waiting to happen.

      This might cause problems for a company...it usually doesn't tarnish the teflon coat of the people in charge. For that matter, when a company sees a manager with authority and no responsibility, they generally respond by expanding his authority.

    6. Re:On the other hand by Spoing · · Score: 2, Insightful
      I could work with you.

      Have you enforced network-level (router + firewall) segmentation yet? (Ex: Systems A & B and B & C can see each other, though not A & C.)

      --
      A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
    7. Re:On the other hand by zaffir · · Score: 2, Informative

      I work in the IT department of a small offshoot company of a larger corporation. For reasons that have never been explained to me, or anyone in our small company, all of our networking hardware is controlled by the IT department of our parent company. Due to some wonderful policy we aren't allowed access to any of our routers or switches. We're practically neutered when it comes to tracking down network issues.

      A while back we had a user bring in a Sasser-infected machine from home and plug it into the network, grinding our operation to a halt. It took us a couple hours of trial and error to find the offending machine.

      Even after this incident, and other similar problems, we are still refused access to our own hardware.

      --
      "Upon attaching the waterblock to my penis, I began to notice that I know nothing about computers." -- JRockway
    8. Re:On the other hand by Anonymous Coward · · Score: 1, Insightful

      From another source, possibly not popular in these circles, is a paper on "Security Considerations for Information Security" http://www.microsoft.com/technet/security/bestprac/bpent/sec2/seconaa.mspx An excerpt:

      Security is everybody's responsibility. The creation of a secure IT environment is not just the responsibility of your organization's IT staff. Everyone in the organization has the responsibility to respect and implement the corporate security policies.

      If that's the case, then most companies are fucked. You just can't explain to some people, "Don't open the email that claims to have nude photos of Anna Kornikova, no matter how much you want to see nude photos of Anna Kornikova." They simply won't listen. And I'm not trying to be funny. This was an actual problem at a place I worked a few years ago.

      Likewise, the admin assistant will always put his/her password on a post-it note on their monitor, so anybody who walks by can just see it at a glance.

      Plus, education takes money. Most small companies don't have enough money to hire enough people to do the job correctly, let alone spend money training the ones they did hire.

      As much as I hate to say it, I honestly don't see how you can secure a facility without automated measures that enforce who can do what.

    9. Re:On the other hand by Kierthos · · Score: 4, Interesting

      I knew an admin who put a password on a sticky on his monitor. The password didn't work, and he logged all attempts to get into his account, and dealt with people who tried to do so appropriately. (Usually with a warning and cutting their print quota in half for the first attempt.)

      Kierthos

      --
      Mr. Hu is not a ninja.
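      An added example of the logging Kierthos describes above, written for this mirror rather than taken from any poster: a decoy account whose password never works, with every failed attempt against it pulled out of auth-log lines and counted per source address. The account name, the sample log lines and the "warn"/"escalate" labels are constructed assumptions; the line shape follows OpenSSH's `Failed password for USER from HOST port N ssh2` message.

```python
"""Added example (not from the thread): monitor failed logins against a decoy
account. Log lines and names are constructed; the message shape follows
OpenSSH's 'Failed password for USER from HOST port N ssh2'."""
import re
from collections import Counter

DECOY_ACCOUNT = "notes-admin"   # constructed: the name written on the sticky note

# Constructed sample auth log. Only failures against the decoy should be
# flagged; alice mistyping her own password (line 4) is ordinary noise.
SAMPLE_LOG = """\
Jun  3 09:14:02 fs1 sshd[4101]: Failed password for notes-admin from 10.20.3.17 port 51234 ssh2
Jun  3 09:14:09 fs1 sshd[4101]: Failed password for notes-admin from 10.20.3.17 port 51234 ssh2
Jun  3 09:20:41 fs1 sshd[4188]: Accepted publickey for alice from 10.20.1.5 port 40022 ssh2
Jun  3 11:02:15 fs1 sshd[4307]: Failed password for alice from 10.20.1.5 port 40118 ssh2
Jun  3 13:45:50 fs1 sshd[4520]: Failed password for notes-admin from 10.20.7.88 port 60012 ssh2
"""

# 'invalid user' appears when the account does not exist; tolerated so a
# nonexistent decoy name works too.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def decoy_attempts(log_text: str, decoy: str = DECOY_ACCOUNT) -> dict:
    """Per source address: number of failed attempts and the first timestamp seen."""
    counts = Counter()
    first_seen = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m or m.group("user") != decoy:
            continue
        src = m.group("src")
        counts[src] += 1
        first_seen.setdefault(src, m.group("ts"))
    return {src: {"attempts": n, "first_seen": first_seen[src]} for src, n in counts.items()}


def response_for(attempts: dict) -> dict:
    """Graduated response per source: a first attempt gets a warning, repeats
    escalate. The labels are constructed; what 'escalate' means is local policy."""
    return {src: ("warn" if info["attempts"] == 1 else "escalate")
            for src, info in attempts.items()}


if __name__ == "__main__":
    found = decoy_attempts(SAMPLE_LOG)
    for src, action in response_for(found).items():
        print(f"{src}: {found[src]['attempts']} attempt(s) since {found[src]['first_seen']} -> {action}")
```

      Note that the log attributes an attempt to a source address and a time, not to a person; tying an address to a desk or a login session needs separate records (DHCP leases, switch ports), which is an assumption about the environment rather than something the thread states.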
    10. Re:On the other hand by Kierthos · · Score: 2, Interesting

      The university (right across the street from me) recently (last summer) and finally implemented a system where if students want to use the university's connection/bandwidth, they have to install certain software (AV stuff mostly) and adhere to the guidelines stated by the university. (Which mostly boils down to "No file sharing programs" and "No spam servers".) They also set the firewall settings on the student's computers, and tell the students not to change them.

      They've had a bunch of students complain, but to no avail (thank God, as these students aren't bright). The CS department loves the fact that the number of calls for dealing with virus-infected computers has dropped by like 85% or more.

      Kierthos

      --
      Mr. Hu is not a ninja.
    11. Re:On the other hand by Chazmati · · Score: 1

      How did he know who was trying to log into his account? Did these people try to log in from their own workstations?

    12. Re:On the other hand by Lumpy · · Score: 4, Interesting

      I will share the last IT security administrator's tactics....

      He saw that he was being set up for the "fall guy" position... you know it when it happens: "you are responsible for all security", "Oh, we have no money for your department, you can not implement that security policy, no, not that either,..."

      For his last year he recorded all conversations with superiors, printed out and kept (against company policy) all communications with superiors and even kept recordings of voice mails on his company phone and personal cellphone.

      Well, it collapsed, we were rooted hard, and when they looked for the fall guy, he was ready and took 7 of the company's managers and executives with him, flaming, to the ground.

      BTW, his tactics earned him quite a bit in a court settlement with the company. Be sure to give all that information to your lawyers also... they love that kind of crap.

      Basically, document everything, and under NO circumstances trust your bosses.

      --
      Do not look at laser with remaining good eye.
    13. Re:On the other hand by signingis · · Score: 1

      Score:5, Awesome.

      --

      I prefer a void in conversation to a vacuous one.
    14. Re:On the other hand by Anonymous Coward · · Score: 2, Insightful

      Did he manage to get another job afterward, though? I think that says something about someone that he chose to remain in such a crappy environment that he had to record all his conversations and prepare for the inevitable shitstorm. He could have just left for a new job with a more positive situation, in which he had the resources he needed.

    15. Re:On the other hand by tverbeek · · Score: 3, Insightful
      "Security is everybody's responsibility."

      Never mind where this came from. Although it sounds good, it's the sort of platitude that can easily mean the opposite. That's because when you make everyone responsible for something, that means that no one is responsible for it. The buck doesn't stop anywhere, so when there's a lapse, the responsible party is arguably "everyone", and those who simply do not have the authority to take responsibility for security (which is most)... won't.

      --
      http://alternatives.rzero.com/
    16. Re:On the other hand by Anonymous Coward · · Score: 0
      I work in the IT department of a larger corporation which has many small offshoots. For reasons that we've explained several times to the management of these offshoots (but which they do not communicate down to their underlings) all of the networking hardware which has the potential to have an adverse impact on the corporate WAN stability is controlled by our IT department here in the parent company. Due to this policy, remote site IT staff are not allowed to access "their" routers. In the past, when this policy was not so tightly adhered to, the corporate LAN had several "incidents" each year where a local site admin decided to make changes to the local site router, resulting in:

      • Routing changes causing all of the (Oc12 backbone) WAN traffic to prefer to be routed through one small site's DS1 circuit.
      • The "accidental" removal of anti-spoofing egress filters at one site (The admin thought removing the filter would make their Internet access faster), allowing spoofed source packets to flood the WAN.
      • To make "remote maintenance" easier, one site re-enabled local password login to the console port of the on-site WAN router... oops, I still can't talk about the details on that one.
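      As an added illustration of two points raised in this thread, the segmentation Spoing asks about earlier (A and B, and B and C, can see each other, but not A and C) and the egress anti-spoofing filter whose removal is described in the list just above, here is a small Python model of a site router's policy. It is example code written for this mirror, not code from any poster; the prefixes, segment names and the `router_verdict` function are constructed assumptions.

```python
"""Added example (not from the thread): a site router policy with explicit,
non-transitive segment adjacency and an egress anti-spoofing check.
All addresses and names below are constructed for the example."""
import ipaddress
from typing import NamedTuple, Optional

# Constructed site addressing: three segments behind one site router.
SEGMENTS = {
    "A": ipaddress.ip_network("10.1.0.0/24"),
    "B": ipaddress.ip_network("10.2.0.0/24"),
    "C": ipaddress.ip_network("10.3.0.0/24"),
}

# Segment pairs allowed to exchange traffic. Adjacency is explicit and is
# NOT transitive: A<->B and B<->C are listed, so A<->C stays denied.
ALLOWED_PAIRS = {frozenset({"A", "B"}), frozenset({"B", "C"})}


class Packet(NamedTuple):
    src: str
    dst: str


def segment_of(ip: str) -> Optional[str]:
    """Name of the local segment an address belongs to, or None if it is not ours."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def segmentation_verdict(src_seg: str, dst_seg: str) -> str:
    """Inter-segment ACL: same segment or a listed pair is allowed, all else denied."""
    if src_seg == dst_seg or frozenset({src_seg, dst_seg}) in ALLOWED_PAIRS:
        return "allow"
    return "deny"


def router_verdict(pkt: Packet) -> str:
    """Decide what the site router does with a packet.

    - destination inside the site: apply the segmentation ACL
    - destination outside the site (leaving toward the WAN): apply the egress
      anti-spoofing rule, i.e. the source must be one of our own prefixes
    """
    src_seg, dst_seg = segment_of(pkt.src), segment_of(pkt.dst)
    if dst_seg is not None:
        if src_seg is None:
            return "deny"   # unknown address space never matches an allow rule
        return segmentation_verdict(src_seg, dst_seg)
    return "allow" if src_seg is not None else "drop"   # spoofed source: drop at egress


if __name__ == "__main__":
    sample = [
        Packet("10.1.0.5", "10.2.0.9"),        # A -> B: listed pair
        Packet("10.2.0.9", "10.3.0.1"),        # B -> C: listed pair
        Packet("10.1.0.5", "10.3.0.1"),        # A -> C: not listed, denied
        Packet("10.1.0.5", "198.51.100.10"),   # legitimate egress
        Packet("192.0.2.7", "198.51.100.10"),  # spoofed source leaving the site
    ]
    for p in sample:
        print(f"{p.src:>14} -> {p.dst:<14} {router_verdict(p)}")
```

      The point of keeping the pair list explicit is that adjacency is a policy decision, not a property that propagates: removing the egress rule, as happened in the story above, lets any forged source address out onto the WAN, and making A<->C reachable requires someone to add the pair on purpose.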
    17. Re:On the other hand by Anonymous Coward · · Score: 0

      'Upper' management (named I believe for what they are usually taking) want the shortest path to the biggest buck; anything that doesn't directly assist in this process in a provable way is an unnecessary cost. For this reason security is seen as something that 'we just do', everyone is 'responsible' for it, and it's 'part of our process'. These are other ways of saying 'it doesn't cost anything', 'we can blame anyone when it fails', and 'it's the responsibility of those at the coalface'. This isn't usually a problem, because most companies are over-resourced with people who have the spare time to be proactive on security between customer billable work, and these people are always looking for some new security stuffup to take the blame for ... like hell ...

      The security manager though is more than just a designated scapegoat; they are also responsible for telling lies to the customer when the excrement hits the air movement device. This is in addition to their duties of trying to justify budget for something that 'doesn't give us anything' and trying in vain to get even a small number of fellow employees to take them seriously (it's very hard to get peers and subordinates to take you seriously when it's apparent to everyone that upper management doesn't ...)

      I 'know of' a company where this was the case. Mission statements say all the right things, customers get told all the right things, contracts agree on all the right things - reality? They did the absolute bare minimum and hoped like hell they'd continue to be 'lucky'. Every now and then some very creative customer storytelling would be required, but that's life ... isn't it? Does luck ever run out?

      My sympathy to anyone with Security Authority, Responsibility, or both ...

    18. Re:On the other hand by Anonymous Coward · · Score: 0
      "Security Considerations for Information Security"

      Doubtless authored by someone in the Department of Redundancy Department.

    19. Re:On the other hand by Micro$will · · Score: 1

      I'm at a school which was just acquired by a larger company, and I have a similar story. We had 4 class C subnets; 3 for students, and 1 staff segment. The new company made us dump it all and go to 1 single class B subnet. We complied and literally counted the minutes until there was a problem.

      Everything ground to a halt, nobody could surf the web, access shares, or even get an IP from the DHCP server. After checking about 3 classes we found the problem. About 20 students were running a ghost session before beginning a new course, which was for some reason propagating throughout the campus. I can only imagine what Welchia could do...

    20. Re:On the other hand by berzerke · · Score: 1

      ...if students want to use the university's connection/bandwidth, they have to install certain software (AV stuff mostly)...

      I wonder if they had any students using *nix (likely Linux or *BSD) who obviously would have a problem with the AV stuff and how they handled that. I wonder how they enforced that policy. Turning off the AV is not too difficult.

    21. Re:On the other hand by Anonymous Coward · · Score: 0

      A valid question. Clearly, he'd be well qualified to do consulting work, and would have a temperament and rep which might well have been seen as highly desirable for a niche community.

      A better question is, what did the people he took with him into the abyss do for work? He made significant inroads into solving the real problem by ensuring their spectacular implosion would pass into legend.

      Your question ultimately reduces to: "What is the value of 'Altruism'?" And I suppose one could ask those left with its legacy, but you really shouldn't have to.

    22. Re:On the other hand by Anonymous Coward · · Score: 0

      on the first attempt? Second attempt should have been fired for being stupid.

    23. Re:On the other hand by Vitus+Wagner · · Score: 1

      Ash nazg durbatuluk, ash nazg gimbatul, ash nazg thrakatuluk, agh burzum-ishi krimpatul.

      Is this a password which was engraved on this sticker? And was the admin's name Sauron?

    24. Re:On the other hand by Monf · · Score: 1
      I loVE Authority without the confining shackles of Responsibility....

      GiMMe mY moNEY 'hO!!! ...gEt in tHE goDDamn caR !..!!.!!

      --
      Pay no attention to that man behind the curtain.
    25. Re:On the other hand by TapioNuut · · Score: 1

      This is like the police leaving a moderately new car, with its keys inside and doors wide open, in the middle of a city and then arresting anyone who tries to start the car.
      I think it's stupid, although quite a good practical demonstration of users' will to go by the rules.

      --
      Tapio 'itn' Nuutinen
    26. Re:On the other hand by ifoxtrot · · Score: 1

      Very astute comment!

      In my experience, I've come across what social scientists call "diffusion of responsibility" with regards to security. Basically it's the notion that if you are on your own and you come across a person having a heart attack you will do something, if you're in a crowd, people will just stand there frozen in the expectation that someone else will do something.

      In security this has led to me witnessing an "it's not *my* problem" attitude or a "someone else is taking care of this".

      Responsibility and authority are massively important in order for a system to be secure.

      Applying the point of the original post to the comment "security is everybody's responsibility" means that everyone who has a security responsibility should have a matching authority. I.e., if it comes down to someone deciding whether to comply with a security procedure or bypass it to get the job done more quickly, then if that person is responsible for security, they should have the leeway to delay the job to take care of the security.

      Likewise everyone who has a security authority (i.e. an ability to determine whether a security measure is applied or not - which is very frequent in the case of systems relying on their users changing their passwords, making manual backups, encrypting their emails etc.) should have a matching responsibility.

      This ultimately means that security measures involving people should be very carefully judged, because if you give someone authority over your system you have to depend on them to behave in the right way, which means that they have to be:
      1. able to do so (not too demanding, simple, doesn't conflict with other pressures, etc.)
      2. willing to do so (motivation, responsibility, culturally acceptable - avoiding security can be a sign of seniority!!! how many managers actually comply with policy?!)

    27. Re:On the other hand by Lumpy · · Score: 3, Informative

      Actually yes. He teamed up with a small company here in town and formed an IT security company that consults with business and contracts with them for "repairing" the problems.

      Funny part, I saw him here about 24 months later, we hired his company!

      As for the managers and executives, I do not know... All we know is that about 30 days after the lawsuit their offices were empty.

      --
      Do not look at laser with remaining good eye.
    28. Re:On the other hand by zaffir · · Score: 1

      The problem isn't even with our one router that separates us from the "mothership". Denying us access to our internal switches is the real issue. And yes, they are our switches - paid for with our budget (this small offshoot is an almost entirely separate entity, required to make its own profits, budget etc.). When the wireless bridge connecting two of our buildings went down we had to wait for the higherups to come and fix it.

      --
      "Upon attaching the waterblock to my penis, I began to notice that I know nothing about computers." -- JRockway
    29. Re:On the other hand by Anonymous Coward · · Score: 0

      "Security is everybody's responsibility"

      Bullshit. Security is the responsibility of the employees working in security. I am responsible only for complying with security directives as they relate to my work.

      Why should developers be saddled with more work? Do we ask the security guards to help program? Everyone wants security, but nobody wants to pay for it. A common idiocy is found at jobs that have badged access to the building - they want the safety of only valid badged personnel being allowed in, but they want us to "not tailgate" and "ask to see people's badges". If they want that security, do what IBM does - have a paid guard that makes sure everyone badges in, and let him/her check the badges.

    30. Re:On the other hand by Glamdrlng · · Score: 1
      If that's the case, then most companies are fucked. You just can't explain to some people, "Don't open the email that claims to have nude photos of Anna Kornikova, no matter how much you want to see nude photos of Anna Kornikova." They simply won't listen. And I'm not trying to be funny. This was an actual problem at a place I worked a few years ago.
      I disagree. You can explain that to your coworkers. In fact, you (as an IT/security professional) are obliged to tell that to your coworkers, in the form of a written infosec policy that every employee signs. And when someone opens that email with Anna K's picture in it, your management has a responsibility to visit disciplinary action upon the offender, thus ensuring that your infosec policy has teeth.
      --

      Yes, my only tool is a hammer. And you're starting to look like a nail.
    31. Re:On the other hand by Antique+Geekmeister · · Score: 1

      Try telling the trophy secretary of the head professor that she has to change her password because it's been cracked, and she is not allowed to stick it to her desk on a sticky pad. And be prepared to lose your job for doing it.

    32. Re:On the other hand by OhBrian · · Score: 1

      The problem here is that many folks who administer security think they know better than everyone else.

      In order for security to work there has to be policy that defines what is being secured; how it is secured; and who is responsible for security. That policy doesn't have to define penalties but should define what a security violation is.

      Authority is something that is shared. It is shared between the people who are responsible for what is being secured and those who secure it. If you are an administrator who can change a configuration you have some authority.

      Penalties are something that need to be determined based on the circumstances. The guy who robs a bank and throws the note he gave to the cashier on the ground on the way out usually isn't charged with littering. That charge is not levied in the context of the situation (that when caught, more serious charges will be levied).

      --
      Anyone who has never made a mistake has never tried anything new.
    33. Re:On the other hand by Anonymous Coward · · Score: 0

      Sounds to me like he was pretty brave, had a lot of integrity, and was willing to screw the incompetents who had undeserved power over him. Sure, running from evil may improve your personal situation, but the willingness to confront and destroy it, even at great personal cost? Sounds like his documentation of their ineptitude provided more shareholder value than anything else he could have done in that straitjacketed situation.

  2. This is by design by Gothmolly · · Score: 5, Interesting

    I work at a Large Bank, and more often than not, we'll implement an expensive, suboptimal product because a) Someone Else Did It or b) Gartner Said It Was Good. It's all about preconfiguring the blame; it is always someone else's fault. This way, if there's ever a problem and the Gubmint comes looking for tail, we can always point the finger. On a small scale, this reduces to individual admins being forced to do stupid things, because That's What The Project Requires.

    --
    I want to delete my account but Slashdot doesn't allow it.
    1. Re:This is by design by Anonymous Coward · · Score: 0

      Management at large organizations don't care about the long term. They care about the short term so they can get promoted to doing something else. This goes all the way up to the CEOs, who worry about trying to boost the share price or else get kicked out.

    2. Re:This is by design by exi1ed0ne · · Score: 1

      Folks, I WAS[*] the security guy for a large datacenter. It is all about CYOA. Security folks have no authority - no problem. When I issue my security report on "really fscked up project" or "retardedly configured server" the manager gets to sign off on it. Making the higher-ups sign off on risk acceptance is what I like to call a "shit deflector." Kinda hard to dodge stuff like that.

      [*] Security, we don't need no stinkin security!

      --
      Pessimists.net - as if life wasn't depressing enough.
  3. this can be a 'good thing' .. by arcanumas · · Score: 4, Funny

    On the other hand this can be very good if you are *not* the guy with the responsibility. This means that when you fuck up there is a 'blame him' guy near by. :)

    --
    Slashdot Sig. version 0.1alpha. Use at your own risk.
    1. Re:this can be a 'good thing' .. by Raul654 · · Score: 2, Funny

      Especially if he doesn't speak English.

      Ahh, Tibor, how many times you've saved my butt.

      --
      To make laws that man cannot, and will not obey, serves to bring all law into contempt.
      --E.C. Stanton
    2. Re:this can be a 'good thing' .. by vwjeff · · Score: 5, Interesting

      Sadly I am the blame guy at my job, AKA, the bitch.

      It goes like this at my job. I am "in charge" of network security and maintaining our Microsoft and Linux servers. You would think that my office would be located at the central office where all the servers are. This is not the case. Instead my boss, the IT manager, is located at the central office. Whenever he thinks something is not working right he makes changes to our production servers during business hours. My boss has no training in IT security. He's an MBA that has limited knowledge in security but thinks he knows more than he does.

      Here's how most situations go. One person calls and complains that the finance database is slow or our inventory database is not working correctly. My boss then logs into the server and makes changes without documenting anything or telling me. You can imagine what happens next. Yeah, I get blamed for problems that occurred after he changed something. I then have to go back and try to trace what he did. I know I can't ask what changes he made since that might seem like I am blaming him for the problem he created.

      After going through this scenario four times I decided to remove his login to our production servers. Big mistake.

      I got a call from my boss two days later asking why he couldn't log in to our production servers. I had prepared ahead of time and had a story made. I told him that I had noticed someone was logging in to our production servers and making changes during business hours, which is against our IT policy. I went on saying that the changes made during these logins were responsible for the problems. I then told him for better security I should keep his account off the production servers so that the person who was making changes could no longer do so. He then said, "In the future could you please let me know when you make changes so we can be on the same page." I told him that I always documented the changes I made in the server logbook. I told him that I would reactivate his account with a different password. Since then he has not made any changes to the system.

    3. Re:this can be a 'good thing' .. by menscher · · Score: 2, Interesting
      That's beautiful.

      I use a multi-pronged approach to keep the other admins under control:

      • sudo logs their actions
      • tripwire tells me what files they change
      • firewall prevents them from starting new services
      Overall, it works pretty well. (I think) I know about every change that happens to my systems. At least, strange stuff doesn't happen without an audit trail to figure out who was responsible.

      Disclaimer: if you're one of my cow-orkers, please assume this was written in regard to one of my other systems.
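      An added example in the spirit of menscher's setup above (sudo logging who ran what, a tripwire-style file baseline showing what changed), written for this mirror and not taken from any poster or from the tripwire or sudo projects. It snapshots a directory's file hashes, diffs a later snapshot, and matches the changed paths against constructed sudo log lines to report which admin's command named each file, and which change has no sudo record at all. The directory contents, user names and log lines are constructed; the sudo line shape follows sudo's default syslog format.

```python
"""Added example (not from the thread): a minimal file-integrity baseline
plus sudo-log correlation. Files, users and log lines are constructed."""
import hashlib
import re
import tempfile
from pathlib import Path

# Default sudo syslog shape: 'sudo:  USER : TTY=... ; PWD=... ; USER=target ; COMMAND=...'
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : TTY=\S+ ; PWD=\S+ ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$"
)


def snapshot(root: Path) -> dict:
    """Map each regular file under root (relative path) to its SHA-256."""
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def diff_snapshots(before: dict, after: dict) -> dict:
    """Tripwire-style report: which paths appeared, vanished, or changed content."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "changed": sorted(p for p in before.keys() & after.keys() if before[p] != after[p]),
    }


def parse_sudo_log(text: str) -> list:
    """Extract (calling user, target user, command) from sudo log lines."""
    out = []
    for line in text.splitlines():
        m = SUDO_RE.search(line)
        if m:
            out.append((m.group("user"), m.group("target"), m.group("cmd").strip()))
    return out


def attribute(changes: dict, events: list) -> dict:
    """For every reported path, list the sudo commands whose text named it.
    A path with an empty list changed without any logged sudo command; that is
    the case worth chasing, because it means the audit trail has a gap."""
    return {
        path: [(user, cmd) for user, _, cmd in events if path in cmd]
        for kind in ("added", "removed", "changed")
        for path in changes[kind]
    }


def demo() -> dict:
    """Run the whole flow on a temporary directory with constructed content."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "cron.d").mkdir()
        (root / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "hosts.allow").write_text("sshd: 10.0.0.0/8\n")
        before = snapshot(root)

        # Simulated edits by other admins: one weakens sshd, one adds a cron
        # job, and one file disappears with no matching sudo entry.
        (root / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "cron.d" / "nightly").write_text("0 3 * * * root /usr/local/bin/report\n")
        (root / "hosts.allow").unlink()
        after = snapshot(root)

    changes = diff_snapshots(before, after)
    # Constructed sudo log lines; the paths match the files above.
    sudo_log = (
        "Jun  3 10:01:07 fs1 sudo:     bob : TTY=pts/1 ; PWD=/etc ; USER=root ; COMMAND=/usr/bin/vi /etc/sshd_config\n"
        "Jun  3 10:03:22 fs1 sudo:   carol : TTY=pts/2 ; PWD=/etc ; USER=root ; COMMAND=/usr/bin/vi /etc/cron.d/nightly\n"
    )
    return {"changes": changes, "who": attribute(changes, parse_sudo_log(sudo_log))}


if __name__ == "__main__":
    report = demo()
    for path, cmds in report["who"].items():
        print(path, "->", cmds or "NO SUDO RECORD")
```

      Matching a path against the command text is deliberately crude: an editor opened on a directory, or a script that rewrites files it never names, will leave an empty list, which is exactly the signal that the change happened outside the audited path and needs a closer look.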

    4. Re:this can be a 'good thing' .. by sad_ · · Score: 3, Insightful

      Your manager shouldn't have access to the servers in the first place. It is not his job to logon to systems and change stuff, he is a manager not a tech.

      --
      On a long enough timeline, the survival rate for everyone drops to zero.
  4. Should be obvious but... by Blair16 · · Score: 2, Insightful

    I think that would be time to start looking for another job... FAST!
    Absolutely no good can come out of this situation except as a blurb on your resume. i.e. Was responsible for network security at firm with more than 500 computers for the last 6 months.

    --

    Chaos will always win out over order because chaos is more organized
    1. Re:Should be obvious but... by superpulpsicle · · Score: 1

      I know so many folks who worked at big network companies like Lucent, Nortel, Cisco. And from what they admit, there are an infinite number of security holes every day for every customer they provide service for. To get fired over a security hole, something catastrophic would have to take place!

  5. False priorities by FiReaNGeL · · Score: 4, Insightful

    The phenomenon isn't specific to IT security admins; it's the (sad) consequence of corporations with 'false priorities' (the 'one hand doesn't know what the other is doing' thing). Management asks you to do something they don't have a clue about (in this case, improving security on a network). Then you ask for resources to do the job, and the Finance guys refuse for budget (priorities) reasons.

    Basically, you're stuck in a bad position: management yells at you if anything goes wrong, and Finance is annoyed by your constant demands they see no 'use' for.

    Of course, not every business works this way. But it tends to when the company gets too large...

    1. Re:False priorities by nine-times · · Score: 1
      The phenomenon isn't specific to IT security admins

      That was the first thought when I read the post. It's a very old idea in politics (not "politics" like government, but as in the subject of study relating to social power): never separate power and responsibility.

      Whenever making someone responsible for some duty/task, always make sure you're also giving them the power to fulfill that responsibility. Otherwise, you're just setting them up to fail. Power without responsibility, on the other hand, is guaranteed to breed abuse.

      In the ideal work environment, someone has gone through the trouble of spelling all this out. When you get hired in the first place, and when you show up each day, you know what you're responsible for getting done, and you're given the power, not just the authority but the resources too, that you'll need to complete those tasks. That's what a good manager does-- figure all that stuff out, not keeping power for himself, but doling out power and responsibility in reasonable portions. There just happen to be a lot of bad managers out there.

    2. Re:False priorities by Anonymous Coward · · Score: 1, Informative

      "Hey, boss, you know how you told me to improve security? I've can do that, as soon as I get the approval from Finance. I just wanted to ask you for some advice in requesting the necessary budget, as the Finance guys don't necessarily understand security like we do."

    3. Re:False priorities by Antique+Geekmeister · · Score: 1

      Try it in academia, where security is considered antithetical to their desire to "share knowledge". The unwillingness to acknowledge the idea of malice on the parts of their own staff is also pretty shocking, especially when they sit around the coffee pot talking about how to screw other departments or projects. I swear, one of the big reasons they insist on avoiding security is to have plausible deniability when they or their grad students do something criminal.

  6. This was the reason by MacFury · · Score: 5, Interesting
    This was the reason many of my clients opted not to go with Linux. One of the project managers told me, "it doesn't matter how long the system stays up, what matters is when it goes down, I can blame one entity."

    Doesn't matter that Redhat and everyone else offer support.

    1. Re:This was the reason by pmsr · · Score: 2, Interesting
      Yeah, sure. The good ol' blame Bill Gates trick. I am sure it will help them a lot. What do they think EULAs are for? To improve their reading skills? Jeez, some people really do live in a bubble, eh.

      /Pedro

    2. Re:This was the reason by ergo98 · · Score: 3, Insightful

      Interesting.

      I'd say more often the exact opposite is true. People choose Linux because of the general perception that it is the more stable, more secure choice. After a rooting the security admin can proclaim "All the press and the community said it was the greatest thing since sliced bread...I don't know what went wrong!"

      Given all the bad publicity Microsoft has (deservedly) received, it is a huge risk for architects and security admins to choose Windows -- when things go wrong everyone can immediately claim "duh! You picked Windows you idiot!" (see the Navy fiasco with the dead-at-sea warship, or the recent LAX fiasco. Both were application layer faults but that didn't stop the routine presumption that the core fault was the idiots that chose to base them on Windows).

      In other words reapply the old "no one got fired for choosing IBM" onto Microsoft, which is who I'm presuming you're implying, is a false comparison. People choose Windows at great peril, and when their line-level admin doesn't bother with patches or basic security practices, instead it's the guy who chose Windows that gets the blame.

    3. Re:This was the reason by masklinn · · Score: 1
      After a rooting the security admin can proclaim "All the press and the community said it was the greatest thing since sliced bread...I don't know what went wrong!"
      The very point is that he can't because if the system itself cannot fail (or has a hard time failing), then the one who operates it is the failure, hence the admin.
      --
      "The way we can tell it's C# instead of Haskell is because it's nine lines instead of two." -- wadler
    4. Re:This was the reason by asdfghjklqwertyuiop · · Score: 2, Insightful

      "it doesn't matter how long the system stays up, what matters is when it goes down, I can blame one entity."


      But what exactly does that get you? If it goes down, do you plan on suing the vendor for damages despite the gibberish in the license? If the vendor is Microsoft, do you expect to be successful in suing one of the world's richest companies? I don't think any software company has ever been successfully sued for damages before.

      I just don't get how being able to blame Microsoft is any different from being able to blame Joe Blow OSS author. You can't reasonably sue either one for anything. The former will fight you tooth and nail (costing lots of money in the process) and the latter has nothing worth suing for.

    5. Re:This was the reason by Sven+The+Space+Monke · · Score: 1
      It's not about suing the vendor. It's about being able to say to your boss/the board/the shareholders that "hey, it's not MY fault - MS made a lousy product. Whaddya gonna do?" Then your boss/the board/the shareholders shrug their shoulders and say "yeah, they DID make a lousy product. I guess it's not your fault." Then they buy the next version of Exchange ("WHIZZBANG EDITION!!!") and the cycle continues.

      Everyone knows that whole "do things the same and expect different results" def'n of insanity, so you may wonder why they keep up the cycle. The reason is not that they expect different results - they know perfectly well what will happen next time. They will get to defer blame to someone else - a someone else that happens to be a big corp that won't fight back if you blame your stupidity on it. They also get the luxury of maintaining the status quo. That is a huge plus since they fear change almost as much as they fear admitting they made a mistake. And that's what switching to another vendor would be - admitting they made a mistake all those years they stuck with Microsoft.

      --
      A man who can't pronounce "nuclear arsenal" shouldn't have one -sig ends here.
    6. Re:This was the reason by inode_buddha · · Score: 2, Insightful

      Interesting how the whole thing revolves around placing blame instead of being blameless. Speaks volumes to me, anyway.

      --
      C|N>K
    7. Re:This was the reason by asdfghjklqwertyuiop · · Score: 1

      It's not about suing the vendor. It's about being able to say to your boss/the board/the shareholders that "hey, it's not MY fault - MS made a lousy product. Whaddya gonna do?"


      Ok, but how is that different from going to the board and saying "hey, it's not MY fault - Joe Blow wrote some lousy code."?

    8. Re:This was the reason by Sven+The+Space+Monke · · Score: 1
      Twofold - first off, there's the whole change/admitting mistake thing. They don't wanna do it. Being able to blame Joe Blow means they would have changed and thereby admitted a mistake in previously choosing Microsoft. Once a problem happens, then they will likely have to admit they made another mistake when they trusted Joe Blow.

      Second, "everyone" uses Microsoft. That means when a problem happens, everyone gets to stand up and say with one voice "Microsoft screwed us over". If you read in trade mags and hear at cocktail parties that everyone's system got raped by a worm, then when your employees say that it happened to you, it doesn't look like you have incompetent employees. When that happens, it looks like a flawed product. But when you use JoeBlowSoft, you and maybe a handful of other corps are gonna get hit with a specific problem. That means that when your employees come up and say "a worm raped us", you've only heard it from your employees. It's only *happened* to your employees. They stand alone. No longer are they part of a crowd of professionals who got hit by an "undocumented feature", they are the lone schmuck who made a mistake. Whether the mistake was technically based or choosing JoeBlowSoft is irrelevant.

      Think of it as "when you're all alone, you have no one to blame but yourself". Seriously, with how afraid of change some companies are, I'm surprised any progress is made at all. It's like anything visionary that leaks out is a fluke - a failure of the corporate machine designed to squelch any glimmer of inspiration.

      --
      A man who can't pronounce "nuclear arsenal" shouldn't have one -sig ends here.
    9. Re:This was the reason by mrchaotica · · Score: 3, Informative
      But what exactly does that get you?
      You misunderstood. "You" the company gets screwed, but "you" the manager or "you" the IT guy avoids getting fired. It's called putting your own best interests before those of the company.
      --
      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    10. Re:This was the reason by drinkypoo · · Score: 2, Insightful

      It's about playing by the company's rules. They set the rules. If they wanted to succeed they would operate as a meritocracy and give the power to the most capable people. Instead, they just want to make some money and move onto the next corporation, which takes the fall instead of them, so they set it up so that the people who will support them are in positions of power so they can do whatever they want and get away with it :P

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    11. Re:This was the reason by ragnar · · Score: 1

      In my smart ass days of youth, as I was interning at a Fortune 500 company, I had a discussion with the CIO about deploying Linux and Mac workstations to diversify the computing landscape. My reasons dealt with security (non-homogenized computing environment) and some benefits from more diverse exposure to systems.

      He gave me the "who can I blame" response. I asked him point blank, "when is the last time you sued Microsoft?"

      --
      -- Solaris Central - http://w
  7. Double-edged sword by fembots · · Score: 5, Insightful

    But what happens when one can set rules and enforce them at the same time? That'll be too much power.

    Usually in a company, the IT department takes care of the administration of IT-related stuff, and HR takes care of the rules/policies.

    If these two departments don't complement each other, that's the problem to be fixed, instead of mixing two different roles together.

    That's my personal experience anyway; I find it easier to tell the users to talk to HR (or vice versa) than having to deal with (punish) or explain certain policies to users.

    1. Re:Double-edged sword by 0racle · · Score: 1

      Explain to me how you could be the Security admin if you did not have authority to enforce the security policy? How would you get users to use 8 character alpha-numeric passwords if you didn't have the power to click that checkbox? How would you limit Internet traffic if you couldn't alter the firewall/proxy rules? How would you scan for viruses if you don't have the authority to scan incoming email? To actually do the job of Security Admin, you must have the authority to enforce all security related policies, and obviously you would either be the one setting those policies, or you would have to be a member of the group that does. An IT department that does not have authority to make changes or enforce procedures is useless.

      --
      "I use a Mac because I'm just better than you are."
    2. Re:Double-edged sword by Ohreally_factor · · Score: 1

      I haven't been in the corporate world for a really long time, so forgive me if this is a stupid question.

      Why would HR be setting computer security policies? Is this common? Has HR become so powerful?

      --
      It's not offtopic, dumbass. It's orthogonal.
    3. Re:Double-edged sword by jmauro · · Score: 1

      HR has a lot of security requirements that need to be covered. They need to make sure that the organization is HIPAA compliant, that the employee lists don't leak, etc. It would be surprising if they weren't involved in the group that sets security policies.

    4. Re:Double-edged sword by trashcanman · · Score: 4, Insightful

      I think perhaps you are missing the point that fembots was trying to make. Putting the authority to both make and enforce policy into one department invites corruption and uninformed policy making. I agree with fembots that the policy making group should be independent of the policy enforcement group in any large organization. That being said, I think it is imperative that the policy making group understand the implications of its policy. Thus, having some kind of IT expertise in the HR department (or at least in the IT policy making process) is required to make a policy that is informed and enforceable.

      So all of the actions you alluded to in your comment (password length, firewall rules, etc.) would be the job of IT (or IT Security) to enforce, whereas the writing of the IT policies would be the responsibility of the HR department (with participation of IT technical resources from within or outside the HR department). This is usually the way it works for physical security in most large organizations.

      --
      The Dread Pirate Roberts is here for your soul!
    5. Re:Double-edged sword by Jeff+DeMaagd · · Score: 1

      That does sound like a bad idea, but in some ways, it looks like IT security is such a non-concern that a security position isn't taken seriously. Why ask someone's opinion if you know you will reject it?

      It looked to me that it is like asking a janitor to sweep up before hours but not allowing him/her a way into the building.

    6. Re:Double-edged sword by techno-vampire · · Score: 1
      So all of the actions you alluded to in your comment (password length, firewall rules, etc.) would be the job of IT (or IT Security) to enforce, whereas the writing of the IT policies would be the responsibility of the HR department (with participation of IT technical resources from within or outside the HR department). This is usually the way it works for physical security in most large organizations.

      As long as the enforcement department is only responsible for enforcing the policies as written, no problem. If they're made to take responsibility for breaches caused by an inadequate policy, you have exactly the problem this article is talking about.

      --
      Good, inexpensive web hosting
    7. Re:Double-edged sword by i.r.id10t · · Score: 1

      Because that's too hard for the VP of something or other, or the BGIC (big guy/gal in charge), to remember.

      There are lots of changes a lot of us would like to make, for good reasons. And you get phone calls like "sorry, vp so and so always uses fifi for his password... gotta allow just 4, or he'll get pissed..." or something from one of his secretaries.

      --
      Don't blame me, I voted for Kodos
    8. Re:Double-edged sword by tverbeek · · Score: 1
      Putting the authority to both make and enforce policy into one department invites corruption and uninformed policy making.

      Exactly, this is why the U.S. government was originally set up to place policy-setting authority in the hands of a legislature, and policy-enforcement authority in the hands of an executor. (We should try doing it that way again some time.)

      --
      http://alternatives.rzero.com/
  8. cliches in this industry by digitalsushi · · Score: 4, Funny

    Anyone else want to share some of their favorite overused phrases with IT security?

    My favorite phrase is "... working hard to ensure this never happens again". We usually hear that within 4 hours of a customer calling and using the phrase "you people". "You people lost my database again!" "We can assure you we are working hard to ensure this never happens again". We've had a 0 dollar buildout and maintenance budget for 4 years. They actually get MORE surprised each time something breaks, 'cause we're supposed to be getting better at using the tools we have.

    Ok here's a different question -- anyone ever had to use their own property to band-aid something within the company about ready to explode?

    --
    slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
    1. Re:cliches in this industry by Anonymous Coward · · Score: 0

      Tooo many times!

    2. Re:cliches in this industry by Fulcrum+of+Evil · · Score: 4, Insightful

      anyone ever had to use their own property to band-aid something within the company about ready to explode?

      Don't ever do that. If you do, then they think their current budget is fine, so they won't pony up the next time, and, should you ever leave, how are you ever going to retrieve your property?

      --
      "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
    3. Re:cliches in this industry by Detritus · · Score: 1
      Ok here's a different question -- anyone ever had to use their own property to band-aid something within the company about ready to explode?

      Yes, I've used stuff from my own junk box to keep stuff running at work. I've also made the occasional run to Radio Shack or the local electronics store for a part. That's what happens when you have a severely dysfunctional purchasing process.

      These days, I'd just say "fuck it". The organization treats you like a disposable part, why do them any favors?

      --
      Mea navis aericumbens anguillis abundat
    4. Re:cliches in this industry by Anonymous Coward · · Score: 0

      Yes.

      When the big new investors told the company to get rid of me, I took my stuff with me and the project failed as a result; they couldn't get new hardware in the budget. Naturally, the customer sued.

      My former boss was pretty pissed, he tells me that me plus hardware cost about a 20th of what the lawsuit has, and the lawsuit isn't even over yet. When the company loses (it will), it'll be a lot more than that.

      It's really immature of me to take such pleasure in seeing those clowns suffer for their sins. :)

    5. Re:cliches in this industry by zokrath · · Score: 1

      In addition to the problems mentioned in the other reply, involving your own hardware can make you far more liable for a situation than if you simply 'followed procedure'.

      Whenever something goes wrong in a business environment, there is a fight over who gets the blame. Whenever something goes right, there is a fight over who gets the credit. The person actually responsible is rarely the victor, in either case.

    6. Re:cliches in this industry by mrchaotica · · Score: 1

      Or you could try doing it and then sending the people in charge of the budget an invoice : )

      --
      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    7. Re:cliches in this industry by TyrranzzX · · Score: 1

      Well, you go up to it, unplug it, and take it...after telling them that it's yours, and documenting those transactions, of course.

  9. CSO Magazine by Anonymous Coward · · Score: 4, Interesting

    CSO had an article about this a few months back, and talked about how many corporations have taken the teeth out of the CSO position.

    I've seen this first hand in our midwest US city, where the requirements for most security positions are an MCSE and a CISSP with little to no interest in management and policy-level expertise. IT security has very quickly become a janitorial position. Senior management has punished IT for excessive spending by gutting it of senior level representation (to the benefit of other empire building projects, typically).

    Curiously enough, these companies are sitting ducks for your run-of-the-mill script kiddie. From putting unencrypted backup tapes on the top of file cabinets in highly trafficked hallways (at one database company that I've worked with) to believing a firewall and antivirus is perfect security (to several of the larger banks I've met with on security projects), they're complacent and believe IT security is just another IT "dot-com money wasting project." Better to spend the money in the profit centers and ignore defensive protections as the lack of a serious attack means they'll never experience one. Little do they realize, the only reason they haven't been attacked is that there aren't enough hackers to take all the easy pickings.

    1. Re:CSO Magazine by buysse · · Score: 3, Insightful

      Or, alternately, they've already been 0wn3d and don't bloody realize it. That's a fairly common result of complacency.

      --
      -30-
  10. terminology by sanctimonius+hypocrt · · Score: 4, Funny

    It's all about preconfiguring the blame

    In the field of environmental compliance, the person 'in charge' is known as the 'designated inmate.'

  11. one word : document by Anonymous Coward · · Score: 5, Insightful

    As with any job where you might be in a delicate position or 'the target' should things go wrong that are beyond your control (whether due to lack of authority or lack of omniscience), Document, Document, Document .. do your due diligence, report any possible vulnerabilities, suspicions of attack and recommended changes to your immediate boss, your IT/CIS team and their managers. Be public, but don't be patronizing. This 'paper trail' will help you immensely should you be terminated over some security breach, should you be able to prove that, were your suggestions implemented, the breach could have been prevented. Security work is ridden with chance: if there is a flaw in the hardware or software that had not been documented at the root of a breach, report that this is a new issue with that particular system and that a patch is available and has (or should, if you lack even the authority to patch) be applied immediately, or that a patch is not yet available. I'm not a litigious person by nature but I wouldn't hesitate to sue on the grounds of wrongful termination if I could present evidence that I had made those in power aware of the problem and had not received authorization to make the changes that would have prevented the breach.

    If you're the security guy, you Are the fall guy by default, but if you don't leave a document trail behind to show due diligence you will have no cushion for your fall.

    Follow the same basic guidelines that the medical profession uses - document anomalies, perform frequent monitoring, document changes. All of this will help greatly should you be in the unfortunate position of having to take legal action against a former employer.

    That this is necessary is sad, but it Is necessary.

    1. Re:one word : document by msi · · Score: 2, Funny

      All of the above and where I work Finance get the old slow equipment so they know why we need to upgrade.

  12. It's all political. by khasim · · Score: 4, Insightful

    It isn't about getting anything out of Microsoft. It isn't about the EULA.

    It's about being able to say that it isn't YOUR fault. You did what EVERYONE ELSE was doing. Then you pull out the magazines and articles about how whatever just happened to you has been happening all over to other companies.

    In many companies, it is more important to not be blamed for a problem than it is to be the one who solved a problem.

    1. Re:It's all political. by Fulcrum+of+Evil · · Score: 2, Insightful

      In many companies, it is more important to not be blamed for a problem than it is to be the one who solved a problem.

      Fuck 'em. I want a company that's interested in getting the job done right, not playing stupid blame games when they screw up.

      --
      "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
    2. Re:It's all political. by ScrewMaster · · Score: 4, Insightful

      Going back even further, remember the phrase "you can't get fired for buying IBM?" That pretty much epitomizes the pack-mentality approach to IT ... do whatever everyone else is doing and you, personally, have your ass covered. Doesn't matter if you've left your company wide-open for a security breach, or simply wasted the company's resources on an inadequate solution. Nowadays, of course, it's "you can't get fired for buying Microsoft" although there are an awful lot of people, from CEOs on down, that ought to have their asses in a sling for that reason alone. From my perspective, if a corporation deliberately stores my personal information using a server OS that is known to have more security holes than the Moon has craters, when that info is stolen the people that made that decision should be up on charges of negligence or worse.

      --
      The higher the technology, the sharper that two-edged sword.
    3. Re:It's all political. by yy1 · · Score: 1

      Don't IBM use Linux now?

      --
      Because, sometimes they just have to touch the stove.
      -YY1
    4. Re:It's all political. by killjoe · · Score: 3, Interesting

      You know, I started thinking about what you said and something occurred to me.

      If reading slashdot is any indication there are an awful lot of companies in the US making decisions based on really stupid and irrational criteria. I have heard many times "we didn't go with X because there was nobody to blame" and "we didn't go with Y because SCO might sue us" type of totally idiotic reasons. Why is that? Is Harvard business school or joe blow MBA mill really producing management that is unable to assess risk and intelligently apply reason to their decision making process? Think about it.

      I wonder if this is some sort of an American thing. Are people in Europe and Asia making decisions like this? If not we are about to get our asses kicked awfully hard.

      --
      evil is as evil does
    5. Re:It's all political. by Anonymous Coward · · Score: 0

      It's about being able to say that it isn't YOUR fault. You did what EVERYONE ELSE was doing. Then you pull out the magazines and articles about how whatever just happened to you has been happening all over to other companies.

      So... you deliberately implemented a solution that had multiple known deficiencies, thereby dragging us down to the level of our competitors and nullifying our edge?
    6. Re:It's all political. by eyepeepackets · · Score: 2, Interesting

      Heh, here is a clue, check and see if perhaps it applies to your area too: The single biggest section in my local Yellow Pages is for...lawyers.

      Ciao.

      --
      Everything in the Universe sucks: It's the law!
    7. Re:It's all political. by dubl-u · · Score: 1

      Is Harvard business school or joe blow MBA mill really producing management that is unable to assess risk and intelligently apply reason to their decision making process? Think about it.

      Reason doesn't really enter into it; the political considerations at large companies often trump any actual facts. For an interesting study of this, see this article that has evidence that being a good manager often has nothing to do with being a successful manager (that is, one who gets promoted).

      I wonder if this is some sort of an American thing. Are people in Europe and Asia making decisions like this?

      I've worked on four continents, and so far it seems universal to me. I think of it as the human equivalent of the dominance games that chimps spend an awful lot of time on.

  13. And...? by jonfelder · · Score: 1

    This is somehow news? Companies do this all the time. For example, many go with closed source software instead of open source software so they have someone to blame/sue when something goes wrong.

    In this case the company is paying someone to take the fall when they have a security problem. If this person doesn't realize it, then they are clueless.

    Quite a few people in this position are probably content with it because they get paid to do nothing. The trade off for that is crappy job security.

    Those that aren't content with it (as the article illustrates) quit.

  14. amazing how one person resigning causes FUD by HBI · · Score: 4, Interesting

    In one mid-sized US Government program, I can (and do) perform the following actions:

    - Each application's owner is advised of the CIO dictums and regulations covering their application and its interface. If they don't abide by them, the application doesn't go online. They comply.

    - If the application is not certified, the application does not go online. This means an extensive sheaf of documentation about its form and function. While this is not foolproof, it is very effective at getting stupid errors out of the way.

    - The network itself is accredited. Once again, a lengthy process based on standardized criteria that is redone every three years. This accreditation is called DITSCAP and can be googled.

    - OS and common application patches (called IAVAs and generated by ACERT, the 'Army Computer Emergency Response Team', which I would give a link for but it's Army-only with authentication required) are required to be applied. If an application owner declines to be patched, it's the CIO's judgement if we want to unplug their server or not. Generally we will, and the application owner relents.

    Mind you, we just host applications. There are several layers of border security beyond us on the network, controlled by different organizations, that we have to justify things like port opens to. The list is kept to an utter minimum.

    This is only the big picture of what we do, and the details would take more writing than I'm likely to do on a Sunday afternoon.

    I have no idea what's going on at DHS, but what I know is that they share installations with my branch of the government, and they have to comply with the same rules when they do.

    Security IS taken seriously. This guy has a political problem and that's why he resigned. Everyone wants to make a big splash when they don't get along with their cohorts. Only the classy ones keep their mouths shut. This guy isn't one of those, apparently.

    --
    HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
    1. Re:amazing how one person resigning causes FUD by Anonymous Coward · · Score: 3, Interesting

      In many US government organizations this has only resulted in a lot of paperwork rather than an increase in security. Being recently involved in the DITSCAP certification of a new system, I think the biggest problem is personnel:

      1. The biggest problem is that the people doing the work don't know what they are doing. At my company, less than 10% of the people doing certification analysis have a technical background. On the project I was on, only myself and one other person (the rep from the SW developer) had a software background, out of a total of about twenty people involved with the security. Yet these people were making software security decisions.

      2. Lack of effective government oversight. My experience has been that those who are supposed to review the DITSCAP documentation don't have a clue. I try to be helpful, but even then they don't seem to get with the program. Even the local government Certification and Accreditation subject matter expert barely qualifies as competent on computer security IMHO, much less an expert.

      3. The personnel problems aren't getting better. There are a lot of qualified people out there, it's just that the defense contractors would rather hire ex-military/ex-Civil Servants. There also seems to be a bias towards direct experience as opposed to competence, which seems to be how some of these incompetent people keep being employed.

      DITSCAP, IAVA's and company are a good attempt to do something, but the computer security problem in areas of the federal government goes deeper.

    2. Re:amazing how one person resigning causes FUD by Jeff+DeMaagd · · Score: 2

      Keep in mind that the DHS has repeatedly gotten "D" report card marks for security. The US government as a whole averages at "C" I think, and IIRC, only the NSF got a solid "A". There are rules, but if they aren't enforced or enforcement is hindered, the rules are worthless.

      This guy has a political problem and that's why he resigned. Everyone wants to make a big splash when they don't get along with their cohorts. Only the classy ones keep their mouths shut. This guy isn't one of those, apparently.

      I agree that this can and does happen. The problem I have with a summary statement like that is that it leaves no room for the possibility for whistleblowers.

    3. Re:amazing how one person resigning causes FUD by HBI · · Score: 1

      I contend that a whistleblower in the US government would be well advised to keep their position and talk to the press like this guy did after resignation. It's more effective and it makes them fire you, which is hard to do.

      When they quit first, it implies there is something not being said, like the guy was misusing his expense account or hired strippers for the last meeting. Or whatever.

      --
      HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
    4. Re:amazing how one person resigning causes FUD by Anonymous Coward · · Score: 0

      When they quit first...

      Um, ever hear of resigning on principle? It is hopeless trying to work from within the Bush administration which has no use for reality, instead making all choices on the basis of short-term politics.

      Besides, if he "blew the whistle" he'd promptly lose his security clearance, be unemployable in his field, would have been smeared as a troublemaker, and would have had even less impact on business-as-usual within HUD.

    5. Re:amazing how one person resigning causes FUD by HBI · · Score: 1

      That just proves how little you know about government service.

      --
      HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
    6. Re:amazing how one person resigning causes FUD by HBI · · Score: 1

      The government people who do the DITSCAP certification by me are conduits. They ask my team for technical information and ask opinions constantly. It's a fairly good system because they can concentrate on the regulatory part where we can concentrate on the technical one.

      I recommend a similar system if your DITSCAP isn't going all that well. Of course, the govt people have to be on board with this, but in general they will be. It's less work for them and they get a better work product.

      --
      HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
    7. Re:amazing how one person resigning causes FUD by Kludge · · Score: 2, Informative

      And your system is crap. I work in a mid-to-large size government program that implements policies such as the ones you outline and this is what happens:

      1. The process of getting applications approved is so slow and onerous that people just install the apps on local machines w/o the knowledge of IT. If they didn't, work would never get done.

      2. Their network is 'accredited'. So it's like everyone else's. Big whoop. They block outgoing ports, like ssh 22. That's just a pain in the ass. So I have to run my sshd at home on port 21 as well.

      3. They install OS patches too, when they can. Of course everything is M$ (like I bet yours is), so sometimes those patches never appear or appear a year later. I laughed out loud when I got an email informing us that IE was vulnerable to certain web sites, so we should be careful about the web sites we visit and which emails we open. Now that's security!

      Real security is not DITSCAP, IAVA, or ACERT, or any other dumb-ass acronym. It's using only secure operating systems like Linux with a simple firewall that allows only secure connections, like ssh or virtual private networks.

  15. You've got to be kidding! by JackHolloway · · Score: 3, Insightful
    If you think the only way to fix something is to use your own kit, you have a big problem.

    That's like working for free...and probably about as legal. You need to suck it up and tell the boss "we need this piece, and if we don't get it, Bad Things(tm & C ) will happen."

    And document it to within an inch of its life.

    That way, when the witch hunt starts, you can whip out those docs from your own personal Pearl Harbor file and show that you knew what you needed, and were told to sod off.

    Holloway's laws of business...

    - Always document everything, even the slightest move. That way you have a paper trail to cover your ass.

    - If your employer is asking you to do dodgy things to keep them running, tell them what the bill will be. If they threaten your employment, it's time to hit the silk anyway. They are going to make a smoking crater in the sand...

    My two centisols

    --
    "It may just be that there is something fundamentally unworkable about government itself" -H. Beam Piper
  16. Security is everyones responsibility but ... by Anonymous Coward · · Score: 4, Insightful

    ...your only role is to be the fall guy when something goes wrong.

    Any time security goes amok... look to management as the culprit. If anyone points fingers at anyone else but management they really don't know too much.

    Management has the political power, the money and the fiduciary responsibility.

    And if they don't know the assessed level of their security and security requirements, this then means they aren't doing their job.

  17. It's still political. by khasim · · Score: 4, Insightful
    Fuck 'em. I want a company that's interested in getting the job done right, not playing stupid blame games when they screw up.
    In which case, you need a boss who understands the politics and is ACTIVELY working to counter them AND has the support of HIS boss.

    Politics happen in companies. Politics happen anytime you get 3 or more people working together.

    It all comes down to different people having different agendas working together in a company with limited resources.

    The sad thing is that once your technical skills are at the "minimally competent" level, you'd be better advised to learn corporate politics to further your career.

    A technical genius without political skills can be used and abused by a mediocre technologist with good political skills.
    1. Re:It's still political. by Fulcrum+of+Evil · · Score: 2, Insightful

      In which case, you need a boss who understands the politics and is ACTIVELY working to counter them AND has the support of HIS boss.

      I am familiar with the need for a champion (connected person pushing for your project), and the current place I'm at is so very bad at this stuff. I'm mostly venting.

      The sad thing is that once your technical skills are at the "minimally competent" level, you'd be better advised to learn corporate politics to further your career.

      Got any pointers? This technical genius would like to further himself out of the cannon fodder box and into something more lucrative.

      --
      "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
    2. Re:It's still political. by Radius9 · · Score: 1

      Another poster suggested some books that are good, but for a quick, easy to understand list of things that you can do, try "The 48 Laws of Power". Not all of them will always apply, but it does list 48 good rules to follow, with examples from history on someone being successful following the rule, as well as someone failing not following it (or using it at the wrong time/place).
      Psychology in general is a pretty good field to study. Unfortunately, filtering the wheat from the chaff is difficult, so to be more specific, there is a field called Neuro-Linguistic Programming (NLP) that studies the effects of mannerisms, tonality, and what things you say and their psychological effects. It is a fairly interesting field, although it has become a little popular lately, so there are quite a few terrible books on it (NLP for Dummies type stuff). Try starting with books by Richard Bandler and John Grinder. Much of it is how to treat people therapeutically, but if you can apply and/or observe the things you read in those books to real life, you'll do fairly well.

    3. Re:It's still political. by owlstead · · Score: 2, Funny

      Politics happen anytime you get 3 or more people working together.

      I've seen it happen with just two. If you have multiple personalities, or if you take on multiple roles you could manage with just one. In that case, politics are better known as headaches.

    4. Re:It's still political. by Anonymous Coward · · Score: 0

      Got any tips for someone who has a local politician as one of their technical co-workers?? Oh, did I mention he's best buddies with the owner of the Bank (the one I work for has around 2 billion in assets :)

      My best answer is to move on and find somewhere that's not so political.

      Someone earlier said that their boss was only looking for someone to blame all the time. That's my boss. They don't care about the technology, or doing what's right; all they care about is that there's someone to blame in the end.

      I got written up recently for being deficient, and it's funny because most of the things mentioned were things that were configured/setup by the politician on staff, and then were resolved by group effort. I was singled out for sole blame.

      Anyone in Orlando looking for someone that's a good technical person?? Screw politics, I got into computers (back in 1978) because of the technology, not because it pays well. :)

    5. Re:It's still political. by CamMac · · Score: 2, Insightful

      A technical genius without political skills can be used and abused by a mediocre technologist with good political skills.

      That's my career plan! :-) No seriously... I see so many bright and capable people who can't play the politics game and get ground to wheat because of it. I'm good at the technical aspects, but some of these people are so much better than I am. So I figure that in return for protecting them and getting them what they want and need, I'll get them to do great things for me.

      --Cam

      --
      All jocks think about is sports. All nerds think about is sex.
    6. Re:It's still political. by dubl-u · · Score: 1

      Got any pointers? This technical genius would like to further himself out of the cannon fodder box and into something more lucrative.

      Ok, here's my own analysis, based mainly on my personal experience. It may or may not work for you.

      Everybody has different capacities, and we tend to develop in the areas where we're strongest and ignore the areas where we're weakest. If you're here on Slashdot, likely you've gloried in things that go well with a traditional IQ and ignored politics.

      Basically, there are two paths to pursue. One is to pursue the kind of natural, intuitive understanding of people that a politician has. The other is to try to get an intellectual grip on the problem. I think both are necessary.

      Regarding the intellectual stuff, two books I found very useful were Chimpanzee Politics and Impro. Both gave me insight into the mechanisms of human dominance dynamics. The first helped by showing what it looks like in our nearest living relatives. The other, which contains an improvisational theater instructor's notes, breaks it down in detail and gives some exercises. Also worth reading are books by and for people who are strong politically but weak intellectually. A lot of management books and sales handbooks are fascinating to me; they focus on very different things than I would have bothered looking at.

      And then there's just practice, both of analysis and of doing. Theater can be a good way to explore both aspects. Some movies and TV shows are great for analysis; after reading Chimpanzee Politics I found gangster movies really interesting as the power dynamics are clearer. And of course, there's plenty of opportunity for both observation and participation in your average office.

      One thing it took me a while to get over: the notion that things are supposed to be done in a rational way. Politics has almost nothing to do with that. It used to make me crazy, but now I see that as the price to be paid for building an organization out of half-evolved monkeys. Complaining that people are rarely rational is like complaining that bits have only two values: there might be better ways to do things, but you gotta work with what you have.

    7. Re:It's still political. by CountBrass · · Score: 1

      Go contracting or consulting.

      --
      Bad analogies are like waxing a monkey with a rainbow.
  18. MCSE + CISSP by Gothmolly · · Score: 1

    Are both meaningless certifications, further worsening the problem!

    --
    I want to delete my account but Slashdot doesn't allow it.
  19. *NEW* Assistant Secretary by pyrrhonist · · Score: 1, Funny
    From the article:
    I, for one, sincerely hope that the cyber-security position will be upgraded to assistant secretary.
    I, for one, welcome our new assistant secretary overlord.

    --
    Show me on the doll where his noodly appendage touched you.
  20. Depends on the situation by ShatteredDream · · Score: 3, Interesting

    Keep track of all of the times that you couldn't do something important, especially things legally necessary, because the powers that be didn't want to let you take the risk or rock the boat. Then when the police come in to investigate, if the higher ups decide to make you take the fall, take them with you by dropping all of your documentation about their ordering you to not do your job, onto the cops' lap.

    There is nothing that police at all levels love more than taking down big rich guys.

  21. Pity the poor Security Admin by paranerd · · Score: 4, Interesting

    I'm sorry. Where I work it's the other way around. Our security department has all of the authority and none of the responsibility.

    What the result is, anyone can guess: password rules so byzantine that no one can log onto production systems when sev1 issues occur, sysops waiting three days for product tapes to be logged in and mounted, security changes being made willy-nilly with no change control management instituted, gateways which serve no data being loaded with full blown virus scanning software, bleeding edge maintenance being forced onto hardware and users not ready for it because it included some security fix of doubtful worth, managers not knowing the IP addys of their own *&#@ servers.

    What else is the result: passwords being taped to the bottom of keyboards, users being covertly supplied administrator rights to databases and servers, sushi programs installed by everyone, hacks programmed into apps to slip data through firewalls, and entire job streams running under one userid.

    Pity the poor security admin.

    1. Re:Pity the poor Security Admin by paranerd · · Score: 1

      I'm sorry. I should have read the first reply, this story just pushed my button.

      Agreed. Great first reply.

  22. Security led at the VP level by Skapare · · Score: 4, Insightful

    I used to work at a major financial services company. This was just as commercialism was just discovering the existence of the internet, so I was hired to design and deploy their high speed redundant connectivity. One thing this company did right, I think, is that all of their security was focused through the VP of Auditing, who reported to the CFO. And the guy who had this position was smart enough to know he knew very little about security and had to learn. I actually got to teach him more about it. We formed a group of people (at my suggestion), including another network engineer, two accountants, and one of the staff lawyers, as the security committee. His original mandate was network security. But in our first group meeting I gave a presentation on one of my long long ago hacking efforts (back in the mainframe days) that successfully broke into a major insurance company's three mainframes. I explained to them how I did it using entirely social engineering. Of course I had knowledge of the system, but I didn't utilize any bugs in the system to get in. With this I was able to get the group to change the focus of security from one strictly focusing on computer technology, to one that would be applied to everything the company did. Software bugs and misconfigured servers are, of course, important, but people are the weakest link in security, and this is even more so the larger a corporation is. Every operation of a company must consider security across the board.

    --
    now we need to go OSS in diesel cars
    1. Re:Security led at the VP level by Anonymous Coward · · Score: 0

      You're quite right--one of the BIGGEST things we can do to impact real, bottom-line security is educate.

      Hell, even for those organizations that have some kind of security policy or plan, there are entirely too many employees who don't know it.

      I've been looking for a job of late, hopefully at a company with at least something of a clue. Easy way to check if they have one? See if they're hiring anyone to do security education...

  23. Re:two words : word wrap by Anonymous Coward · · Score: 0

    Please take the enter key off your keyboard and throw it away.

  24. It all depends..... by Fantasio · · Score: 2, Informative

    ...on how much one can ask for being a scapegoat. Make me an offer I can't refuse and I'm your man ! (paid in advance, please...)

    1. Re:It all depends..... by mikewas · · Score: 3, Funny
      A place I worked had a VP that, as far as we could tell, did nothing. Every project & department had to pay a part of his salary, though.

      We finally found what his job was when government auditors showed up. He was the company scapegoat. He got 9 months off work -- with pay. Within a month of coming back they announced he was retiring -- golden parachute, full pension.

      I wanted that job!

      --

      "Glory is fleeting, but obscurity is forever." --Napoleon Bonaparte
    2. Re:It all depends..... by haruchai · · Score: 1

      Please tell me that you're joking.

      --
      Pain is merely failure leaving the body
  25. well, duh! by twitter · · Score: 2, Interesting
    On the other hand, having the authority without the responsibility is a much larger disaster waiting to happen.

    That's what having a fall guy is all about. Someone has the authority to fix the problem, but no real clue or budget. Enter the fall guy. Upper management "concentrates on the company's core business" while the fall guy eats the blame.

    It's not something that can work forever. How many years can you go to the share holders with bloated IT budgets? Wall Street replaced their core infrastructure with Linux and other free software years ago after some of the first big M$ worms. They will soon run out of patience for big dumb companies that flush millions down the upgrade toilet and are still prone to data loss and worm breakouts that resemble those of four years ago.

    This eweek stuff is pathetic for ignoring the core problem. M$ makes an OS that has no place on a network. It is used, without the owner's knowledge, to send more than 80% of the world's spam and for all sorts of other crimes. Their data models are the roach motel of the digital world and they proudly remind their customers of the costs of migration while lying about the benefits their competitors have to offer. Until Eweek gets it, they are part of the problem.

    --

    Friends don't help friends install M$ junk.

    1. Re:well, duh! by Anonymous Coward · · Score: 0

      Dude, "Wall Street" was a Sun shop, not MS. They went from a costly Unix implementation on costly hardware to commoditized hardware running a "free" operating system. (Where free means I hire some company like Redhat or I have my own internal Linux group hacking kernels for my own evil uses)

      Your rant, while by Slashdot standards a tasty yarn of anti-Microsoft bigotry, is completely founded on the false premise that the entirety of Wall Street was running MS on their trading floors.

      In other words, you're fucking trolling.

    2. Re:well, duh! by Anonymous Coward · · Score: 0
      I don't know what you mean by "Wall Street", but most brokerage houses, banks and even the actual NYSE never used Windows for anything except desktops. The business has always been run on big iron IBM OS/390 and Sun boxes.

      I've worked here (in NY) for the better part of the past six years as a consultant and I've never come across a major financial institution using Linux except for web and file servers. The desktop is still Microsoft's and the business is still IBM's and Sun's. SSB did have a successful deployment of some 200 custom workstations with a vertical market (analysis) app written for Linux, but that was about a year ago.

      So unless you clarify what you mean by "Wall Street" I'd say you're lying to make a point to bash "M$", which although noble in itself should not translate to mod points, or so I understand from the definition of "offtopic" and all.

      Sigh. It seems this place is full of teenagers claiming the most amazing stuff about Linux and other free software, but those of us out there in the real world know better. It's a shame, but it does no justice to strut around Slashdot and IRC just plain lying about it.

    3. Re:well, duh! by Anonymous Coward · · Score: 0

      Did you check what was running on the 390s? Linux was ported a long time ago, and it is not uncommon to run several linux images on them.

    4. Re:well, duh! by Anonymous Coward · · Score: 0
      sigh... the S/390 boxes (and the Gx ones) run OS/390. These are the "black closet" monsters, if you've ever actually seen one up close.

      The ones that run the partitioned Linux images on top of that weird VMS hack (though I must confess they do work) are the zSeries boxes. They're also black and big, but not as much as the older ones. You cannot install Linux on the S/390; it's only supported on the zSeries.

      Now the grandparent post sounds as if "Wall Street" (whatever that means to him) was "switching" to Linux... you have to understand this is the world of 30 year-old COBOL and C and RPG apps that process billions of dollars in transactions each year. They're not switching to Linux or Windows or anything else. They're paying IBM millions of dollars a year for the privilege to run their apps on these big boxes and that's going to stay that way for the foreseeable future. My god, I can imagine the managers laughing when I suggest we move the Amex merchant processing systems to "Linux" or "Windows". Sure.

    5. Re:well, duh! by Anonymous Coward · · Score: 0
      Wall Street replaced their core infrastructure with Linux and other free software years ago after the some of the first big M$ worms

      What a bunch of ridiculous tripe. Their "core infrastructure"?? My god. Care to provide a link to back this up, or are you just passing wind?

    6. Re:well, duh! by whitegold · · Score: 1

      Sorry, but this is silly. MS software is a valid option. I'm a graphic/web designer. I need network access. Clearly Linux/Unix is NOT an option for me (Photoshop), nor is it for a large number of users.

      I will concede that the Windows family has more exploits and holes than every other OS combined by far. But that's because everyone and their pet goat is using it. And if everyone is using it... it needs access.

      I'm assuming you're talking about end-users, not about e-week's central server setup. If you were, and I've missed your point, ignore me. I do that a lot.

    7. Re:well, duh! by DLR · · Score: 1
      Correct me if I'm mistaken, but I thought the Apple Macintosh was originally the Holy Grail of graphics arts/desktop publishing? If I am correct (and I believe I am) then Unix is very definitely an option for you, and a good one too.

      Just in case you were unaware, OSX = BSD = Unix.

      --
      "Like fire and fusion, government is a dangerous servant and a terrible master."~RAH
    8. Re:well, duh! by Anonymous Coward · · Score: 0

      Not really in web design. I've worked in a number of different web design companies, and Windows was distinctly the preference. Mostly because of the "use what your viewers will use" aspect, but also issues like price for performance. And yes, Apple is more popular (why Holy Grail?! That's a lost artefact of a distant past... what are you saying?!) in Desk Top Publishing. Largely because it's an entrenched market.

      And yes. I know OSX = BSD = Unix. I just don't care. For the record every company I've ever worked for (including my own) uses BSD or Linux for web hosting. Windows for desktop. Unix for server. In my world Mac just doesn't have a place. But that's just me. YOU can use whatever you like.

  26. Unfortunately, with management... by Anonymous Coward · · Score: 0

    (the military has a term for this)
    "shit flows downhill"

  27. Know your enemy. by khasim · · Score: 4, Interesting
    Got any pointers? This technical genius would like to further himself out of the cannon fodder box and into something more lucrative.
    Start with "Death March". It's a good book on why projects fail and introduces the concepts of politics with agendas.

    I'd also recommend "The Prince" by Machiavelli. Also, take a few MBA courses. It helps to know how they think and what their phrases actually mean.

    But no book will ever be able to replace the insights gained from person-to-person interaction. You have to learn how to be "friends" with people who annoy you and how to manipulate them into supporting your agenda. That takes practice and you shouldn't practice it at work. They probably already know it better than you do and will be able to spot your amateur attempts. Instead, look at non-work groups. Your local church is a great place to start. They are usually packed with inter-personal relationships and petty politics. A friend once gave me this bit of insight: "The politics are so vicious because the stakes are so small".

    Politics is about manipulating people to achieve your agenda. Before you become good at politics, you have to be comfortable with that.
    1. Re:Know your enemy. by Fulcrum+of+Evil · · Score: 1

      They are usually packed with inter-personal relationships and petty politics. A friend once gave me this bit of insight: "The politics are so vicious because the stakes are so small".

      The first time I heard that, it was in reference to university machinations.

      --
      "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
    2. Re:Know your enemy. by sirReal.83. · · Score: 1
      "You have to learn how to ... manipulate them into supporting your agenda. ... Your local church is a great place to start."
      I like how you think, Mr. Burns.
  28. CYA or get another job. by Anonymous Coward · · Score: 4, Insightful

    If you're responsible then you make the recommendations. If they aren't followed you warn of the consequences. If the consequences result your ass is covered. This is BASIC employee CYA.

    If you do your CYA bit well your boss will follow with his CYA bit and eventually someone will sign a check or the memos will stop with someone stupid enough to take the fall. Otherwise you don't want to be working there. Work's no fun if you can't do your job.

    If you don't like the CYA game, spend the time and effort you would put into implementing your recommendations into finding another job.

    Life's not that difficult!

    1. Re:CYA or get another job. by Forbman · · Score: 1

      Before you leave your job, leave 3 envelopes in your desk.

      The first one says, "blame the system."

      The second one says, "blame the users."

      The third one says, "make 3 envelopes and put them in your desk drawer."

  29. that's funny. by twitter · · Score: 1
    Companies ... go with closed source software instead of open source software so they have someone to blame/sue when something goes wrong. ... the company is paying someone to take the fall when they have a security problem. If this person doesn't realize it, then they are clueless.

    No one takes blame when their software does not work or loses your data. The clues are:

    • Microsoft's massive cash pile.
    • Everyone else's bloated IT budget.
    • Articles about a complete lack of "cyber security" in a place that runs mostly M$.

    More direct clues can be found in your EULA.

    --

    Friends don't help friends install M$ junk.

  30. This is not specific to IT by EmbeddedJanitor · · Score: 3, Insightful
    The responsibility vs authority thing is exactly the same for IT as it is for just about any other activity involving many people.

    When I was in the army 20 years ago I had the "responsibility" to get a bunch of guys to move some furniture. Unfortunately I did not have authority over these troops since they belonged to another division.

    --
    Engineering is the art of compromise.
  31. DHS is an oxymoron ... by quarkscat · · Score: 1

    Well, I could give you a quite long list, but it would be considered OT. Instead, consider that DHS settled upon WinXP and Server 2K3 for their IT infrastructure. Also consider that DHS has NOT been able to retain an IT security officer for HQ.

    Be afraid. Be very afraid. The data that DHS has on about 50% of the US population (and about 25% of the EU population) cannot be considered secure. 'Nuff said?

    1. Re:DHS is an oxymoron ... by HBI · · Score: 1

      So does the DoD, so does the rest of the US government.

      Whatever your (or my, frankly) bias against Microsoft operating systems, in practice they have been functional.

      You'll have to come up with something more than perceived security improvements to make the US government switch to something else.

      --
      HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
  32. hacks programmed into apps to slip data through fi by Anonymous Coward · · Score: 0

    "hacks programmed into apps to slip data through firewalls"

    If someone with access wants data in or out, there ain't nothing you can do to stop them short of locking their ass out of the building.

    On the other hand, brain dead security policy sometimes makes it impossible to get ones job done without circumventing the firewalls. Proxies are your friend here, as is email and ssh.

  33. It looks like you just found out by Anonymous Coward · · Score: 0

    that you aren't allowed to criticize the /. gods ..... remember that just like the USA this place is _not_ a democracy and calling a spade a spade is unacceptable ..... so if you think Hemos is a boring fuckwit or Roblimo is a wannabe people's hero or Michael a sleazy lying scumbag keep it to yourself or be banned.

  34. civil legal matters by zogger · · Score: 2, Informative

    "From my perspective, if a corporation deliberately stores my personal information using a server OS that is known to have more security holes than the Moon has craters, when that info is stolen the people that made that decision should be up on charges of negligence or worse"

    If it is a company you do business with, send them a letter-snail mail, registered, notarized whatever, in advance to that effect. Not a threat, just a reminder that they have alternatives, and it's in their best interest business-wise and liability-wise to look at ALL the options. Then they can't claim down the road that they "didn't know". Send an identical copy to their CEO, CFO and CIO/CTO. It's a +1 bonus if you can have several people on your side with similar viewpoints sign it as well, all customers of theirs.

    Another thing you can do is to buy stock in the company, that gives you an additional legal edge should something "go wrong", and also lets you offer suggestions and/or complain at shareholders meetings, or give you another avenue for a potential lawsuit.

  35. Stupid IT Policies by Stupid+White+Man · · Score: 4, Insightful

    I have a client, however, whose IT security policy is so strict (14 characters, alpha, numeric, plus special) that each and every employee has taken to writing down their user/password on a post-it note and taping it to their monitor or under their keyboard. Just walking through the office you can pick up at least 6 user/passwords. I've tried to argue with the head dick in charge, and all I get is BS. Why put together a security policy so strict that it keeps employees from doing their jobs, or forces them to write down their passwords out of ignorance? Nothing worse than that.

  36. There's a better definition by kafka47 · · Score: 5, Insightful
    I've seen many definitions in the vendor and user side of security. A statement like "responsibility without authority" is highly negative and a little fatalistic, don't you think? One of the key defining elements for me is that a good security administrator has the ability "to influence without power". That means, being Mr. SecAdmin is as much an exercise in politics as it is in technical wherewithal.

    Relate this back to the industry. You're either at the top-level or you're in the trenches. A good security admin will bridge the two as best he/she can. Security fundamentally affects (and is affected by) almost every facet of an organization. I've seen through personal experience a "silo-like" mentality to security policy execution. The secadmins were in their own private bubble that attempted to be dictatory and impervious to external influence. This is wrong, wrong, wrong!

    Unfortunately, the needs of the job amount to being a little political. The decisions must be participatory, or at least give the appearance of being participatory. That is what gives you buy-in from your users. You might say, "Why should I?" Well, if you're saying that, then you might want to find another job. It's a necessary evil if you care about keeping your org secure. If not, you might be the one complaining after the fact, "They never listened to me". Even if you're merely sitting there explaining why you are doing what you're doing - at least people are involved. You might even be giving them bad news, but at least you're telling them that you're giving them bad news before you change their lives. The real challenge here is finding the right people to involve. :-)

    Good security as much depends on the "how" of security versus the "what" of security. If your methodology is technically correct, cheap, and does the job, but you've dumped it on the organization, then guess what. It ain't gonna fly!

    The article, in its efforts to be concise, has not really justified its claims. Trying to sway the course of one of the largest governments in the world indeed sounds like a recipe for frustration, but does not necessarily map back to the industry in general. Those seem like radically different things. I remember Richard Clarke seeming positively perky during the days of his assumption of the cyber-security czar role. Look at him now.

  37. Re:two words : word wrap by Anonymous Coward · · Score: 0

    heh ;) .. i detest word wrap. html textareas were
    not the norm in my when and i won't start using
    them now ;) .. and if you've never run across
    a browser or web page that doesn't properly deal
    with page boundaries you wouldn't be so quick to
    throw away that enter key ..

    i'd rather have an 80x24 clean post than have to
    have some poor bastard arrow/mouse left/right just
    to read the content.

    maybe this is just a fault of mine, or years ( and
    years and years and years ) of habit. deal.

    if this is the only useful extension you can offer
    to this thread, i offer three words in return :
    "don't read it"

  38. Re:two words : word wrap by zogger · · Score: 1

    --just a guess, but maybe he's on a PDA writing and posting and it looks cool there on the dinky screen. I do not know that, though.

  39. illusions by killua · · Score: 3, Insightful

    Circumstances like these often accomplish something very important in politics, it gives the illusion of doing something to solve the problem, when in reality they have done nothing.

  40. Re:two words : word wrap by Anonymous Coward · · Score: 0

    I DETEST LOWRE KASE LETTRES AND SPELLINK KORRECTLY, AND PEOPLE TELL ME IM OBNOXIOUS TOO. I FELE UR PANE.

    sigh another gem ruined by the lameness filter. sigh another gem ruined by the lameness filter. sigh another gem ruined by the lameness filter. sigh another gem ruined by the lameness filter.

  41. most security is useless... by geoff+lane · · Score: 4, Insightful

    as it addresses the wrong problem.

    The US thinks that taking nail clippers from passengers makes air travel more secure. It doesn't but it looks as though it might.

    Most computer security looks outwards to the internet, forgetting that the biggest threat is sitting inside the firewall.

    We are all surrounded by pretend security that is in position just because it looks good. Real security is a pain in the backside. It is disruptive to the people who have to work with it and it's very expensive. It's also complex and difficult to implement.

    If the security officer in a company cannot overrule EVERY single person in the company on a matter of security, the job is a joke and exists merely as a butt-covering operation.

    1. Re:most security is useless... by BobaFett · · Score: 3, Insightful


      If the security officer in a company cannot overrule EVERY single person in the company on a matter of security, the job is a joke and exists merely as a butt-covering operation.


      This would be true if security was the overriding concern, the ultimate goal. It isn't. It would be true if the cost of a security breach was infinite, but that is not so either. So it is an entirely legitimate question to ask: should we accept the risks at our current level of security, or spend more on tightening it (in the form of direct expenses or lost productivity)? There are other ways to mitigate risks (redundancy, insurance, etc). If at the end of the day you can come out ahead by accepting the risk, then that is the correct thing to do. The security officer is not qualified to make this judgement.

    2. Re:most security is useless... by abb3w · · Score: 1
      Security officer is not qualified to make this judgement.

      This depends on the security officer; it's a standard cost/benefit analysis, which is covered (at least around here) in standard undergrad engineering classes-- and I've never heard of a computer security job that didn't want at least a BS CS. The SO may need to get numbers from the local bean counters, but that's not usually too hard.

      On the other hand, any time someone overrides the Security officer for "higher" priorities, he should be able to document the consequent risks, and require WHOEVER is overriding him to document what they think is a higher priority, and assume responsibility. Drop copies off with the legal department and the bean counters, and let them know where to bury the axe.

      --
      //Information does not want to be free; it wants to breed.
  42. Re:two words : word wrap by Anonymous Coward · · Score: 0

    ok ill accept that, though to me it looks like there is a pause between each line because im not expecting a line break there

  43. been there.. by TheHawke · · Score: 2, Interesting

    Done that.. Pissed off more than a few clients with the security policies, blown a couple of budgets by a little bit. But it's still secure by overbuilding, securing the systems with personal passwords, set to expire in 30-day intervals. Education, education, education... The current headache with the 'wares was simply resolved by implementing a HOSTS file on each terminal via administrative batching. This was done within an hour and the infected machines were then reimaged with clean OS's. No slouch this nut is. As I said, I've pissed off a few folks, but they learned lessons the hard way: break the NSA's rules and you wind up with a blank computer, or worse, a letter in your docket for the security violation. I'm not in the business to make friends, either personally or politically, which irks some of the suits. They pay me the big bucks to keep their business as secure as Fort Knox, and they get what they pay for.

    --
    First rule of holes; When in one, stop digging.
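The HOSTS-file push described in the comment above is a sinkhole: every adware name resolves to an unroutable address before DNS is ever consulted. The script below is an added example of how to do that safely, not the poster's batch job. It keeps the managed entries between two marker comments so repeated pushes stay idempotent, and it reports names that an earlier manual entry still maps elsewhere, because hosts lookup takes the first match on Windows and glibc and a blind overwrite would silently lose. The blocklist names, the sample hosts file and the marker strings are all constructed for the demonstration.

```python
"""Idempotent sinkhole block for a hosts file.

Added example, not the poster's script.  SINKHOLE_IP, the marker comments,
BLOCKED and SAMPLE_HOSTS are constructed for the demonstration.
"""
import posixpath

SINKHOLE_IP = "0.0.0.0"                  # unroutable: the request fails fast
BEGIN = "# BEGIN managed-sinkhole"       # assumed marker, not a standard
END = "# END managed-sinkhole"

# Constructed blocklist (hypothetical names, not a real adware list).
BLOCKED = ["ads.example.invalid", "tracker.example.invalid", "ADS.example.invalid"]

# Constructed starting hosts file: a stock entry, a manual override that
# precedes any managed block, and a stale managed block from a previous push.
SAMPLE_HOSTS = """\
127.0.0.1 localhost localhost.localdomain   # stock entry
10.0.0.5  tracker.example.invalid           # someone's manual override
# BEGIN managed-sinkhole
0.0.0.0 old.example.invalid
# END managed-sinkhole
"""


def parse_hosts(text):
    """Yield (ip, [names]) for every non-comment hosts entry, in file order."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()
        yield ip, [n.lower() for n in names]


def resolve(text, name):
    """IP the hosts file maps `name` to, first match wins (as the Windows and
    glibc resolvers do), or None if the name is absent."""
    name = name.lower()
    for ip, names in parse_hosts(text):
        if name in names:
            return ip
    return None


def strip_managed_block(text):
    """Remove any previous BEGIN..END block so repeated pushes do not pile up."""
    kept, inside = [], False
    for line in text.splitlines():
        if line.strip() == BEGIN:
            inside = True
        elif line.strip() == END:
            inside = False
        elif not inside:
            kept.append(line)
    return "\n".join(kept).rstrip("\n")


def render_block(domains):
    """One sinkhole line per distinct, lower-cased domain, between the markers."""
    body = [f"{SINKHOLE_IP} {d}" for d in sorted({d.lower() for d in domains})]
    return "\n".join([BEGIN, *body, END]) + "\n"


def merge_hosts(text, domains):
    """Hosts text with the user's entries intact and exactly one managed block
    appended at the end."""
    base = strip_managed_block(text)
    return (base + "\n" if base else "") + render_block(domains)


def conflicts(text, domains):
    """Domains the merged file still does NOT sinkhole because an earlier
    manual entry wins first-match.  These need a human, not a blind overwrite."""
    merged = merge_hosts(text, domains)
    return sorted(d.lower() for d in set(domains) if resolve(merged, d) != SINKHOLE_IP)


if __name__ == "__main__":
    print(merge_hosts(SAMPLE_HOSTS, BLOCKED))
    print("not sinkholed:", conflicts(SAMPLE_HOSTS, BLOCKED))
```

Deploying it is then a matter of reading the machine's hosts file, writing `merge_hosts()` output back, and refusing to proceed when `conflicts()` is non-empty; the reimage the poster describes is the right answer for a machine whose hosts file has already been tampered with, since the same first-match rule lets malware pin a vendor's update server to an address of its choosing.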
  44. security folks=worthless by Anonymous Coward · · Score: 0

    security people are annoying.
    at my company all they do is read bugtraq and send out 'items' for everyone else to do.

    then they take credit for whatever they made us do.

    many times, one small patch turns into a very large upgrade and project. security guys just sit back and say 'we need this patch installed' and offer no other help than that.

    very damn annoying.

    any idiot can do a security persons' job.

  45. been there by Revek · · Score: 1

    I've been in that situation with everybody wanting things to be secure but not wanting to give up one thing they do, even if it caused the problem. Of course I'm not working there anymore.

  46. jack of all trades by mslinux · · Score: 1

    What about a company that has 300 users, 450 computers and only one full-time IT guy who primarily does sys-admin related tasks (email, viruses, backup, troubleshooting, etc.)? By association, he's the "security" guy as well. He does all of the computer inventory & tracking, ordering & provisioning, repairing, programming... does he have to be the "Security Officer" too?

    1. Re:jack of all trades by Monf · · Score: 1
      no - but he should know enough to tell the higher-ups that it is an issue, suggest a way to deal with it (hire a COMPSEC guy) -- and then get the denial in writing when the company doesn't want to pay for it...

      --
      Pay no attention to that man behind the curtain.
    2. Re:jack of all trades by Anonymous Coward · · Score: 0

      yeah, I'm one of these cover-all IT guys. I also have all the responsibility and none of the authority. So I'm leaving a paper trail!

  47. Cheap way to increase security by kabz · · Score: 3, Interesting

    One way to decrease users' tendencies to download crap might be to publish a web page harvested from the firewall logs (you do have a firewall, right?) and allow general access to see what users have been downloading.

    This would favorably impact the following :

    o Porn searching
    o Cosmetic surgery searching
    o Perv searching
    o Joke searching
    o Browsing slashdot at -1 ;-)

    The Slashdot model of moderating/censoring web page accesses would also be driven by the curiosity to see what your dodgy co-workers have been downloading.

    One thing that one of my previous companies also emphasized was ensuring that machines have a password protected screensaver whenever a user is away from his/her desk. Another co-worker being able to hit porn from an open desktop would be a great motivation to lock up your desktop on restroom trips, coffee etc.

    Most companies have policies on non-business use of machines, though these are seldom enforced with any vigor. Enforcing them through a peer mechanism like that described above might help to keep users and company networks safe from themselves.

    --
    -- "It's not stalking if you're married!" My Wife.
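The "harvest the firewall logs into a page" idea above, worked through as an added example that is not the poster's code. It parses a constructed proxy-style log (the format, the user names, the hosts and every line of SAMPLE_LOG are made up for the demonstration), counts only successful GETs as downloads, flags executable-looking file types, and renders a table. Query strings are discarded at parse time rather than in the renderer: a page that anyone in the office can read must never carry the session tokens and passwords that URLs routinely contain.

```python
"""Per-user download report from firewall/proxy log lines.

Added example, not the poster's code.  The log format, SAMPLE_LOG, the user
names and the host names are constructed for the demonstration.
"""
import posixpath
import re
from collections import defaultdict
from html import escape
from urllib.parse import urlsplit

# Constructed format:  <epoch> <client_ip> <user> <method> <url> <status> <bytes>
SAMPLE_LOG = """\
1099000001 10.1.1.20 alice GET http://files.example.invalid/report.pdf 200 482112
1099000002 10.1.1.20 alice GET http://files.example.invalid/setup.exe?token=SECRET 200 9120000
1099000003 10.1.1.31 bob   GET http://www.example.invalid/index.html 200 20481
1099000004 10.1.1.31 bob   GET http://dl.example.invalid/screensaver.scr 200 3200000
1099000005 10.1.1.31 bob   GET http://dl.example.invalid/codec.zip 403 0
1099000006 10.1.1.42 -     CONNECT mail.example.invalid:443 200 1048576
garbage line that does not parse
"""

LINE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})\s+(\d+)$")

# File types worth calling out on the report (an assumed list, not a standard).
EXECUTABLE_EXTS = {".exe", ".scr", ".zip", ".msi", ".bat", ".com"}


def parse_line(line):
    """Dict for one log line, or None if the line does not match the format."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts, ip, user, method, url, status, size = m.groups()
    parts = urlsplit(url if "://" in url else "//" + url)   # CONNECT has host:port only
    return {
        "ts": int(ts), "ip": ip, "user": user, "method": method,
        "host": (parts.hostname or "").lower(),
        "path": parts.path,            # query string deliberately dropped here
        "status": int(status), "bytes": int(size),
    }


def summarize(log_text):
    """Return ({user: {bytes, downloads, hosts, executables}}, unparsed_count).

    Only 2xx GETs count: a 403 is a download the firewall already stopped and
    a CONNECT is an opaque tunnel, so neither says what the user pulled down.
    """
    users = defaultdict(lambda: {"bytes": 0, "downloads": 0,
                                 "hosts": set(), "executables": []})
    unparsed = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if rec["method"] != "GET" or not 200 <= rec["status"] < 300:
            continue
        u = users[rec["user"]]
        u["bytes"] += rec["bytes"]
        u["downloads"] += 1
        u["hosts"].add(rec["host"])
        if posixpath.splitext(rec["path"])[1].lower() in EXECUTABLE_EXTS:
            u["executables"].append(rec["host"] + rec["path"])
    return dict(users), unparsed


def render_html(summary):
    """Static HTML table, heaviest downloader first; every cell is escaped."""
    rows = []
    for user, u in sorted(summary.items(), key=lambda kv: -kv[1]["bytes"]):
        rows.append("<tr><td>{}</td><td>{}</td><td>{:.1f}</td><td>{}</td><td>{}</td></tr>".format(
            escape(user), u["downloads"], u["bytes"] / 1e6,
            escape(", ".join(sorted(u["hosts"]))),
            escape("; ".join(u["executables"]) or "-")))
    return ("<table><tr><th>user</th><th>downloads</th><th>MB</th>"
            "<th>hosts</th><th>executables</th></tr>\n"
            + "\n".join(rows) + "\n</table>")


if __name__ == "__main__":
    summary, unparsed = summarize(SAMPLE_LOG)
    print(render_html(summary))
    print(f"<!-- {unparsed} line(s) did not parse -->")
```

The report deliberately aggregates to hostnames and file names rather than listing every URL: that is enough to make the point the comment is after, while keeping the published page from becoming a second copy of the log that everyone in the office can mine.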
    1. Re:Cheap way to increase security by Anonymous Coward · · Score: 0

      At my old company the Helldesk girl (with a Domain Admin account [don't ask, it hurts me]) walked away from her desk to make a coffee, and once again did not lock her 2000 Pro Workstation.

      We can't officially discipline her for that, and with the new security cameras installed, the rubber hose method won't wash either.

  48. Sarbanes-Oxley Compliance by adrenaline_junky · · Score: 3, Interesting

    It may also be worth noting that your boss going in and making undocumented changes may very well be illegal now, under Sarbanes-Oxley (assuming you're in the U.S.).

  49. Dictatorship by Anonymous Coward · · Score: 2, Insightful

    You try to place the blame on misconfigured systems. But when you demonstrably create an adversarial relationship with the users you're supposed to be supporting it proves you're part of the problem. Over and over, IT throws its weight around by not allowing anything useful. Anything IT doesn't understand is disallowed behind the "security" bogeyman and there's no effort to work with the users. When IT does get authority it's a power position, not a technical position. Automatic dictatorship.

    1. Re:Dictatorship by pbranes · · Score: 4, Insightful
      Then, what do you propose we do? Go sweet talk the user and ask that they nicely reconfigure their system pretty please with a cherry on top? We aren't just cutting them off of the network - we are giving them a choice - either configure their system properly, or don't be on our network.

      In IT, more often than not, security has to come first, and people's feelings come second - we are talking about personal information being passed around. How do you propose running a network where the emphasis is on sharing and being nice instead of enforcing strict security policies? Go to a warehouse - the physical security of that warehouse doesn't care if you are a nice person or not - they are going to make sure to enforce the security policies on you the same as everyone else. The same idea applies to data security.

    2. Re:Dictatorship by tverbeek · · Score: 1
      How do you propose running a network where the emphasis is on sharing and being nice instead of enforcing strict security policies.

      Try "good cop"/"bad cop". Have one person in your department go around and threaten to disconnect people, then have another go around "behind his back" and help them to stay on. (If you're a department of one, ask your director if he'll sign a "bad cop" memo; if not, let him be "good cop" and "force" you to cooperate.) "Bad cop" may not end up the most popular person in the organisation, but if he responds by enthusiastically congratulating and thanking the newly-complying parties, that should avoid too much permanent bad blood.

      --
      http://alternatives.rzero.com/
    3. Re:Dictatorship by Lancaibheal · · Score: 1

      And when the security is breached, as it inevitably will be, whose fault is it that IT was all touchy-feely with the users rather than making the difficult choices to keep the system secure and the data safe?

      IT is there to keep the network secure, not to make friends. If you want "useful" services, go and pay for and maintain your own network.

    4. Re:Dictatorship by Antique+Geekmeister · · Score: 1

      You rely on the kindness of strangers.

      More seriously, you rely on the people who buy your equipment and services to pay the extra cost in an emergency for the extra bandwidth wasted and the downtime, because they refused to pay it up front. And you keep your resume up to date, because when it fails and you point out to them, in writing, where they told you not to do the necessary changes, they will fire you for exposing their stupidity in the review or lawsuits.

      Of course, their firing of you will be six months later, so you'll have time to go looking for something better.

    5. Re:Dictatorship by _Sprocket_ · · Score: 2, Interesting

      The adversarial relationship is natural. IT tends to involve an inverse relationship between functionality and security. The easier something is to use, the less secure it is likely to be. And likewise, attempting to put in security restraints will tend to impact ease of use. This applies to people too.

      Users' primary interest is having widgets to do their work. Infosec's interest is about protecting existing widgets. The adversarial relationship tends to come in place when deploying new widgets, or making widgets easier to use and access, impacts the security of all widgets (and information in general) already deployed.

      It might be interesting to note that this exists within IT too. IT departments tend to be held responsible for deploying widgets. And since widgets are easier to deploy in less-secure configurations, the natural temptation is to cut corners on security for the sake of easing deployment. This conflicts with Infosec, whose goal is to keep widgets secure, not necessarily to ensure more widgets are deployed.

      The challenge is to recognize this inverse relationship and take advantage of it. Use the natural inverse and work it in to your organization as a check-and-balance.

      First and foremost, an organization should have their security policies well documented and those policies should be applicable to most common access requirements without interpretation. When Infosec notes something is dangerous, it shouldn't be a judgment call - it should be based on documented policy.

      Secondly, Infosec's role is not to be a road block. It's there to help conform (and modify) existing policy. If a policy is unworkable, fix it. But more likely the policy is functional and it will simply take some working with the end user / developer to modify the system design to properly conform with that policy.

      Finally, there will be times when the policy is valid and the project simply can't be modified. This is where Infosec helps define the level of risk. Meanwhile, project developers define a business case for their architecture. Both cases are presented to higher management, who ultimately weigh risk against business case. And if the business case outweighs the risk, that risk is well documented.

    6. Re:Dictatorship by CountBrass · · Score: 1
      The easier something is to use, the less secure it is likely to be.

      What complete rubbish: the reverse is actually the case. Which is more secure *and* easier to use: one that allows you to directly access and manipulate the fields in a database or one that is task driven and guides you in performing that task by prompting you to enter the information required?

      --
      Bad analogies are like waxing a monkey with a rainbow.
    7. Re:Dictatorship by _Sprocket_ · · Score: 1


      What complete rubbish: the reverse is actually the case. Which is more secure *and* easier to use: one that allows you to directly access and manipulate the fields in a database or one that is task driven and guides you in performing that task by prompting you to enter the information required?


      Which is easier to use? The database interface that you just sit down and begin entering the information required? Or the database that first requires you to authenticate before you can begin entering data (and then what happens if you forget your password or lose your smartcard / keyfob)?

      What you described is simply a better interface. It does nothing to protect the data involved. Without basic authentication, authorization, and access controls you do nothing to protect the integrity or availability of the data. At best, it might assist in data accuracy.

      The holy grail in Infosec involves minimizing the impact of the inverse relationship. This is certainly possible (enter 2-factor authentication mechanisms such as tokens and smart cards). And there are certainly scenarios where one can move to a more secure interface AND improve ease-of-use over a legacy insecure and hard-to-use interface. But that relationship tends to remain intact, if minimal.
    8. Re:Dictatorship by whitegold · · Score: 1

      This is network security management, not a small Latin American country. Dictatorship is an entirely valid system in this case. This enables the more knowledgeable person who is responsible for securing the systems to "dictate" how things have to be.

      Granted in all cases where systems have to be changed some dialog is necessary to establish reasons for existing security flaws, etc, but when considering that the needs of both parties might sometimes clash there's still no good reason compromises cannot be made in some cases. It's simply up to the admin what he/she can and can't compromise on.

  50. If it were that clear it would already be done by HBI · · Score: 1

    It's not that clear.

    I'd love to use Linux (I've actually seen a program do it - it can be done, but it isn't in vogue) but getting it through the management's head is not that simple. You can blame the government. You can blame the contractors. You can blame the people in green, but the system stays the way it is because the users of the system want it that way, and it's secure enough that there haven't been any high-profile penetrations in the past few years.

    A few of those would go a long way towards changing the Army's IT.

    --
    HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
  51. Re:two words : word wrap by Anonymous Coward · · Score: 0

    These "back in my day" bullshit rants need to stop. I think I'll start taking my shotgun to you pasture geeks so you no longer have the power to ruin my field.

  52. Re:two words : word wrap by mrchaotica · · Score: 1

    If you let your words wrap normally (or better yet, use the <p> tag), there's an extremely slight chance that someone might have to scroll horizontally (note: that's typically only on boards where inserted images are allowed, and Slashdot isn't one of them).

    On the other hand, when you use hard breaks in your post, you piss off the other 99.9999999% of us!

    Plus, you should be using XHTML markup anyway, so as to convey as much semantic information as possible. After all, some blind person could be using text-to-speech to read your post. How would you...like it if...there was an annoying...pause every three...seconds?

    So yeah, your "habit" is not only annoying as hell, but it is also wrong!

    --

    "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

  53. "Big Mistake"? by Large+Green+Mallard · · Score: 1

    Doesn't sound like it :)

    1. Re:"Big Mistake"? by vwjeff · · Score: 1

      It wasn't a mistake in the terms of me having control of the system I administer. It's more of a situation that I feel like I always have to watch my back. I am no longer the fall man most of the time. I still make mistakes but at least I know what I did.

      The big mistake was me challenging his authority. I believe my boss knew he created the problems by his actions and now knows that I know he created the problems (if that makes sense. :) He hardly talks to me now and I think I am seen as a threat.

      In an IT department with only five people, myself included, an IT manager really isn't needed. In the past there have been talks of cutting his dedicated position and giving the manager responsibility to someone else in the department. Since I have been there the longest I would be the most likely to get the manager responsibility.

      Office politics, you got to love it :)

    2. Re:"Big Mistake"? by Anonymous Coward · · Score: 1, Insightful

      I understand what you said, but I believe you're setting yourself up for a big fall on the promotion bit:

      "In an IT department with only five people, myself included, an IT manager really isn't needed."

      You think the manager's position will be eliminated. But then you say:

      "In the past there have been talks of cutting his dedicated position and giving the manager responsibility to someone else in the department."

      You then believe it will not be eliminated, but be reallocated to an underling.

      "Since I have been there the longest I would be the most likely to get the manager responsibility."

      And hopefully it will be you.

      I hate to burst your bubble, but do the math. There are two possible situations here, and you won't benefit no matter what:

      1) The managerial position will be eliminated. That means NO promotion. There won't be a managerial position to fill. You won't get squat and you'll have to answer to the next higher boss, who will likely know LESS and have you do MORE stupid things.

      2) If a managerial position gets eliminated, then refilled by a promotion, guess what? The company doesn't save the managerial salary, they save the admin's salary. So, the net effect is one admin is eliminated. And if one IT guy has to go, you know for damn sure it won't be the manager. He'll nominate an underling. Watch your back.

      My advice is to start looking for another job. You won't get any notice if/when the axe falls.

      But you can always look on the bright, cheery, optimistic side and hope that your manager really will be lousy enough at politicking, won't be friends with his boss, and lack enough foresight to dodge the bullet.

      Good luck there.

  54. Sushi programs? by Nonesuch · · Score: 1
    paranerd writes
    sushi programs installed by everyone
    Sushi programs?

    I'm confused, what does raw fish on rice have to do with data security?

  55. Not just security... by supabeast! · · Score: 3, Insightful

    This doesn't just apply to security, it applies to IT in general. The sysadmin is always the guy who has to implement all of the stupid shit managers promise to people, and rarely has any input on how it will be done. I finally knew that my IT career was about to end when, on a Friday morning, I was asked to work at least 12 hours on Saturday AND Sunday because the director of a federal agency I was working for (as a contractor) had promised that we would have a certain system working by a certain date, which just happened to be Monday morning. This was the first time that ANYONE on the team responsible for the implementation had heard about it.

    I refused -- not that it mattered, because the coders needed time to adapt beta code from a different project to this one -- and dropped by for a few hours on Sunday just to check on the status of things. Two weeks later we had a semi-functional prototype. Three months later it was still a lame cycle of the same crap.

    Now I'm going to art school and painting full-time. The money sucks, but I never have to come in at three AM to cleanup after someone else's dumbshit idea.

    1. Re:Not just security... by js290 · · Score: 1

      It's chronic in this industry. I'm amazed at the ability of incompetent IT managers to unzip, pull out cock, and insert into mouth in one fluid motion. As Jerry Seinfeld would probably say, "How do these people get promoted? Where do they come from?" One theory is incompetence is promoted to reduce the damage they do. It may be time to move on to something else.

      --
      "Tempers are wearing thin. Let's just hope some robot doesn't kill everybody." --Bender
    2. Re:Not just security... by supabeast! · · Score: 1

      In my experience IT managers usually end up that way via a field promotion; the boss quits, and his bosses don't have time or money to spend replacing him, so they just promote whoever's been around the longest. In IT that usually means promoting some lazy, easy to placate schmuck who's only been around that long because, unlike most IT workers, he's too lazy to post a resume on Monster.com.

      It doesn't help that good techies rarely make good managers. Programming/sysadmin/dba skills rarely translate into people skills. In the best IT teams I worked on, the team really managed itself and the boss was there as what we called a human shit filter -- someone to communicate between customers and IT staff and make sure that the two sides didn't flip out and kill each other.

    3. Re:Not just security... by Anonymous Coward · · Score: 1, Insightful

      It doesn't say a lot about the industry when most promotions are done through attrition rather than through technical merit.

      Another problem, as it's been described to me, is that these incompetent IT managers who get promoted through attrition become a bit overconfident in what they think they know. So instead of letting or hiring people to do what they are capable of doing, the manager starts dictating a lot of bad ideas.

      I think the problem with IT, much like programming, is that anybody who can turn on a computer and connect a SOHO thinks they can handle the issues involved in enterprise networking. While IT isn't rocket science, it's not as trivial as some of these managers make it out to be. What can you do when words such as "I don't care about security," "We just provide ports," "Can't we just static route everything," and, regarding management of DNS, "It's just editing static files," come out of your managers' mouths? What can you do when a manager threatens to quit if users are not allowed to have 100FD to the desktop, and a manager, against all advisement of his staff, chooses a software system that won't do what the dept needs, won't do what the vendor claims, and hires someone not qualified to manage the system? Those guys aren't going away. They suffer no consequences... it's bad...

  56. "Wall Street", Linux, security and accountability. by twitter · · Score: 1
    What a fun little exercise you have provided, AC.

    I don't know what you mean by "Wall Street", but most brokerage houses, banks and even the actual NYSE never used Windows for anything except desktops. The business has always been run on big iron IBM OS/390 and Sun boxes.

    You are wrong, but even if you were right, investment firms won't have any patience for companies wasting money on Windoze, desktops included. My point was that they had moved away from that themselves and I find an abundance of information to back up my vague memories. Given the wrongness and insult of your reply, it's easy to see why it was posted AC.

    My memory was of a stampede away from Windoze on the desktop after the early M$ disasters, Melissa and ILOVEYOU around 2000, 2001. The worms might have helped. I can't put my fingers on those articles now but I do find these, which offer much more. The time frame is correct, 2001, but the speed of adoption is faster and wider than I remember. Read and enjoy:

    I've worked here (in NY) for the better part of the past six years as a consultant and I've never come across a major financial institution using Linux except for web and file servers. The desktop is still Microsoft's and the business is still IBM's and Sun's.

    From the above, I'd say you are out of the loop. Microsoft is not on the desktop anymore. Sun may still be around, but people think it's expensive and IBM is doing well because they reduced costs with free software. Who do you service, hot dog vendors or dopes like Bankone?

    The topic of discussion was responsibility and accountability for "security". I identified the biggest security headache out there, its ramifications and why no company employing fall guys is going to get away with it for long. The bankers know, from first hand experience, what the problem is and what the solution is. They are not going to fall for blame shifting and excuse making when they look at IT budgets bloated with Windoze-induced costs. The bottom line is what's inspected.

    --

    Friends don't help friends install M$ junk.

  57. Anyone looking for an ex-security administrator? by Lancaibheal · · Score: 2, Funny

    "If you have the responsibility for security without the authority to make changes, your only role is to be the fall guy when something goes wrong."

    Oh.

    Great.

  58. OK, here are some links. by twitter · · Score: 1
    The third AC to pester me for details insults and asks:

    What a bunch of ridiculous tripe. Their "core infrastructure"?? My god. Care to provide a link to back this up, or are you just passing wind?

    Sure, I looked up stuff to verify my impressions. It includes things like NYSE financial trading and total usage, desktop and server by most major trading houses. Is that core enough for you?

    I am not your God but if you insist on that status for me, I must exercise the usual free will doctrine to shed myself of responsibility for your obnoxious actions. Please give generously to valid charities and buy beer for anyone who identifies himself as Twitter.

    Here is your requested raz-berry, pththth-fit.

    Is there anything else you want on Halloween?

    --

    Friends don't help friends install M$ junk.

    1. Re:OK, here are some links. by twitter · · Score: 0, Offtopic
      Are you starting to feel stupid yet?

      Yes. From those quotes, picked have little to do with the contents of the articles and present a distorted view. Just reading the titles is enough for most reasonable people. You know, titles like "Wall Street Embraces Linux" If Merrill Lynch and four other major trading houses using Linux for everything, and the NYSE using it for transactions is not enough for you, I'm not sure what is. The logical progression from experimentation in 2001 to adoption in 2003 by those banks and trading houses should not be a big surprise to you.

      Get back under your bridge. No one legitimate posts AC.

      --

      Friends don't help friends install M$ junk.

    2. Re:OK, here are some links. by Anonymous Coward · · Score: 0
      quotes, picked have little to do with the contents of the articles and present a distorted view

      Well it's obvious you didn't read them. They talk of plans and interest, but nothing more.

      Just reading the titles is enough for most reasonable people

      Oh, I'm sorry - I didn't know I had to just read the titles and stop there. I guess I'm not reasonable. I bet you buy those supermarket tabloids all the time, don't you? Man, they have great titles!

      The logical progression from experimentation in 2001 to adoption in 2003 by those banks and trading houses should not be a big surprise to you.

      There is no "logical progression", except maybe in your head. Note I'm still not saying anyone in "Wall Street" doesn't use Linux, far from it. But you said core infrastructure. That's the gist of it, and it's a misrepresentation, period. If you wanted to turn this into some sort of "Linux vs Windows" thing I'd say you didn't do a very good job, and if anything you come across as a grandstanding looney.

      Get back under your bridge

      Sure kid, won't bother you again. Got better things to do.

  59. Re:two words : word wrap by Anonymous Coward · · Score: 0

    heh ;) .. "back in my day" you were still just
    a glimmer in your daddy's eye ;) .. i'm not sure
    how those of us that have been doing this for
    20+ years have the power to ruin 'your field'.
    I'd say it would likely be the other way around.
    Having been brought up with the changing winds
    of technology we ( the oldsters .. and i'm not
    very old ) have a more solid grounding in what
    Really goes on under the hood and probably a better
    understanding of how to create robust code and
    systems.

    but whatever :) .. i'll keep my job and you can
    scout the breadline ;) .. the only thing i have
    to do is keep abreast of current changes .. you
    have an entire philosophy to absorb. i'd say we
    have the competitive advantage as our bullshit
    detectors are finely honed by this time ;)

    anyone want to buy a used copy of X-Treme
    Programming? .. I think this guy has one for
    sale ;)

  60. Re:two words : word wrap by Anonymous Coward · · Score: 0

    one word : "bullshit"

    xhtml : my ass

    and if the text to speech system in use counts
    line breaks as pauses, that sounds like a bad
    text to speech system.

    i don't use html markup in my posts. i'm not going
    to start any time soon ;)

    as for the 'extremely slight' chance, well .. you
    obviously haven't worked with too many platforms
    or browsers or have had the dubious pleasure of
    experiencing the wide range of idiosyncratic
    behaviour between similar products on disparate
    platforms.

    i contend that my posts are readable by all.

    if it REALLY bothers you that much, just lessen
    the width of your browser window until the width
    of my post matches :) .. then everyone is happy!

  61. Trying to get upper management to understand. by Anonymous Coward · · Score: 0

    I worked once for an international consultancy with an IT security division.

    It was a matter of policy to ask the entire board-of-directors what the corporate policy was for "gross fiduciary irresponsibility" on the part of board members and upper management. So, they asked if a board member or officer who would do something like leave sensitive corporate info lying around in plain sight would remain on the board for long. The universal answer was that such a board member would be asked to resign immediately.

    They then led a small working tour to each board member's office where they showed all the sticky-notes with passwords attached to the bottom of keyboards, side of monitors, etc. ... and then asked who would be turning in their resignations that day.

    Gutsy move, and it actually cost them some clients. But it also drove the point home about the importance of IT security.

  62. Responsibility by Tesral · · Score: 1, Insightful
    Posted over a foreman's desk in one of the factories I once worked in before the IT age.

    I'm not allowed to run the Train
    The whistle I can't blow.
    I'm not allowed to say how far
    The Train's allowed to go.
    I'm not allowed to blow off steam,
    Or even clang the bell.
    But let the Damn Thing jump the track,
    And see who catches HELL.

    Nothing changes but the names and places. I have no doubt this, or a local variation thereof, is scribed on a rock somewhere in the Great Pyramid.

    --
    Garry AKA -Phoenix- Rising Above the Flames
    Si hoc legere scis nimium eruditionis habes
  63. Ob. quote from "Yes Prime Minister" by Ctrl-Alt-Del · · Score: 2, Funny

    "Ah yes, Bernard. Responsibility without power - the prerogative of the eunuch throughout the ages." - Sir Humphrey Appleby

    --
    "Life is like a sewer - what you get out of it depends on what you put into it" - Tom Lehrer
  64. Don't mess up the church by Anonymous Coward · · Score: 1, Funny

    Please don't try to make more divisions in the church. It's God's church, and He won't take kindly to those who mess it up.

  65. Re:two words : word wrap by aardwolf204 · · Score: 1

    I use TTS to read this post, it was VERY annoying, however the post was insightful to me. I'm going to start blogging my findings at work. There is a feature in Outlook 2003 for this... It's called "remove unnecessary line breaks", wish slashdot had something like that. And yeah, xhtml my ass too, but seriously you sound like a bitter old sysop hanging on to your series M IBM keyboard with an elitist chip on your shoulder. Might explain how insightful your post was... got blamed for some security mishap because you didn't document the system and now you regret it maybe? Not sure where I'm going with this but trust me, it's annoying. Oh yeah, and back in my day the F keys only went to 10 and were on the left side of the keyboard, does that make me special? pfft

    PS: Thanks again for the great advice

    --
    Im dreaming ofa big bndwdth, That can resist the /.crowd.May ur days b merry & bright & may al