Slashdot Mirror
Has Corporate Info Security Gotten Out of Hand?
KoshClassic asks: "What is the right balance between security and productivity, in the corporate IT environment? Looking back at my company, 10 years ago, our machines were connected directly to the Internet, no proxy, no firewall, no antivirus software. Today, my company's proxy server blocks access to: 'bad' web sites (such as Google Groups; our 'antivirus' software prevents our machines (even machines that host production applications) from carrying out legitimate functions, such as the sending of email via SMTP; and individual employees are forced to apply security patches with little or no notice, under threat of their machines loosing network access, if they do not comply by the deadline. On one hand, you can never be too secure, however on the other hand, have we become so secure that we're stifling our own ability to get things done? What is the situation like at other companies?"
The only real problem is overzealous proxy servers, which can be tough to configure, but should have a whitelist of some sort... the rest of the problems mentioned are problems that have solutions. There are plenty of corporate-level antivirus solutions that will allow the control of virus scanning policies so that you could enable the sending of e-mail through SMTP. If it's corporate policy not to allow it, then it really isn't a computer problem, but a company policy problem. There are also plenty of options for keeping up on patches that would relieve the users of this responsibility. Even in the case of Windows, Microsoft distributes a free "private" version of Windows Update, called Windows Server Update Services that can be deployed on a network. This version allows you to choose when and how which patches are distributed; all you have to do is point your computers to the server. Assuming you are running a Windows network, the settings for the Windows Update can be deployed via Group Policy without ever having to visit a workstation. Workstations can be scheduled to update themselves without taking control away from the IT department in regards to which patches they want installed.
Most of that was assuming you are running a Windows-based network. I am not as familiar with Linux software, but I know that similar services are available for Linux as well. In my experience managing network environments, most of this has never been a major problem. It seems to me that the network environment doesn't suffer from too much security, but that the existing security needs to be better managed so that it doesn't prove detrimental to the productivity of the employees.
I think overall mankind's productivity has increased thanks to the technology. I can't say if the IT world would be more convenient if 95% of us were using Linux.
It's like when cars were first introduced, there were not speed limits, cars were hardly locked and tyres were hardly threaded......
As cars become more common, more people died in car accidents, so you can't drive too fast anymore, must wear seatbelts and cannot drive drunk.
As car thefts become a norm, we must lock our cars, when that's not enough, we need to put on the steering lock, alarm, then immobalizer, and now the security datadot. However, I think overall we do benefit from the introduction of vehicles.
Virtual Betting on Facebook for non-geeks.
Security like most things, is a balancing act. Being able to manage the 'pain vs. protection' factor is the key to all of it, and unfortunately no tools seem to have the sliding adjustment with those options on it.
Ideally security will allow everything that's vital while not stepping on any services that are required. With most companies, what is 'required' ends up being pared down as the security net gets closed down tighter.
Nostalgia is one thing -- how many of us worked on systems that had telnet / ftp open to the outside without a firewall? I know I did back in the day. When management is behind security initiatives, being able to work on the business isses ("No, we CAN'T disable FTP!") becomes less of a problem.
Regarding individual workstations -- putting the burden on end-users doesn't seem to be a common (thankfully) configuration in the companies I've seen. Most larger places are doing automated patch management and deployment now. I know quite a few places where every single system (desktop and production) is patched within a 15 day window. While it's not bleeding edge, this relatively fast schedule combined with the concept of 'defense in depth' goes a long way to preventing issues. I know places that haven't lost a machine to a virus in YEARS.
Security that's preventing legitimate work from being done needs to be adjusted. All of the problems you've mentioned are fixable.
When I run into such a seriously aclueistic situation, I point it out. Once. Then, I go work somewhere else if they don't get a clue.
But this is slashdot. A slashdoter who didn't build his own computer is like a Jedi who didn't build his own lightsaber!
One time for security's sake my office ethernet port was turned off by IT. Figuring it to be some outage I called support (hah!), and they looked up my IP address and said yes the port had been turned off because my machine had refused to accept recent XP updates.
Hmmm, but my machine is a linux machine! We're sorry, but until you're machine accepts the updates we can't re-enable the port. I asked why I hadn't been notified -- they said ALL XP login scripts had been posting the notice for over a week, I had been given "plenty" of warning!
Hmmmm, but my machine is a linux machine! We're sorry, but until you're machine accepts the updates we can't re-enable the port.
Fortunately I had a dual-boot, so I was able to comply.
But, ironic that one of their (in my opinion) least vulnerable machines on the network was mine.
(And, for the record, my assigned work had no specific XP requirement, and my responsibilities were heavily around Unix... so I wasn't in violation of any policy (such as they existed).)
individual employees are forced to apply security patches with little or no notice, under threat of their machines loosing network access
I don't think this is unreasonable at all. What's the downside of enforcing a little rigor in your employees, when the alternative is having your entire corporate network become a zombie farm overnight controlled by a mob boss in Russia named Vladamir?
I'm sorry. The number you have reached is imaginary. Please rotate your phone 90 degrees and try again.
But also realize how much the worms of 2003 and 2004 cost corporations. I saw it first hand when working in a plant, and it was seriously disastrous. I can understand why they don't want that to happen again.
If surfing "bad" sites is THAT important to you, perhaps its time to get your resume out to a company that trusts its employees more. Or quit complaining to a bunch of slashdotters and present a true solution that benefits everyone. There are ways to have both security and usability.
Berto
What is the situation like at other companies?
I'd love to tell you but that would be a breach of security.
Everywhere I've worked seven to ten years ago (1995-1999) made IT workers who wanted Internet access sign special forms that had to be okayed by three levels of management before Internet access was granted. And once granted, it was heavily monitored.
/. that checking code into CVS.
Four to seven years ago (2000-2002) getting Infobahn access was far easier, but most companies still required that you use their proxy so that they could monitor who visited which sites and who spent more time posting to
But lately, Internet is usually just taken for granted. At most you have have to worry about firewalls that don't let ports other than the standard http and https ports in or out. And that is fairly easy to bypass by anyone with a home machine.
- Google Groups doesn't sound like a business website. That's "bad" from a management perspective.
- SMTP blocking would not be needed if users didn't keep clicking on emails from the "FBI" "CIA" , etc. Besides that, it's easy to configure an AV policy to exempt legitimage SMTP usage.
- Updates can and should be applied automatically and without user intervention. If a reboot is required a nightly shutdown policy will suffice.
I'd love to live in a happy land where all computers can be open and free but unfortunately malicious crackers, crappy programming and ignorant users have made that an impossibility these days.
"under threat of their machines loosing network access" would be losing network access?
Hmmm, maybe if you didn't filter out google groups you could actually find out what other companies are doing. That's like one of the #1 internet tools for troubleshooting everyday issues. Pop in an error message and out comes reems of articles with other users having the same issue and the fix to the problem. it's the best free knowledge base ever!
Adeptus
No trees were killed in the making of this post; however, many trillions of electrons were horribly inconvenienced.
I think that there are too many companies who have people who just decide iTunes purchases and downloading of podcasts specifically through iTunes is not a good use of resources, yet we are a educational institution that can have VALID reasons for purchasing music and downloading podcasts. There's a programmer that creates...things that are put into our login scripts to kick off antiviral scans at every reboot, scan inventories and update records at every log in among other things. It's to the point that I never log into the network with my laptop (I just use the ethernet) so that my tools like VNC are still around when I need them. I have no power on what I have on my PC any more because somsone things that X thing is "dangerous" to the network. This is what malware and Windows Bugs has done to a great industry.
Gorkman
Being a memeber of the IT dept. at a school district , i am glad our secuirty policies are as stringent as they are. when you have a few thousands teenagers trying to download as much spyware and pr0n as possible. Now you may say most business dont have teenagers as employees, but even the teachers need to be protected from themselves because they dont know any better. What im getting at , is if he thinks its hard to get stuff with his security policies wait one week without them and see what he can do.
"When they invent bitch slaps that can go through a monitor you better f'ing duck" --deft (253558)
A slow transition is better than sticking with the current situation.
At big big US government agency they block jakarta.apache.org because it is a "hacker tools site". Ironically the majority of their own stuff runs on Tomcat, et al.
Your complaints are more about lazy and/or stupid and/or under resourced sysadmins and bad security setups than security in itself. Regardless the poor security is generally less of a dent on productivity than corporate lans without virus scanners or fire walls.
Curious.
Out of hand? Maybe. Bad? No. People in the IT industry don't have to worry about losing their jobs as long as viruses, worms, etc. exist. Therefore, malicious computer stuff is good for the economy. There's you're glass half-full perspective. :)
There are no uninteresting things. There are only uninterested people.
Has Corporate Info Security Gotten Out of Hand?
Obviously it still needs work.
google: stolen customer data
Comment removed based on user account deletion
And, why, yes I am a network administrator, thanks. I'm lucky so far -- it's a small company, people are well-behaved, and I don't have to implement the policies you describe. I set up times for patches, there's no proxy yet and not too many firewall restrictions.
But if this place gets to be big enough that I can't count on collective intelligence and/or social pressure to keep people doing the right thing, I'm going to have to seriously consider policies just like the ones you describe, in order to keep things running as they need to -- because your complaints about the network not working 'cos of the latest virus outbreak are going to be a fuck of a lot louder than your complaints about your desktop machine not being allowed to be a mail server.
Carousel is a lie!
What does create havoc (and I jump in with this in every one of these discussions because it can't be said enough) is the insanity with multiple, long, complex, frequently-but-out-of-sync changed passwords. It causes huge hassles, prevents users from taking advantage of resources and is an absolute disaster for security.
What I'm listening to now on Pandora...
And not just on the IT side. Arbitrary security requirements often slow progress tremendously if the don't halt it altogether. It's grown its own huge beaurocracy & career path. And heaven help you if you question anything security requires. I've literally been told that I'm "unamerican" because I questioned a particularly useless security requirement that arbitrarily levied on us. And you wonder why I post this AC?
And the economic cost is enormous - I used to work in a major acquisition system program office (SPO). Various security costs amounted to the biggest budget line item in the program, although they were careful not to show it that way on any single chart. And that didn't account for military personell dedicated to security, as they didn't come out of that cost. And it certainly didn't account for the huge drain on productivity it caused.
Of course, when companies get nonsensical security policies, they force people into horribly inefficient and/or insecure workarounds.
Rather than issuing in-office consultants a company e-mail address, CCing a Yahoo.com e-mail address, besides being insecure and unaudited, just looks damn unprofessional.
Don't have a document management system, SFTP, or even FTP? People clog up Exchange with huge attachments with no central control or even a sense of where the authoritative copy of something can be found.
How many of us have run SSH on port 443 on an outside box just for SSH tunneling? I had an employer who blocked 22 specifically because the firewall guys new that inbound tunnels could be opened... but damn it if 443 wasn't wide open.
When C-level execs bitch about things, though, it's not hard to get someone in IT to demand the security equivalent of a chmod -R 777 /
*sigh*
500GB of disk, 5TB of transfer, $5.95/mo
I work in a .mil environment with managed images and very good security. What I'm reading is that your company is still in the learning phase when it comes to customer service balanced with security.
We operate under a standard image architecture with updates and patches pushed out across the enterprise. Proxy servers are a necessary evil, but we are very reasonable on our block lists. (North Korean sites are discouraged along with Ebay...) This is for our unclassified network...
We learned the hard way too. Our first generation of machines were issued with padlocks on the cases and no CDROM drives...
Our IT system never compromises operations for security, and it never has to. Your IT staff may need a bit of fresh air, a few customer-centered workshops, and maybe some field trips to see how others work.
I feel your pain and wish you the best.
ay
Over zealous security is only the result of clueless co-workers. If the company didn't need to protect itself from the threats because people didn't try to open the mail offering them pictures of a tennis star, then I'm betting half the policies wouldn't exist.
I know at my last job the sysadmin lan was basically able to do pretty much anything they wanted - inbound access was controlled, but that was it. but then again, the people who had machines on that lan could be trusted not to be stupid.
Since you can get a replacement RJ45 modular plug for about $0.05, you can easily repair loose connections so you don't lose network access. It's not really that big of a problem.
Security : Top-notch
Users: Some give away their personnal passwords(for legit purposes) instead to ask to the right persons to create new accounts.
Impact on security : The security becomes useless.
This is a problem in many large organisations, specialy when dealing with people who know about nothing about computers and security.
The best excuse for a President, a King or others *insert your words*, is God. God has still yet to find an excuse.
What is the right balance between security and productivity, in the corporate IT environment?
Simple, more security. As more secure systems tend to run more reliably (less bugs) and with lower maintenance (removing root kits)than do less secure systems. Knowing most corporate environments, security tends to be lax.
Looking back at my company, 10 years ago, our machines were connected directly to the Internet, no proxy, no firewall, no antivirus software.
Yes, it was better more than ten years ago. If your computer was connected to the internet and caused someone problems you got kicked off for a week or two to think about it. Some were even blacklisted. And few if any ran Microsoft products as their gateways or terminals.
But the fact is with many hundreds of millions of Internet users today practicing self administration of an inherently insecure OS and trusting everything they click on -- without regard to others or their companies costs, security has had to evolve. And believe it or not, firewalls existed 10 years ago.
Then along comes the modern cowboy on an unmonitored cable connection hacking people for sport and profit. People hack computers just to send spam, and the system/ISP do nothing. They have long since abandoned kicking them off. The result is the problem is mow rampant.
have we become so secure that we're stifling our own ability to get things done?
Not at all, I have always kept important stuff on UNIX and Linux, and professionally manage them like I do at work. They haven't been hacked or wormed. I also tend to use "safe" tools as they also fail less as well are more secure.
But the optimum answer to be secure is to use securable tools and secure practices in what you do with your computer, something like safe sex.
Heh, my Christian University is a lot worse than that. We have mandatory antivirus (which seems to run scans at the most inconvienent times. Cancel them and you get kicked off the network.) We also have to run all traffic through a HTTP proxy, because they block all outgoing port 80 traffic. The HTTP proxy logs all traffic which is then sent to our deans and hall directors, as well as kept on record forever. In addition, it blocks such disgusting websites as Ebaumsworld, and hackaday (hacking is illegal, kids). It can be loads of fun trying to get programs without proxy support to work. We also get AIM file transfer (for my non-geek friends from home) disabled, along with bittorrent and pretty much every non HTTP protocol. They even have a packet shaper which detects traffic on the wrong ports and blocks it, so forget about using a proxy. Internet access at schoool can be much worse than at a workplace... Thank the gods for PGP and dial-up!
general manager of a franchise location-- think 'mcdonalds' but it was not foodservice.
chain (under the guise of 'uniformity' but really as a means to screw every last blood cent out of the franchisees) made mandatory for EVERY SITE in the flock a satellite internet connection, at $150.00 per month.
prior to that, I'd been running on a consumer class verizon dsl account for 30 a month- for me only.
of course, as soon as this high speed (incredible ping) service became mandatory, the owners refused to pay for the 30$ dsl
ya know what- the franchise blocked among others, groups.google.com and refused to unblock any site on the forbidden list.
with 4k locations total, they didn't care jack about one request, and there was no way to get it reversed.
Exactly. Eye-tee has figured out the same thing the government has figured out. Few dare question anything done in the name of security. And those few can be dealth with harshly. It's how they're going to turn corporate computing back into a priesthood.
I too have felt the cold finger of injustice.
" Looking back at my company, 10 years ago, our machines were connected directly to the Internet, no proxy, no firewall, no antivirus software. Today, my company's proxy server blocks access to: 'bad' web sites (such as Google Groups; our 'antivirus' software prevents our machines (even machines that host production applications) from carrying out legitimate functions, such as the sending of email via SMTP; and individual employees are forced to apply security patches with little or no notice,"
Of course its out of hand. Companies, as well as individuals pay alot of money for computers. If we bought a car that needed patching every week to run properly it would be called a lemon. And we have lemon laws. If we bought a TV that needed to be patched every week to work properly we have a warantee to help resolve the issues with that product.
While the computer itself works fine, its the OS and Applications that need constant patching. When the OS makers and Application sellers are held to the same standards as other products are, then maybe you will see your cost of doing buisness with computers go down.
This has been another valuable and informative opinion from:
Catahoula!
I'm the network admin for a small city government and I have to fight hand, tooth and nail to keep acceptable security practices in place. My users, and the senior management also, are constantly trying to get me to basically negate the most essential security because they'd rather have more convenience and if something goes wrong, then they don't give a rat's patootie that I'll be the one getting punished. The users keep wanting full routability from their desktop to the public Internet without any firewall in place, the senior management wants me to place a bunch of unprotected Windows servers onto the raw Internet outside the firewall, everyone complains about spam, and then when they finally get me the funding to buy a Barracuda, they have me configure it to let over half the spam blaze right thru it anyway. Oh, and when anything bad happens because I was ordered to bore a hole thru what's left of my firewall to satisfy some clerk's need for more convenience to access some ftp site or whatever, it suddenly becomes my fault for allowing our network to become vulnerable. And here's the clincher... one of our own desktop support techs got caught using one of the cops' computers to download a bunch of porn, that somehow became my fault too even though I am not permitted to have any authority over the police dept network security or access controls.
It's tough when you are forced to bear all the responsibility, yet have no effective authority in matters of network security. I say give you network admins more power and authority... after all the company network (or govt org's network) is a business tool that was put in place for the purpose of conducting valid business, not for the users entertaining themselves on the Internet.
You need to talk to my sys admin. Our corporate system is so locked down that it's next to impossible to get anything done! He enforces an insane level of "security" and wears it as a badge of honor that he is pissing off most of the workers; it shows he's doing a good job. It's an absolute pain in teh ass to work on our system.
Years ago people didn't lock their doors because everyone knew each other. Years ago you didn't need a firewall in many cases and these things weren't on your mind. Times change and you have to protect yourself.
Many of the complaints in the submission sound like bad IT or mis-directed policy. AV might block a server from sending SMTP mail, but how is it supposed to know it's legit? The IT staff should be telling it which is legit. Users shouldn't be responsible in a corporate environment for patches and updates. That's the Network Group's job. They need to be making it as painless as possible for the end user. I don't expect my users to know about updates and patches and exploits. That's why my team is there.
You should have simply rebooted to the XP side and run the updates. If you want the luxury of a dual-boot system, you should be willing to maintain both halves.
My policy for dual-boot machines is this: No. You can have two machines. I'll get you two monitors you can use dual-head on each machine, a KVM, your own switch, and I'll even clean the goo off your keyboard. But I won't manage a dual boot machine, and I don't want them on my network.
Why?
Raise your children as if you were teaching them to raise your grandchildren, because you are.
but employers do have a right to dictate what happens on their own property. (Although some employers are abusing this right now to dictate what happens on their employers' property, which must be stopped and soon.)
Any employee computer activity on the job, especially internet activity, is a potential liability for the company, and if you browse to the wrong site you can get hit with spyware, cookies, etc. that could compromise the security of the network. Get nailed with a keylogger cookie and all your intellectual property could be stolen.
One day the employees are playing Unreal Tournament 2004 online. The next day it could be this.
Now, honestly, I feel bad about saying all that because I've lived through dialup and I loved to use my high speed access at work before I got my blazing high speed cable modem. But this is the reality of things. Employee optimization, as it is called, can save an employer from FBI raids, massive RIAA litigation, IP theft, and other horrors.
--- Grow a pair, liberals... stop letting the Republicans bully you!
How about too many accounts and strict passwords? That part drives me nuts.
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
Security has very little to do with updating your virus definitions hourly, and everything to do with knowing when to just unplug the box and find another way to get the job done. What's your risk model? Point granted: the network is a demanding mistress. But fortunately, everyday risk is often handled best by the simplest of means. Stop instant messaging the person one cubicle owner, and get to know your local coffeeshop owner. Or neighborhood banker.
http://tinyurl.com/4ny52
Hey Cliff
My opinion is based on 10 years as a computer professional. I have predominantly performed some level or type of support working with end users. Which means I may be a little biased.
My opinion:
It is important that there is a balance between security and freedom. The best balance maximizes productivity.
"FREEDOM!"(Mel Gibbson, Bravehart)
On one side we have the users freedom to do whatever they want. This can and will cause hits to productivity in a number of ways. It's my opinion that the most significant of these ways is the productivity hit of viruses, spyware, and problems caused by the install of unapproved programs.
SECURITY (sorry can't think of a qoute)
On the security side productivity can be hampered by having to go through red tape to do your job, having to get special permission for important job related functions, or simply limiting your otherwise boundless resources.
After seeing and experiencing what I have I beleive the best is to provide all protection possible that doesn't limit freedom. Then make policies regarding misuse of the equipment. Create limitations as needed based on abuses that decrease productivity (if everyone is using internet radio they won't stop and it is hurting network bandwidth start blocking those sites or services).
Good luck.
You're upset over your access to the Interent?
We have no e-mail, no web access, no ftp, nothing. We have no networking at all!
I work on a combat vessel. None of our systems are networked -- at all. The Commander won't allow it. We're defending a civilian fleet and every member of our enemy forces, literally every one, knows enough about computers that they could infect any of our systems with some of the nastiest computer viruses you've ever seen. The XO, on one occasion, allowed them to network a few computers to calculate our course so we could catch up to the rest of the fleet and it resulted in a firewall weak enough for the enemy to penetrate the system. They almost brought down all the systems on the entire vessel. At one point (the start of the recent hostilities), a number of our fighters were completely disabled and taken out by the enemy because their onboard computers were targeted, knocked offline, and the fighters left defenseless and were picked off one by one.
So if you're complaining about having to deal with web proxies and firewalls, be happy you're not serving on our ship.
Company B - XP Pro locked down so tightly that we can do browsing, email and that's it. No virii in 2 years that I've seen or known about. Patches done to all workstations in a two week window.
The staff in company B are more productive, less distracted and have significantly more uptime, so I think the heightened security is a good thing.
I'll tolerate anything except intolerance.
(Whoops should have been Highlander (with an R))
The stupid part of the story (as told by the poster) is that these IT "professionals" didn't seem to understand that Linux is incompatible with XP.
Why are people who don't comprehend - or can't communicate - this employed in an IT organization??
Had they just explained things the way you explain them in your post, there would be no problem.
Yes, security is most definitely being used as the stick to beat end-users down as far as 'distractions' go. I have had the fortunate experience to work for a company where the motto is:
"It's the result that matters."
If you spend time on slashdot or other forums during the day that's ok (and most definitely not filtered) -- but at the end of the month you have XYZ to get done. If you get it done by working nights / weekends that's your prerogative. Flexibility like this is one of the reasons why we've had zero turnover in my department in almost 5 years.
The tighter companies restrict internet usage and employee behavior, the less personally attached to the company (and their work) the people get, at least in my experience. Companies with fanatic employees can do great things. Companies with people that feel oppressed are just places to work.
The first problem you mentioned is what we always call 'management by magazine.' Some exec saw something on cnn / in a magazine / at his country club and wants to know what it's not being run. Thankfully most executives are adverse to spending money -- and in this case it's usually a good way to end some of the ideas they bring to the table.
Speaking of the idea of 'having something just to have it' -- I think this is a problem that's being pushed along by things like SOX / PCI / CISP / and other compliance programs. "We're required to have intrusion detection" so people get out a checkbook and make rash decisions just to put a check in a column.
I am probably one of the only mac users on a large (50000+ employees) network. I practically daily messages about patches, reboots, viruses, malware, etc. from corporate IT. I ignore them, and simply keep my computer up to date via Software Update. Ironically, my computer being on the network technically violates IT policy. If I were to follow IT policy, I wouldn't get work done. Why can't IT leave people alone, especially in technical (engineering) environments?
I have run into this problem at my college as well. Virtually every port is closed except those needed fot http, https, ftp, and smtp. I cannot use RDP, SSH, or VNC to check on my servers at home or at work. Frankly, with better security implementation they could allow these services to students without compromising themselves too much. I think it is mostly just the higher-ups in the college who are all concerned about "piracy" and hackers.
What a timely question. I have never seen so much time and effort spent on defensive measures that have no value other than to keep machines from being completely useless. Anti spyware. Anti virus. Bureaucratic hoops. Authoritarian policy smackdowns. Network restrictions. The sad thing is, it's not entirely unjustified. Without these measures, and even with them, we spend countless hours repairing the damage caused by viruses and other malware. So much time, money, and effort just to keep the ship from completely sinking. It's absolutely pathetic.
I spent some time talking to a guy who runs an IT department for an organization that almost exclusively uses Macs. They have no such problems. Stuff just works. My linux machines likewise just work, as do my BSD boxes.
I don't care if it's because MS products are inherently less secure, or if they just happen to be the biggest target. The obvious truth that so many people want to sweep under the rug is that MS products are one big rip roaring pain in the ass to maintain. I am so absolutely sick of MS apologists hiding behind Gartner group PR in an effort to promote this continuing assault on everyone's productivity. "More policies" they say. "More anti-this and anti-that! Stricter controls! Take people off of the network! Limit their use of the network!" On and on and on. If you have a rabid dog, don't wrap yourself up in blankets and swallow your medicine cabinet! Git rid of the git! Could anything be more obvious?!
It's about time someone got fired for buying Microsoft. Really. The people who are promoting Microsoft are wasting your company's money. They are wasting people's time. It's coming out of your pocket.
really, the only people that aren't a security risk without security disabled can easily get around it, if they need (or want...) to. The average luser will cause more problems than this security will. The key to this though, is punishment of those who circumvent security. At my school, I regularly aid even teachers in getting freemail access, around the filter, etc. They trust me because they know I'm smart enough to do this, and not do anything stupid with my 'superpowers'. Most of them are well aware that the security there is bad and the IT staff unskilled (with few exceptions) enough that if I really had ill will in my heart there's not much they could do to stop or even catch me. My cousin's school used to be like this, but then a new administrator came along and changed the rules. My cousin was found using a proxy that SOMEONE ELSE had once, A YEAR AGO, used to look at ONE pr0n site and was suspended for a week (and grounded). The biggest irony is that he used the proxy to get to a site he NEEDED for his assignment. I don't hate stupid people (everyone is stupid in some ways) but everyone hates having an idiot in charge and being unable to avoid their work. With a bad restaraunt, you can go elsewhere, with a bad leader, your options are limited (esp. when you don't get a say in determining the leader).
The 'Net is a waste of time, and that's exactly what's right about it. - William Gibson
A few years ago we had to put an ssh server on the telnet port, because one of our users was at the Federal Reserve Board, whose security committee hadn't approved outbound access to ssh servers on the usual port! In a telephone conversation with me, their security person suggested I turn on the telnet server at my end, and said that he had read about security issues with ssh that discouraged them from allowing it!
Lots (not all) IT security is just dumb rules of thumb with no analysis or understanding. Lots of IT staff don't think the other employees have work to do, and don't mind interfering with their efforts. As the years go by, management will become more experienced at understanding who is a blowhard and who knows what they are talking about. But it will take time.
That's not a problem with technology. That's a problem with a legal system that's feeble against protecting free speech and free expression.
So what if you're looking at hardcore pornography at work? It's of no concern to any coworker of yours who might happen to notice while he or she is walking. Of course, your manager may get angry at you for wasting company time. But nothing about the act of you looking at midgets sucking on horse cock, for instance, is truly harmful to anyone.
Cyric Zndovzny at your service.
It is imporant to get the basics, and most of the basics can be taken care of by IT. If done properly won't impact the user at all. "What about passwords?" you might ask. The most insecure thing at most companies will always be the user. The best thing to do is be sure that no normal user has access to everything; every record, every file, every database . . . This will limit a lot of damage. I tend to believe user education is a waste of time too. It isn't a user's job to worry about this stuff, and the fact that we have poorly designed OS's isn't their fault. Other than these issues, most security-related issues can be taken care of behind the scenes.
BTW not sure why your company is mandating manual patching versus implementing Windoz Update Services (WUS). Computers patch and reboot VERY early in the morning, and the user doesn't have any choice in the matter. I have never had problems with this procedure BTW.
-Schnibitz
Have you ever used USENET? Many of the comp.* groups are quite active, and many are a prime source for information concerning IT-related issues. If you want help, that's the place to go. You'll often get a quick answer, often from somebody with a high level of expertise.
Cyric Zndovzny at your service.
I develop display software for US military aircraft. IT wants the company to switch from UNIX boxes (Suns) to Windows. Need I say it sucks? Windows screws up the case in filenames. The machines aren't set up to carry your environment from one box to another. They have to be rebooted at least every couple of days. There's so much useless crap loaded at boot that they've already consumed 300MBs of RAM before you log on. Then when they are running they're constantly probed by the mother ship. We have the blocked URLs and crappy internet access but I can live with that. They upgraded all the machines from W2K to XP but didn't bother to get compatible applications. I can't run Outlook and my Xserver at the same time. Guess which one doesn't get run? Then there's the phone system.....
We have pretty much no security policies where I work, and as such really no security problems that I could see. Just my $.02 === Your PC has been infected by SPYWARE! You need Ultra Spyware Removal 6000 to fully optimize your PC for the internet! Download now at www.ultraspywareremoval6000.cx and get started today! ===
(term coined by Bruce Schneier, AFAIK)
What bothers me more than the company turning down the screws to secure things is when they turn down the screws to secure things, without really accomplishing that end. I certainly won't disagree with a software maintenance policy, for Windows, Linux, and everything else. Nor will I disagree with firewalls and enforcing company policies across them.
But if I were to tell some of the more boneheaded things that are ALSO done, and the holes obliviously left open, you'd either know where I work, or how to crack the place.
The living have better things to do than to continue hating the dead.
I work for a company which has a very restrictive policy. All PCs are centrally managed, monitored, patches are remotely applied, internet access is very strict (only ports 80, 443 outbound allowed). All access is via corporate proxy server with layer 7 filtering. Every outbound access is logged.
However, despite these measures I can still use JAP or Tor to access any site. I can still ssh (via ProxyTunnel) to my home PC over port (my sshd runs on port 443). Basically, it just means I have to go through hoops to get stuff done.
I understand that these measures are aimed at the non-geeks - the same people who have spyware infested PCs at home (and aren't even aware of it). However for geeks in the I.T. dept like myself, it is just a futile arms race which can never be won by either side.
What is the productivity of a system full of spyware/viruses? Usually, just about zero.
If you can restore a system in a matter of minutes (deep freeze), then maybe it's not such a big deal to have a secure system. But if it takes an hour or a day, then its a bigger deal.
- The reasons there are driving rules is because kars kan KILL people!!! Komputer security is mainly about defending ourselves from other komputer users!
- If your kar is speeding a kop kan chase you down and give you a tikket!
- You have a kourt where you kan go with your tikket and fight the tikket!
- You drive your kar so much because there are bigger and better highways, and that means you need better tires!
- You lokk your kar because anyone kan drive your kar anywhere and there are so many kars that noone can point out a stolen kar!
- You can get away with your kar after a theft!
- People die in kar accidents!
Some kuestions for u:1. How will u break speed limits in your komputer?
2. How kan u kill someone with your komputer? (other than hitting them on the head)
3. How kan u put a steering lokk in your komputer?
As car thefts become a norm, we must lock our cars, when that's not enough, we need to put on the steering lock, alarm, then immobalizer, and now the security datadot. However, I think overall we do benefit from the introduction of vehicles.
I kan't wait for the day when komputer theft bekomes a "norm". So much for an insightful komment!!!!
Apparently the guys at my school district all want to kill me or something. I remember just a couple years ago, you could get away with just about anything – now they've got a proxy server that blocks everything, even my own Linux system / school project, and (anti-)virus software that never stops running. All the control panels have been locked down, you can't even access the Task Manager or lock your screen to keep other people from using it. And of course they're always spying on us me, too – they think I'm some trying to take them down all because I managed to use an SSH tunnel to pass through to my own machine to work on a LEGITIMATE SCHOOL PROJECT.
Hmm, if that isn't overzealous security I don't know what is.
Creative misinterpretation is your friend.
What's more, unlike the useful free accounts such as gmail and yahoo that often put suspect mail into a spam box, I have no access or knowledge of what the spam filter is destroying - so emails aren't received, customers get cranky and information is lost, time is wasted. I'm sure there must be others who feel the pain of spam filters both at work and home.
Companies today cannot afford to not be producing at 100% efficiency. With increasing competition from China, India, and numerous other nations, any large company that is not completely efficient will quickly run into problems, if not a swift bankruptcy.
Much like a nation should never trade freedom and liberty for security, a firm cannot trade efficiency for security. The end result is a defunct nation or firm, void of all it once stood for.
Cyric Zndovzny at your service.
so the question is, would you risk your job over the security of your workstation? I hope not... If so you are a moron and deserve MIS to come craking down on you. MIS and HR are tight at my company, and for good reason.
> [...] individual employees are forced to apply security patches with little or no notice, under threat of their machines loosing network access [...]
One thing you DON'T want is your network getting all loose; the bits fall out everywhere and it's very messy.
So keep your network tight! Apply patches!
I don't know the meaning of the word 'don't' - J
Yeah, weird that they might want a machine running Windows XP to be updated. You might have Linux on the machine, but you also had Windows XP, and it sounds like it was missing security patches.
The fact that he hadn't noticed the loginscripts for over a week indicates to me that the didn't use his XP installation at work alot and even then how can you assert it wasn't patched? He may even have had to wait until a patch becaeme available to qualify for a connection because his XP installation was already fully patches! Off hand I am guessing this guy probably got issued a laptop from his employer and used installed Linux on it for day to day for home as well as for work use dual booted with XP for mostly for gaming and perhaps for that once-in-a-blue-moon that he couldn't get something done at work with Wine+[Random M$ application] and for Gaming.
I fail to see how this was stupid of the network admins. Draconian maybe, but it got you to apply the security patches.
It is stupid because they could have exempted him from their Windows specific policy quite easily. It is stupid because they may even have given him a hard time because they didn't even know how to exempt a non Windows boxen from their MS specific setup. All it would have taken was to send somebody up stairs to check out his setup for security and if it was OK adapt the policy. If you are an IT tech that works alot around Engineers, non-MS admins or Programmers you are going to have to get used to cases like this (ie. escaped mental patients who use Linux or OS.X in a corporate environment) and unless you find out how to cater to people running non-MS Operating systems you will quickly find out that you haven't got any friends willing to do you a favor when you really need it (ie. when you have screwed up and need a quick fix from the local nerds).
Only to idiots, are orders laws.
-- Henning von Tresckow
Information security is not just about what comes in the door (via the internet), but also what goes out, whether by telephone, paper, or via internet using data collection tools, such as the ones in the Google or Yahoo toolbars which permit "anonymous" collection of some user information. Is it overkill? It depends on how valuable/sensitive your data. My organization searches the dumpster ocassionally to see how much data can be mined. The company policy is that everything gets shredded and sent to recycle. How many manhours are consumed by that? Lots.
You sir, need to accept the bureaucratic nature of large organizations. There have been a few times that I've had to do some really asinine things in order to keep my job. I knew it was bullshit, my coworkers knew it was BS, and the poor SOB on the other end really knew it was BS. But, if either strayed from policy it was our asses. Why was this policy in place? Because the higher ups didn't want to take the time for all of the inevitable exceptions that occur.
The solution? Acceptance - Zen practice. Or, start your own organizaton - if possible. Entrepreneurship!
There's a reason why small companies are the ones that are creating most of the jobs. There's a reason why small companies are the innovators. There's a reason ... you get the idea.
So the question that LEAPS out at me, is how can they block groups.gooogle.com as being a "bad" site, and still allow access to slashdot? WTF??
Seriously, one of the problems has a relatively simple solution. Antivirus is running, and blocking SMTP. I am assuming that you run an "enterprise" edition of some anti-virus software. They probably have one group policy set for all machines, since everyone uses outlook or something.. This is not taking into account your groups machines, that need it to get work done. Usually,, you can create another "group" in the software, and give them slightly different configs.. (like letting SMTP through) and only putting your machines that NEED it in that group..
The other possiblity (wasn't explained well) is that they block port 25 on the network. This is a little more difficult. I personally have my routers set to deny any outbound port 25 connection that is not from a list of mail servers.. It gets logged, I get an email, and I have a pretty good idea what machine is infected with a virus... (also handy for other ports, 110, 443, 135, etc)
Egress filtering! its good to be a nice Net-Neighbor!
What are we going to do tonight Brain?
Sounds like someone needs Altiris: www.altiris.com
To a large extent, it depends on who you are, who most of the computer users are, and what objectives the IT security staff has. Our company has had its share of lockdown mania. We're about to go through another one very soon. The problem is technical ignorance. Those in charge do not understand what the fundamental issues are.
In fact, although it's possible to secure a gaggle of Windows based systems, most people don't know enough to do it right. And in addition, once you learn that much, you begin to see the wisdom of the designs in so many other "complicated" OSs. It's not that Windows is more or less complex. It's just that they have successfully marketed themselves as the "easy to use and secure" OS even though the underlying concepts are anything but.
Real security comes from understanding. That understanding is not commonly found among the many people who call themselves Windows network administrators. That's why this problem exists.
In other words, Marketing is one of the biggest reasons why Windows really sucks. The security features are there. It's just that learning to use them is far more difficult than most customers have bargained for and the folks who market this stuff do not want that commonly known. They'd rather sell security "improvements" and update services...
Nearly fifty percent of all graduates come from the bottom half of the class!
My company has been in the middle of the road - until recently. One day, I was attempting to download an update to one of my favorite Firefox extensions, and low and behold - mozilla.org was blocked by our firewall.
I thought this was just an oversight or something, so I submitted a request (like many others I've done in the past) to get mozilla.org unblocked - and was given a message sorta like this:
"Mozilla and Firefox are now blocked - not approved software anymore, due to a vulnerability identified in a pre-1.0 version of Firefox"
Huh? So I'm to run this thing I haven't run in a LONG time called Internet Explorer? Umm
When I pressed them, their response was "with IE, even if there are 100 patches released every week - at least we have an automated way to distribute them to the thousands of systems in the corp. With Firefox, there is _no_ way to do this - so a single vulnerability puts us at a much greater risk"
Now, I'm no Microsoft admin or anything - so I'll look to the community here: am I getting smoke blown up my ass? Is this just a case of ignorance by my admins? Or, are they being honest? If they are, I think this is something that should definitely be addressed if we're ever going to get FF accepted in corporate America.
At a Federal Agency (US) that will remain nameless, they have gone to great lengths to approve applications that get along with a standard operating environment and severely limit the use of applications not in that list. They don't go quite as far with taking machines off the network if they don't have updates/patches, as your company does, even though it is being discussed. There are quite a few limitations put on what types of files can be emailed, what sites on the internet that can be viewed (if the user even has permissions to access the internet).
"Mentally confused and prone to wandering."
OK folks, I can see modding my post "Offtopic" (I said as much in it), but "Flamebait"? C'mon.
Assume that almost all software -- including firewalls, anti-virus programs, and operating systems -- is crap, and probably has security holes. This is not an unreasonable assumption. Once you make that assumption, you can understand why companies put up so many barriers because all of the barriers are made of crap. This way, attackers have to sift through a lot of crap to get what they are after, and hopefully most will give up before succeeding.
http://outcampaign.org/
In a large organization, no one is going to stand up and say, "You know, this is getting kind of silly," for fear that the next "security event" would be blamed on them. We are in a society where the media has hyped up security risks as much as terrorism and everyone is running around securing their closet doors.
Meanwhile, someone dimwit from payroll has a laptop sitting in their a car, parked in a grocery store parking lot, with a 1/4 inch of glass keeping my salary history out of a pawn shop. Sleep tight, o' protector of security.
Name withheld to prevent my server from dropping off the network.
No computer is safer than one that is not connected to the Internet... wait, that probably doesn't help you much. Pay no attention to the man behind the curtain!
Why not? Production machines need to be able to mail their owners about problems. Desktops need to be able to send mail. Both might just not be Windoze machines able to talk to your crappy, virused out Exchange "server".
Not accepting SMTP requests from desktops is just another workaround to M$'s really shitty security that won't work. The virus writers will figure out how to use the exchange server through 2k worth of API calls before the ability comes to either of the uses you deride.
I'm willing to bet they think it's [applying "security patches" that break everything else] important...no one lets themselves in for a shitstorm voluntarily just 'cos it's, you know, second Tuesday of the month.
Can you imagine that mindlessly applying "patches" that never seem to really improve security but manage to make machines stop working is a bad idea? What's important to you should be that people and machines do what they are supposed to.
I'm lucky so far -- it's a small company, people are well-behaved, and I don't have to implement the policies you describe.
It's not the users. Think about it and tell me why you have never heard of such problems in places that use Macs. Don't tell me that it's because graphic designers are better behaved or know more about computers than the rest of us. Well, they do know better than to use computers that need and Administrator like you.
Friends don't help friends install M$ junk.
You do all of this, yet the same thing happens every year. Why is that?
Friends don't help friends install M$ junk.
About 15 senior engineers and managers of the water & wastewater utilities that serve a city of a million people (combined yearly budget: >$250M) gathered in a conference room with the manager that handles the IT budget (>$4M) for both - to watch an American Waterworks Association "Webcast" about "Managing Your Assets" that uses streaming media, your choice of Win Media or Real.
Tried the Windows Media player - no go. "We saw a Webcast at another boardroom", said one guy - "we had to use Real - because of the corporate firewall.". Didn't have Real. Tried to install. But the manager for all our IT did not have an Admin login on the XP machine - or any other XP machine that she signs off on over a million dollars a year for, to get corporate IT support.
NOBODY outside the actual IT dept has an admin password on any machine connected to our network; and believe me, they are so locked down I have icons on my desktop I can't delete; and I certainly can't install anything that doesn't run entirely in my own home directory; "C:\" is locked to me, for instance. Almost every installer just dies before it starts with a message that "your account can't install this".
I agree this is a good thing for 90% of users; but the manager in question - and I - were doing PC support and Unix workstation builds back when the first 286 hit the corporation. Doesn't matter. No exceptions.
Anyway, the whole meeting broke up, the reps from some local companies that are much smaller and, ahhh, less formal about such things, shaking their heads in wonder.
It's the "no exceptions" thing that is the mistake. So my vote is "Yeah, It's Gone Too Far".
Bill Gates Loves You.
On this planet, where you know, people need to get things done there is software that works.
Friends don't help friends install M$ junk.
Disclaimer: I work on the security team for a rather large (Fortune 5) corporation.
I would say, compare the environment of the public internet to how it was ten years ago. Would you place your unpatched Windows machine directly on the public internet now? You have (roughly) ten minutes before another infected machine exploits one of the dozen out-of-the-box vulnerabilities that will allow them to run anything it wants on your PC. Not the case ten years ago.
Unfortunately, what was once a rather quiet suburb filled with geeks posting to Usenet and using Mosaic is now a post-nuclear, disease filled demilitarized zone where so many infected systems simply sit and try to infect others that a defenseless machine (or a network of them) is doomed.
Trying to manage security in this environment is a much more difficult job than it ever has been, and every month that goes by makes it more difficult. We shudder on the second Tuesday of every month at what new terrifying vulnerability Microsoft will tell us is in their product that's deployed on a hundred thousand machines on our network. We plead with other IT teams (networking, server admins, client admins) to implement our tools and software and protect the environment, but most of them get pushed to the back burner, either because it's "too invasive", i.e. it annoys the end user too much; or it costs too much; or they just don't have the time.
Then MS05-039 is released. We plead and plead for the patches to be distributed right away because of how severe the threat is. But users like the submitter can't stand to have their PC rebooted unless it's the absolute perfect time. Plus, we have 1700+ applications to test compatibility with the patch on, on hundreds of different PC environments. And it requires a service pack we don't have deployed everywhere, again, because it's too invasive.
Then Zotob.E gets into the environment, and shuts down large sites in a matter of minutes. Then people scream even louder! Where is security? Why didn't they prevent this?
Because no one takes security seriously until it's too late.
From a security admin's perspective, we never have enough resources or management support to fully defend against even the most prevalent threats. Because security (and, as most admins know, IT in general) is underfunded. Because of (very real) scenarios like I described above, we have much more support than we did, and things are improving.
I guess my point is, step into our shoes for a few days. We don't enjoy being draconian - we like Google Groups as much as anyone else! But there are so many attack vectors that we have to be concerned about to protect the environment - and it only takes one. One of my co-workers is fond of the saying, "the hackers only have to be lucky once - you have to be lucky all of the time."
I guarantee every IT admin reading this is thinking, well, if you did this instead of that, if you had two hundred guys on your security team, with all of them testing patches, while listening to every end user complaint and rectifying their situation immediately, you could stay out of the end-user's way! Trust me - we know. We wish our teams were as stacked as they should be. Heck, we wish it wasn't necessary at all to have to defend against stuff like WMF, where any end-user clicking on a link from their IM buddy could get exploited in a second... we wish it wasn't like this. We wish things could go back to how they were ten years ago. The reality is, this is the internet we built and we are fighting to protect our assets from.
---
"how can the same street intersect with itself? i must be at the nexus of the universe!" - cosmo kramer
I needed to rant about the company I work for. Our IT security people have this cool ability get in the way of absolutely everything I need to do for my job -- all in the name of security.
1. I had to cancel my MacBook Pro order because user-directory encryption (FileVault) is not good enough they want full HD encryption. So no mac laptops. Sorry, it's security policy.
2. We can send 3. They block all file types in email with a known extension. So you have to make up an extension and rename the file.
4. Our screen savers come on after 1min and we must type our passwords to get back to the desktop.
5. The virus scanner runs during peek office hours and brings our PC's performance back to the stone age.
6. There is a web filter which is always blocking legit websites. It has an animation and it makes you feel like a criminal.
7. User passwords expire in 90 days and must be the standard Alpha-numeric+non-alpha-numeric+long+never used before... which is actually fine except the AD admin password is something any dictionary attack could break in 1 second and it never changes.
I thought that the IT department was supposed to provide the IT services that the company employees need. Lately, the IT department is deciding what we need without asking for our input. If you go around their back to get your work done (use an anonymizer to access the web, P2P to send files to customer...) you can get fired for being a 'hacker'.
All this whole comment is about is "I can't surf without penalty, I can't run my own machine, wahh..."
.....
First: Did you buy the network infrastructure? If not, then you don't make policy.
Second: Did you buy the computer? No? Then again, you can't bitch about the way it's controlled.
Why stop SMTP mail? On a Windows network, if you're running Exchange, there is NO reason to have SMTP mail enabled. Outlook transfers its mail to Exchange for delivery. Unless, of course, you're trying to bypass the corporate mail server.
"Overzealous Proxy Servers" - ? Hardly. Deny all, explicitly allow.
In most cases, you do NOT own the computer. Even if you DO (contractor), then you don't own the network infrastructure.
Too many liabilities - including morons like the submitter - are why *real* IT staffs have to keep things under tight control and wraps, so that when the next Windows vulnerability surfaces, we can limit its impact and rampant stupidity.
However, since this is gonna be posted AC, nobody will read it anyway
If your company was really doing their job, you would not be able to install any software. You would be a Restricted User. We changed everyone to RU a year ago after our first SarBox "unauthorized software" audit turned up 900+ programs on 1,100 computers. RU was shot down time and time again by mgmt, right up to the point that they realized their butt was now on the firing line. This year's audit turned up less than 20 unauthorized programs, and many were on IT staffer's computers (can you say "abuse of authority"?).
Spyware/adware/malware? Gone. No scanning programs needed. Remote users shipping in infested computers full of kid's games amd peer-to-peer software? Gone. Liability to the company for illicit activities? Drastically reduced.
If your company was really doing their job, very few people would have unlimited access to the Internet. Why should they allow millions and millions of web sites, many malware infested, when maybe a couple of hundred are required, or maybe even a thousand, would handle all of the business needs for the vast majority of employees?. This is one of the best ways to reduce the exposure.
Why would you want to run SMTP from your desktop? That's dumb. The firewall rules should only allow specified traffic from known sources and drop everything else.
The principle of least privilege says you give people the minimum needed to do their job and that's it. It doesn't say you give them less, which causes job issues and it certainly doesn't say you open up everything.
Why should IT waste their limited time cleaning up the mess you caused?
For those in who suffer the indignities, torture, and gagging suffocation of being on the No More Connectivity Intranet... ouch.
:-(
:-)
You gotta love a multi-million dollar boondogle with highlights like this:
Only one in four of our users now wants to stab out their eyes with a government pen!
"The latest Navy Marine Corps Intranet (NMCI) Customer Satisfaction Survey results continued to show slow but steady improvement in user satisfaction with NMCI and EDS related services. For the second quarter of 2005, overall NMCI customer satisfaction increased two percent to 76 percent."
Name renaming by the Department of Redundacy Dept.
"The Assistant Secretary of the Navy for Research, Development and Acquisition (ASN-RDA), Mr. John Young, has restructured the NMCI office. Previously called the NMCI Directors Office, this office has been renamed the 'Direct Reporting Program Manager (DRPM) NMCI.'"
Reassembling random Dilbert quotes generates a Mission Statement
"NMCI is an initiative that launches the Department of the Navy's (DoN) first step toward reaching both Joint Vision 2010 and Joint Vision 2020's goal of information superiority for the Department of Defense. NMCI delivers a comprehensive, end-to-end information services to the DoN through a common computing and communications environment. This will enhance system and software interoperability and, in turn, enhance information exchange capability for garrisoned and deployed forces as well as individual users. "
But at least EDS is making lots of money!
ISPs are able to serve thousands without blocking ports or web sites, and don't disconnect customers for not installing the latest patches. Some cities are even putting in free wireless Internet access for anyone and everyone, no identification, membership, or monthly fees required. There are plenty of cafes, bookstores, motels, and other businesses that offer free Internet access. What's their secret that, unlike the typical employer, they can grant free access without having their networks slowed to uselessness by a ton of spam and virii and whatever else?
What is it about work environments that management and administration want to hold users hands more firmly than the users want them held? They convince themselves it's in everyone's best interests, even the users who are only "occasionally" inconvenienced. Security is too easy to use to excuse all sorts of obnoxious policies, and not just in IT. They forcibly take responsibility, then have the nerve to sneer about employees being whiny, dependent, clueless lusers, not appreciating they're partly to blame for fostering and forcing the dependence. I've seen this attitude too often in network admins. I've had far more trouble from overzealous security than I've ever had from the stuff the security is supposed to protect me from. And, yes, I've used computers just fine with far less protection than most admins seem to think necessary. In other words, you don't need the latest patch to fix the vulnerability in the never used service that listens on ports 135 to 139 if you simply shut that service off or block those ports yourself with your own firewall. You don't need the continuously operating automatic virus scanner chewing up 50% or more of your processor time and banging your hard drive as hard as a virus would if you use apps like Thunderbird and not a broken email app like Outlook. It's like the bad old days of Ma Bell, when ordinary mortals were not permitted to use anything but a few basic models of phones, no modems, and the phones were only leased out-- Ma Bell still owned them. Today, phones are libre, but computers sure aren't.
Intellectual Property is a monopolistic, selfish, and defective concept. It is "tyranny over the mind of man"
A decade ago it was not unusual for corporate networks to have little or no restrictions on end users. Workstations, servers and even printers had publicly routable addresses and free access to the internet as it was. Back then we had to deal with relatively few miscreants... the occasional "ping of death", "teardrop" or the dreaded "smurf" attack. Malicious activities could be deflected by a few simple firewall rules.
Flip the calendar ahead 10 years... The internet is ripe with malicious content. Organized groups of crackers, writing exploit code for every system vulnerability imaginable... Script kiddies gaining "respect" relative to the number of machines they can compromise for addition to their bot-nets... Spammers building their armies of compromised boxes to anonymously sell viagra and fake rolexes... the list goes on and on. In short, the need for network security is real and sometimes the end user is inconvenienced in the process of running a tight ship.
In an ideal corporate world, the bad guys would stay out and the users would have everything they want. In the real world there is a balancing act that weighs a security "best effort" against business needs. It sounds to me as if the original poster's company is in the early stages of making this happen. Security measures are being taken and users are feeling the pain. The next step is for the users to identify the needs that are not being met and challenge their management and IT resources to provide for those needs while making a best effort to do so securely. This, unfortunately, often involves plenty of corporate political bullshit and associated headaches, but if you can show a LEGIT business need, it should make it through the process.
I manage all internet connectiity and perimeter security for a very large healthcare foundation that includes several hospitals, physicians offices and research facilities. Not a day goes by without some kind of request for additional access to some resource. Most are reasonable and can be accomodated with little or no impact on security. Some are not so reasonable politely rejected with a comprehensive explanation of why it's not gonna happen and where applicable, alternative solutions are offered.
As for the original poster's situation... should end users be applying system patches? hell no. IT folks get paid to do that. Should individual workstations be sending SMTP traffic beyond the network perimeter? hell no! IT folks should make a suitably secured SMTP gateway available. Should users be able to go anywhere on the 'net they want? hell no! The company pays for the bandwidth and owns the workstations... they can say "no" to anything they consider to be unrelated to doing business. If users need to get somewhere on the filtered list, it should be easy enough to justify it to management. Do the homework and make your case... you'll get much farther than someone that just pisses and moans about how restrictive those IT bastards are.
Best of luck.
chown -R us
Pffft, firewalls and 8 different passwords for 6 different systems is nothing. What about being in a building behind three layers of locked doors, having to lock down your desk and all your files over night because they don't even trust the cleaning crew. Shoot, they don't even trust the daytime workers either, get up from your desk, ok lock your workstation. I've gotten so used to that when I walk away from my pc at home I hit ctr+alt+del just by reflex. What's worse is we can't even leave paperwork face up on our desk over lunch breaks. Everything must be turned over.
At this rate we won't even be allowed to look like we're doing anything. We'll just have to sit at an empty desk with a blank screen on the monitor.
For all the things companies do poorly, I've found my own company does IT pretty well ... or, at least the portions you mentioned.
The proxy really only blocks things you truly shouldn't be viewing while at work. They tried keyword filtering, but when it failed it was backed off and progress kept moving forward.
Security patches and such are handled decently (if you're on the corporate domain). If you're not on the corporate domain, see next item.
A/V is really the only thing that ever crops up and "interferes" with normal (legitimate) work. If you have an active virus, the networking group disables your network port until things are cleared up. Typically people get the virus in the first place because they don't have their machine patched. If you become a problem it goes to your management (either because someone picks up the phone and calls your manager, or more likely you can't get your work done and your manager finds out you've been wasting your time setting up your own domain and goofing around doing irrelevant things).
Winners tell stories while losers yell deal.
I would agree, especially with the second point. Does your employer pay you for every minute you worry or think about your job when you're at home? If not, then what reasonable basis do they have for forcing you to spend every minute at work thinking about your job. I mean its one thing if someone is spending the entire fscking work day reading /. (I'm available for any jobs that entail that ;) ), but its another thing entirely if they spend like 2 or 3 minutes here and there reading a website/usenet or emailing/calling a friend or spouse or something.
Every time you post an article on Slashdot, I kill a server. Think of the servers!
Security technologies these days are pretty well defined, but getting policies right (and making people follow them) is an ongoing battle.
:)
Our company setup a "transparent" proxy server on the border router which requires proxy-auth to access any external web sites and then logs the crap out of you. Since I object to such monitoring I refuse to use it. Whenever a new server gets setup for us to use, like CVS or SVN for example, I find myself getting prompted for access because the server builders put it on a public IP.
I take great delight in telling my manager that I can't do any work until they've followed their own security policies and put an internal system on our internal networks. You'd think they'd learn after the first few times.
Looking back at my company, 10 years ago, our machines were connected directly to the Internet, no proxy, no firewall, no antivirus software.
Looking back 10 years ago, your biggest threat was someone bringing a virus-infected floppy disk into work and taking down one of the 20 computers in your 50-person office. But hey, if you want to connect your PC to the Internet with no proxy, no firewall, and no virus protection, then be my guest. I doubt your PC lasts 24 hours before it becomes unusable.
Today, my company's proxy server blocks access to: 'bad' web sites (such as Google Groups;
And also very likely thousands of hacking, piracy, virus, worm, spyware, and phishing-related sites.
our 'antivirus' software prevents our machines (even machines that host production applications) from carrying out legitimate functions, such as the sending of email via SMTP
If it really is a legitimate purpose, you shouldn't have any problems being granted an exception for your specific case. Everywhere I have ever worked has done so.
and individual employees are forced to apply security patches with little or no notice, under threat of their machines loosing network access, if they do not comply by the deadline.
Ah, now I see. Your administration is incompetent. Under no circumstances should end users be installing security patches. They should be installed by administrators (if not automatically), and there shouldn't be any concern about cutting off non-compliant PCs because there won't be any. Anything less isn't security at all.
have we become so secure that we're stifling our own ability to get things done?
We haven't, but it sounds like the folks running the show at your place may have. But it also sounds like they don't know what they're doing either.
Being a corporate IT security at large corporation I can tell you why google groups are blocked. If I am looking at porn on alt.binaries.erotica and a female co-worker walks up behind me she could sue for sexual harassment and say the company did not take adequate measures to prevent this situation.
My understanding is the hoopola about "if you don't block pornography, you're liable" is nonsense that's heavily propogated by vendors of filtering software. The case that claims about liability are based on is the '91 ruling in Robinson v. Jacksonville Shipyards, Inc. Here, the plaintiff was being directly targeted and porn was being publically pervasively placed throughout the workplace. That's a *far* cry from someone walking in and seeing a pornographic image on someone's computer monitor. That's even *further* away from a company being liable because they actually aren't buying a product to do filtering.
My impression is that most of the people that install these packages get sold a bill of goods by the filtering people "Lawsuits! Lawsuits!" The IT people pass the possibility of a lawsuit on up, some higher-up decides that the software is cheap insurance against a lawsuit, and buys it.
Frankly, companies don't need to worry about liability from not filtering porn (IANAL and all that). They might need to worry about employees being off-task (I mean, come on -- if you're browsing porn, you are *not* doing work). However, I've been incredibly frusterated by stuff in the past (like pages containing "wine" in the URL being blocked -- when I'm trying to look up constants in WINE's header files), with information about HTTP tunneling that I needed for writing some software that had to interoperate with a firewall being blocked (as "criminal activity", impressively enough, along with anything involving a "proxy"), and so forth. Companies aren't avoiding liability at all -- they're trying to control employees, and keep them from goofing off at work. I'm not saying that there's necessarily anything wrong with that that, but it's just not really a liability issue. I've seen people blow time chatting with their friends on non-work related stuff on AIM, and I can understand that there's a desire to not let the computer be an entertainment device.
However, I've got a much better solution. Have software that skims browsing history, flags anything suspicious, and allows an employee's boss to take a gander at it (if he really wants to). Oh, and *tell* the employee that you plan to do this -- the idea is to prevent abuse. I don't have a problem with my boss seeing a complete log of my at-work browsing history -- I do have a real problem with IT blocking things. I don't abuse my work connection, and it's really irritating to be treated as if I have because someone somewhere *has* done so.
Basically, I think that it's probably unreasonable to prevent the following types of Internet usage in a regular work environment, at least from a security/liability standpoint:
* Outbound TCP connections, other than maybe to port 25. The whole world is not HTTP.
* Requests to DNS servers other than the company one (why on *earth* do people do this?)
* Outbound SSH connections (a special case of the above that's particularly annoying -- sometimes I need to get at my addressbook or something else on my home computer). (There is a small potential security issue here in that someone could set up X11 port forwarding, and have a compromised outside box keylog or screenshot their workstation machine desktop) but goddamn it, the risk is awfully small and the loss of functionality enormous. This is not James Bond, and armies of ninja hackers are not out trying to take screenshots of desktops.
* Access to webpages. Good *God*. If you have to log them, fine, but for Chrissake, do not filter. It's *so* irritating.
Real security risks? Worms, dubious software that people intentionally install, people simply taking confidential (*actually* confidentially, not doc
Any program relying on (nontrivial) preemptive multithreading will be buggy.
That would be a violation of our security policy.
ssh'ing to external machines is not blocked at my company, so all of the security obstacles are easily bypassed with one command:
:)
ssh -Y me@myhomebox startkde
sure, its a bit slow, but its quite nice to be sitting at your home box when you're 30 miles away in a tiny cubicle
(Software developers on the other hand, I guess, exist to download free web proxy software and set it up on one of the company's web servers, so that the software development group can bypass the filtering AND the logging, and surf freely.)
If only my network administrators and/or supervisors thought like you. It took several months of begging to get a junker out of the warehouse that I could use for linux, so I didn't need to have a dual boot machine. They are a huge PITA. How people develop software on multiple platforms without having a sample of those platforms that they can destroy occasionally is beyond me.
My momma gave birth to a winner, I gotta win.
But at school (which is as close to a "corporate" environment as I can get), it's another story. We have a (horrifically unstable, read: if you touch it in the wrong place, the hard drive disconnects) proxy server as a pr0nfilter, about three different - all ineffective - AV/AS/AA software setups. We use some stupid Novell launcher that makes it impossible to do anything productive and very difficult just to waste time (Adobe reader isn't associated with PDFs, so you can't open them... extrapolate that level of difficulty to trying to code a standards-compliant idiotproof website with php and stylesheets using notepad and you'll relive my last two months). They'll kick you off the network if you look at the IT department the wrong way.
They put the newest machines in the lab where they teach keyboarding, but leave the slowest machines I've used in the last ten years in the CAD lab. I mean, damn. I've heard the hard drives dying on those things. You think they try and make it impossible to do anything.
And where does it get us for security? Absolutely f'ing nowhere. I still get more spam at school than the rest of my half-dozen email accounts combined, have effectively zero productivity, and all my popups are instead replaced with script debugging errors. Meanwhile, files seem to dissapear out of my network storage, and about eight different CrapWare! toolbars are installed on every copy of IE (no, they won't even consider letting us use firefox).
So, their fifteen steps of added security has done absolutely nothing productive. It makes the computers (most of which don't even meet the minimum requirements for XP, but that didn't stop them!) EVEN slower, makes it harder to do anything, and I still am nervous about logging in to check my email on my own webserver (as they blocked gmail with the pr0nfilter). Basically, they did all the stupid crap the government makes them do to comply with the CIPA so they can keep getting (and wasting) federal funding. I flat-out refuse to work on anything of real importance on their computers, because even if security is moderately reasonable, reliability is near-zero.
Sure, I can't look at pr0n at school (as if I'd want to, their 17" LCDs are all forced into 800x600 anyways, and have some of the worst constrast I've seen, not to mention a good portion are shattered), but I certainly can't do a project for a health class either. That's all we have to show for tons of "security" measures that all translate into ineffective anti-stupidity measures.
I remember, back in the day, the school security measures were take your floppy to the tech guy's office and have them make sure it doesn't have any viruses on it before using it. And if you wanted to open your .htm files in wordpad, you could. Nothing ever dissapeared and identities weren't stolen. Heck, there wasn't even spam. I'm glad I have real computers at home...
How are sites slashdotted when nobody reads TFAs?
Comment removed based on user account deletion
What corporation wants their network access to be loosed?
You're asserting he uses Groups to do 90% of his job. I read it as he solves 90% of his problems with it.
I'm the same way with Oracle's Metalink - most of the time I know what to do but when I don't, I go there.
You better watch out, there may be dogs about . .
At my company security is definitely not a priority. I'm sure I'm often viewed as "bitchy" when it comes to securing the network. I'm a firm believer in security first, everything else later.
-Nick
"A plan fiendishly clever in its intricacies"- Homer Simpson
Where I work (a municipal government), the security folk are more concerned about the appearance of security than actual security. All ports are now blocked but for ftp, http, https and 12173 (specific app). I used to be able to SSH, but no more. The worst part? They are now blocking a pile of "games" sites. The dumb thing, in two parts: (1) they're blocking via a firewall which only blocks IP addresses, not URLs, so they scanned all http traffic for "games" and blocked the corresponding IP address; (2) this blocks "games.slashdot.org"... and it.slashdot.org, and ask.slashdot.org, and books.slashdot.org, and science.slashdot.org -- all *.slashdot.org resolve to the same IP address -- but NOT http://slashdot.org/ !!! So I can view the main page, but almost no articles and comments. Yes, I'm posting this from home. Yes, I explained that games.slashdot.org does not CONTAIN games in any form, but just news ABOUT games, but they haven't responded. They're a bunch of twits.
I always equivocate. Well, almost always.
The situation where I work is great. The IT people are extremely competent and know that their job is to facilitate the developers and others in the creation of the company's software (sales of which are being where the company makes its profit). As a programmer, I greatly appreciate the job they do, having worked at other companies where the IT people seemed to think their job was to reduce the amount of work they had to do on a daily basis, regardless of how their lockdowns and poorly thought-out policies impacted anyone else or the company's bottom-line.
Not having access to Google Groups/Deja would be a real productivity loss for me and most other developers I know, so I'm thankful I don't work at the article poster's place of business. Of course, YMMV depending upon where you work and the needs of the users, and blocking sites like Deja may make sense at some companies.
And I do agree with you on the remainder of your post - the WHY is more important than the fix.
On the Oracle Applications side, though. . . metalink often only points you in the right direction for a diagnosis. Oracle Apps is a sumbitch, and the error documentation rarely points to the WHY of a problem. But it does make a fantastic search phrase to start your work from :)
God I hate Oracle.
You better watch out, there may be dogs about . .
Maybe a good example of the corporate IT environment will be the example of my (recently) former company: a major computer manufacturer. I signed a nondisclosure agreement, so I won't give anything blatant away, but you can draw your own intelligent conclusions. I agree with most of the comments made: that company policy and actual security are two very different things. My point is, that a company that deals with computer manufacture and OEM releases of Windows should know better. All companies have small beginnings, and people talked about the good old days when I came to the team. But by the time I got there, people in product development had computers with no cd/floppy drives and locked cases so they "couldn't steal the RAM" (all pitiful 64 MB of it) and you had to save all your work on the network where everyone else could access it if they really felt like looking. My machine had an 8 GB hard drive. After my OS, normal security measures and applications, not to mention management-inspired insanities, what was I supposed to do with the remaining 1 GB of my "brand new" computer's hard drive space? To be fair, in 1997, it was running on a Win95 network, but in 2002 it was still running on the same basic infrastructure. For security reasons. Management was so terrified of theft of ideas and possible piracy (like people didn't have their own broadband at home) that security searched you and your belongings every day for discs/diskettes. No more notebooks or working at a place other than work. Not even for management. You had to check out discs and RAM for a system in the lab, which was the only place that had computers with drives outside the server room, the actual manufacturing floor, and six offices used on rotation by managers. This was primarily for demonstrations when you were teaching tech support staff about new products, services, or OS releases. I had to introduce serial ATA to 30 people at a time in my building, while being monitored by security and recorded, with a checked out copy of a Windows XP beta edition and one stripped-down computer case because that was all that they were willing to give me. And then came WinXP. All the systems complex-wide were falling apart, being 4-7 years old, so they upgraded every box to 128 MB RAM and 8 GB hard drives. Then they installed the OS as soon as it was released. Needless to say, systems were crashing everywhere, none of the company-wide software applications were even XP-compatible, and there was a general state of chaos. There were real security holes everywhere, but corporate HQ touted their trend-forward steps for their shareholders. For a year this particular location operated in total darkness while their crippled and villified 10-person IT team tried to allocate resources and time to fix everything. Not only did Corporate expect IT to magically fix everything; they expected an entire manufacturing, customer service and tech support center to operate with unreliable documentation tools, poor shipping fulfillment software and customer information database vulnerabilities. Things are running more smoothly now, but this event illustrates the problems with so many companies, both tech-related and not. Most corporate-level managers still think it's 1985 and things are as simple as MSDOS 6.0. They can program in QBASIC. If they had any technical experience, it's long out of date. These are the people who set the policies that drive your IT practices, especially in larger companies. Kudos to all the businesses that still give their IT staff the power to use their own discretion, but they are becoming rarer every day. In the end it's not the intelligence of the end-user that needs to change; it's the education level and experience of the person setting technical policy that needs to change. If this means the company's CEO spending a 2-week internship in Engineering, why not? He's still getting paid. If the VP of sales needs to understand that she can't guarantee a client that her company uses this or that security protocol, fly her down to a local sysadmin's office for a month. Corporate practices need to change before industry standards will change. Until then, we all just need to hang in there.
I'm going to attempt to answer this question. I've been in schools and government and I see the slide toward using "SECURITY" as a way of managing workers. And I think this has to stop.
I'll explain what I mean. Security, as most employers define it, is to keep the IT resources available for "Legitimate Use". Now with firewalls and proxies you can define for the employees exactly WHAT legitimate use is. Except you need another IT department to deal with monitoring blacklists, removing sites from blacklists for legitimate purposes and analysing logs - assuming you want the the system to work effectively AND maintain productivity. And all this in the name of Security.
How about taking a step back and looking at the bigger picture. Here in Australia we have laws that determine what we can and can't see. Various magazines can only be sold to adults and pretty much everything comes with a classification rating. On top of that we have various other legislation that basically says "Don't discriminate" and this means no girlie posters/magazines where someone may be offended. And workplaces, abiding by that legislation, have procedures to follow in the case of a breach of one of these laws.
SO! Why block these websites? If someone detects this (either by logs OR by walking past) then there is a clear procedure to follow. Why should something being viewed on a computer screen be any different than printed. The answer is - BECAUSE SYSADMINS HAVE THE TOOLS TO STOP IT!
I disagree with using these tools because it is a "quick fix" solution for management (a handball if you will) which becomes one of the biggest headaches for the IT department. If you already have the procedures, then follow them!
I'll extend this further by taking the given example of Google Groups. For what reason is this being banned? Does it contravene any legislation? NO! Does it contravene any Human Resource policy? NO! What it does do is allow staff to spend time not doing work. Now, I seem to recall that, once upon a time, workers not doing work were sacked! If you were in derelict of your duty, a reprimand was issued. After this it was "Here is the door". So follow this well established procedure. Don't force staff into a shoe box. Reward good workers with latitude and get rid of the dead wood!
So the answer to your question is - Make a clear distinction between what is necessary for security and what is purely management not wanting to manage. Security is about patching machines, antivirus and appropriate controls. Security is NOT about content management. Yes, there are some grey areas (like email and firewalls) but if you can make that distinction then lineballs become easier to deal with.
**Please note that I have a different opinion where minors are concerned.
You Aren't Alone. I am part of an "IT" department, but I don't exactly do "computer" things. I have nearly 200 networked control systems throughout a large complex, and have fallen victim to what you describe. The "computer" people in IT set policies on a per-jack basis around our facility. I can no longer communicate with a good 60-70% of my control systems, and we've had a help ticket in for about 6 months. It's kinda a pain when you can't get statistics and usage information from *YOUR OWN GEAR*. And, frankly, it's not that it's a difficult thing to figure out. It's just that none of these people considered that they'd have to go around and manually configure nearly 200 different peices of equipment around several different locations. Now, it's become so much work that nobody wants to go around to fix it. Assinine, I'd say. It just gets to be too much when you can't even use your own shit internally.
If the security rules were then written to use capabilities instead of ACLs, it would pretty much be bulletproof...
Someday we'll get there... but the pain isn't sufficient yet... and the virtualization hardware is just coming into play.
--Mike--
I work as an IT manager at a company where I had to install an attachment scanner -- and it routinely chews up legitimate emails I get from programmers -- But there's nothing I can do, the virus writers are getting smarter and are zipping or otherwise encrypting emails and I have to do something to stay a step ahead of them. Thankfully Linux has helped me immensely in keeping our infrastructure from dying.
- Brett
So to make your job easier, you're happy to inconvenience your users and cost your company money? Yes it might be a PITA. Guess what, that's why you get paid. If your users have a genuine need for a dual boot system, you should be supporting it. It's not some strange alien configuration that you couldn't possibly know about. How will you ever cope if your users get VMWare?
As other users have pointed out 2 machines = twice the cost and twice the admin, and as a user there's a good case for not booting up the one you're not using at the time, so you'll still get out of date updates.
Thank $!@# you're not my sysadmin. (And you should thank !@$% I'm not your boss either!)
These posts express my own personal views, not those of my employer
First, I doubt any user owns any of the computers at your company. Stop thinking of the computer in your office or your backpack as YOUR computer. But don't stop there -- correct your thinking while you're at it: start thinking of that computer as a SERVICE the company provides to its employees to do what and ONLY what the company wants you to do.
You do NOT have ANY rights regarding that computer, the software installed on it, how it runs, etc. You also should NOT be browsing the web for personal enjoyment or reading personal email.
Face reality - you are there to do a job and any time you spend doing something else is time you are being unethical. Do you think your colleagues on the GM assembly lines have ANY sympathy for your whining? They have every minute of their working day scripted by the timing of the line, down to how long they get in the bathroom. Most IT workers in the US spend 80% of their day surfing the web or chatting online, then go home and bitch about how the IT group cut off AOL access.
You are there to DO WHAT YOU ARE TOLD and to SERVE THE COMPANY TO EARN YOUR PAY. You are NOT there to go to websites the company doesn't ask you to visit. Do what you're told or find a better job, if you really think you can.
I am soooo sick of whiny white-collar workers who think they really work after surfing the web all day - you'd think none of those people knows a person with a real job.
I'm not sure how it could happen more than 52 times a year. It takes at least a week to reinstall all that broken junk. Considering the number of critical patches every month, it's a wonder this limit is not attained.
Let's hope more people do as you say and less as you do. As you said somewhere else, "security would be easier in an environment where everyone ran Linux on the desktop." I say it would be a lot easier for everyone. I won't have to pay that much more for all those things big dumb companies make. I also won't have to put up with their big dumb networks taking down the whole internet and being used for extortion and all the other things the M$ monoculture provides.
Friends don't help friends install M$ junk.
Yes, you *can* be too-secure. "Too much security" occurs when you can't get work done -- as is your case. The only *real* question facing corporate IT is "what amount of liberty is necessary to perform the duties of the employee requesting that access?" In true totalitarian style, the old computer security saying "that which is not expressly-permitted is forbidden" is the basic principle of current corporate IT security.
We have this same problem where I work. Thank shitty MSFT security for the current mess...
On a related, more-general note, security and liberty are *always* at odds. They logically must be: if you are restricted from performing action A, then you are not at liberty to perform action A. Simple as that.
For a real-world example: if you are locked-out of somebody's home, then you are not free to open the door to that home. The home is secure against your entry (at least from this particular vector).
Frankly, he who wants to be both safe and free will never have what cannot be.
Is Capitalism Good for the Poor?
At one company I worked for we used to joke about the servers that we were going to "manage them to their knees" since we had so many security and monitoring applications on them.
Of course this was the same company that would randomly block websites (that had worked before). At one point they blocked access to CPAN of all things. When I questioned it with someone in Info Security I was told "we get our filtering rules from the company that supplies the proxy, we can't change them, just wait until next week and your site might be back off the block list". Great way to manage security huh, just "trusting" some other company to do it right and if it's wrong just wait a week.
My former employer, Analog Devices, first implemented web filtering many years ago.
They put an immediate halt to it, pending better software being available, when their very own website was inaccessible to them. Why? It contained the substring 'anal'.
Yeah, they had to change filtering software pretty quickly.
They also blocked anything beer or wine related, even years later. Planning corporate (e.g. sales) related outings necessarily involved circumventing things.
the whole "criminal activity" thing about http tunneling, proxies, etc. definitely rings a bell too.
Suffice it to say, our head of Information Security was a great moron.
-- "Those who cast the votes decide nothing. Those who count the votes decide everything." -Joseph Stalin
Good times.
...of your article clearly shows allmost everybody that your business is primary using MS Windows on your workstations and servers...
--
I'll have a good sig. once Windows is secure...
But you know, inspite of all the above, I would say that information security is now taken more seriously than before. When we point out vulnerabilities at least now we get a little respect. Not much, but its more than before. Now applications are supposed to be scanned before they go into production. It used to be it took almost a year to deploy a single critical patch. Now it can get done in under a week.
My experience is that IT departments are more in the business of CYA these days. In a recent job, some colleagues were developing a data warehouse on Oracle. They were piggybacking off a dev server we had, behind the firewall, sitting under my desk. Two guys, some commodity equipment, and they were doing a ton of good work. One day they decided they needed their own dev server, which was fair enough. So they put in a request to IT for a new desktop machine. IT came down to talk about what they needed it for, saw what they were doing, unplugged the dev server and then made them put in a request for a mid-range machine. This of course required a budget, a project manager, a business case, and in short order the project stalled, for months. All their good work was going nowhere fast and the business was crying out for their solution, which was initially only costing the DBA and developer's salaries and two desktop machines. These guys weren't cowboys either. The DBA was one of the best Oracle DBA's I've ever met. But IT effectively shut them down.
To my mind businesses need some kind of network-DMZ where people can start their projects without the need to resort to business cases, project sponsors etc, because IT is mainly concerned with making sure the network is safe.
They said ALL XP login scripts had been posting the notice for over a week, I had been given "plenty" of warning!
"Nonsense. All Plans for the new intergalactic highway has been posted at your nearest Solar System for 100 years."
What actually happens when an employee looses his/her network access?
Doesn't it fit anymore to his/her computer?
Capitalization is the difference between "Helping your uncle jack off a horse" and "Helping your uncle Jack off a horse"
This isn't about security, this is about policy. Take the poor mouth off you and realise this is what you signed up for when you took the job. Unless your job is getting paid to read Google Groups then you don't really have an argument.
That is how it works at our company. The default is linux. All "regular joe's" have linux on their desktop. All servers are linux. If you begin and you don't know linux, that's your problem, learn it. But you can have windows, if you have VERY good reasons (e.g. secretaries that receive MS-office documents all the time). These windows-machines are completely locked down. You can do exactly what you wanted your windows-machine for, but nothing more. Also, these machines are reinstalled every single night (ghost) with a new image maintained by the IT-department (so daily updates).
The linux-machines are gentoo-based, and are also tuned. Nothing too much in there, but what is there simply works. These machines can also be automatically installed by just connecting them to the network and booting from a usb-stick, or remotely from a server.
Combine this with a little education of your users, a little trust, a security-model not based on the "hard shell soft inside" model, but the "insiders can also seriously mess things up" model, a decent network-infrastructure (e.g. managed switches, fast uplink) and some guys that really know how to setup and secure a server or a network, and you won't have many problems or complaints.
int main(void) {while(1) fork(); return 0;}
Cyric,
Please read your employee handbook under "company policies", then report to the HR department.
Everyone else, please mod this employee down.
Thank you,
-I.T. Security
...their machines loosing network access...
Let me clarify: there's no such word as loosing , it's losing .
I am at work from 5AM until 4PM usually, and out of those 11 hours, my computer is only usable for about 4 of them.
5AM-6AM: Usable
6AM-10AM: Unusable because IT folks force a full virus scan at top CPU priority and I can't change it.
10AM-11:30AM: Usable
11:30AM-12PM: Unusable, some process called RPG.exe runs at highest CPU priority during this time. I don't know what it does, but a quick google says it's for some kind of backup and restore function.
12PM-2PM: Unusable: mandatory daily over-the-network "full" backup of local drives, even though work product is not stored locally and the local disk doesn't change much. I suspect this is actually just to see if I am putting "unapproved" software on my PC. I have had shareware apps simply disappear in the past, including FireFox, Thunderbird, and OpenOffice (we have a contract with M$)
2PM-4PM: usable, except when pushing M$ patches, when my PC reboots w/o warning and at random, not allowing me to save my work.
I've complained all the way up to the VP of engineering, and the attitude I get is "tough ****, deal with it, we will not compromise data security for your convenience."
So yeah, valid topic, good article.
The best one I came across was a company who disabled the right-click on their standard NT build. Very upsetting if you're a developer, and the process to re-enable it took much form-filling and was taken suprisingly seriously. Another good one is locking down the registry which stops a vast amount of 3rd party software from working !
Well, the company (> 100,000 employees) I work for has a "No Shadow IT" policy. In essence this policy says that ALL systems on the network that provide services for multiple users MUST be owned, operated, or controlled (or IT has formally given such control to another unit) by corporate IT. Anyone violating the "No Sh*IT" policy is subject to disciplinary actions. NO EXCEPTIONS.
IMHO it is a horribly written and overly broad policy (e.g., it means that ALL UNIX/Linux boxes that provide multiple logins and any web server that is accessible by anyone other than the owner all fall under its purview). But, it is the law of the land. As a result, all kinds of information sources inside the company have fallen silent. Folks no longer share information for fear of getting sacked.
All "personal productivity" tools (i.e., the PC you use to do your work) must come from IT. It must have corporate anti-virus installed and a security "agent" installed (centrally controlled firewall) which decides what it will allow.
Bottom line: it's ITs game and they call all the shots. Be glad your environment isn't as draconian as mine.
You can't solve a problem by ignoring it. I'm working at an antivirus company, and simply "shutting things out" is no option. After all, we're supposed to pluck them apart, watch them work, see their destruction first hand to inform people what the latest piece of malware does and of course develop counter strategies.
:)
So what you really need is a good way of getting your computer back to working condition instead of trying your best to keep it from breaking down. Because you simply cannot do the latter, the user will find a way to circumvent your security wall (which is more often than not a necessity to get work done, because the tool or the info you need is on a "bad" site).
Trying to tighten security to the point of rendering the system useless is the way of the lazy and/or clueless admin. The pro knows he cannot keep desaster from striking and instead works on ways to minimize the time needed to get the system back to work.
'sides, it's always a nice way to make the user feel dumb and lecture him while you're resetting his PC.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
...says the man who wastes his time on /.
And then he said: "I'll tell you the meaning of life. It is" and then realized 120 chars are definitely not enough...
IT security is not about restricting what users can and cannot do - it is about enabling users to do what they need to do in a secure and stable fashion. As an IT professional, all too often I hear through the company grapevine about someone who has been grumbling that the IT security policy was too restrictive, but when you go and talk to the person it turns out that whatever it is they wanted to do can be done, they just didn't know how to do it properly with the systems you have in place. Naturally, they blame the systems, not themselves. Why would you want to send outbound emails from your box, when you can relay through the corporate mail server? Why do you need to run an FTP server to upload your files from home, when SSH is running on your computer already? Why do you need IT to open up ports 1024-65535 in the firewall to allow your new piece of code to work when you could just write it properly in the first place?
IT security policy should not be inflexible, but neither should users assume that it is there just to block them from doing things. If it is, then that is because company management have decreed that behaviour X is not allowed - and that's not an IT security problem.
Why can't we all just get along?
It simply boils down to a lack of accountability. Most IT organizations are now allowed to make decisions unilaterally for the entire business, even if it results in creating unnecessary or exorbitant expense. I know of IT security managers who would be perfectly content to see their employer go down in flames as long as the noble ideals of their security policies were never violated.
The IT security discipline has boomed over the last few years and I fail to see how the situation has improved. In fact, it has only worsened. We don't need more security admins... we need security admins who are committed to the same goals as the rest of the organization and make THAT their first priority instead of worshiping at the feet of noble theory. The principle job of a security admin should be ENABLING users to go about their work in the most secure manner possible, not preventing them from getting the job done. Big difference.
One of the greatest risk's to security is the User...machine to machine interaction can be structured nice and tight. It is when you get people running unauthorized apps, introducting flash drives etc. into the mix that increase the security risk.
> and individual employees are forced to apply security patches with
> little or no notice, under threat of their machines loosing network
> access, if they do not comply by the deadline.
You have a lazy-ass IT department. Ours has things set up to automatically update whatever they want whenever you log on or reboot.
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
...spellcheckers are prevented by security forces too.
I am in InfoSec for a medium-sized environment (3-4000 users) and know all of the tradeoffs that have to be made to keep usability and security from defeating each other. In my case, I work in a hospital, so usability trumps security. If a computer is unusable, someone could die; if a security breach happens, we can mitigate the damage. There are definite ways to keep desktops and servers secure which do not significantly degrade their usability. However, if the company doesn't give adequate funding and get well-qualified people to run the security department, you get the kind of overzealous blocking that you have described.
-Blocking technology is out there to allow an individual to bypass the block by entering a username and password. Yeah, I know "just one more password to forget," but this kind of thing helps to keep access to potentially "bad" sites honest. The technology also exists to always allow a certain computer/account to access these types of sites. Anything less is a case of underfunding or using the wrong tools.
-Your antivirus vendor should be at least customizable enough to selectively allow SMTP sending on production servers. Ideally with servers, you'd have it only allow certain programs to send mail or have a threshold of connections per second that it would prevent (most mass mailing viruses I've seen send one email per connection before changing servers). If your AV has these tools, the IT department doesn't seem to be managing them well. I have a problem here with our AntiVirus detecting security tools as "hacker tools." As far as I know, with our current configuration we cannot change that behavior just for me and not for any other computers, so I choose to deal with the hassle of it reporting, but not quarrantining my apps.
-Patch Management is tricky, but if there are adequate safeguards on the desktops (ie. minimal services, userlevel accounts, antivirus, etc.) then your company should be on a schedule of deploying patches. For example, once a quarter you test all the apps for compatability with patches and then deploy the ones which don't break anything. Deployment would be carried out with minimal downtime, at off-peak hours. This procedure would be thoroughly documented through some kind of change management procedure where everyone knows that changes will be made to the systems, so they can report any problems with the upgrades.
Businesses are there to make money. Once they start making money, there are a lot of people that want to take it from them. Securing their IP, their network, their workplace is a natural step and it's usually sucky when you're a geek that has been "off the grid" doing whatever you want, sshing home, running a "web server" on your desktop, etc..
Do it the right way, secure your network, get on the team and get with the program.
With more and more internet users behind NAT routers, networked malware is now instead of running on a machine and listening, is running on a machine and making an outbound connection to some remote host. If you don't have egress filtering, your firewall may as well not exist.
I will grant that I think about this less; in the Unix world, security problems are slightly different. However, I have discussed this with some rather notable gentlemen who are more oriented around Windows security, and their opinion is different. They suggest that it is not really possible to keep information from filtering *out*, if software on your machine wants to send data out. There are just too many ways to sneak bits across the wire, and they cannot all be blocked in the real world. Their take is that the only reasonable way to stop malware is to keep it from gaining a foothold on the computer in the first place, rather than trying to keep it from then communicating once it is there.
Actually, to some extent, this is exactly what you just said (though about NAT, not about firewalls) -- security administrators tried using NAT to lock down their networks, and discovered that malware simply adapts to deal with it, and now there is a big functionality hole that makes it difficult for people to write and use legitimate network applications.
Highly restrictive blocking, as implemented today at a corporate level, is *only* useful in that people that do so may differ from the majority, that they have an "oddball" configuration. That's where the practical security benefits that they're claiming comes from, not from the fact that their blocks cannot be walked around by anyone who tries to do so. If I can write malware that, on 90% of the machines out there, can just open a TCP connection to the outside world on an arbitrary port and send data, I'm probably going to do so, rather than making that worm take a clever approach of having to subvert Outlook or IE to send its data out.
The problem is that now a number of companies *do* only allow access out through a proxied connection, and now malware writers that want to target them need to hijack things like Outlook or DNS requests or whatever. The benefit is highly impermanent -- so there is no long-term security benefit, but there is a blow to functionality, in that features once present are now missing on these corporate networks (and doing things like ramming previously-working apps through HTTP tunnels simply degrades performance and increases complexity).
If you want to occasionally SSH to your home machine, run your sshd on port 443 and go via your company's web proxy (tools like PuTTY can use HTTP CONNECT to do ssh via a proxy on port 443). Be sure to ask your company if this is OK first though. That way they don't have to open port 22 to the world, and instead they have a logged, traceable connection.
Oh, I have. Had a meeting with our security admin and everything. He said "no go" and warned me that he monitors connections. Actually, he used to have a configuration in place that killed any outbound HTTP connections that lasted too long. That was infuriating to work around if you needed a Linux ISO or something similar. He finally got enough complaints to decide that that was a bad idea.
Any program relying on (nontrivial) preemptive multithreading will be buggy.
From your examples, it looks like your whole IT deparment is working very hard to be downsized or outsourced. From my experience, the minute a smart VP or CEO (or, a common case, an external consultant who has the VP or the CEO's ear) notices and documents the kind of impact they are having in the bottom line, lots of high and middle heads will start rolling. Having inflexible rules when your market is evolving or constantly changing (and when your market is global it is always changing and evolving) is so dumb it hurts - when have we called the high priests back to the computer room, anyway? I though we had all agreed to send them home for good by the end of the 70's.
I strongly disagree with that throw-away comment. The only perfect security is at absolute zero with everyone is dead. Is that what you want?
-I like my women like I like my tea: green-
You:Then why would any well-run Unix shop also use mailhub? Why do Unix MSPs implement that functionality? Why does every well-known figure in Unix mail recommend using that functionality for this purpose?
There's nothing wrong with a mailhub, as long as it works with published standards. What's happening in the big dumb company world is that admins are closing port 25 on their mail servers and eliminating SMTP in favor of some kind of M$ Exchange mess. As the administrator here told me, "I'll look into opening that port (he did not know which one) for SMTP on the Exchange server, but I'll have to find out it that poses any security risk." This replaces well known sturdy software with the worst of class, Exchange on the server and Outlook or IE on the desktop.
This is just another anti-competitive thing M$ has come up with for it's partners. Why anyone would listen to them and get themselves that much more locked in after their repeated failures is beyond me.
Friends don't help friends install M$ junk.
This is exactly the kind of problem I'm talking about. It's M$ policy to block all but their crappy client software and they are starting to talk about it as a security measure. Soon, the only way to dissapear the person who could not patch/upgrade/turn on the Exchange box without blowing up SMTP is going to be to dissapear the box.
Friends don't help friends install M$ junk.
Yes, I explained that games.slashdot.org does not CONTAIN games in any form, but just news ABOUT games, but they haven't responded. They're a bunch of twits.
And what part of your work duties require you to follow news about games during work hours?
If none, you shouldn't be paid from the hours you spend reading slashdot during work hours. And best way for them not to pay, is disabling everything that you don't require for your work.
If it is your task to follow slashdot and similar forums, then there should be change on policies. Otherwise, it's their money they pay you do to your tasks required. And they make the calls what is accepted and what is not.
1.- So you were willing to email something (email is not secure and it is not guaranteed that a message is delivered) but could not send it with a messaging company? Sorry, but give me a frigging fucking brake. It sounds to me more like you decided to get a freebie with the IT restrictions as an excuse. Oh yea, you ignored ftp, sftp and the post box down the road (don't fucking tell me it is not safe. You were emailing the damn thing, you are defenseless there).
2.- Tell your IT people that I say they are dumb. Honestly. But also the bussiness side of things is at fault. If you are not able to make a bussiness case for handling deployment of security patches more efficiently your bussiness should also question how capable they are.
3.- Correct actions, wrong approach. What they did (reorganize access to a resource) is impecably correct, there should no be user whining about it. What is absolutely unnaceptable is the lack of notice. What does not surprise me is the obvious understaffing: IT may have quite a lot of power nowadays, but that does not mean that they get the resources they need. This is the fault of the bussiness side of things that keeps considering IT a cost and treat it as waste of money.
4.- Read above. Perhaps yout IT people were ready to implement single password sing on but are understaffed? The best indication of this is having all the technical resources ready but nobody to implement things. Your IT poeple are a bit dumb, but the bussiness side of things is obviously not providing the resources required to keep things running smoothly.
IANAL but write like a drunk one.
You were in the wrong. Period.
You either had a machine that was not allowed or failed to provide enough information to the support drones.
IF you reached a point in which they did not know what Linux is, it is your fault (or your department's or whoever was responsible to make sure the XP drones knew abou leenucs) that they did not have that information.
IANAL but write like a drunk one.
Sorry, but what you are saying is utter nonsense.
A computer, specially for corporate users costs peanuts. It is a very negligible cost, and if the Linux-XP guy is a rare ocurrence, the cost for additional machines small on the great scheme of things, or he can have as second machine one of the many in any medium sized enterprise that is upgraded. Your cost argument is a non issue.
As is the inconveniencing. How it is inconveniencing somebody to ensure this person has access to both environments at the same time? The dual booting means only one or the other is available. What a fucking inconvenience. And even if it was inconvenient, the minimal distress caused has to be contrasted with the security issue of not patching boxes timely. And you know what? I would be damned to let a bit of inconveniencing get on the way of the security of my organization.
2 machines are not twice the admin time, one dual boot machine may be, but two machines aligned to supported configurations are a non issue from the administrative point of view: once you have a solution that escalates to 50 machines (or 100, 100, or 10000), adding one more machine adds no burden.
So it is 3 strikes, you are out matey.
IANAL but write like a drunk one.
If your SOX assumption is correct, that would be the BEST thing I have ever heard about SOX. Every time the auditors come by us, all we do is take raw data and polish it into report form for them! So I suspect they sit in the corner and play solitare, you would think that auditors would WANT the raw data so that we could not fudge any facts. Everything I have seen tells me SOX is a joke and does nothing for real security.(with the exception of your statement)
Linux Works
Public key encryption and the like have given us some powerful tools with regard to security. However, I think too often people (sysadmins) are given to view those standards as a minimum requirement. Usually, out of practicality, the best schemes are compromised by not taking reality into account. Whether we're talking about passwords or private keys, the likelihood of me, as a user, introducing a severe security flaw into the system is in direct proportion to the inconvenience of the secrity policies.
If I have one password, I'll keep it secret. If I have to remember 20 passwords, be sure that they'll all be on a piece of paper somewhere around my desk. If I'm to be the sole keeper of a private key, let it be known that I won't keep it secret (I like to go on vacation every now and then).
Although nearly perfect tools for security do exist, they're more often than not not perfect in the real world. The legal standard of reasonableness is much lower than the technical standard. Somewhere within these comments someone lamented that because an email system blocked a file with an unknown extension, that that person had to fly to another country with a CD. Someone responded that they could've just mailed it. Yeah, like Snail Mail is secure.
Do you enter an ATM PIN at the drugstore? Does anything shield the view of that from the person behind you in line? Has anybody taken anything with your social security number out of your mailbox in the last month? You can't know, can you?
These sorts of things are not new. But overly draconian security policies can actually make things worse.
Subject says all.
The bright spot for me is the accessability of the work network when I'm remote via VPN RSA key type methods. This is one big plus. There are terrible downsides. At one point my company outsourced IT to a large company with a three letter acronym... lets call it "HAL". For most large companies this would be fine, but for a technology company like the one I work for it was a disaster. We are still only now recovering from that decision I believe, and have returned IT to local control. The largest issue I see is in the old days, engineering groups like the ones I worked in, did our own system administration, and we had large capitol budgets to purchase $12,000 per seat engineering Unix workstations. Recently we have had to wait in line to get a purchase approved for a $600 PC running Windoze. And then many of the IT service people have no idea of what we need. For example, I needed a RAID 0 (striped for speed) 2 disk machine setup for data crunching of very large files. This was delayed for weeks as no one knew how to image the drive. In the old days, they would have shipped me the CPU, and I would have configured it myself. Even today, if I have an IT issue, my call goes to some corporate "call center" very possibly in India, and a ticket id is assigned. My favorite was when I had forgotton my Unix login, I emailed IT to get my password reset. They called me back to ask me what my userID was. I was going to give them the UserID of the CEO as a joke... they had my EMAIL ID, but couldn't look up my user id? Hmmm... what has the world come to.
Ross Youngblood
In a website-development environment nonetheless. It's the biggest joke ever.
I'm eventually going to meet in front of a committee to plead my case for FireFox. Talking about bureaucracy.
Not to mention that we'll probably have to buy third-party software to fulfill functions that Firefox's extensions were doing quite happily for free.
Okay, we'll just test for Internet Explorer.
Who in their right mind does any type of backup in the middle of the day?
Good grief... why don't you write a big letter to the VP and include it with you resignation... your organization sounds like a horrible place to work.
and you won't have many problems or complaints
Just because people don't bother to complain because you're too much of an ass to help them get their work done (seriously, reinstalling windows every night after you begged to get a box that can read a fricken excel document?) doesn't mean they don't have complaints/problems.
It just means you're an ass.