Slashdot Mirror


Has Corporate Info Security Gotten Out of Hand?

KoshClassic asks: "What is the right balance between security and productivity, in the corporate IT environment? Looking back at my company, 10 years ago, our machines were connected directly to the Internet, no proxy, no firewall, no antivirus software. Today, my company's proxy server blocks access to 'bad' web sites (such as Google Groups); our 'antivirus' software prevents our machines (even machines that host production applications) from carrying out legitimate functions, such as the sending of email via SMTP; and individual employees are forced to apply security patches with little or no notice, under threat of their machines losing network access, if they do not comply by the deadline. On one hand, you can never be too secure; on the other hand, have we become so secure that we're stifling our own ability to get things done? What is the situation like at other companies?"

12 of 466 comments

  1. It's all possible... by jabella · Score: 5, Informative

    Security, like most things, is a balancing act. Being able to manage the 'pain vs. protection' factor is the key to all of it, and unfortunately no tools seem to have the sliding adjustment with those options on it.

    Ideally security will allow everything that's vital while not stepping on any services that are required. With most companies, what is 'required' ends up being pared down as the security net gets closed down tighter.

    Nostalgia is one thing -- how many of us worked on systems that had telnet / ftp open to the outside without a firewall? I know I did back in the day. When management is behind security initiatives, being able to work on the business issues ("No, we CAN'T disable FTP!") becomes less of a problem.

    Regarding individual workstations -- putting the burden on end-users doesn't seem to be a common (thankfully) configuration in the companies I've seen. Most larger places are doing automated patch management and deployment now. I know quite a few places where every single system (desktop and production) is patched within a 15 day window. While it's not bleeding edge, this relatively fast schedule combined with the concept of 'defense in depth' goes a long way to preventing issues. I know places that haven't lost a machine to a virus in YEARS.

    Security that's preventing legitimate work from being done needs to be adjusted. All of the problems you've mentioned are fixable.

  2. They need to be more strict. It's still too lax. by Anonymous Coward · Score: 1, Informative

    A couple years ago, right around May Day, we were nailed with the Sasser worm at work. It didn't take much for it to spread, and boy did it spread fast that weekend. Every XP box was hit, although the NT 4 Workstations and Servers didn't even burp. Thankfully we still had an NT box and a Solaris box handy while the chaos occurred. The 'Net just isn't safe anymore without proper protection, especially inside the corporations. It doesn't surprise me that they are gradually shifting toward Linux in the upcoming years at where I work.

    A slow transition is better than sticking with the current situation.

  3. Re:Technology by CleverFox · Score: 5, Informative

    Being in corporate IT security at a large corporation, I can tell you why Google Groups is blocked. If I am looking at porn on alt.binaries.erotica and a female co-worker walks up behind me, she could sue for sexual harassment and say the company did not take adequate measures to prevent this situation. Basically they fear a lawsuit.

  4. Re:Try a University by Anonymous Coward · Score: 1, Informative

    But I bet you they let DNS through...
    http://freshmeat.net/projects/nstx/
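    The nstx link above points at IP-over-DNS tunnelling, which is exactly the kind of traffic a "DNS only" egress policy lets through. The defender-side counterpart, as an added example that is not part of the original thread: a small Python checker that runs over constructed resolver log lines and flags zones whose subdomain traffic has the volume, label length and entropy a tunnel carrier produces. The log format, the thresholds and the "last two labels are the registered zone" rule are all assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample of a DNS resolver query log (not from the original thread).
# Format: "<time> <client-ip> <qtype> <qname>". The .tun.example.net queries mimic
# the shape a DNS tunnel produces: many unique, long, high-entropy labels.
SAMPLE_LOG = """\
10:00:01 10.1.2.3 A www.example.com
10:00:02 10.1.2.3 A mail.example.com
10:00:03 10.1.2.7 TXT 7a9f3e1c0b2d4e6f8a1b3c5d7e9f0a2b.tun.example.net
10:00:03 10.1.2.7 TXT 4c2e8a0f6b1d3e5f7a9c1b3d5e7f9a0c.tun.example.net
10:00:04 10.1.2.7 TXT 9e1d3b5f7a0c2e4f6a8b0d2e4f6a8c0e.tun.example.net
10:00:04 10.1.2.7 TXT 2b4d6f8a0c1e3f5a7b9d1f3a5c7e9b1d.tun.example.net
10:00:05 10.1.2.3 A www.example.org
"""


def shannon_entropy(s):
    """Bits per character of s; 0.0 for an empty string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def zone_stats(log_text):
    """Aggregate per registered zone, assumed here to be the last two labels
    (production code would consult the Public Suffix List instead)."""
    stats = defaultdict(lambda: {"subs": set(), "ent": [], "lens": []})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed line: skip it rather than crash
        labels = parts[3].rstrip(".").lower().split(".")
        sub = "".join(labels[:-2])  # everything below the zone, dots removed
        z = stats[".".join(labels[-2:])]
        z["subs"].add(sub)
        z["ent"].append(shannon_entropy(sub))
        z["lens"].append(len(sub))
    return stats


def flag_tunnels(log_text, min_unique=4, min_entropy=3.0, min_len=20):
    """Zones exceeding all three thresholds: unique subdomains, mean entropy, mean length."""
    flagged = []
    for zone, z in sorted(zone_stats(log_text).items()):
        mean_ent = sum(z["ent"]) / len(z["ent"])
        mean_len = sum(z["lens"]) / len(z["lens"])
        if len(z["subs"]) >= min_unique and mean_ent >= min_entropy and mean_len >= min_len:
            flagged.append(zone)
    return flagged
```

    Ordinary browsing zones fail the unique-subdomain and entropy tests; tune the thresholds against a day of real resolver logs before alerting on them.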

  5. Re:Management? by canuck57 · Score: 4, Informative

    The only real problem is overzealous proxy servers, ...

    Not really, often it is best to deny, evaluate and permit with business cause. Provided the response is usually positive where the business need is legitimate, then there is not an issue. Any security system will need to be tuned to work correctly. And often users fall into the trap of buying products that abuse protocols to circumvent security without regard to company policy.

    The enemy within is in my experience a 50/50 split with the enemy outside. These tools are needed to prosecute criminal and negligent employee behaviors. Some examples I have frequently seen:

    • Insider trading of company secrets
    • Posting of internal information on Yahoo and other board and mails services
    • Had a manager watching video porn consuming the network bandwidth while he was bitching at I/T because the lines were slow and the clerks could not do order input.
    • Much like the last point, the clerks will call while they are all listening to the radio and complain because the servers are slow... they don't understand nor give a damn that 100 people in an office listening to radio designed for 1 cable modem drives costs up -- they don't know how dumb they come off to I/T. And their managers didn't have the spine to say no.
    • Had one more advanced user who bypassed the proxy with a VPN type software using SSL. He thought he would not be noticed so we watched his terminal. He was using file shares relayed from his home system and watching, you got it - porn.
    • Caught one person posting personal comments about the CEO on a message board.
    • Figured out which user posted the company's address book right onto a known spammer's web board as it would be "more convenient".
    • Had one user who used their internal privileges to load seti on 12 shared UNIX systems. The company thought their CPUs were slow and were preparing to buy more.
    • Had one internal developer who back doored some applications for stuff I can't say, but cost the company a million to clean up.
    • Had one case where every Windows server bar none was compromised and controlled from the outside. The real kicker is that the systems were compromised from the inside and then controlled from the outside to serve Warez. Got my first copy of W2000 before it was released!
    • Had one user who would run a "spam" program while working on his PC. He was caught because the company's domain was blacklisted.
    • and many more...

    So remember this when you bitch about security. The behavior above was detected by security tools. And this type of behavior in corporate America costs companies lots and reduces the security of your job. Security is to enable you to do your job AND is there to prevent the 1/100 bad asses from getting inside to do your company harm. And the opposite is true, to prevent the 1/100 bad asses you have hired from compromising your company.

    And if you don't think your threat exists from the inside, you're either a very small trustworthy group or you're just not looking.

  6. Bureaucracy at its best. by IAAP · Score: 4, Informative

    Why are people who don't comprehend - or can't communicate - this employed in an IT organization??

    You sir, need to accept the bureaucratic nature of large organizations. There have been a few times that I've had to do some really asinine things in order to keep my job. I knew it was bullshit, my coworkers knew it was BS, and the poor SOB on the other end really knew it was BS. But, if either strayed from policy it was our asses. Why was this policy in place? Because the higher ups didn't want to take the time for all of the inevitable exceptions that occur.

    The solution? Acceptance - Zen practice. Or, start your own organization - if possible. Entrepreneurship!

    There's a reason why small companies are the ones that are creating most of the jobs. There's a reason why small companies are the innovators. There's a reason ... you get the idea.

  7. Security vs. Users vs. the Big Bad World by whoppo · Score: 3, Informative

    A decade ago it was not unusual for corporate networks to have little or no restrictions on end users. Workstations, servers and even printers had publicly routable addresses and free access to the internet as it was. Back then we had to deal with relatively few miscreants... the occasional "ping of death", "teardrop" or the dreaded "smurf" attack. Malicious activities could be deflected by a few simple firewall rules.

    Flip the calendar ahead 10 years... The internet is rife with malicious content. Organized groups of crackers, writing exploit code for every system vulnerability imaginable... Script kiddies gaining "respect" relative to the number of machines they can compromise for addition to their bot-nets... Spammers building their armies of compromised boxes to anonymously sell viagra and fake rolexes... the list goes on and on. In short, the need for network security is real and sometimes the end user is inconvenienced in the process of running a tight ship.

    In an ideal corporate world, the bad guys would stay out and the users would have everything they want. In the real world there is a balancing act that weighs a security "best effort" against business needs. It sounds to me as if the original poster's company is in the early stages of making this happen. Security measures are being taken and users are feeling the pain. The next step is for the users to identify the needs that are not being met and challenge their management and IT resources to provide for those needs while making a best effort to do so securely. This, unfortunately, often involves plenty of corporate political bullshit and associated headaches, but if you can show a LEGIT business need, it should make it through the process.

    I manage all internet connectivity and perimeter security for a very large healthcare foundation that includes several hospitals, physicians' offices and research facilities. Not a day goes by without some kind of request for additional access to some resource. Most are reasonable and can be accommodated with little or no impact on security. Some are not so reasonable and are politely rejected with a comprehensive explanation of why it's not gonna happen and, where applicable, alternative solutions are offered.

    As for the original poster's situation... should end users be applying system patches? hell no. IT folks get paid to do that. Should individual workstations be sending SMTP traffic beyond the network perimeter? hell no! IT folks should make a suitably secured SMTP gateway available. Should users be able to go anywhere on the 'net they want? hell no! The company pays for the bandwidth and owns the workstations... they can say "no" to anything they consider to be unrelated to doing business. If users need to get somewhere on the filtered list, it should be easy enough to justify it to management. Do the homework and make your case... you'll get much farther than someone that just pisses and moans about how restrictive those IT bastards are.

      Best of luck.

    --
    chown -R us /base

  8. Re:Technology by cmacb · Score: 2, Informative

    As far as I know Google Groups doesn't carry binaries of any kind, nor do they carry any of the groups in which you would likely find text porn. They do have technical groups back to the beginning of time though and I've used them more than once for technical research.

  9. Re:Technology by Gary+Destruction · Score: 2, Informative

    In your case, if 90% of your solutions come from groups then you really should invest in some Cisco and Microsoft certification to teach you how to administer properly.

    MCSE = Memorized Content; Secured Exam. That's exactly what it is. Those exams don't teach you a damn thing. There are so many different situations you can run into that there's no way any exam could possibly cover them all. Did you know that some EventSystem errors in the Event Viewer can be caused by a faulty disk controller? You're not going to learn that from an exam. Microsoft doesn't even have that answer. The best answers are the ones that come from real life experience. Sites like EventID.net and Google Groups have answers that come from people who've seen the problem first hand.

  10. Re:Firefox just banned - help me! by xlv · Score: 2, Informative

    The idea is that the IT staff would use the .msi to deploy Firefox on all workstations and thus would be responsible to push updates of the software the same way they're doing it for other software applications. The end user would then not have to install and manage/update anything. So it's just a matter of adding one package to the managed applications. Note: I haven't done this myself but that's the way it should work or at least one possible use of the .msi files...

  11. Re:Well, here's a war story that happened today: by Animats · Score: 2, Informative

    That's what comes from distributing a webcast in a proprietary format with DRM. If it was a plain MPEG 4 stream, there are unprivileged programs that could play it. But players with DRM need extra privileges, so they can get their hooks deep into the system.

    You actually have to pay to watch this thing. Not only that, there's a charge for each person watching.

  12. Re:Management? by Anonymous Coward · Score: 1, Informative

    1) Actually, we do have an external FTP server. To put a file on it you have to fill out a form with basic info like how long the file must reside on the server. You also have to attach a business justification and get it signed by your manager. You then send the request along with a CD through inter-office mail. Someone then reviews the request, and assuming they don't have any problems with it (like "the file's too big" or "you can't keep it on the server that long" or "I don't think we should allow external access for that file"), then they send you a temporary username and password you can give to the customer. I did this once before, only the customer had difficulty retrieving the file because they don't allow you to list directories on the FTP server. You have to know the name of the file in advance. Typically, we'll send customers an ftp:// URL with the username, password, and full path and hope they just paste it into a web browser. However, if they try to use a normal FTP client, they typically have problems. In any case, it generally takes a few days to a week to actually get the file on the server so it wasn't an option in the case I mentioned.

    2) In this case, the simulations were not distributed across multiple PCs. However, we had to keep the PC connected to the network because the test scripts called software that had to contact our license server. Also, we are unable to log into the PCs when they are disconnected from the network. Local accounts aren't allowed. You have to log in to the domain server. In the past, I have used an NT password utility disk to change the local administrator account's password on a few machines so that we could take a PC off the network and log in, but this is definitely frowned upon.

    3/4) No disagreement. Our IT department is out of control.