Slashdot Mirror


Has Corporate Info Security Gotten Out of Hand?

KoshClassic asks: "What is the right balance between security and productivity, in the corporate IT environment? Looking back at my company, 10 years ago, our machines were connected directly to the Internet, no proxy, no firewall, no antivirus software. Today, my company's proxy server blocks access to 'bad' web sites (such as Google Groups); our 'antivirus' software prevents our machines (even machines that host production applications) from carrying out legitimate functions, such as the sending of email via SMTP; and individual employees are forced to apply security patches with little or no notice, under threat of their machines losing network access, if they do not comply by the deadline. On one hand, you can never be too secure, however on the other hand, have we become so secure that we're stifling our own ability to get things done? What is the situation like at other companies?"

21 of 466 comments

  1. Technology by biocute · · Score: 3, Insightful

    I think overall mankind's productivity has increased thanks to the technology. I can't say if the IT world would be more convenient if 95% of us were using Linux.

    It's like when cars were first introduced: there were no speed limits, cars were hardly locked and tyres were hardly treaded...

    As cars became more common, more people died in car accidents, so you can't drive too fast anymore, must wear seatbelts and cannot drive drunk.

    As car thefts became the norm, we had to lock our cars; when that wasn't enough, we needed to put on the steering lock, alarm, then immobiliser, and now the security DataDot. However, I think overall we do benefit from the introduction of vehicles.

    1. Re:Technology by eobanb · · Score: 3, Insightful

      The issue is not with the equivalent of locking your car. The issue is draconian policies like arbitrary blocking of sites like Google Groups. Therefore, I feel that your analogy isn't right for the article, in that it assumes that "well, there are good and bad things about computers, but the good outweighs the bad." No one's arguing that point. Instead it's more like, "well, there are good and bad security policies. At what point does it become simply stupid?"

      --

      Take off every sig. For great justice.

    2. Re:Technology by Pig+Hogger · · Score: 4, Insightful
      How can blocking Google Groups be seen as draconian? They have no place in a responsible workplace. They are only filled with warez requests, AOL Me Toos, kiddie porn and hentai anyway.
      You must be one of those pointy-haired bosses to say that Google Groups ain't got no business at work.

      Whenever I work as a sysadmin, 90% of the solutions I apply to problems come from Google Groups.

  2. Seems pretty reasonable to me... by heatdeath · · Score: 3, Insightful

    individual employees are forced to apply security patches with little or no notice, under threat of their machines loosing network access

    I don't think this is unreasonable at all. What's the downside of enforcing a little rigor in your employees, when the alternative is having your entire corporate network become a zombie farm overnight, controlled by a mob boss in Russia named Vladimir?

    --
    I'm sorry. The number you have reached is imaginary. Please rotate your phone 90 degrees and try again.
  3. Re:one time, for security's sake by badriram · · Score: 4, Insightful

    Well, if IT installed Linux, they should not be doing something that stupid. However, if you decided to install Linux, and the IT folks maintain your computer, I would have to agree with them. Unless you work at a software company developing apps, or are a sysadmin, you are outta luck.

  4. Comment removed by account_deleted · · Score: 5, Insightful

    Comment removed based on user account deletion

  5. Re:one time, for security's sake by Thuktun · · Score: 5, Insightful

    Hmmm, but my machine is a linux machine! [...] Hmmmm, but my machine is a linux machine! [...] Fortunately I had a dual-boot, so I was able to comply.

    Yeah, weird that they might want a machine running Windows XP to be updated. You might have Linux on the machine, but you also had Windows XP, and it sounds like it was missing security patches.

    And, for the record, my assigned work had no specific XP requirement, and my responsibilities were heavily around Unix.

    And you apparently had a machine with Windows XP missing some (possibly significant) security patches sitting on their network.

    I fail to see how this was stupid of the network admins. Draconian maybe, but it got you to apply the security patches.

  6. Re:one time, for security's sake by Vellmont · · Score: 3, Insightful

    He said his responsibilities were heavily around Unix. I kinda doubt he's some low level secretary that wants to install linux for fun. Why not give him the benefit of the doubt and assume he's not in the wrong here?

    I'm guessing the problem is one of compartmentalization. The IT department doesn't talk to the production department, and so doesn't know there are some people that are running Linux and not XP. The standard drone-like response of "We're sorry, but until your machine accepts the updates we can't re-enable the port." really sounds to me like extreme compartmentalization.

    --
    AccountKiller
  7. Try a University by froschmann · · Score: 3, Insightful

    Heh, my Christian university is a lot worse than that. We have mandatory antivirus (which seems to run scans at the most inconvenient times. Cancel them and you get kicked off the network.) We also have to run all traffic through an HTTP proxy, because they block all outgoing port 80 traffic. The HTTP proxy logs all traffic, which is then sent to our deans and hall directors, as well as kept on record forever. In addition, it blocks such disgusting websites as Ebaumsworld and hackaday (hacking is illegal, kids). It can be loads of fun trying to get programs without proxy support to work. We also get AIM file transfer (for my non-geek friends from home) disabled, along with bittorrent and pretty much every non-HTTP protocol. They even have a packet shaper which detects traffic on the wrong ports and blocks it, so forget about using a proxy. Internet access at school can be much worse than at a workplace... Thank the gods for PGP and dial-up!

  8. They were right. by lheal · · Score: 4, Insightful

    You should have simply rebooted to the XP side and run the updates. If you want the luxury of a dual-boot system, you should be willing to maintain both halves.

    My policy for dual-boot machines is this: No. You can have two machines. I'll get you two monitors you can use dual-head on each machine, a KVM, your own switch, and I'll even clean the goo off your keyboard. But I won't manage a dual boot machine, and I don't want them on my network.

    Why?

    • One side is always down, meaning network monitors need special work
    • Either both sides share one IP address, or each gets its own. Either figure out which one is running, or figure out which address to use.
    • It requires physical intervention (or extraordinary hacks) to reboot remotely to the other OS
    • I can't just wax the whole thing if something goes wrong
    • Rebooting implies root access for whoever is around
    • In short, they're a PITA
    --
    Raise your children as if you were teaching them to raise your grandchildren, because you are.
  9. Unplug, people. by ubiquitin · · Score: 3, Insightful

    Security has very little to do with updating your virus definitions hourly, and everything to do with knowing when to just unplug the box and find another way to get the job done. What's your risk model? Point granted: the network is a demanding mistress. But fortunately, everyday risk is often handled best by the simplest of means. Stop instant messaging the person one cubicle over, and get to know your local coffeeshop owner. Or neighborhood banker.

    --
    http://tinyurl.com/4ny52
  10. Why it's stupid by Gorimek · · Score: 4, Insightful

    The stupid part of the story (as told by the poster) is that these IT "professionals" didn't seem to understand that Linux is incompatible with XP.

    Why are people who don't comprehend - or can't communicate - this employed in an IT organization??

    Had they just explained things the way you explain them in your post, there would be no problem.

  11. Re:Management? by rblancarte · · Score: 3, Insightful
    I very much agree with what you are saying here. I mean, what I see in the message posted is some poor IT policies. Just picking it apart (just like you did):

    Looking back at my company, 10 years ago, our machines were connected directly to the Internet, no proxy, no firewall, no antivirus software.

    I am pretty sure that most people agree, this is not acceptable, and 10 years ago, this would also be considered dangerous.

    Today, my company's proxy server blocks access to: 'bad' web sites (such as Google Groups)

    First off, blocking objectionable sites is a good thing. There are a number of things in a work environment that are unacceptable. Sure, some good sites will be blocked as well, but the IT department should have a policy such that you can ask for sites to be allowed if they are being blocked and really shouldn't be. Considering the information on Google Groups, I think that you are looking at a site that really should be allowed.

    our 'antivirus' software prevents our machines (even machines that host production applications) from carrying out legitimate functions, such as the sending of email via SMTP

    Time to get new anti-virus software. Good AV software will let you scan messages in- and outbound via POP, IMAP and SMTP.

    individual employees are forced to apply security patches with little or no notice, under threat of their machines loosing network access, if they do not comply by the deadline

    Very poor policy. This should be handled by professional IT workers. Not because the end user doesn't know what is going on (they might), but something could go wrong, and someone better equipped to handle those issues should be on hand for them. Like the parent said, at this point, you could even have these patches be automated.

    The main message asked about other companies, so ... I used to be an IT worker for an international law firm (before returning to school). Everything that was just described would never have happened at that place. The IT staff handled all computer issues, with most of the security being done in a way that was transparent to the end users. AV software - they didn't notice it, and it auto-updated itself. Firewall - blocked objectionable sites, but there was a policy to allow them, because sometimes it was necessary to view them (sometimes you have to serve legal documents to the porn companies). And patches were handled by the IT staff, usually in off hours.
    To me, you have an IT staff for a reason: they are there to handle computer issues. They should not be some draconian department that wields its power as if it is doing you a favor. They are there to handle your computer problems. They should also take some of the responsibility for that as well, which includes handling most of the issues that you listed.

    RonB
    --
    It is human nature to take shortcuts in thinking.
  12. Shades of stupidity by Savage-Rabbit · · Score: 3, Insightful

    Yeah, weird that they might want a machine running Windows XP to be updated. You might have Linux on the machine, but you also had Windows XP, and it sounds like it was missing security patches.

    The fact that he hadn't noticed the login scripts for over a week indicates to me that he didn't use his XP installation at work a lot, and even then, how can you assert it wasn't patched? He may even have had to wait until a patch became available to qualify for a connection because his XP installation was already fully patched! Offhand, I am guessing this guy probably got issued a laptop from his employer and installed Linux on it for day-to-day home as well as work use, dual booted with XP mostly for gaming and perhaps for that once-in-a-blue-moon occasion that he couldn't get something done at work with Wine+[Random M$ application].

    I fail to see how this was stupid of the network admins. Draconian maybe, but it got you to apply the security patches.

    It is stupid because they could have exempted him from their Windows-specific policy quite easily. It is stupid because they may even have given him a hard time because they didn't even know how to exempt a non-Windows box from their MS-specific setup. All it would have taken was to send somebody upstairs to check out his setup for security and, if it was OK, adapt the policy. If you are an IT tech that works a lot around engineers, non-MS admins or programmers, you are going to have to get used to cases like this (i.e. escaped mental patients who use Linux or OS X in a corporate environment), and unless you find out how to cater to people running non-MS operating systems you will quickly find out that you haven't got any friends willing to do you a favor when you really need it (i.e. when you have screwed up and need a quick fix from the local nerds).

    --
    Only to idiots, are orders laws.
    -- Henning von Tresckow
  13. Changing with the times by justin_w_hall · · Score: 5, Insightful

    Disclaimer: I work on the security team for a rather large (Fortune 5) corporation.

    I would say, compare the environment of the public internet to how it was ten years ago. Would you place your unpatched Windows machine directly on the public internet now? You have (roughly) ten minutes before another infected machine exploits one of the dozen out-of-the-box vulnerabilities that will allow them to run anything it wants on your PC. Not the case ten years ago.

    Unfortunately, what was once a rather quiet suburb filled with geeks posting to Usenet and using Mosaic is now a post-nuclear, disease filled demilitarized zone where so many infected systems simply sit and try to infect others that a defenseless machine (or a network of them) is doomed.

    Trying to manage security in this environment is a much more difficult job than it ever has been, and every month that goes by makes it more difficult. We shudder on the second Tuesday of every month at what new terrifying vulnerability Microsoft will tell us is in their product that's deployed on a hundred thousand machines on our network. We plead with other IT teams (networking, server admins, client admins) to implement our tools and software and protect the environment, but most of them get pushed to the back burner, either because it's "too invasive", i.e. it annoys the end user too much; or it costs too much; or they just don't have the time.

    Then MS05-039 is released. We plead and plead for the patches to be distributed right away because of how severe the threat is. But users like the submitter can't stand to have their PC rebooted unless it's the absolute perfect time. Plus, we have 1700+ applications to test compatibility with the patch on, on hundreds of different PC environments. And it requires a service pack we don't have deployed everywhere, again, because it's too invasive.

    Then Zotob.E gets into the environment, and shuts down large sites in a matter of minutes. Then people scream even louder! Where is security? Why didn't they prevent this?

    Because no one takes security seriously until it's too late.

    From a security admin's perspective, we never have enough resources or management support to fully defend against even the most prevalent threats. Because security (and, as most admins know, IT in general) is underfunded. Because of (very real) scenarios like I described above, we have much more support than we did, and things are improving.

    I guess my point is, step into our shoes for a few days. We don't enjoy being draconian - we like Google Groups as much as anyone else! But there are so many attack vectors that we have to be concerned about to protect the environment - and it only takes one. One of my co-workers is fond of the saying, "the hackers only have to be lucky once - you have to be lucky all of the time."

    I guarantee every IT admin reading this is thinking, well, if you did this instead of that, if you had two hundred guys on your security team, with all of them testing patches, while listening to every end user complaint and rectifying their situation immediately, you could stay out of the end-user's way! Trust me - we know. We wish our teams were as stacked as they should be. Heck, we wish it wasn't necessary at all to have to defend against stuff like WMF, where any end-user clicking on a link from their IM buddy could get exploited in a second... we wish it wasn't like this. We wish things could go back to how they were ten years ago. The reality is, this is the internet we built and we are fighting to protect our assets from.

    --
    "how can the same street intersect with itself? i must be at the nexus of the universe!" - cosmo kramer
  14. Re:unconvincing. by bitslinger_42 · · Score: 3, Insightful

    Insightful? You gotta be kidding!

    I have been a corporate security professional for over 10 years, and the only people that I ever get whines from like the parent are typically engineers or IT people who either believe that a) they are God's gift to computers and/or b) the rules don't apply to them. I may seem a bit pissy here, but it just burns me to read posts like this from people who clearly have never tried to think about security from the perspective of the business protecting its assets.

    Contrary to what most people seem to think, companies do not exist for the convenience of the employees. It is the other way around. Employees have jobs to do what the company tells them to. If the policies at your company don't allow for any way for you to do your job, talk to management. More than likely, either an alternative solution exists, or the business function you're trying to do hasn't come up before and security will have to figure out how to incorporate it. If the problem is that the official method of doing your job isn't as convenient, as cool, or as uber as what you'd like to do, then either get over it or get a different job. Corporate policies and standards are put in place to homogenize the environment, ease support, and maintain regulatory compliance. They are not put in place, at least in my company, to inconvenience employees. In fact, the point behind security efforts in my environment is to enable the business to do everything they need to do, but in a manner that doesn't put the company at risk. Sometimes this means that one business unit will have to accept a less-than-optimal solution because of more pressing issues at another, but we haven't yet been faced with a situation where there's been no way to safely do a valid business function.

    In large corporations, in particular, security decisions are frequently a balance between the needs of very different business units. For example, a unit that provides credit functions to customers in the US is regulated by the Gramm-Leach-Bliley Act, but a manufacturing unit in the same corporation wouldn't be normally. GLBA may apply to both, however, unless there is some system in place to prevent mistakes at the manufacturing unit from affecting the credit unit. So, while encrypted, authenticated wireless access may not be convenient for an engineer at the manufacturing unit, without internal firewalls to segment security zones, encrypted, authenticated wireless is the only option.

    Don't get me wrong, we do things I don't agree with. Proxy blocking, for example, seems pointless to me. Surfing porn from a company system is not a technical issue, it is an HR issue. Have a policy that states what is acceptable, give one warning per user, then fire their ass. Believe me, Internet usage reports get much cleaner when someone at a site has been fired recently, regardless of what the proxy is blocking.

    Oh, yeah. The so-called draconian policies we have in place have created an environment where a really, really bad virus outbreak is 2-3 machines worldwide. Before we went down this path, there were worms that affected thousands of systems all around the world. We also have a very, very low incidence of harassment issues, we have five-nines uptime on our production systems, we've never had to completely sever our Internet connections to deal with security threats, and we've managed to balance security and business function well enough that end-users rarely have to contact the help desk because a security measure is preventing them from doing their job. Things may not work this well at other companies, but whinging on /. isn't likely to change that anyway.

  15. Re:Management? by maxwell+demon · · Score: 3, Insightful

    1) A bug in one of our products affects an important customer. Engineering works feverishly to release updated firmware to fix the problem. As soon as the fix is validated, we e-mail it to the customer, but they never get the attachment. Why? IT decided to block attachments for unknown file types. The director of my division calls IT and complains. The response: "Sorry, that's our new policy." Our solution: I fly to Germany to hand deliver the updated firmware on a CD. Cost to the company: about $4000 in travel, 2 days of my time, and a customer who thinks we're crazy.

    Did the director tell the IT department about your specific file type, so they could just add that to the whitelist of allowed attachments instead of just allowing all sorts of attachments? If he did, and they refused to add that file type, it's their fault. If he didn't, then it's his fault. BTW, hand delivery is indeed crazy: if an email attachment had been enough, surely mailing them a CD-R with the patches would have done it as well, and would surely have cost you less. But even for email, there might be solutions, like uuencode (which makes the file part of the mail text instead of an attachment, and therefore might not be detected/blocked by the automatic filters).

    2) We are completing the timing analysis for a new ASIC. The simulations take about a week to complete, and if they are interrupted we have to start over. The only problem is that every time we start the tests, IT deploys a new security patch and forces a reboot of the PC before the testing can complete. This happens repeatedly and results in a 2 month delay in getting the chips made. We make up some of that lost time, but the project still slips by more than a month. As a result, we were contractually obligated to refund $200,000 of the NRE we got for doing the work since we missed our dates.

    Did you talk to the IT department about this? Would it have been an option to take the PC off the net during the testing period, and then apply all security patches in one batch before reconnecting it?

    3) We use ClearCase for source code control. Everyone in the company with a Unix account had access to the source code and could check in and check out files. Our IT department decided this was a security risk -- reasonable, I suppose. To correct the problem, without notice they disabled access for everyone. They then sent out an email saying that anyone who needed access had to fill out a form, get it signed by a manager, and fax it to their department. They were so bombarded with these requests that it took about 3 weeks to process them all and get everyone's access restored. It took them about 2 weeks to get to mine. During that time, my company paid me a fat salary to sit at my desk and learn how to work a Rubik's cube. I can now work a Rubik's cube in about 90 seconds, but this is of questionable value to my company.

    Ok, this one is clearly a stupid action from your IT department.

    4) To increase password security, our IT department implemented a new password policy. All passwords must be at least 8 characters long, contain at least one uppercase character, one lowercase character, and one number or symbol. All passwords must be changed every 30 days. When changing your password, you can't use any of the last 10 passwords you have used. Every system that requires a login must use a different password (I have a windows login, a unix login, a SAP login, and a login for an internal bug tracking tool). Ironically, all of these systems use LDAP authentication which was implemented about 2 years ago so that we could use the SAME password for all our accounts. If you enter the wrong password 5 times, your account gets locked out and you have to issue a ticket to the help desk to get your account restored. This usually takes about a day. The result of this new policy: people write their passwords on post-it notes and stick it on their monitor because they

    --
    The Tao of math: The numbers you can count are not the real numbers.
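
The uuencode point in the reply above is exactly why a gateway that only inspects declared MIME attachments gives a false sense of control. The following is an added example, not code from the thread or from any of the posters: it builds two constructed messages (one with the firmware as a real MIME attachment, one with the same bytes uuencoded into the text body), runs an extension allow-list over each, and shows that a filter which also scans text parts for `begin <mode> <name>` headers closes the gap. The allow-list, addresses and the payload bytes are assumptions for illustration.

```python
"""Mail-gateway attachment filtering: declared MIME parts vs. uuencoded bodies.

Added example, not code from the thread. The allow-list, addresses and the
firmware bytes are constructed here for illustration.
"""
import binascii
import email
import re
from email.message import EmailMessage
from email.policy import default

# Assumed corporate allow-list of attachment extensions (hypothetical).
ALLOWED_EXTENSIONS = {"pdf", "txt", "csv"}

# A uuencoded file embedded in a text body starts with "begin <mode> <name>".
UUENCODE_HEADER = re.compile(r"^begin [0-7]{3,4} (\S+)[ \t]*$", re.MULTILINE)


def uuencode(name: str, data: bytes) -> str:
    """Classic uuencode: 45 input bytes per line, terminated by '`' and 'end'."""
    lines = [f"begin 644 {name}\n"]
    for i in range(0, len(data), 45):
        lines.append(binascii.b2a_uu(data[i:i + 45]).decode("ascii"))
    lines.append("`\nend\n")
    return "".join(lines)


def build_message(attachment_name=None, uuencoded=None) -> bytes:
    """Constructed test message: optionally a real MIME attachment, optionally
    a uuencoded file pasted into the plain-text body. Returns wire bytes."""
    msg = EmailMessage()
    msg["From"] = "eng@example.com"
    msg["To"] = "customer@example.de"
    msg["Subject"] = "Updated firmware"
    body = "Please find the updated firmware attached.\n"
    if uuencoded is not None:
        name, data = uuencoded
        body += uuencode(name, data)
    msg.set_content(body)
    if attachment_name is not None:
        # Constructed payload; real firmware would be far larger.
        msg.add_attachment(b"\x7fELF" + bytes(range(64)),
                           maintype="application", subtype="octet-stream",
                           filename=attachment_name)
    return msg.as_bytes()


def _extension_allowed(name: str) -> bool:
    return name.rsplit(".", 1)[-1].lower() in ALLOWED_EXTENSIONS


def naive_filter(raw: bytes):
    """Blocks only files the sender declared as MIME attachments."""
    msg = email.message_from_bytes(raw, policy=default)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not _extension_allowed(name):
            return ("blocked", name)
    return ("allowed", None)


def hardened_filter(raw: bytes):
    """Same allow-list, but also treats a uuencoded file inside any text/plain
    part as an attachment, since uuencode makes the file part of the body."""
    verdict = naive_filter(raw)
    if verdict[0] == "blocked":
        return verdict
    msg = email.message_from_bytes(raw, policy=default)
    for part in msg.walk():
        if part.get_content_type() != "text/plain":
            continue
        for name in UUENCODE_HEADER.findall(part.get_content()):
            if not _extension_allowed(name):
                return ("blocked", name)
    return ("allowed", None)


if __name__ == "__main__":
    declared = build_message(attachment_name="fw_v2.bin")
    smuggled = build_message(uuencoded=("fw_v2.bin", b"\x7fELF" + bytes(range(64))))
    print("declared :", naive_filter(declared), hardened_filter(declared))
    print("uuencoded:", naive_filter(smuggled), hardened_filter(smuggled))
```

The lesson for the IT department in the story is the one the reply hints at: an extension allow-list on declared attachments is a usability tax that a determined sender (or a piece of malware) steps around with a text encoding, so if the control is worth having it needs to look at what is actually in the body, and the business should be given a sanctioned channel (a whitelisted type, or a file-transfer service) rather than being pushed into working around the gateway.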
  16. Re:Management? by Alioth · · Score: 4, Insightful

    Someone needs to get hold of your IT department and tell them they don't work in a vacuum. It *is* possible to design a good security, update, patch etc. policy - but it HAS to be done in conjunction with the rest of the business (and the rest of the business must at least understand a little bit about information security and the need for an orderly process). Your IT department management is incompetent by the sounds of it.

  17. Re:Management? by cowbutt · · Score: 4, Insightful

    Seconded. Good information security should ideally be transparent, and with a bit of work on the part of the people implementing it, often can be. Sometimes, it's even possible for the good security to facilitate working practices that wouldn't have previously been considered possible.

  18. Re:Management? by dclydew · · Score: 4, Insightful

    In your first two examples, I think that the security team was being entirely reasonable. Files should not be transmitted via email; tools like FTP/SFTP appear much more suited for such work. Using the right tools often improves security. In the second instance, taking the system off the network while building should fix the problem. I wouldn't be surprised if the third example had to do with SOX, since we had to do something similar here. All systems had to have a managed trail that could tell us which employees had access, when they accessed and what they accessed. On a number of older systems, we found lots of generic IDs that were being used by multiple employees. We didn't have the luxury of slowly fixing this issue. We were told by the auditors that it HAD to HAPPEN IMMEDIATELY, or we would fail compliance.

    The password thing sounds bad. 8 characters is ok (though not really much more secure these days), no repeating of old passwords is ok (again not great), but 30 days is very bad. 30 days leads to two problems: 1) people write it down on sticky notes; 2) people make easy-to-remember "MyFebPwd1", "MyMarchPwd1", etc.

    It sounds like the person who made your password policy could do with a dose of accurate information about the usability of passwords. However, the other stuff seems reasonable to me.

    --
    Get a life, not a lifestyle. - Hikem Bey
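
The composition and history rules from the policy in comment 15, and the "MyFebPwd1" / "MyMarchPwd1" rotation habit called out in the reply above, are easy to put side by side in code. The following is an added example, not code from the thread or from any poster's organisation: it enforces the stated composition rules, keeps the last 10 passwords as salted PBKDF2 digests so the history check never stores plaintext, and adds a similarity test that rejects a new password that is only a digit bump or a month-name swap away from the current one. The PBKDF2 iteration count, the edit-distance threshold and the month heuristic are assumptions for illustration.

```python
"""Password-change checks for the policy described above: composition rules,
a history of the last N passwords, and a similarity test that catches the
"MyFebPwd1" -> "MyMarchPwd1" rotation habit.

Added example, not from the thread. Hashing parameters, the edit-distance
threshold and the month heuristic are assumptions for illustration.
"""
import hashlib
import hmac
import os
import re
import string

MIN_LENGTH = 8
HISTORY_DEPTH = 10
MAX_EDIT_DISTANCE = 2          # assumed threshold for "trivially derived"
PBKDF2_ITERATIONS = 100_000    # assumed; tune for the deployment

# Full month names first so "march" is not consumed as "mar" + "ch".
_MONTHS = ("january february march april may june july august september "
           "october november december jan feb mar apr jun jul aug sep oct nov dec").split()
MONTH_RE = re.compile("|".join(_MONTHS))


def composition_ok(pw: str) -> bool:
    """Length 8+, at least one upper, one lower, one digit or symbol."""
    return (len(pw) >= MIN_LENGTH
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() or c in string.punctuation for c in pw))


def levenshtein(a: str, b: str) -> int:
    """Edit distance, standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def canonical(pw: str) -> str:
    """Lower-case, drop digits/symbols, collapse month names to one token.
    Heuristic: a word containing a month abbreviation is also collapsed."""
    letters = re.sub(r"[^a-z]", "", pw.lower())
    return MONTH_RE.sub("#", letters)


def too_similar(old: str, new: str) -> bool:
    """True if the new password is a trivial variant of the old one."""
    if canonical(old) == canonical(new):
        return True
    return (levenshtein(old.lower(), new.lower()) <= MAX_EDIT_DISTANCE
            or levenshtein(canonical(old), canonical(new)) <= MAX_EDIT_DISTANCE)


def _derive(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class PasswordHistory:
    """Keeps salted PBKDF2 digests of the last HISTORY_DEPTH passwords."""

    def __init__(self):
        self._entries = []   # list of (salt, digest), oldest first

    def add(self, pw: str) -> None:
        salt = os.urandom(16)
        self._entries.append((salt, _derive(pw, salt)))
        del self._entries[:-HISTORY_DEPTH]

    def contains(self, pw: str) -> bool:
        # Constant-time compare per entry; each entry has its own salt.
        return any(hmac.compare_digest(_derive(pw, salt), digest)
                   for salt, digest in self._entries)


def validate_change(current: str, new: str, history: PasswordHistory) -> str:
    """Return 'ok' or the reason the change is rejected."""
    if not composition_ok(new):
        return "too weak"
    if too_similar(current, new):
        return "too similar to current password"
    if history.contains(new):
        return "reused"
    return "ok"


if __name__ == "__main__":
    hist = PasswordHistory()
    for old in ("Autumn2005!", "Winter2005!"):
        hist.add(old)
    print("MyFebPwd1 -> MyMarchPwd1 similar:", too_similar("MyFebPwd1", "MyMarchPwd1"))
    for candidate in ("Winter2006!", "Autumn2005!", "glaciermoss4", "Glacier#Moss4"):
        print(candidate, "->", validate_change("Winter2005!", candidate, hist))
```

The similarity check only works at change time, when the user has just proved knowledge of the current password; old passwords in the history are digests, so they can only be matched exactly, not compared for similarity. That is also the practical argument against the 30-day rotation in the policy: a rule that can only be enforced against the single previous password pushes people toward the sequences the reply describes, and a longer rotation interval with a similarity check does more than a short one without it.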
  19. The quest for the IT downsizing? by Pac · · Score: 3, Insightful

    From your examples, it looks like your whole IT deparment is working very hard to be downsized or outsourced. From my experience, the minute a smart VP or CEO (or, a common case, an external consultant who has the VP or the CEO's ear) notices and documents the kind of impact they are having in the bottom line, lots of high and middle heads will start rolling. Having inflexible rules when your market is evolving or constantly changing (and when your market is global it is always changing and evolving) is so dumb it hurts - when have we called the high priests back to the computer room, anyway? I though we had all agreed to send them home for good by the end of the 70's.