Slashdot Mirror
Has Corporate Info Security Gotten Out of Hand?
KoshClassic asks: "What is the right balance between security and productivity, in the corporate IT environment? Looking back at my company, 10 years ago, our machines were connected directly to the Internet, no proxy, no firewall, no antivirus software. Today, my company's proxy server blocks access to: 'bad' web sites (such as Google Groups; our 'antivirus' software prevents our machines (even machines that host production applications) from carrying out legitimate functions, such as the sending of email via SMTP; and individual employees are forced to apply security patches with little or no notice, under threat of their machines loosing network access, if they do not comply by the deadline. On one hand, you can never be too secure, however on the other hand, have we become so secure that we're stifling our own ability to get things done? What is the situation like at other companies?"
Well if IT installed linux, well they should not be doing something that stupid. However if you decided to install Linux, and the IT folks maintain your computer, i would have to agree with them. Unless you work at a software company, developing apps, or a sys admin you are outta luck.
Comment removed based on user account deletion
Hmmm, but my machine is a linux machine! [...] Hmmmm, but my machine is a linux machine! [...] Fortunately I had a dual-boot, so I was able to comply.
Yeah, weird that they might want a machine running Windows XP to be updated. You might have Linux on the machine, but you also had Windows XP, and it sounds like it was missing security patches.
And, for the record, my assigned work had no specific XP requirement, and my responsibilities were heavily around Unix.
And you apparently had a machine with Windows XP missing some (possibly significant) security patches sitting on their network.
I fail to see how this was stupid of the network admins. Draconian maybe, but it got you to apply the security patches.
You should have simply rebooted to the XP side and run the updates. If you want the luxury of a dual-boot system, you should be willing to maintain both halves.
My policy for dual-boot machines is this: No. You can have two machines. I'll get you two monitors you can use dual-head on each machine, a KVM, your own switch, and I'll even clean the goo off your keyboard. But I won't manage a dual boot machine, and I don't want them on my network.
Why?
Raise your children as if you were teaching them to raise your grandchildren, because you are.
The stupid part of the story (as told by the poster) is that these IT "professionals" didn't seem to understand that Linux is incompatible with XP.
Why are people who don't comprehend - or can't communicate - this employed in an IT organization??
Had they just explained things the way you explain them in your post, there would be no problem.
Whenever I work as a sysadmin, 90% of the solutions I apply to problems come from Google Groups.
Disclaimer: I work on the security team for a rather large (Fortune 5) corporation.
I would say, compare the environment of the public internet to how it was ten years ago. Would you place your unpatched Windows machine directly on the public internet now? You have (roughly) ten minutes before another infected machine exploits one of the dozen out-of-the-box vulnerabilities that will allow them to run anything it wants on your PC. Not the case ten years ago.
Unfortunately, what was once a rather quiet suburb filled with geeks posting to Usenet and using Mosaic is now a post-nuclear, disease filled demilitarized zone where so many infected systems simply sit and try to infect others that a defenseless machine (or a network of them) is doomed.
Trying to manage security in this environment is a much more difficult job than it ever has been, and every month that goes by makes it more difficult. We shudder on the second Tuesday of every month at what new terrifying vulnerability Microsoft will tell us is in their product that's deployed on a hundred thousand machines on our network. We plead with other IT teams (networking, server admins, client admins) to implement our tools and software and protect the environment, but most of them get pushed to the back burner, either because it's "too invasive", i.e. it annoys the end user too much; or it costs too much; or they just don't have the time.
Then MS05-039 is released. We plead and plead for the patches to be distributed right away because of how severe the threat is. But users like the submitter can't stand to have their PC rebooted unless it's the absolute perfect time. Plus, we have 1700+ applications to test compatibility with the patch on, on hundreds of different PC environments. And it requires a service pack we don't have deployed everywhere, again, because it's too invasive.
Then Zotob.E gets into the environment, and shuts down large sites in a matter of minutes. Then people scream even louder! Where is security? Why didn't they prevent this?
Because no one takes security seriously until it's too late.
From a security admin's perspective, we never have enough resources or management support to fully defend against even the most prevalent threats. Because security (and, as most admins know, IT in general) is underfunded. Because of (very real) scenarios like I described above, we have much more support than we did, and things are improving.
I guess my point is, step into our shoes for a few days. We don't enjoy being draconian - we like Google Groups as much as anyone else! But there are so many attack vectors that we have to be concerned about to protect the environment - and it only takes one. One of my co-workers is fond of the saying, "the hackers only have to be lucky once - you have to be lucky all of the time."
I guarantee every IT admin reading this is thinking, well, if you did this instead of that, if you had two hundred guys on your security team, with all of them testing patches, while listening to every end user complaint and rectifying their situation immediately, you could stay out of the end-user's way! Trust me - we know. We wish our teams were as stacked as they should be. Heck, we wish it wasn't necessary at all to have to defend against stuff like WMF, where any end-user clicking on a link from their IM buddy could get exploited in a second... we wish it wasn't like this. We wish things could go back to how they were ten years ago. The reality is, this is the internet we built and we are fighting to protect our assets from.
---
"how can the same street intersect with itself? i must be at the nexus of the universe!" - cosmo kramer
Someone needs to get hold of your IT department and tell them they don't work in a vacuum. It *is* possible to design a good security, update, patch etc. policy - but it HAS to be done in conjunction with the rest of the business (and the rest of the business must at least understand a little bit about information security and the need for an orderly process). Your IT department management is incompetent by the sounds of it.
Oolite: Elite-like game. For Mac, Linux and Windows
Seconded. Good information security should ideally be transparent, and with a bit of work on the part of the people implementing it, often can be. Sometimes, it's even possible for the good security to facilitate working practices that wouldn't have previously been considered possible.
In your first two examples, I think that the security team was being entirely reasonable. Files should not be transmitted via email, tools like FTP/SFTP appear much more suited for such work. Using the right tools, often improves security. In the second instance, taking the system off of the network while building should fix the problem. I wouldn't be surprised if the third example had to do with SOX, since we had to do something similar here. All systems had to have a managed trail that could tell us which employees had access, when they accessed and what they accessed. On a number of older systems, we found lots of generic ID's that were being used by multiple employees. We didn't have the luxury of slowly fixing this issue. We were told by the auditors that it HAD to HAPPEN IMMEDIATELY, or we would fail complaince.
The password thing sounds bad. 8 characters is ok (though not really mush more secure these days), no repeating of old passwords is ok (again not great), but 30 days is very bad. 30 days to lead to two problems. 1) People write it down on sticky notes; B) People make easy to remember "MyFebPwd1" "MyMarchPwd1" etc.
It sounds like the person who made your password policy could do with a dose of accurate information about the usability of passwords. However, the other stuff seems reasonable to me.
Get a life, not a lifestyle. - Hikem Bey