Has Corporate Info Security Gotten Out of Hand?
KoshClassic asks: "What is the right balance between security and productivity, in the corporate IT environment? Looking back at my company, 10 years ago, our machines were connected directly to the Internet, no proxy, no firewall, no antivirus software. Today, my company's proxy server blocks access to: 'bad' web sites (such as Google Groups); our 'antivirus' software prevents our machines (even machines that host production applications) from carrying out legitimate functions, such as the sending of email via SMTP; and individual employees are forced to apply security patches with little or no notice, under threat of their machines losing network access, if they do not comply by the deadline. On one hand, you can never be too secure, however on the other hand, have we become so secure that we're stifling our own ability to get things done? What is the situation like at other companies?"
The only real problem is overzealous proxy servers, which can be tough to configure, but should have a whitelist of some sort... the rest of the problems mentioned are problems that have solutions. There are plenty of corporate-level antivirus solutions that will allow the control of virus scanning policies so that you could enable the sending of e-mail through SMTP. If it's corporate policy not to allow it, then it really isn't a computer problem, but a company policy problem. There are also plenty of options for keeping up on patches that would relieve the users of this responsibility. Even in the case of Windows, Microsoft distributes a free "private" version of Windows Update, called Windows Server Update Services that can be deployed on a network. This version allows you to choose when and how which patches are distributed; all you have to do is point your computers to the server. Assuming you are running a Windows network, the settings for the Windows Update can be deployed via Group Policy without ever having to visit a workstation. Workstations can be scheduled to update themselves without taking control away from the IT department in regards to which patches they want installed.
Most of that was assuming you are running a Windows-based network. I am not as familiar with Linux software, but I know that similar services are available for Linux as well. In my experience managing network environments, most of this has never been a major problem. It seems to me that the network environment doesn't suffer from too much security, but that the existing security needs to be better managed so that it doesn't prove detrimental to the productivity of the employees.
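An added example, not part of the comment above and not Microsoft's own tooling: a PowerShell audit of the Windows Update policy values that Group Policy writes to the registry when workstations are pointed at an internal WSUS server. The function names, the server URL `https://wsus.corp.example:8531` and the two sample policies are constructed for illustration.

```powershell
# Registry location where Group Policy stores the Windows Update client settings.
$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$WuValueNames = 'WUServer', 'WUStatusServer', 'UseWUServer',
                'NoAutoUpdate', 'AUOptions', 'ScheduledInstallDay', 'ScheduledInstallTime'

function Get-WsusClientPolicy {
    # Hypothetical helper: reads the policy values from the local registry (Windows only).
    $policy = @{}
    foreach ($path in $WuKey, "$WuKey\AU") {
        $item = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }
        foreach ($name in $WuValueNames) {
            $prop = $item.PSObject.Properties[$name]
            if ($prop) { $policy[$name] = $prop.Value }
        }
    }
    return $policy
}

function Test-WsusClientPolicy {
    # Hypothetical helper: compares a policy hashtable with what IT intended to deploy.
    param(
        [Parameter(Mandatory)] [hashtable] $Policy,
        [Parameter(Mandatory)] [string]    $ExpectedServer
    )
    $findings = @()

    # Without UseWUServer = 1 the client ignores WUServer and uses the public update service.
    if ($Policy['UseWUServer'] -ne 1) {
        $findings += 'UseWUServer is not 1: the WSUS server setting is not in effect'
    }

    foreach ($name in 'WUServer', 'WUStatusServer') {
        $value = [string]$Policy[$name]
        if (-not $value) {
            $findings += "$name is not set"
            continue
        }
        if ($value.TrimEnd('/') -ne $ExpectedServer.TrimEnd('/')) {
            $findings += "$name points at '$value', expected '$ExpectedServer'"
        }
        if ($value -match '^http://') {
            $findings += "$name uses plain HTTP instead of HTTPS"
        }
    }

    # NoAutoUpdate = 1 switches automatic updating off entirely.
    if ($Policy['NoAutoUpdate'] -eq 1) {
        $findings += 'NoAutoUpdate is 1: automatic updates are disabled'
    }
    # AUOptions = 4 means "download automatically and install on the schedule".
    elseif ($Policy['AUOptions'] -ne 4) {
        $findings += "AUOptions is '$($Policy['AUOptions'])': installation is not scheduled"
    }

    return $findings
}

# Constructed sample policies so the check can be exercised on any machine.
$expected = 'https://wsus.corp.example:8531'
$samples = [ordered]@{
    'managed workstation' = @{
        WUServer = 'https://wsus.corp.example:8531'; WUStatusServer = 'https://wsus.corp.example:8531'
        UseWUServer = 1; NoAutoUpdate = 0; AUOptions = 4
        ScheduledInstallDay = 0; ScheduledInstallTime = 3
    }
    'drifted workstation' = @{
        WUServer = 'http://wsus.corp.example:8530'; UseWUServer = 0; AUOptions = 2
    }
}

foreach ($name in $samples.Keys) {
    $findings = @(Test-WsusClientPolicy -Policy $samples[$name] -ExpectedServer $expected)
    if ($findings.Count -eq 0) {
        "${name}: OK"
    } else {
        "${name}: $($findings.Count) finding(s)"
        $findings | ForEach-Object { "  - $_" }
    }
}

# On a real Windows workstation, audit the live policy instead:
# Test-WsusClientPolicy -Policy (Get-WsusClientPolicy) -ExpectedServer $expected
```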
One time for security's sake my office ethernet port was turned off by IT. Figuring it to be some outage I called support (hah!), and they looked up my IP address and said yes the port had been turned off because my machine had refused to accept recent XP updates.
Hmmm, but my machine is a linux machine! We're sorry, but until your machine accepts the updates we can't re-enable the port. I asked why I hadn't been notified -- they said ALL XP login scripts had been posting the notice for over a week, I had been given "plenty" of warning!
Hmmmm, but my machine is a linux machine! We're sorry, but until your machine accepts the updates we can't re-enable the port.
Fortunately I had a dual-boot, so I was able to comply.
But, ironic that one of their (in my opinion) least vulnerable machines on the network was mine.
(And, for the record, my assigned work had no specific XP requirement, and my responsibilities were heavily around Unix... so I wasn't in violation of any policy (such as they existed).)
But also realize how much the worms of 2003 and 2004 cost corporations. I saw it first hand when working in a plant, and it was seriously disastrous. I can understand why they don't want that to happen again.
If surfing "bad" sites is THAT important to you, perhaps it's time to get your resume out to a company that trusts its employees more. Or quit complaining to a bunch of slashdotters and present a true solution that benefits everyone. There are ways to have both security and usability.
Berto
Everywhere I've worked seven to ten years ago (1995-1999) made IT workers who wanted Internet access sign special forms that had to be okayed by three levels of management before Internet access was granted. And once granted, it was heavily monitored.
Four to seven years ago (2000-2002) getting Infobahn access was far easier, but most companies still required that you use their proxy so that they could monitor who visited which sites and who spent more time posting to /. than checking code into CVS.
But lately, Internet is usually just taken for granted. At most you have to worry about firewalls that don't let ports other than the standard http and https ports in or out. And that is fairly easy to bypass by anyone with a home machine.
Being a member of the IT dept. at a school district, I am glad our security policies are as stringent as they are, when you have a few thousand teenagers trying to download as much spyware and pr0n as possible. Now you may say most businesses don't have teenagers as employees, but even the teachers need to be protected from themselves because they don't know any better. What I'm getting at is, if he thinks it's hard to get stuff with his security policies, wait one week without them and see what he can do.
"When they invent bitch slaps that can go through a monitor you better f'ing duck" --deft (253558)
And, why, yes I am a network administrator, thanks. I'm lucky so far -- it's a small company, people are well-behaved, and I don't have to implement the policies you describe. I set up times for patches, there's no proxy yet and not too many firewall restrictions.
But if this place gets to be big enough that I can't count on collective intelligence and/or social pressure to keep people doing the right thing, I'm going to have to seriously consider policies just like the ones you describe, in order to keep things running as they need to -- because your complaints about the network not working 'cos of the latest virus outbreak are going to be a fuck of a lot louder than your complaints about your desktop machine not being allowed to be a mail server.
Carousel is a lie!
And not just on the IT side. Arbitrary security requirements often slow progress tremendously if they don't halt it altogether. It's grown its own huge bureaucracy & career path. And heaven help you if you question anything security requires. I've literally been told that I'm "unamerican" because I questioned a particularly useless security requirement that was arbitrarily levied on us. And you wonder why I post this AC?
And the economic cost is enormous - I used to work in a major acquisition system program office (SPO). Various security costs amounted to the biggest budget line item in the program, although they were careful not to show it that way on any single chart. And that didn't account for military personnel dedicated to security, as they didn't come out of that cost. And it certainly didn't account for the huge drain on productivity it caused.
I work in a .mil environment with managed images and very good security. What I'm reading is that your company is still in the learning phase when it comes to customer service balanced with security.
We operate under a standard image architecture with updates and patches pushed out across the enterprise. Proxy servers are a necessary evil, but we are very reasonable on our block lists. (North Korean sites are discouraged along with Ebay...) This is for our unclassified network...
We learned the hard way too. Our first generation of machines were issued with padlocks on the cases and no CDROM drives...
Our IT system never compromises operations for security, and it never has to. Your IT staff may need a bit of fresh air, a few customer-centered workshops, and maybe some field trips to see how others work.
I feel your pain and wish you the best.
ay
What is the right balance between security and productivity, in the corporate IT environment?
Simple, more security. As more secure systems tend to run more reliably (less bugs) and with lower maintenance (removing root kits) than do less secure systems. Knowing most corporate environments, security tends to be lax.
Looking back at my company, 10 years ago, our machines were connected directly to the Internet, no proxy, no firewall, no antivirus software.
Yes, it was better more than ten years ago. If your computer was connected to the internet and caused someone problems you got kicked off for a week or two to think about it. Some were even blacklisted. And few if any ran Microsoft products as their gateways or terminals.
But the fact is with many hundreds of millions of Internet users today practicing self administration of an inherently insecure OS and trusting everything they click on -- without regard to others or their companies costs, security has had to evolve. And believe it or not, firewalls existed 10 years ago.
Then along comes the modern cowboy on an unmonitored cable connection hacking people for sport and profit. People hack computers just to send spam, and the system/ISP do nothing. They have long since abandoned kicking them off. The result is the problem is now rampant.
have we become so secure that we're stifling our own ability to get things done?
Not at all, I have always kept important stuff on UNIX and Linux, and professionally manage them like I do at work. They haven't been hacked or wormed. I also tend to use "safe" tools as they also fail less as well as being more secure.
But the optimum answer to be secure is to use securable tools and secure practices in what you do with your computer, something like safe sex.
general manager of a franchise location-- think 'mcdonalds' but it was not foodservice.
chain (under the guise of 'uniformity' but really as a means to screw every last blood cent out of the franchisees) made mandatory for EVERY SITE in the flock a satellite internet connection, at $150.00 per month.
prior to that, I'd been running on a consumer class verizon dsl account for 30 a month- for me only.
of course, as soon as this high speed (incredible ping) service became mandatory, the owners refused to pay for the 30$ dsl
ya know what- the franchise blocked among others, groups.google.com and refused to unblock any site on the forbidden list.
with 4k locations total, they didn't care jack about one request, and there was no way to get it reversed.
I'm the network admin for a small city government and I have to fight hand, tooth and nail to keep acceptable security practices in place. My users, and the senior management also, are constantly trying to get me to basically negate the most essential security because they'd rather have more convenience and if something goes wrong, then they don't give a rat's patootie that I'll be the one getting punished. The users keep wanting full routability from their desktop to the public Internet without any firewall in place, the senior management wants me to place a bunch of unprotected Windows servers onto the raw Internet outside the firewall, everyone complains about spam, and then when they finally get me the funding to buy a Barracuda, they have me configure it to let over half the spam blaze right thru it anyway. Oh, and when anything bad happens because I was ordered to bore a hole thru what's left of my firewall to satisfy some clerk's need for more convenience to access some ftp site or whatever, it suddenly becomes my fault for allowing our network to become vulnerable. And here's the clincher... one of our own desktop support techs got caught using one of the cops' computers to download a bunch of porn, that somehow became my fault too even though I am not permitted to have any authority over the police dept network security or access controls.
It's tough when you are forced to bear all the responsibility, yet have no effective authority in matters of network security. I say give you network admins more power and authority... after all the company network (or govt org's network) is a business tool that was put in place for the purpose of conducting valid business, not for the users entertaining themselves on the Internet.
What if you were sitting at your desk "reading" a Penthouse instead? Or looking at porn pictures on your computer that you brought in on a flash drive? Where would the company's liability end? I'd say firing an employee that generated complaints by looking at porn in the office would be adequate.
You're upset over your access to the Internet?
We have no e-mail, no web access, no ftp, nothing. We have no networking at all!
I work on a combat vessel. None of our systems are networked -- at all. The Commander won't allow it. We're defending a civilian fleet and every member of our enemy forces, literally every one, knows enough about computers that they could infect any of our systems with some of the nastiest computer viruses you've ever seen. The XO, on one occasion, allowed them to network a few computers to calculate our course so we could catch up to the rest of the fleet and it resulted in a firewall weak enough for the enemy to penetrate the system. They almost brought down all the systems on the entire vessel. At one point (the start of the recent hostilities), a number of our fighters were completely disabled and taken out by the enemy because their onboard computers were targeted, knocked offline, and the fighters left defenseless and were picked off one by one.
So if you're complaining about having to deal with web proxies and firewalls, be happy you're not serving on our ship.
really, the only people that aren't a security risk without security disabled can easily get around it, if they need (or want...) to. The average luser will cause more problems than this security will. The key to this though, is punishment of those who circumvent security. At my school, I regularly aid even teachers in getting freemail access, around the filter, etc. They trust me because they know I'm smart enough to do this, and not do anything stupid with my 'superpowers'. Most of them are well aware that the security there is bad and the IT staff unskilled (with few exceptions) enough that if I really had ill will in my heart there's not much they could do to stop or even catch me. My cousin's school used to be like this, but then a new administrator came along and changed the rules. My cousin was found using a proxy that SOMEONE ELSE had once, A YEAR AGO, used to look at ONE pr0n site and was suspended for a week (and grounded). The biggest irony is that he used the proxy to get to a site he NEEDED for his assignment. I don't hate stupid people (everyone is stupid in some ways) but everyone hates having an idiot in charge and being unable to avoid their work. With a bad restaurant, you can go elsewhere, with a bad leader, your options are limited (esp. when you don't get a say in determining the leader).
The 'Net is a waste of time, and that's exactly what's right about it. - William Gibson
(a) We actually have an area where I currently work that is explicitly setup for NSFW content... because that's actually part of their job. They have to sign a bunch of waivers, I think there's even a psych test involved, and it's in a secured area of the building with nothing facing windows or the entry doors. 'tis an odd environment to be around.
(b) Funny... A large place I worked at actually had policies against personal equipment at work, partially for situations like this.
We required that all equipment is ours... bring your own stuff in, get a warning. If it's still hooked up after a reasonable period of time (hour or so depending) you get one more chance. After that, you are taking it out, along with the rest of your stuff and your last paycheck.
Being in corporate IT security at a large corporation, I can tell you why google groups are blocked. If I am looking at porn on alt.binaries.erotica and a female co-worker walks up behind me she could sue for sexual harassment and say the company did not take adequate measures to prevent this situation.
My understanding is the hoopla about "if you don't block pornography, you're liable" is nonsense that's heavily propagated by vendors of filtering software. The case that claims about liability are based on is the '91 ruling in Robinson v. Jacksonville Shipyards, Inc. Here, the plaintiff was being directly targeted and porn was being publicly pervasively placed throughout the workplace. That's a *far* cry from someone walking in and seeing a pornographic image on someone's computer monitor. That's even *further* away from a company being liable because they actually aren't buying a product to do filtering.
My impression is that most of the people that install these packages get sold a bill of goods by the filtering people "Lawsuits! Lawsuits!" The IT people pass the possibility of a lawsuit on up, some higher-up decides that the software is cheap insurance against a lawsuit, and buys it.
Frankly, companies don't need to worry about liability from not filtering porn (IANAL and all that). They might need to worry about employees being off-task (I mean, come on -- if you're browsing porn, you are *not* doing work). However, I've been incredibly frustrated by stuff in the past (like pages containing "wine" in the URL being blocked -- when I'm trying to look up constants in WINE's header files), with information about HTTP tunneling that I needed for writing some software that had to interoperate with a firewall being blocked (as "criminal activity", impressively enough, along with anything involving a "proxy"), and so forth. Companies aren't avoiding liability at all -- they're trying to control employees, and keep them from goofing off at work. I'm not saying that there's necessarily anything wrong with that, but it's just not really a liability issue. I've seen people blow time chatting with their friends on non-work related stuff on AIM, and I can understand that there's a desire to not let the computer be an entertainment device.
However, I've got a much better solution. Have software that skims browsing history, flags anything suspicious, and allows an employee's boss to take a gander at it (if he really wants to). Oh, and *tell* the employee that you plan to do this -- the idea is to prevent abuse. I don't have a problem with my boss seeing a complete log of my at-work browsing history -- I do have a real problem with IT blocking things. I don't abuse my work connection, and it's really irritating to be treated as if I have because someone somewhere *has* done so.
Basically, I think that it's probably unreasonable to prevent the following types of Internet usage in a regular work environment, at least from a security/liability standpoint:
* Outbound TCP connections, other than maybe to port 25. The whole world is not HTTP.
* Requests to DNS servers other than the company one (why on *earth* do people do this?)
* Outbound SSH connections (a special case of the above that's particularly annoying -- sometimes I need to get at my addressbook or something else on my home computer). (There is a small potential security issue here in that someone could set up X11 port forwarding, and have a compromised outside box keylog or screenshot their workstation machine desktop) but goddamn it, the risk is awfully small and the loss of functionality enormous. This is not James Bond, and armies of ninja hackers are not out trying to take screenshots of desktops.
* Access to webpages. Good *God*. If you have to log them, fine, but for Chrissake, do not filter. It's *so* irritating.
Real security risks? Worms, dubious software that people intentionally install, people simply taking confidential (*actually* confidentially, not doc
Any program relying on (nontrivial) preemptive multithreading will be buggy.
But at school (which is as close to a "corporate" environment as I can get), it's another story. We have a (horrifically unstable, read: if you touch it in the wrong place, the hard drive disconnects) proxy server as a pr0nfilter, about three different - all ineffective - AV/AS/AA software setups. We use some stupid Novell launcher that makes it impossible to do anything productive and very difficult just to waste time (Adobe reader isn't associated with PDFs, so you can't open them... extrapolate that level of difficulty to trying to code a standards-compliant idiotproof website with php and stylesheets using notepad and you'll relive my last two months). They'll kick you off the network if you look at the IT department the wrong way.
They put the newest machines in the lab where they teach keyboarding, but leave the slowest machines I've used in the last ten years in the CAD lab. I mean, damn. I've heard the hard drives dying on those things. You think they try and make it impossible to do anything.
And where does it get us for security? Absolutely f'ing nowhere. I still get more spam at school than the rest of my half-dozen email accounts combined, have effectively zero productivity, and all my popups are instead replaced with script debugging errors. Meanwhile, files seem to disappear out of my network storage, and about eight different CrapWare! toolbars are installed on every copy of IE (no, they won't even consider letting us use firefox).
So, their fifteen steps of added security has done absolutely nothing productive. It makes the computers (most of which don't even meet the minimum requirements for XP, but that didn't stop them!) EVEN slower, makes it harder to do anything, and I still am nervous about logging in to check my email on my own webserver (as they blocked gmail with the pr0nfilter). Basically, they did all the stupid crap the government makes them do to comply with the CIPA so they can keep getting (and wasting) federal funding. I flat-out refuse to work on anything of real importance on their computers, because even if security is moderately reasonable, reliability is near-zero.
Sure, I can't look at pr0n at school (as if I'd want to, their 17" LCDs are all forced into 800x600 anyways, and have some of the worst contrast I've seen, not to mention a good portion are shattered), but I certainly can't do a project for a health class either. That's all we have to show for tons of "security" measures that all translate into ineffective anti-stupidity measures.
I remember, back in the day, the school security measures were take your floppy to the tech guy's office and have them make sure it doesn't have any viruses on it before using it. And if you wanted to open your .htm files in wordpad, you could. Nothing ever disappeared and identities weren't stolen. Heck, there wasn't even spam. I'm glad I have real computers at home...
How are sites slashdotted when nobody reads TFAs?
Maybe a good example of the corporate IT environment will be the example of my (recently) former company: a major computer manufacturer. I signed a nondisclosure agreement, so I won't give anything blatant away, but you can draw your own intelligent conclusions. I agree with most of the comments made: that company policy and actual security are two very different things. My point is, that a company that deals with computer manufacture and OEM releases of Windows should know better. All companies have small beginnings, and people talked about the good old days when I came to the team. But by the time I got there, people in product development had computers with no cd/floppy drives and locked cases so they "couldn't steal the RAM" (all pitiful 64 MB of it) and you had to save all your work on the network where everyone else could access it if they really felt like looking. My machine had an 8 GB hard drive. After my OS, normal security measures and applications, not to mention management-inspired insanities, what was I supposed to do with the remaining 1 GB of my "brand new" computer's hard drive space? To be fair, in 1997, it was running on a Win95 network, but in 2002 it was still running on the same basic infrastructure. For security reasons. Management was so terrified of theft of ideas and possible piracy (like people didn't have their own broadband at home) that security searched you and your belongings every day for discs/diskettes. No more notebooks or working at a place other than work. Not even for management. You had to check out discs and RAM for a system in the lab, which was the only place that had computers with drives outside the server room, the actual manufacturing floor, and six offices used on rotation by managers. This was primarily for demonstrations when you were teaching tech support staff about new products, services, or OS releases. 
I had to introduce serial ATA to 30 people at a time in my building, while being monitored by security and recorded, with a checked out copy of a Windows XP beta edition and one stripped-down computer case because that was all that they were willing to give me. And then came WinXP. All the systems complex-wide were falling apart, being 4-7 years old, so they upgraded every box to 128 MB RAM and 8 GB hard drives. Then they installed the OS as soon as it was released. Needless to say, systems were crashing everywhere, none of the company-wide software applications were even XP-compatible, and there was a general state of chaos. There were real security holes everywhere, but corporate HQ touted their trend-forward steps for their shareholders. For a year this particular location operated in total darkness while their crippled and vilified 10-person IT team tried to allocate resources and time to fix everything. Not only did Corporate expect IT to magically fix everything; they expected an entire manufacturing, customer service and tech support center to operate with unreliable documentation tools, poor shipping fulfillment software and customer information database vulnerabilities. Things are running more smoothly now, but this event illustrates the problems with so many companies, both tech-related and not. Most corporate-level managers still think it's 1985 and things are as simple as MSDOS 6.0. They can program in QBASIC. If they had any technical experience, it's long out of date. These are the people who set the policies that drive your IT practices, especially in larger companies. Kudos to all the businesses that still give their IT staff the power to use their own discretion, but they are becoming rarer every day. In the end it's not the intelligence of the end-user that needs to change; it's the education level and experience of the person setting technical policy that needs to change.
If this means the company's CEO spending a 2-week internship in Engineering, why not? He's still getting paid. If the VP of sales needs to understand that she can't guarantee a client that her company uses this or that security protocol, fly her down to a local sysadmin's office for a month. Corporate practices need to change before industry standards will change. Until then, we all just need to hang in there.
I'm going to attempt to answer this question. I've been in schools and government and I see the slide toward using "SECURITY" as a way of managing workers. And I think this has to stop.
I'll explain what I mean. Security, as most employers define it, is to keep the IT resources available for "Legitimate Use". Now with firewalls and proxies you can define for the employees exactly WHAT legitimate use is. Except you need another IT department to deal with monitoring blacklists, removing sites from blacklists for legitimate purposes and analysing logs - assuming you want the system to work effectively AND maintain productivity. And all this in the name of Security.
How about taking a step back and looking at the bigger picture. Here in Australia we have laws that determine what we can and can't see. Various magazines can only be sold to adults and pretty much everything comes with a classification rating. On top of that we have various other legislation that basically says "Don't discriminate" and this means no girlie posters/magazines where someone may be offended. And workplaces, abiding by that legislation, have procedures to follow in the case of a breach of one of these laws.
SO! Why block these websites? If someone detects this (either by logs OR by walking past) then there is a clear procedure to follow. Why should something being viewed on a computer screen be any different than printed. The answer is - BECAUSE SYSADMINS HAVE THE TOOLS TO STOP IT!
I disagree with using these tools because it is a "quick fix" solution for management (a handball if you will) which becomes one of the biggest headaches for the IT department. If you already have the procedures, then follow them!
I'll extend this further by taking the given example of Google Groups. For what reason is this being banned? Does it contravene any legislation? NO! Does it contravene any Human Resource policy? NO! What it does do is allow staff to spend time not doing work. Now, I seem to recall that, once upon a time, workers not doing work were sacked! If you were derelict in your duty, a reprimand was issued. After this it was "Here is the door". So follow this well established procedure. Don't force staff into a shoe box. Reward good workers with latitude and get rid of the dead wood!
So the answer to your question is - Make a clear distinction between what is necessary for security and what is purely management not wanting to manage. Security is about patching machines, antivirus and appropriate controls. Security is NOT about content management. Yes, there are some grey areas (like email and firewalls) but if you can make that distinction then lineballs become easier to deal with.
**Please note that I have a different opinion where minors are concerned.
a few windows pentium 4's can be nasty, a unix server is far worse.
While i was attending binghamton university as a freshman a SINGLE unix server got owned. it annihilated the entire dual OC3 campus network. for nearly 3 days.
Snowden and Manning are heroes.
But you know, in spite of all the above, I would say that information security is now taken more seriously than before. When we point out vulnerabilities at least now we get a little respect. Not much, but it's more than before. Now applications are supposed to be scanned before they go into production. It used to be it took almost a year to deploy a single critical patch. Now it can get done in under a week.
That is how it works at our company. The default is linux. All "regular joe's" have linux on their desktop. All servers are linux. If you begin and you don't know linux, that's your problem, learn it. But you can have windows, if you have VERY good reasons (e.g. secretaries that receive MS-office documents all the time). These windows-machines are completely locked down. You can do exactly what you wanted your windows-machine for, but nothing more. Also, these machines are reinstalled every single night (ghost) with a new image maintained by the IT-department (so daily updates).
The linux-machines are gentoo-based, and are also tuned. Nothing too much in there, but what is there simply works. These machines can also be automatically installed by just connecting them to the network and booting from a usb-stick, or remotely from a server.
Combine this with a little education of your users, a little trust, a security-model not based on the "hard shell soft inside" model, but the "insiders can also seriously mess things up" model, a decent network-infrastructure (e.g. managed switches, fast uplink) and some guys that really know how to setup and secure a server or a network, and you won't have many problems or complaints.
int main(void) {while(1) fork(); return 0;}
It's absolutely trivial to admin one more standard Windows or Linux box remotely.
It is NOT trivial to try to remotely deal with a dual-boot environment.
His list of reasons were very solid, backed by experience. Your 'rebuttal' is crap. Twice the machines is HALF the cost... because MOST of the cost of a machine is maintenance. Unless the machines are just appallingly expensive, most secondary computers would pay for themselves by about the fifth manual patch visit. All the user has to do is leave both computers on all the time. Every place I've ever worked has left ALL machines on all the time.
VMWare images are easy to deal with. They look just like the other machines on the network, although perhaps not always running. You don't have to do anything special to support them; they just work. You can think of them like laptops. It's a total non-issue.
If you supervise IT employees, I feel very bad for them. If any of those theoretical employees are reading this: get the hell out. There are sane bosses in the world.