Slashdot Mirror


Has Corporate Info Security Gotten Out of Hand?

KoshClassic asks: "What is the right balance between security and productivity, in the corporate IT environment? Looking back at my company, 10 years ago, our machines were connected directly to the Internet, no proxy, no firewall, no antivirus software. Today, my company's proxy server blocks access to 'bad' web sites (such as Google Groups); our 'antivirus' software prevents our machines (even machines that host production applications) from carrying out legitimate functions, such as the sending of email via SMTP; and individual employees are forced to apply security patches with little or no notice, under threat of their machines losing network access, if they do not comply by the deadline. On one hand, you can never be too secure, however on the other hand, have we become so secure that we're stifling our own ability to get things done? What is the situation like at other companies?"

74 of 466 comments

  1. Management? by Tadrith · · Score: 5, Interesting

    The only real problem is overzealous proxy servers, which can be tough to configure, but should have a whitelist of some sort... the rest of the problems mentioned are problems that have solutions. There are plenty of corporate-level antivirus solutions that will allow the control of virus scanning policies so that you could enable the sending of e-mail through SMTP. If it's corporate policy not to allow it, then it really isn't a computer problem, but a company policy problem. There are also plenty of options for keeping up on patches that would relieve the users of this responsibility. Even in the case of Windows, Microsoft distributes a free "private" version of Windows Update, called Windows Server Update Services that can be deployed on a network. This version allows you to choose when and how which patches are distributed; all you have to do is point your computers to the server. Assuming you are running a Windows network, the settings for the Windows Update can be deployed via Group Policy without ever having to visit a workstation. Workstations can be scheduled to update themselves without taking control away from the IT department in regards to which patches they want installed.

    Most of that was assuming you are running a Windows-based network. I am not as familiar with Linux software, but I know that similar services are available for Linux as well. In my experience managing network environments, most of this has never been a major problem. It seems to me that the network environment doesn't suffer from too much security, but that the existing security needs to be better managed so that it doesn't prove detrimental to the productivity of the employees.

    1. Re:Management? by 246o1 · · Score: 2, Insightful

      "There are plenty of corporate-level antivirus solutions that will allow the control of virus scanning policies so that you could enable the sending of e-mail through SMTP. If it's corporate policy not to allow it, then it really isn't a computer problem, but a company policy problem."

      Well, it seems to me that the question is really about whether corporate security policies have gotten out of hand, not about the technology itself (though a key feature of any technology, as any Mac user will be glad to lecture you about, is its usability/implementation). On this question, I can't speak much from my own personal experiences (never worked at a big corporation), but anecdotally there does seem to be a certain amount of paranoia in corporate environments beyond what is called for.

      I believe that many "security measures" are actually implemented more broadly than necessary because the side effects (lessened ability to use the internet, etc.) are mostly seen as good by the people who make decisions. In business, the further the chain of underlings between the decision-maker and the regular employee, the less likely they will just trust you (the employee) to do your job and the more likely they will impose restrictions to ensure you can't visit slashdot/fark/apple.com etc.

      "It seems to me that the network environment doesn't suffer from too much security, but that the existing security needs to be better managed so that it doesn't prove detrimental to the productivity of the employees."

      I think this is true (again, not from direct personal experience, so take this with plenty of salt), but part of it is due to a lack of understanding of network/security technology by many decision makers. If you are unsure about anything, and there's tons of money and/or your job riding on it, you err on the side of caution, regardless of inconveniences to your employees. Even in my very relaxed work environment, a great deal of our internet functionality has been taken away for little apparent reason.

      Of course, even if all the security decisions were left to the IT people (never interfered with by less expert management types), there would still be plenty of problems for any company-wide network solutions. I look forward to hearing about what people think would be ideal (this being slashdot, there will be some good, specific answers somewhere in this thread).

      --
      Although the moon is smaller than the earth, it is farther away.
    2. Re:Management? by canuck57 · · Score: 4, Informative

      The only real problem is overzealous proxy servers, ...

      Not really, often it is best to deny, evaluate and permit with business cause. Provided the response is usually positive where the business need is legitimate then there is not an issue. Any security system will need to be tuned to work correctly. And often users fall into the trap of buying products that abuse protocols to circumvent security without regard to company policy.

      The enemy within is in my experience a 50/50 split with the enemy outside. These tools are needed to prosecute criminal and negligent employee behaviors. Some examples I have frequently seen:

      • Insider trading of company secrets
      • Posting of internal information on Yahoo and other board and mails services
      • Had a manager watching video porn consuming the network bandwidth while he was bitching at I/T because the lines were slow and the clerks could not do order input.
      • Much like the last point, the clerks will call while they are all listening to the radio and complain because the servers are slow... they don't understand nor give a damn that 100 people in an office listening to radio designed for 1 cable modem drives costs up -- they don't know how dumb they come off to I/T. And their managers didn't have the spine to say no.
      • Had one more advanced user who bypassed the proxy with a VPN type software using SSL. He thought he would not be noticed so we watched his terminal. He was using file shares relayed from his home system and watching, you got it - porn.
      • Caught one person posting personal comments about the CEO on a message board.
      • Figured out which user posted the company's address book right onto a known spammer's web board as it would be "more convenient".
      • Had one user who used their internal privileges to load seti on 12 shared UNIX systems. The company thought their CPUs were slow and were preparing to buy more.
      • Had one internal developer who back doored some applications for stuff I can't say, but cost the company a million to clean up.
      • Had one case where every Windows server bar none was compromised and controlled from the outside. The real kicker is that the systems were compromised from the inside and then controlled from the outside to serve Warez. Got my first copy of W2000 before it was released!
      • Had one user who would run a "spam" program while working on his PC. He was caught because the company's domain was blacklisted.
      • and many more...

      So remember this when you bitch about security. The behavior above was detected by security tools. And this type of behavior in corporate America costs companies lots and reduces the security of your job. Security is to enable you to do your job AND is there to prevent the 1/100 bad asses from getting inside to do your company harm. And the opposite is true, to prevent the 1/100 bad asses you have hired from compromising your company.

      And if you don't think your threat exists from the inside, you're either a very small trustworthy group or you're just not looking.

    3. Re:Management? by rblancarte · · Score: 3, Insightful

      I very much agree with what you are saying here. I mean, what I see in the message posted is some poor IT policies. Just picking it apart (just like you did):

      Looking back at my company, 10 years ago, our machines were connected directly to the Internet, no proxy, no firewall, no antivirus software.

      I am pretty sure that most people agree, this is not acceptable, and 10 years ago, this would also be considered dangerous.

      Today, my company's proxy server blocks access to: 'bad' web sites (such as Google Groups)

      First off, blocking objectionable sites is a good thing. There are a number of things in a work environment that are unacceptable. Sure, some good sites will be gotten as well, but the IT department should have a policy such that you can ask for sites to be allowed if they are being blocked and really shouldn't be. Considering the information on Google Groups, I think that you are looking at a site that really should be allowed.

      our 'antivirus' software prevents our machines (even machines that host production applications) from carrying out legitimate functions, such as the sending of email via SMTP

      Time to get new anti-virus software. Good AV software will allow you to scan messages in- and out-bound via POP, IMAP and SMTP.

      individual employees are forced to apply security patches with little or no notice, under threat of their machines loosing network access, if they do not comply by the deadline

      Very poor policy. This should be handled by professional IT workers. Not because the end user doesn't know what is going on, they might, however, something could go wrong, and someone better equipped to handle those issues should be on hand for them. Like the parent said, at this point, you could even have these patches be automated.

      The main message asked about other companies, so ... I used to be an IT worker for an international law firm (before returning to school). Everything that was just described would have never happened at that place. The IT staff handled all computer issues. With most of the security being done in a way that was transparent to the end users. AV software - they didn't notice it, and it auto updated itself. Firewall - blocked objectionable sites, but there was a policy to allow them, because sometimes it was necessary to view them (sometimes you have to serve legal documents to the porn companies). And patches were handled by the IT staff, usually in off hours.

      To me, you have an IT staff for a reason, they are there to handle computer issues. They should not be there to be some draconian department that wields their power as if they are doing you a favor. They are there to handle your computer problems. They should also take some of the responsibility for that as well, which includes handling most of the issues that you listed.

      RonB
      --
      It is human nature to take shortcuts in thinking.
    4. Re:Management? by Savantissimo · · Score: 2, Funny

      Now I feel like I have to take a shower.

      --
      "Is life so dear, or peace so sweet, as to be purchased at the price of chains and slavery?" - Patrick Henry
    5. Re:Management? by bhmit1 · · Score: 3, Interesting

      If it's corporate policy not to allow it, then it really isn't a computer problem, but a company policy problem.

      Being a consultant, I've seen a wide variety of security policies from my various clients. I've had countless clients that have strict restrictions on where you can get over the network out of concern that you may transmit confidential data, but then let you walk in and out the door with a laptop as you please. That same client provided vpn access for remote support, but blocked ssh over the vpn because that would allow an ftp like (scp) access while leaving telnet open. I've been to places that refused to give me internet access even though it was the preferred way to receive support for their application and the only way to search the knowledge base. I've started on a project with a team of people, and more desktops (not even counting our own laptops) than network jacks. After waiting several weeks for a couple new jacks to be installed with three of us sharing one PC, I gave up and got a cheap network hub (this was several years ago) but was told that it wasn't allowed because they couldn't be sure it hasn't been compromised. I've been places where they wouldn't give me a badge to get in the door and no one was assigned to the front desk, so the unlucky guy sitting by the side door got used to hearing the banging and letting anyone in without any idea of who they were.

      Of course, for every bad client, there's one that lets me remotely connect to my home network, makes sure I have a badge with access to everywhere I need to be, and promptly makes a backup and changes the root password before providing me full access to the server that I need to configure. It's all a question of cost of security breach vs cost of security enforcement.

      To me, none of these things are worth being upset about. Yes, they are annoying, but it's the client's decision to make things more difficult, and therefore, more expensive. I simply do the best I can with the resources available. Of course it would be nice if the policies considered the threat instead of only the past exploits. Then they would realize that someone trying to carry a stack of files out the door is no worse than the guy that walked by with the flash drive in his pocket.

    6. Re:Management? by Anonymous Coward · · Score: 5, Interesting

      I agree that some level of security is needed to prevent threats from both inside and outside the company. However, the goals of IT and security organizations often don't seem to align with the main goal of all companies -- to make money. At the company I work for, most departments are focused on improving efficiency, improving product quality, and keeping our customers happy. All things that are necessary for a business to be successful. However, the IT organization seems to be focused only on taking every precaution to keep the network running smoothly without regard to the impact on the rest of the business. When one of IT's policies conflicts with a legitimate business need, there's nothing I can do about it. There's nothing my manager can do about it. There's nothing his manager can do about it. There's nothing the director of engineering can do about it. The only thing the VP above him can do about it is try to work out an agreement with the VP in charge of the IT management chain or complain to the CEO. So basically, when IT's policies screw us, we just have to bend over and take it. Here are a few recent examples:

      1) A bug in one of our products affects an important customer. Engineering works feverishly to release updated firmware to fix the problem. As soon as the fix is validated, we e-mail it to the customer, but they never get the attachment. Why? IT decided to block attachments for unknown file types. The director of my division calls IT and complains. The response: "Sorry, that's our new policy." Our solution: I fly to Germany to hand deliver the updated firmware on a CD. Cost to the company: about $4000 in travel, 2 days of my time, and a customer who thinks we're crazy.

      2) We are completing the timing analysis for a new ASIC. The simulations take about a week to complete, and if they are interrupted we have to start over. The only problem is that every time we start the tests, IT deploys a new security patch and forces a reboot of the PC before the testing can complete. This happens repeatedly and results in a 2 month delay in getting the chips made. We make up some of that lost time, but the project still slips by more than a month. As a result, we were contractually obligated to refund $200,000 of the NRE we got for doing the work since we missed our dates.

      3) We use ClearCase for source code control. Everyone in the company with a unix account had access to the source code and could check in and check out files. Our IT department decided this was a security risk -- reasonable, I suppose. To correct the problem, without notice they disabled access for everyone. They then sent out an email saying that anyone who needed access had to fill out a form, get it signed by a manager, and fax it to their department. They were so bombarded with these requests that it took about 3 weeks to process them all and get everyone's access restored. It took them about 2 weeks to get to mine. During that time, my company paid me a fat salary to sit at my desk and learn how to work a rubik's cube. I can now work a rubik's cube in about 90 seconds, but this is of questionable value to my company.

      4) To increase password security, our IT department implemented a new password policy. All passwords must be at least 8 characters long, contain at least one uppercase character, one lowercase character, and one number or symbol. All passwords must be changed every 30 days. When changing your password, you can't use any of the last 10 passwords you have used. Every system that requires a login must use a different password (I have a windows login, a unix login, a SAP login, and a login for an internal bug tracking tool). Ironically, all of these systems use LDAP authentication which was implemented about 2 years ago so that we could use the SAME password for all our accounts. If you enter the wrong password 5 times, your account gets locked out and you have to issue a ticket to the help desk to get your account restored. This usually takes about a day. The result of

    7. Re:Management? by rmm4pi8 · · Score: 2, Insightful

      1) Ever heard of a file server?

      2) Take the box off the net while it's doing the sim. Thus, sim gets done, box doesn't get owned, net stays secure.

      3/4) These aren't evidence that your IT department values security over ease-of-use, but rather that they're totally incompetent, utterly crazy, or both.

      --
      U.S. War Crimes blog. Email for free Mandriva support.
    8. Re:Management? by maxwell+demon · · Score: 3, Insightful

      1) A bug in one of our products affects an important customer. Engineering works feverishly to release updated firmware to fix the problem. As soon as the fix is validated, we e-mail it to the customer, but they never get the attachment. Why? IT decided to block attachments for unknown file types. The director of my division calls IT and complains. The response: "Sorry, that's our new policy." Our solution: I fly to Germany to hand deliver the updated firmware on a CD. Cost to the company: about $4000 in travel, 2 days of my time, and a customer who thinks we're crazy.

      Did the director tell the IT department about your specific file type, so they could just add that to the white list of allowed attachments instead of just allowing all sorts of attachments? If he did, and they refused to add that file type, it's their fault. If he didn't, then it's his fault. BTW, hand delivery is indeed crazy: If an email attachment had been enough, surely mailing them a CD-R with the patches would have done it as well, and would surely have cost you less. But even for email, there might be solutions, like uuencode (which makes the file part of the mail text instead of an attachment, and therefore might not be detected/blocked by the automatic filters).

      2) We are completing the timing analysis for a new ASIC. The simulations take about a week to complete, and if they are interrupted we have to start over. The only problem is that every time we start the tests, IT deploys a new security patch and forces a reboot of the PC before the testing can complete. This happens repeatedly and results in a 2 month delay in getting the chips made. We make up some of that lost time, but the project still slips by more than a month. As a result, we were contractually obligated to refund $200,000 of the NRE we got for doing the work since we missed our dates.

      Did you talk to the IT department about this? Would it have been an option to take the PC from the net during the testing period, and then apply all security patches in one bulk before reconnecting it?

      3) We use ClearCase for source code control. Everyone in the company with a unix account had access to the source code and could check in and check out files. Our IT department decided this was a security risk -- reasonable, I suppose. To correct the problem, without notice they disabled access for everyone. They then sent out an email saying that anyone who needed access had to fill out a form, get it signed by a manager, and fax it to their department. They were so bombarded with these requests that it took about 3 weeks to process them all and get everyone's access restored. It took them about 2 weeks to get to mine. During that time, my company paid me a fat salary to sit at my desk and learn how to work a rubik's cube. I can now work a rubik's cube in about 90 seconds, but this is of questionable value to my company.

      Ok, this one is clearly a stupid action from your IT department.

      4) To increase password security, our IT department implemented a new password policy. All passwords must be at least 8 characters long, contain at least one uppercase character, one lowercase character, and one number or symbol. All passwords must be changed every 30 days. When changing your password, you can't use any of the last 10 passwords you have used. Every system that requires a login must use a different password (I have a windows login, a unix login, a SAP login, and a login for an internal bug tracking tool). Ironically, all of these systems use LDAP authentication which was implemented about 2 years ago so that we could use the SAME password for all our accounts. If you enter the wrong password 5 times, your account gets locked out and you have to issue a ticket to the help desk to get your account restored. This usually takes about a day. The result of this new policy: people write their passwords on post-it notes and stick it on their monitor because they

      --
      The Tao of math: The numbers you can count are not the real numbers.
    9. Re:Management? by Alioth · · Score: 4, Insightful

      Someone needs to get hold of your IT department and tell them they don't work in a vacuum. It *is* possible to design a good security, update, patch etc. policy - but it HAS to be done in conjunction with the rest of the business (and the rest of the business must at least understand a little bit about information security and the need for an orderly process). Your IT department management is incompetent by the sounds of it.

    10. Re:Management? by cowbutt · · Score: 4, Insightful

      Seconded. Good information security should ideally be transparent, and with a bit of work on the part of the people implementing it, often can be. Sometimes, it's even possible for the good security to facilitate working practices that wouldn't have previously been considered possible.

    11. Re:Management? by dclydew · · Score: 4, Insightful

      In your first two examples, I think that the security team was being entirely reasonable. Files should not be transmitted via email; tools like FTP/SFTP appear much more suited for such work. Using the right tools often improves security. In the second instance, taking the system off of the network while building should fix the problem. I wouldn't be surprised if the third example had to do with SOX, since we had to do something similar here. All systems had to have a managed trail that could tell us which employees had access, when they accessed and what they accessed. On a number of older systems, we found lots of generic IDs that were being used by multiple employees. We didn't have the luxury of slowly fixing this issue. We were told by the auditors that it HAD to HAPPEN IMMEDIATELY, or we would fail compliance.

      The password thing sounds bad. 8 characters is ok (though not really much more secure these days), no repeating of old passwords is ok (again not great), but 30 days is very bad. 30 days leads to two problems. 1) People write it down on sticky notes; 2) People make easy to remember "MyFebPwd1" "MyMarchPwd1" etc.

      It sounds like the person who made your password policy could do with a dose of accurate information about the usability of passwords. However, the other stuff seems reasonable to me.

      --
      Get a life, not a lifestyle. - Hikem Bey
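The password policy quoted in this thread (8+ characters, mixed case, a digit or symbol, no reuse of the last 10) only compares new passwords against old ones exactly, which is why the "MyFebPwd1" to "MyMarchPwd1" workaround passes. The following is an added example, not code from any poster, of a checker that models those rules and adds a near-reuse test (canonical form plus edit distance) that catches the month/counter pattern; the history is kept in clear text here for illustration, a real store would keep salted hashes of the canonical forms.

```python
import re

HISTORY_DEPTH = 10        # the thread's "last 10 passwords" rule
MAX_EDIT_DISTANCE = 2     # how few edits still count as "the same password"

# Longer names first so "march" is not consumed as "mar" + "ch".
_MONTH_RE = re.compile(
    r"(january|february|march|april|june|july|august|september|october|"
    r"november|december|jan|feb|mar|apr|may|jun|jul|aug|sept|sep|oct|nov|dec)"
)


def meets_complexity(pw: str) -> bool:
    """The thread's stated rules: >= 8 chars, an upper, a lower, a digit or symbol."""
    return (
        len(pw) >= 8
        and any(c.isupper() for c in pw)
        and any(c.islower() for c in pw)
        and any(c.isdigit() or not c.isalnum() for c in pw)
    )


def canonical(pw: str) -> str:
    """Collapse the cheap variations users apply to satisfy rotation:
    letter case, digits/symbols used as counters, and month names."""
    s = _MONTH_RE.sub("<month>", pw.lower())
    return re.sub(r"[^a-z<>]", "", s)   # drop digits and symbols


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; passwords are short so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def exact_reuse(pw: str, history: list) -> bool:
    """What the thread's policy does: reject only a byte-for-byte repeat."""
    return pw in history[-HISTORY_DEPTH:]


def near_reuse(pw: str, history: list) -> bool:
    """Reject a password that is an old one with the month or counter bumped."""
    c = canonical(pw)
    for old in history[-HISTORY_DEPTH:]:
        if canonical(old) == c:
            return True
        if levenshtein(pw.lower(), old.lower()) <= MAX_EDIT_DISTANCE:
            return True
    return False


def check_password(pw: str, history: list, strict: bool = True) -> tuple:
    """Return (accepted, reason). strict=False reproduces the thread's policy."""
    if not meets_complexity(pw):
        return False, "complexity"
    if exact_reuse(pw, history):
        return False, "reuse"
    if strict and near_reuse(pw, history):
        return False, "near-reuse"
    return True, "ok"


if __name__ == "__main__":
    # Constructed history: the rotation pattern the thread predicts.
    past = ["MyJanPwd1", "MyFebPwd1"]
    for candidate in ("MyMarchPwd1", "MyFebPwd2", "Tr0ub4dor&3"):
        print(candidate, "lenient:", check_password(candidate, past, strict=False),
              "strict:", check_password(candidate, past))
```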
    12. Re:Management? by maxwell+demon · · Score: 2, Interesting
      Instead of whitelisting only known safe file types (which is easier for them), surely they could blacklist known dangerous file types (which is harder).

      I don't think blacklisting file types would have been the right solution. And I'm willing to bet that they didn't choose whitelisting because it's less work (whitelists have to be kept up-to-date as well), but because it's more secure.

      However, I think the correct solution would be not to just filter the attachments, but to send a confirmation mail to the sender (e.g. "Your mail contains an attachment 'firmware.bin' which is of an unknown filetype. Did you really intend to send that file?") Now, if it's a virus, then you would not have attached the file yourself, so you surely would answer "no" and the attachment can be deleted. However, if you really intended to attach that (as in the case of the firmware), then you'll answer yes. Since a virus will surely not reply to such a confirmation mail (after all, how should it know that it is one), it's safe. It even contains the CYA factor, because if you explicitly confirm a mail attachment which is/contains a virus, then it's clearly your fault, not the IT department's. Most probably this could be automated, thus also reducing the workload of the IT department.
      --
      The Tao of math: The numbers you can count are not the real numbers.
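The whitelist-plus-confirmation scheme proposed in the last two comments, as an added example that is not code from any poster: a mail gateway that lists the attachments of a message, holds any whose extension is outside an allowed set, and issues the sender a challenge carrying a per-message HMAC token, so that only a reply that echoes the right token for that message and sender releases it. The whitelist, the secret key and the sample message are constructed for the example.

```python
import email
import hashlib
import hmac
import os
import re
from email import policy
from email.message import EmailMessage

ALLOWED_EXTENSIONS = {".pdf", ".txt", ".png", ".jpg"}   # constructed whitelist
GATEWAY_SECRET = b"constructed-gateway-secret-not-for-production"
_TOKEN_RE = re.compile(r"\[#([0-9a-f]{16})\]")


def attachment_names(raw: str) -> list:
    """Walk the MIME tree and collect the filename of every attachment part."""
    msg = email.message_from_string(raw, policy=policy.default)
    return [part.get_filename() or "" for part in msg.walk()
            if part.get_content_disposition() == "attachment"]


def unknown_attachments(names: list) -> list:
    """Whitelist check: anything not in ALLOWED_EXTENSIONS is 'unknown'."""
    return [n for n in names
            if os.path.splitext(n.lower())[1] not in ALLOWED_EXTENSIONS]


def confirmation_token(message_id: str, sender: str) -> str:
    """Token bound to this exact message and sender, so a confirmation for
    one held mail cannot release a different one."""
    data = f"{message_id}|{sender}".encode()
    return hmac.new(GATEWAY_SECRET, data, hashlib.sha256).hexdigest()[:16]


def triage(raw: str) -> dict:
    """Either deliver the mail or hold it and build the challenge to the sender."""
    msg = email.message_from_string(raw, policy=policy.default)
    unknown = unknown_attachments(attachment_names(raw))
    if not unknown:
        return {"action": "deliver"}
    sender, message_id = str(msg["From"]), str(msg["Message-ID"])
    token = confirmation_token(message_id, sender)
    challenge = EmailMessage()
    challenge["To"] = sender
    challenge["Subject"] = f"Confirm attachment(s) {', '.join(unknown)} [#{token}]"
    challenge.set_content(
        "Your mail contains an attachment of an unknown file type. "
        "If you really intended to send it, reply with the subject line intact.")
    return {"action": "hold", "unknown": unknown, "sender": sender,
            "message_id": message_id, "challenge_subject": challenge["Subject"],
            "challenge": challenge.as_string()}


def release(reply_subject: str, message_id: str, sender: str) -> bool:
    """Release a held mail only if the reply carries the token for it."""
    m = _TOKEN_RE.search(reply_subject)
    if not m:
        return False
    expected = confirmation_token(message_id, sender)
    return hmac.compare_digest(m.group(1), expected)


# Constructed sample: the thread's firmware mail with a .bin attachment.
SAMPLE_MAIL = """From: eng@example.com
To: customer@example.de
Subject: Updated firmware
Message-ID: <fw-123@example.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Attached is the fix.
--b1
Content-Type: application/octet-stream; name="firmware.bin"
Content-Disposition: attachment; filename="firmware.bin"
Content-Transfer-Encoding: base64

AAEC
--b1--
"""

if __name__ == "__main__":
    result = triage(SAMPLE_MAIL)
    print(result["action"], result.get("unknown"))
    if result["action"] == "hold":
        reply = "Re: " + result["challenge_subject"]
        print("released:", release(reply, result["message_id"], result["sender"]))
```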
  2. Technology by biocute · · Score: 3, Insightful

    I think overall mankind's productivity has increased thanks to the technology. I can't say if the IT world would be more convenient if 95% of us were using Linux.

    It's like when cars were first introduced, there were no speed limits, cars were hardly locked and tyres were hardly threaded...

    As cars become more common, more people died in car accidents, so you can't drive too fast anymore, must wear seatbelts and cannot drive drunk.

    As car thefts became the norm, we must lock our cars, when that's not enough, we need to put on the steering lock, alarm, then immobiliser, and now the security datadot. However, I think overall we do benefit from the introduction of vehicles.

    1. Re:Technology by eobanb · · Score: 3, Insightful

      The issue is not with the equivalent of locking your car. The issue is draconian policies like arbitrary blocking of sites like Google Groups. Therefore, I feel that your analogy isn't right for the article in that it assumes that "well there are good and bad things about computers, but the good outweighs the bad." No one's arguing that point. Instead it's more like, "well there are good and bad security policies. At what point does it become simply stupid?"

      --
      Take off every sig. For great justice.

    2. Re:Technology by CleverFox · · Score: 5, Informative

      Being in corporate IT security at a large corporation, I can tell you why google groups are blocked. If I am looking at porn on alt.binaries.erotica and a female co-worker walks up behind me she could sue for sexual harassment and say the company did not take adequate measures to prevent this situation. Basically they fear a lawsuit.

    3. Re:Technology by Kyosuke77 · · Score: 2, Insightful

      But then the question is do they have legitimate reasons for doing things like browsing Google Groups? A friend of mine works for RBC Royal Bank as a personal banking manager. Their network is so restricted, he can't access Hotmail.

      Yet why does he need to access Hotmail from his work computer? Besides, he can just access it from his Treo, on which he has an unlimited data plan. I don't see that as onerous security, and neither does he. They're a bank for goodness sake! They have very good reasons for locking their network down tight as a drum and restricting both what goes out and comes in. Good reasons like keeping their customers' financial information safe.

      --
      GET THEM INSIDE THE VAULT!
    4. Re:Technology by pete6677 · · Score: 2, Interesting

      What if you were sitting at your desk "reading" a Penthouse instead? Or looking at porn pictures on your computer that you brought in on a flash drive? Where would the company's liability end? I'd say firing an employee that generated complaints by looking at porn in the office would be adequate.

    5. Re:Technology by Pig+Hogger · · Score: 4, Insightful

      How can blocking Google Groups be seen as draconian. They have no place in a responsible workplace. They are only filled with warez requests, AOL Me Toos, kiddie porn and hentai anyway.

      You must be one of those pointy-haired bosses to say that Google Groups ain't got no business at work.

      Whenever I work as a sysadmin, 90% of the solutions I apply to problems come from Google Groups.

    6. Re:Technology by NiceGeek · · Score: 2, Funny

      "Microsoft certification to teach you how to administer properly."
      *cough**choke*
      Man - you made Coke shoot out my nose on that one. Ever think about going into stand-up?

    7. Re:Technology by Metzli · · Score: 2, Insightful

      Exactly. I do IT security and, as a general rule, access to many sites are blocked. If someone can come up with a business justification for why they need access, then I don't have a problem with it. I've been a sysadmin where I needed to use web-based email to communicate with a vendor because the corporate mail servers often blacklisted legitimate traffic. If you need something to get your job done and are willing to explain it in a document to your boss and mine, then I'm pretty good about letting you get to what you deem critical.

      Yes, there are some IT folks who get a power trip over what they can keep people from accessing, but I would argue that most of us aren't like that. Every business has data that is considered sensitive, but some (financial, medical, legal, etc.) have data that is considerably more sensitive.

      Before saying that IT is draconian, ask yourself how secure you want the business holding your data to be. Would you feel comfortable knowing that your bank records are held at a place that doesn't do regular updates of the OSes and A/V software? Would you want your credit card info at a place that doesn't control which system can send SMTP traffic to the outside world, especially since it could be used to send your records to anywhere on the globe? Would you want your medical records held in a place that allows its normal business users to access IM servers, possibly introducing worms into the network and/or using the IM service to send out your data? Is this paranoid? Possibly. Is it a realistic view? Absolutely.

      The OP talked about the way things were years ago. Ten years ago, it was also a wild west on the Internet. I personally had a Unix workstation hacked, as did a friend. The threats exist and they can be very serious, so IT has to take them seriously. The main problem that many IT shops have (my current one included) is that we still have problems with the delicate balance between security and usability. The users need to understand that what we do is done for the good of the company and our customers, but we need to understand that the job still has to get done.

      --
      "It's too bad stupidity isn't painful." - A. S. LaVey
    8. Re:Technology by TheSkyIsPurple · · Score: 2, Insightful

      Yeah, those are bad as well, but there is no generally accepted method of dealing with those.

      You can't just search everyone's belongings as they enter the workplace... and simply having the materials wouldn't imply that they were going to be used at the workplace... You can't reasonably put a camera in everyone's office monitoring for these sorts of activity either... It's just not a tractable problem.

      However, a webpage has been requested... it is being acted upon... and it is something that can be monitored.

      I've seen employment cases lost on much weaker issues...

    9. Re:Technology by cmacb · · Score: 2, Informative

      As far as I know Google Groups doesn't carry binaries of any kind, nor do they carry any of the groups in which you would likely find text porn. They do have technical groups back to the beginning of time though and I've used them more than once for technical research.

    10. Re:Technology by Gary+Destruction · · Score: 2, Informative
      In your case, if 90% of your solutions come from groups then you really should invest in some Cisco and Microsoft certification to teach you how to administer properly.

      MCSE = Memorized Content; Secured Exam. That's exactly what it is. Those exams don't teach you a damn thing. There are so many different situations you can run into that there's no way any exam could possibly cover them all. Did you know that some EventSystem errors in the Event Viewer can be caused by a faulty disk controller? You're not going to learn that from an exam. Microsoft doesn't even have that answer. The best answers are the ones that come from real life experience. Sites like EventID.net and Google Groups have answers that come from people who've seen the problem first hand.
  3. It's all possible... by jabella · · Score: 5, Informative

    Security, like most things, is a balancing act. Being able to manage the 'pain vs. protection' factor is the key to all of it, and unfortunately no tools seem to have the sliding adjustment with those options on it.

    Ideally security will allow everything that's vital while not stepping on any services that are required. With most companies, what is 'required' ends up being pared down as the security net gets closed down tighter.

    Nostalgia is one thing -- how many of us worked on systems that had telnet / ftp open to the outside without a firewall? I know I did back in the day. When management is behind security initiatives, being able to work on the business issues ("No, we CAN'T disable FTP!") becomes less of a problem.

    Regarding individual workstations -- putting the burden on end-users doesn't seem to be a common (thankfully) configuration in the companies I've seen. Most larger places are doing automated patch management and deployment now. I know quite a few places where every single system (desktop and production) is patched within a 15 day window. While it's not bleeding edge, this relatively fast schedule combined with the concept of 'defense in depth' goes a long way to preventing issues. I know places that haven't lost a machine to a virus in YEARS.

    Security that's preventing legitimate work from being done needs to be adjusted. All of the problems you've mentioned are fixable.

  4. one time, for security's sake by yagu · · Score: 4, Interesting

    One time for security's sake my office ethernet port was turned off by IT. Figuring it to be some outage I called support (hah!), and they looked up my IP address and said yes the port had been turned off because my machine had refused to accept recent XP updates.

    Hmmm, but my machine is a linux machine! We're sorry, but until your machine accepts the updates we can't re-enable the port. I asked why I hadn't been notified -- they said ALL XP login scripts had been posting the notice for over a week, I had been given "plenty" of warning!

    Hmmmm, but my machine is a linux machine! We're sorry, but until your machine accepts the updates we can't re-enable the port.

    Fortunately I had a dual-boot, so I was able to comply.

    But, ironic that one of their (in my opinion) least vulnerable machines on the network was mine.

    (And, for the record, my assigned work had no specific XP requirement, and my responsibilities were heavily around Unix... so I wasn't in violation of any policy (such as they existed).)

    1. Re:one time, for security's sake by badriram · · Score: 4, Insightful

      Well if IT installed linux, well they should not be doing something that stupid. However if you decided to install Linux, and the IT folks maintain your computer, I would have to agree with them. Unless you work at a software company, developing apps, or are a sys admin you are outta luck.

    2. Re:one time, for security's sake by Thuktun · · Score: 5, Insightful

      Hmmm, but my machine is a linux machine! [...] Hmmmm, but my machine is a linux machine! [...] Fortunately I had a dual-boot, so I was able to comply.

      Yeah, weird that they might want a machine running Windows XP to be updated. You might have Linux on the machine, but you also had Windows XP, and it sounds like it was missing security patches.

      And, for the record, my assigned work had no specific XP requirement, and my responsibilities were heavily around Unix.

      And you apparently had a machine with Windows XP missing some (possibly significant) security patches sitting on their network.

      I fail to see how this was stupid of the network admins. Draconian maybe, but it got you to apply the security patches.

    3. Re:one time, for security's sake by Vellmont · · Score: 3, Insightful

      He said his responsibilities were heavily around Unix. I kinda doubt he's some low level secretary that wants to install linux for fun. Why not give him the benefit of the doubt and assume he's not in the wrong here?

      I'm guessing the problem is one of compartmentalization. The IT department doesn't talk to the production department, and so doesn't know there's some people that are running linux and not XP. The standard drone-like response of "We're sorry, but until your machine accepts the updates we can't re-enable the port." really sounds to me like extreme compartmentalization.

      --
      AccountKiller
  5. Seems pretty reasonable to me... by heatdeath · · Score: 3, Insightful

    individual employees are forced to apply security patches with little or no notice, under threat of their machines loosing network access

    I don't think this is unreasonable at all. What's the downside of enforcing a little rigor in your employees, when the alternative is having your entire corporate network become a zombie farm overnight controlled by a mob boss in Russia named Vladamir?

    --
    I'm sorry. The number you have reached is imaginary. Please rotate your phone 90 degrees and try again.
  6. Speak for yourself... by MicroBerto · · Score: 4, Interesting
    What "we"?? The company I work at does none of those things, and the network runs almost perfectly. There is a balance.

    But also realize how much the worms of 2003 and 2004 cost corporations. I saw it first hand when working in a plant, and it was seriously disastrous. I can understand why they don't want that to happen again.

    If surfing "bad" sites is THAT important to you, perhaps it's time to get your resume out to a company that trusts its employees more. Or quit complaining to a bunch of slashdotters and present a true solution that benefits everyone. There are ways to have both security and usability.

    --
    Berto
  7. Sorry... by Necrotica · · Score: 4, Funny

    What is the situation like at other companies?

    I'd love to tell you but that would be a breach of security.

  8. My experience is the opposite by brokeninside · · Score: 2, Interesting

    Everywhere I've worked seven to ten years ago (1995-1999) made IT workers who wanted Internet access sign special forms that had to be okayed by three levels of management before Internet access was granted. And once granted, it was heavily monitored.

    Four to seven years ago (2000-2002) getting Infobahn access was far easier, but most companies still required that you use their proxy so that they could monitor who visited which sites and who spent more time posting to /. than checking code into CVS.

    But lately, Internet is usually just taken for granted. At most you have to worry about firewalls that don't let ports other than the standard http and https ports in or out. And that is fairly easy to bypass by anyone with a home machine.

  9. You need better sysadmins by scarpa · · Score: 2

    - Google Groups doesn't sound like a business website. That's "bad" from a management perspective.

    - SMTP blocking would not be needed if users didn't keep clicking on emails from the "FBI", "CIA", etc. Besides that, it's easy to configure an AV policy to exempt legitimate SMTP usage.

    - Updates can and should be applied automatically and without user intervention. If a reboot is required a nightly shutdown policy will suffice.

    I'd love to live in a happy land where all computers can be open and free but unfortunately malicious crackers, crappy programming and ignorant users have made that an impossibility these days.

  10. Personally by oh_the_humanity · · Score: 2, Interesting

    Being a member of the IT dept. at a school district, I am glad our security policies are as stringent as they are, when you have a few thousand teenagers trying to download as much spyware and pr0n as possible. Now you may say most businesses don't have teenagers as employees, but even the teachers need to be protected from themselves because they don't know any better. What I'm getting at is, if he thinks it's hard to get stuff done with his security policies, wait one week without them and see what he can do.

    --
    "When they invent bitch slaps that can go through a monitor you better f'ing duck" --deft (253558)
  11. Comment removed by account_deleted · · Score: 5, Insightful

    Comment removed based on user account deletion

  12. Your complaints are unconvincing. by Saint+Aardvark · · Score: 4, Interesting
    • Your company's proxy policy is a matter of policy at your company -- complain to them about it! If it's preventing you from getting work done, you should have no problem convincing them -- and if you do, light a fire under your manager; that's what managers are there for.
    • "the sending of email via SMTP" -- Maybe I'm misinterpreting this, but if you mean "our desktops and servers have to pass email to the designated relay", then I'm completely unsympathetic. If your complaint is about poor performance, complain about that -- but your desktop and your production machines are not mail servers!
    • "forced to apply security patches with little or no notice" -- I can guaran-fucking-tee you that each time that happens there is a wave of complaints to your IT department. And yet they keep doing it anyway. They're either heartless, bastard psychopaths with no concept of sympathy, or it's important to apply these patches. Human nature being what it is, I'm willing to bet they think it's important...no one lets themselves in for a shitstorm voluntarily just 'cos it's, you know, second Tuesday of the month.

    And, why, yes I am a network administrator, thanks. I'm lucky so far -- it's a small company, people are well-behaved, and I don't have to implement the policies you describe. I set up times for patches, there's no proxy yet and not too many firewall restrictions.

    But if this place gets to be big enough that I can't count on collective intelligence and/or social pressure to keep people doing the right thing, I'm going to have to seriously consider policies just like the ones you describe, in order to keep things running as they need to -- because your complaints about the network not working 'cos of the latest virus outbreak are going to be a fuck of a lot louder than your complaints about your desktop machine not being allowed to be a mail server.
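
The relay-only SMTP rule that the first reply in this thread and the second bullet above both argue for is easy to state and just as easy to audit from firewall logs. What follows is an added example, not code from this thread or from any poster: it scans constructed flow-log lines for internal hosts that open SMTP ports on external addresses instead of handing mail to the designated relay, and separates a single misconfigured sender from a host spraying mail at many servers, which is what a spam bot or worm looks like from the firewall's side. The log format, the RFC 1918 definition of "internal", the relay address 10.1.0.25, the sample lines and the bot threshold are all assumptions made for the example.

```python
"""Audit firewall flow logs for hosts that send SMTP directly to the Internet
instead of handing mail to the designated relay.

Added example, not code from the original Slashdot thread.  The log format,
the relay address, the "internal" networks and the sample lines are
constructed for illustration."""
import ipaddress
import re
from collections import defaultdict

# Assumptions (not from the page): RFC 1918 space is "inside" and one host,
# MAIL_RELAY, is the only system allowed to open SMTP sessions to the outside.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MAIL_RELAY = ipaddress.ip_address("10.1.0.25")
SMTP_PORTS = {25, 465, 587}

# Constructed log format:
#   <timestamp> <ALLOW|DENY> TCP <src>:<sport> -> <dst>:<dport>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+TCP\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$")

# Constructed sample: one workstation mailing a single outside server directly,
# the relay doing its job, a client talking to the relay, a host hammering
# four outside mail servers (blocked), inbound mail, and a non-SMTP flow.
SAMPLE_LOG = """\
2006-01-15T10:22:01 ALLOW TCP 10.1.2.34:51234 -> 203.0.113.7:25
2006-01-15T10:22:03 ALLOW TCP 10.1.0.25:44120 -> 203.0.113.7:25
2006-01-15T10:22:05 ALLOW TCP 10.1.2.34:51240 -> 10.1.0.25:25
2006-01-15T10:22:06 DENY  TCP 10.1.5.9:1045 -> 198.51.100.1:25
2006-01-15T10:22:06 DENY  TCP 10.1.5.9:1046 -> 198.51.100.2:25
2006-01-15T10:22:07 DENY  TCP 10.1.5.9:1047 -> 198.51.100.3:25
2006-01-15T10:22:07 DENY  TCP 10.1.5.9:1048 -> 198.51.100.4:25
2006-01-15T10:22:09 ALLOW TCP 203.0.113.50:3301 -> 10.1.0.25:25
2006-01-15T10:22:10 ALLOW TCP 10.1.2.34:51300 -> 203.0.113.7:443
this line is garbage and must be skipped
"""


def is_internal(addr):
    """True when addr falls inside one of the configured internal networks."""
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    """Return a dict for one log line, or None if it does not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        return {"ts": m["ts"], "action": m["action"],
                "src": ipaddress.ip_address(m["src"]),
                "dst": ipaddress.ip_address(m["dst"]),
                "sport": int(m["sport"]), "dport": int(m["dport"])}
    except ValueError:          # something like 999.1.1.1 slipped past the regex
        return None


def audit_smtp_egress(lines, relay=MAIL_RELAY):
    """Return the relay-bypass connections (allowed or merely attempted).

    A connection is a violation when an internal host other than the relay
    opens an SMTP port on an external address.  DENY lines are kept on
    purpose: a blocked attempt is still evidence of a misconfigured sender
    or of malware spamming from that host."""
    violations = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] not in SMTP_PORTS:
            continue
        if not is_internal(rec["src"]) or is_internal(rec["dst"]):
            continue            # inbound mail, or client -> relay inside the LAN
        if rec["src"] == relay:
            continue            # the relay is the one box allowed out
        violations.append(rec)
    return violations


def classify_hosts(violations, bot_threshold=3):
    """Group violations by source host and give each host a verdict.

    Many distinct external mail servers looks like a worm or spam bot; a single
    destination is more often an application that was never pointed at the
    relay.  The threshold is an illustrative choice, not a standard."""
    dests = defaultdict(set)
    blocked = defaultdict(int)
    for v in violations:
        host = str(v["src"])
        dests[host].add(str(v["dst"]))
        if v["action"] == "DENY":
            blocked[host] += 1
    report = {}
    for host, d in dests.items():
        verdict = "likely-bot" if len(d) >= bot_threshold else "misconfigured-sender"
        report[host] = {"distinct_destinations": len(d),
                        "blocked_attempts": blocked[host], "verdict": verdict}
    return report


if __name__ == "__main__":
    found = audit_smtp_egress(SAMPLE_LOG.splitlines())
    for host, info in sorted(classify_hosts(found).items()):
        print(host, info)
```

Run against the constructed sample, the script reports 10.1.2.34 as a misconfigured sender (one outside destination, nothing blocked) and 10.1.5.9 as a likely bot (four outside destinations, all blocked). The second case is the one the firewall rule already stopped; the first is the one the rule missed, so the audit is worth running even after egress filtering is in place.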

  13. Fair security poorly administered by ayelvington · · Score: 5, Interesting

    I work in a .mil environment with managed images and very good security. What I'm reading is that your company is still in the learning phase when it comes to customer service balanced with security.

    We operate under a standard image architecture with updates and patches pushed out across the enterprise. Proxy servers are a necessary evil, but we are very reasonable on our block lists. (North Korean sites are discouraged along with Ebay...) This is for our unclassified network...

    We learned the hard way too. Our first generation of machines were issued with padlocks on the cases and no CDROM drives...

    Our IT system never compromises operations for security, and it never has to. Your IT staff may need a bit of fresh air, a few customer-centered workshops, and maybe some field trips to see how others work.

    I feel your pain and wish you the best.

    ay

  14. The right balance is... by canuck57 · · Score: 3, Interesting

    What is the right balance between security and productivity, in the corporate IT environment?

    Simple, more security. As more secure systems tend to run more reliably (fewer bugs) and with lower maintenance (removing root kits) than do less secure systems. Knowing most corporate environments, security tends to be lax.

    Looking back at my company, 10 years ago, our machines were connected directly to the Internet, no proxy, no firewall, no antivirus software.

    Yes, it was better more than ten years ago. If your computer was connected to the internet and caused someone problems you got kicked off for a week or two to think about it. Some were even blacklisted. And few if any ran Microsoft products as their gateways or terminals.

    But the fact is with many hundreds of millions of Internet users today practicing self administration of an inherently insecure OS and trusting everything they click on -- without regard to others or their companies costs, security has had to evolve. And believe it or not, firewalls existed 10 years ago.

    Then along comes the modern cowboy on an unmonitored cable connection hacking people for sport and profit. People hack computers just to send spam, and the system/ISP do nothing. They have long since abandoned kicking them off. The result is the problem is now rampant.

    have we become so secure that we're stifling our own ability to get things done?

    Not at all, I have always kept important stuff on UNIX and Linux, and professionally manage them like I do at work. They haven't been hacked or wormed. I also tend to use "safe" tools as they also fail less as well as being more secure.

    But the optimum answer to be secure is to use securable tools and secure practices in what you do with your computer, something like safe sex.

  15. Try a University by froschmann · · Score: 3, Insightful

    Heh, my Christian University is a lot worse than that. We have mandatory antivirus (which seems to run scans at the most inconvenient times. Cancel them and you get kicked off the network.) We also have to run all traffic through a HTTP proxy, because they block all outgoing port 80 traffic. The HTTP proxy logs all traffic which is then sent to our deans and hall directors, as well as kept on record forever. In addition, it blocks such disgusting websites as Ebaumsworld, and hackaday (hacking is illegal, kids). It can be loads of fun trying to get programs without proxy support to work. We also get AIM file transfer (for my non-geek friends from home) disabled, along with bittorrent and pretty much every non HTTP protocol. They even have a packet shaper which detects traffic on the wrong ports and blocks it, so forget about using a proxy. Internet access at school can be much worse than at a workplace... Thank the gods for PGP and dial-up!

    1. Re:Try a University by metamatic · · Score: 2, Funny

      They're probably scared he'll learn about SCIENCE.

      --
      GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
  16. You made me laugh. by catahoula10 · · Score: 2, Insightful

    " Looking back at my company, 10 years ago, our machines were connected directly to the Internet, no proxy, no firewall, no antivirus software. Today, my company's proxy server blocks access to: 'bad' web sites (such as Google Groups; our 'antivirus' software prevents our machines (even machines that host production applications) from carrying out legitimate functions, such as the sending of email via SMTP; and individual employees are forced to apply security patches with little or no notice,"

    Of course it's out of hand. Companies, as well as individuals, pay a lot of money for computers. If we bought a car that needed patching every week to run properly it would be called a lemon. And we have lemon laws. If we bought a TV that needed to be patched every week to work properly we have a warranty to help resolve the issues with that product.

    While the computer itself works fine, it's the OS and Applications that need constant patching. When the OS makers and Application sellers are held to the same standards as other products are, then maybe you will see your cost of doing business with computers go down.

    --
    This has been another valuable and informative opinion from:
    Catahoula!
  17. They were right. by lheal · · Score: 4, Insightful

    You should have simply rebooted to the XP side and run the updates. If you want the luxury of a dual-boot system, you should be willing to maintain both halves.

    My policy for dual-boot machines is this: No. You can have two machines. I'll get you two monitors you can use dual-head on each machine, a KVM, your own switch, and I'll even clean the goo off your keyboard. But I won't manage a dual boot machine, and I don't want them on my network.

    Why?

    • One side is always down, meaning network monitors need special work
    • Either both sides share one IP address, or each gets its own. Either figure out which one is running, or figure out which address to use.
    • It requires physical intervention (or extraordinary hacks) to reboot remotely to the other OS
    • I can't just wax the whole thing if something goes wrong
    • Rebooting implies root access for whoever is around
    • In short, they're a PITA
    --
    Raise your children as if you were teaching them to raise your grandchildren, because you are.
    1. Re:They were right. by aaronl · · Score: 2, Insightful

      Your dual boot would require all sorts of special circumstance things. If you're maintaining hundreds or thousands of machines, having a few that you can't just use your tools for creates problems. Having to reboot a machine means having to log into your machine special and wait for it to come around. The more people do it, the more unreasonable it gets.

      The two machine situation is much easier to deal with. Send everything a WOL packet, wait for them to boot, do your work. Or just set policy that machines don't get turned off, if you like.

      Remember, that is *not* your computer. It's the company computer that they let you use. You play by their rules... complain, find other work, whatever, but if you want to mess around, do it at home.

      I would rather deal with VMWare than with dual-boot. I would rather still to have two machines at the desk. It is the easiest of all available options for having two OS's at one desk.

      ---

      You see, one of a two machine setup will not always be down, as you can have both on at the same time. With dual-boot, you have no choice, one *must* be down at all times.

      You get different IPs for different ethernet addresses. You have two machines with two network cards, so you have two IPs, simple as that. This is not a problem. From administrative standpoint, two IPs is easy to deal with. You just include both in your management software and away you go. One machine with two OS's doesn't work this way.

      You *would* be remotely rebooting the machine. It is absolutely asinine to think that you would go to each machine in person. It would take weeks to get a single update deployed in most corporate settings if you did that. If you have to write some silly set of scripts to do things, you now have a nonstandard setup. You can't manage that machine as a UNIX box or a Windows box; you have to make a special group for all Linux machines, BSD machines, Solaris machines, etc, and then *another* set of special groups for every combination of those.

      If the person has two machines, you have the standard Windows image and the standard Linux (or whatever) image. You drop whichever is appropriate onto the broken machine. The user should never have critical data only stored on the workstation.
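
Waking powered-off desktops before a patch run, as the comment above suggests, only needs the Wake-on-LAN magic packet: six 0xFF bytes followed by the target MAC repeated sixteen times, sent as a UDP broadcast. The following is an added example, not code from this thread: it builds the packet from any common MAC notation, optionally appends a SecureOn password, and parses a packet back to the MAC it would wake, which is handy when reviewing a capture of who is waking what. The MAC addresses, broadcast address and port are assumptions for the example. Note that plain Wake-on-LAN carries no authentication; anyone on the segment can wake any machine, so the sender should live on the management network and the capture-review helper is the only check you get.

```python
"""Build, send and decode Wake-on-LAN magic packets so that switched-off
workstations can be brought up ahead of a patch window.

Added example, not code from the original Slashdot thread.  MAC addresses,
the broadcast address and the port below are constructed for illustration."""
import re
import socket


def parse_mac(mac):
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55, 0011.2233.4455 or
    001122334455 and return the six raw bytes."""
    hexdigits = re.sub(r"[:\-.]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", hexdigits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(hexdigits)


def build_magic_packet(mac, password=b""):
    """Magic packet = synchronisation stream of six 0xFF bytes, then the
    target MAC repeated 16 times, optionally followed by a 4- or 6-byte
    SecureOn password (the only 'authentication' the protocol offers)."""
    if password and len(password) not in (4, 6):
        raise ValueError("SecureOn password must be 4 or 6 bytes")
    return b"\xff" * 6 + parse_mac(mac) * 16 + password


def extract_target_mac(packet):
    """Inverse of build_magic_packet: return the colon-form MAC the packet
    would wake, or None if it is not a well-formed magic packet.  The sync
    stream may sit anywhere in the UDP payload, so search for it rather than
    assuming offset 0."""
    sync = packet.find(b"\xff" * 6)
    if sync < 0 or len(packet) < sync + 6 + 16 * 6:
        return None
    body = packet[sync + 6:sync + 6 + 96]
    mac = body[:6]
    if body != mac * 16:
        return None
    return ":".join(f"{b:02x}" for b in mac)


def send_magic_packet(mac, broadcast="255.255.255.255", port=9, password=b""):
    """Fire the packet at the (assumed) subnet broadcast address on UDP/9.
    Not exercised by the tests; returns the number of bytes sent."""
    pkt = build_magic_packet(mac, password)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.sendto(pkt, (broadcast, port))
    return len(pkt)


if __name__ == "__main__":
    # Constructed MAC; the sender would normally loop over the inventory of
    # machines on the management VLAN and wake them before pushing patches.
    pkt = build_magic_packet("00:11:22:33:44:55")
    print(len(pkt), "bytes, wakes", extract_target_mac(pkt))
```

`extract_target_mac` is the half that matters from a security point of view: run it over the UDP/9 and UDP/7 traffic in a capture and you have a list of which hosts are being woken, and by whom, which is the only way to notice an unexpected sender on a segment where Wake-on-LAN is enabled.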

    2. Re:They were right. by starfishsystems · · Score: 2, Insightful
      My policy for dual-boot machines is this: No.

      Realistically, it seems like there are really two ways to go here. Either build an environment in which all elements can be rigorously locked down and validated, or be prepared to contain the effects of allowing people to attach foreign equipment such as laptops or other systems that they maintain to their own standards.

      Security comes down to defining the conditions of ownership and trust at each point in the computing environment. That's something agreed at the policy level, but then enforced through all the technical mechanisms we know and love.

      So you're right to talk about policy, but try to step up one level of abstraction. From a policy perspective, a dual boot system and a laptop are both examples of foreign, volatile equipment. If you forbid one, it makes no sense to allow the other. If you allow either, somebody has to fund the additional risk containment.

      --
      Parity: What to do when the weekend comes.
  18. Unplug, people. by ubiquitin · · Score: 3, Insightful

    Security has very little to do with updating your virus definitions hourly, and everything to do with knowing when to just unplug the box and find another way to get the job done. What's your risk model? Point granted: the network is a demanding mistress. But fortunately, everyday risk is often handled best by the simplest of means. Stop instant messaging the person one cubicle over, and get to know your local coffeeshop owner. Or neighborhood banker.

    --
    http://tinyurl.com/4ny52
  19. Why it's stupid by Gorimek · · Score: 4, Insightful

    The stupid part of the story (as told by the poster) is that these IT "professionals" didn't seem to understand that Linux is incompatible with XP.

    Why are people who don't comprehend - or can't communicate - this employed in an IT organization??

    Had they just explained things the way you explain them in your post, there would be no problem.

  20. Re:Security is Good on Paper by jabella · · Score: 2, Insightful

    Yes, security is most definitely being used as the stick to beat end-users down as far as 'distractions' go. I have had the fortunate experience to work for a company where the motto is:

    "It's the result that matters."

    If you spend time on slashdot or other forums during the day that's ok (and most definitely not filtered) -- but at the end of the month you have XYZ to get done. If you get it done by working nights / weekends that's your prerogative. Flexibility like this is one of the reasons why we've had zero turnover in my department in almost 5 years.

    The tighter companies restrict internet usage and employee behavior, the less personally attached to the company (and their work) the people get, at least in my experience. Companies with fanatic employees can do great things. Companies with people that feel oppressed are just places to work.

    The first problem you mentioned is what we always call 'management by magazine.' Some exec saw something on cnn / in a magazine / at his country club and wants to know why it's not being run. Thankfully most executives are averse to spending money -- and in this case it's usually a good way to end some of the ideas they bring to the table.

    Speaking of the idea of 'having something just to have it' -- I think this is a problem that's being pushed along by things like SOX / PCI / CISP / and other compliance programs. "We're required to have intrusion detection" so people get out a checkbook and make rash decisions just to put a check in a column.

  21. Except for extreme overzealousness... by kadathseeker · · Score: 2, Interesting

    really, the only people that aren't a security risk without security disabled can easily get around it, if they need (or want...) to. The average luser will cause more problems than this security will. The key to this though, is punishment of those who circumvent security. At my school, I regularly aid even teachers in getting freemail access, around the filter, etc. They trust me because they know I'm smart enough to do this, and not do anything stupid with my 'superpowers'. Most of them are well aware that the security there is bad and the IT staff unskilled (with few exceptions) enough that if I really had ill will in my heart there's not much they could do to stop or even catch me. My cousin's school used to be like this, but then a new administrator came along and changed the rules. My cousin was found using a proxy that SOMEONE ELSE had once, A YEAR AGO, used to look at ONE pr0n site and was suspended for a week (and grounded). The biggest irony is that he used the proxy to get to a site he NEEDED for his assignment. I don't hate stupid people (everyone is stupid in some ways) but everyone hates having an idiot in charge and being unable to avoid their work. With a bad restaurant, you can go elsewhere, with a bad leader, your options are limited (esp. when you don't get a say in determining the leader).

    --
    The 'Net is a waste of time, and that's exactly what's right about it. - William Gibson
  22. Re:Security is Good on Paper by Pig+Hogger · · Score: 4, Funny
    Oftentimes management will hand down edicts based on something they've heard or read or even something a customer
    ...
    They may not understand why or how the security measure is preventing legitimate work from getting done.

    That's because, in case you haven't noticed, management does not do any legitimate work.
  23. Shades of stupidity by Savage-Rabbit · · Score: 3, Insightful

    Yeah, weird that they might want a machine running Windows XP to be updated. You might have Linux on the machine, but you also had Windows XP, and it sounds like it was missing security patches.

    The fact that he hadn't noticed the loginscripts for over a week indicates to me that the didn't use his XP installation at work alot and even then how can you assert it wasn't patched? He may even have had to wait until a patch becaeme available to qualify for a connection because his XP installation was already fully patches! Off hand I am guessing this guy probably got issued a laptop from his employer and used installed Linux on it for day to day for home as well as for work use dual booted with XP for mostly for gaming and perhaps for that once-in-a-blue-moon that he couldn't get something done at work with Wine+[Random M$ application] and for Gaming.

    I fail to see how this was stupid of the network admins. Draconian maybe, but it got you to apply the security patches.

    It is stupid because they could have exempted him from their Windows specific policy quite easily. It is stupid because they may even have given him a hard time because they didn't even know how to exempt a non-Windows boxen from their MS specific setup. All it would have taken was to send somebody upstairs to check out his setup for security and if it was OK adapt the policy. If you are an IT tech that works a lot around Engineers, non-MS admins or Programmers you are going to have to get used to cases like this (ie. escaped mental patients who use Linux or OS X in a corporate environment) and unless you find out how to cater to people running non-MS Operating systems you will quickly find out that you haven't got any friends willing to do you a favor when you really need it (ie. when you have screwed up and need a quick fix from the local nerds).

    --
    Only to idiots, are orders laws.
    -- Henning von Tresckow
    1. Re:Shades of stupidity by LurkerXXX · · Score: 2, Insightful
      It is stupid because they could have exempted him from their Windows specific policy quite easily. It is stupid because they may even have given him a hard time because they didn't even know how to exempt a non-Windows boxen from their MS specific setup. All it would have taken was to send somebody upstairs to check out his setup for security and if it was OK adapt the policy.

      But it wasn't ok. He had a dual boot system, with one of the OS's way behind on patches. That's not secure. Any time he rebooted into the other OS he'd be wide open for exploits that had come out since the patch was publicised. If he was admining the box properly and maintaining ALL the software on it himself it wouldn't have been an issue.

  24. Bureaucracy at its best. by IAAP · · Score: 4, Informative
    Why are people who don't comprehend - or can't communicate - this employed in an IT organization??

    You sir, need to accept the bureaucratic nature of large organizations. There have been a few times that I've had to do some really asinine things in order to keep my job. I knew it was bullshit, my coworkers knew it was BS, and the poor SOB on the other end really knew it was BS. But, if either strayed from policy it was our asses. Why was this policy in place? Because the higher ups didn't want to take the time for all of the inevitable exceptions that occur.

    The solution? Acceptance - Zen practice. Or, start your own organization - if possible. Entrepreneurship!

    There's a reason why small companies are the ones that are creating most of the jobs. There's a reason why small companies are the innovators. There's a reason ... you get the idea.

  25. Changing with the times by justin_w_hall · · Score: 5, Insightful

    Disclaimer: I work on the security team for a rather large (Fortune 5) corporation.

    I would say, compare the environment of the public internet to how it was ten years ago. Would you place your unpatched Windows machine directly on the public internet now? You have (roughly) ten minutes before another infected machine exploits one of the dozen out-of-the-box vulnerabilities that will allow them to run anything it wants on your PC. Not the case ten years ago.

    Unfortunately, what was once a rather quiet suburb filled with geeks posting to Usenet and using Mosaic is now a post-nuclear, disease filled demilitarized zone where so many infected systems simply sit and try to infect others that a defenseless machine (or a network of them) is doomed.

    Trying to manage security in this environment is a much more difficult job than it ever has been, and every month that goes by makes it more difficult. We shudder on the second Tuesday of every month at what new terrifying vulnerability Microsoft will tell us is in their product that's deployed on a hundred thousand machines on our network. We plead with other IT teams (networking, server admins, client admins) to implement our tools and software and protect the environment, but most of them get pushed to the back burner, either because it's "too invasive", i.e. it annoys the end user too much; or it costs too much; or they just don't have the time.

    Then MS05-039 is released. We plead and plead for the patches to be distributed right away because of how severe the threat is. But users like the submitter can't stand to have their PC rebooted unless it's the absolute perfect time. Plus, we have 1700+ applications to test compatibility with the patch on, on hundreds of different PC environments. And it requires a service pack we don't have deployed everywhere, again, because it's too invasive.

    Then Zotob.E gets into the environment, and shuts down large sites in a matter of minutes. Then people scream even louder! Where is security? Why didn't they prevent this?

    Because no one takes security seriously until it's too late.

    From a security admin's perspective, we never have enough resources or management support to fully defend against even the most prevalent threats. Because security (and, as most admins know, IT in general) is underfunded. Because of (very real) scenarios like I described above, we have much more support than we did, and things are improving.

    I guess my point is, step into our shoes for a few days. We don't enjoy being draconian - we like Google Groups as much as anyone else! But there are so many attack vectors that we have to be concerned about to protect the environment - and it only takes one. One of my co-workers is fond of the saying, "the hackers only have to be lucky once - you have to be lucky all of the time."

    I guarantee every IT admin reading this is thinking, well, if you did this instead of that, if you had two hundred guys on your security team, with all of them testing patches, while listening to every end user complaint and rectifying their situation immediately, you could stay out of the end-user's way! Trust me - we know. We wish our teams were as stacked as they should be. Heck, we wish it wasn't necessary at all to have to defend against stuff like WMF, where any end-user clicking on a link from their IM buddy could get exploited in a second... we wish it wasn't like this. We wish things could go back to how they were ten years ago. The reality is, this is the internet we built and we are fighting to protect our assets from.

    --
    "how can the same street intersect with itself? i must be at the nexus of the universe!" - cosmo kramer
    1. Re:Changing with the times by Lehk228 · · Score: 2, Interesting

      A few Windows Pentium 4's can be nasty; a Unix server is far worse.

      While I was attending Binghamton University as a freshman, a SINGLE Unix server got owned. It annihilated the entire dual-OC3 campus network for nearly 3 days.

      --
      Snowden and Manning are heroes.
  26. Re:Not a problem with technology. by ZenShadow · · Score: 2, Insightful

    You seem to forget two things:

    (a) Freedom cuts both ways. People have freedom of expression, and people have the freedom of employees to prevent themselves from being exposed to porn in the workplace. If you're looking at porn at work, you're taking the latter right away from all your coworkers. Which do you take away: the right that one person enjoys, or the right that many people enjoy? Perhaps a poor explanation, but the principle is valid.

    (b) The workplace is not a free environment. You are working for someone, on THEIR property. What you do on your own time is your own business. What you do on company property is very much the company's business.

    Freedom does not mean "I can do whatever the hell I want, whenever the hell I want, wherever the hell I want," at least if it is to be applied to more than one person.

    --S

    --
    -- sigs cause cancer.
  27. Security vs. Users vs. the Big Bad World by whoppo · · Score: 3, Informative

    A decade ago it was not unusual for corporate networks to have little or no restrictions on end users. Workstations, servers and even printers had publicly routable addresses and free access to the internet as it was. Back then we had to deal with relatively few miscreants... the occasional "ping of death", "teardrop" or the dreaded "smurf" attack. Malicious activities could be deflected by a few simple firewall rules.

    Flip the calendar ahead 10 years... The internet is rife with malicious content. Organized groups of crackers, writing exploit code for every system vulnerability imaginable... Script kiddies gaining "respect" relative to the number of machines they can compromise for addition to their bot-nets... Spammers building their armies of compromised boxes to anonymously sell viagra and fake rolexes... the list goes on and on. In short, the need for network security is real and sometimes the end user is inconvenienced in the process of running a tight ship.

    In an ideal corporate world, the bad guys would stay out and the users would have everything they want. In the real world there is a balancing act that weighs a security "best effort" against business needs. It sounds to me as if the original poster's company is in the early stages of making this happen. Security measures are being taken and users are feeling the pain. The next step is for the users to identify the needs that are not being met and challenge their management and IT resources to provide for those needs while making a best effort to do so securely. This, unfortunately, often involves plenty of corporate political bullshit and associated headaches, but if you can show a LEGIT business need, it should make it through the process.

    I manage all internet connectivity and perimeter security for a very large healthcare foundation that includes several hospitals, physicians' offices and research facilities. Not a day goes by without some kind of request for additional access to some resource. Most are reasonable and can be accommodated with little or no impact on security. Some are not so reasonable and are politely rejected with a comprehensive explanation of why it's not gonna happen and, where applicable, alternative solutions are offered.

    As for the original poster's situation... should end users be applying system patches? hell no. IT folks get paid to do that. Should individual workstations be sending SMTP traffic beyond the network perimeter? hell no! IT folks should make a suitably secured SMTP gateway available. Should users be able to go anywhere on the 'net they want? hell no! The company pays for the bandwidth and owns the workstations... they can say "no" to anything they consider to be unrelated to doing business. If users need to get somewhere on the filtered list, it should be easy enough to justify it to management. Do the homework and make your case... you'll get much farther than someone that just pisses and moans about how restrictive those IT bastards are.

    Best of luck.

    --
    chown -R us /base
  28. Re:Another Stupid Kar-Komputer Komparison by Stargoat · · Score: 2, Insightful

    I work in a bank. If we fuck up IT security, someone loses a lot of money. The only place more stressful is a hospital. Someone fucks up IT security there, people die.

    IT security was a bit of a joke 7 years ago. It isn't funny any more.

    --
    Hoist Number One and Number Six.
  29. Re:Not a problem with technology. by TheSkyIsPurple · · Score: 2, Interesting

    (a) We actually have an area where I currently work that is explicitly set up for NSFW content... because that's actually part of their job. They have to sign a bunch of waivers, I think there's even a psych test involved, and it's in a secured area of the building with nothing facing windows or the entry doors. 'tis an odd environment to be around.

    (b) Funny... A large place I worked at actually had policies against personal equipment at work, partially for situations like this.

    We required that all equipment is ours... bring your own stuff in, get a warning. If it's still hooked up after a reasonable period of time (hour or so depending) you get one more chance. After that, you are taking it out, along with the rest of your stuff and your last paycheck.

  30. And you're complaining about what exactly? by ocbwilg · · Score: 2, Insightful

    Looking back at my company, 10 years ago, our machines were connected directly to the Internet, no proxy, no firewall, no antivirus software.

    Looking back 10 years ago, your biggest threat was someone bringing a virus-infected floppy disk into work and taking down one of the 20 computers in your 50-person office. But hey, if you want to connect your PC to the Internet with no proxy, no firewall, and no virus protection, then be my guest. I doubt your PC lasts 24 hours before it becomes unusable.

    Today, my company's proxy server blocks access to: 'bad' web sites (such as Google Groups;

    And also very likely thousands of hacking, piracy, virus, worm, spyware, and phishing-related sites.

    our 'antivirus' software prevents our machines (even machines that host production applications) from carrying out legitimate functions, such as the sending of email via SMTP

    If it really is a legitimate purpose, you shouldn't have any problems being granted an exception for your specific case. Everywhere I have ever worked has done so.

    and individual employees are forced to apply security patches with little or no notice, under threat of their machines loosing network access, if they do not comply by the deadline.

    Ah, now I see. Your administration is incompetent. Under no circumstances should end users be installing security patches. They should be installed by administrators (if not automatically), and there shouldn't be any concern about cutting off non-compliant PCs because there won't be any. Anything less isn't security at all.

    have we become so secure that we're stifling our own ability to get things done?

    We haven't, but it sounds like the folks running the show at your place may have. But it also sounds like they don't know what they're doing either.

  31. Porn liability by typical · · Score: 3, Interesting

    Being in corporate IT security at a large corporation, I can tell you why Google Groups is blocked. If I am looking at porn on alt.binaries.erotica and a female co-worker walks up behind me, she could sue for sexual harassment and say the company did not take adequate measures to prevent this situation.

    My understanding is the hoopla about "if you don't block pornography, you're liable" is nonsense that's heavily propagated by vendors of filtering software. The case that claims about liability are based on is the '91 ruling in Robinson v. Jacksonville Shipyards, Inc. Here, the plaintiff was being directly targeted and porn was being publicly and pervasively placed throughout the workplace. That's a *far* cry from someone walking in and seeing a pornographic image on someone's computer monitor. That's even *further* away from a company being liable because they actually aren't buying a product to do filtering.

    My impression is that most of the people that install these packages get sold a bill of goods by the filtering people "Lawsuits! Lawsuits!" The IT people pass the possibility of a lawsuit on up, some higher-up decides that the software is cheap insurance against a lawsuit, and buys it.

    Frankly, companies don't need to worry about liability from not filtering porn (IANAL and all that). They might need to worry about employees being off-task (I mean, come on -- if you're browsing porn, you are *not* doing work). However, I've been incredibly frustrated by stuff in the past (like pages containing "wine" in the URL being blocked -- when I'm trying to look up constants in WINE's header files), with information about HTTP tunneling that I needed for writing some software that had to interoperate with a firewall being blocked (as "criminal activity", impressively enough, along with anything involving a "proxy"), and so forth. Companies aren't avoiding liability at all -- they're trying to control employees, and keep them from goofing off at work. I'm not saying that there's necessarily anything wrong with that, but it's just not really a liability issue. I've seen people blow time chatting with their friends on non-work related stuff on AIM, and I can understand that there's a desire to not let the computer be an entertainment device.

    However, I've got a much better solution. Have software that skims browsing history, flags anything suspicious, and allows an employee's boss to take a gander at it (if he really wants to). Oh, and *tell* the employee that you plan to do this -- the idea is to prevent abuse. I don't have a problem with my boss seeing a complete log of my at-work browsing history -- I do have a real problem with IT blocking things. I don't abuse my work connection, and it's really irritating to be treated as if I have because someone somewhere *has* done so.

    Basically, I think that it's probably unreasonable to prevent the following types of Internet usage in a regular work environment, at least from a security/liability standpoint:

    * Outbound TCP connections, other than maybe to port 25. The whole world is not HTTP.

    * Requests to DNS servers other than the company one (why on *earth* do people do this?)

    * Outbound SSH connections (a special case of the above that's particularly annoying -- sometimes I need to get at my addressbook or something else on my home computer). (There is a small potential security issue here in that someone could set up X11 port forwarding, and have a compromised outside box keylog or screenshot their workstation machine desktop) but goddamn it, the risk is awfully small and the loss of functionality enormous. This is not James Bond, and armies of ninja hackers are not out trying to take screenshots of desktops.

    * Access to webpages. Good *God*. If you have to log them, fine, but for Chrissake, do not filter. It's *so* irritating.

    Real security risks? Worms, dubious software that people intentionally install, people simply taking confidential (*actually* confidentially, not doc

    --
    Any program relying on (nontrivial) preemptive multithreading will be buggy.
  32. Well I... by Firehed · · Score: 2, Interesting
    I have my PCs connected to the net through a router (that, of course, has a firewall built in) and that's it. No AV, no anti-crapware, no software firewall, and all of my passwords are stored in the password-remembering thing that Firefox has. And I've yet to have my PC hacked or my life heisted. None of those inexplicable slowdowns or popups that are indicative of crapware'd computers.

    But at school (which is as close to a "corporate" environment as I can get), it's another story. We have a (horrifically unstable, read: if you touch it in the wrong place, the hard drive disconnects) proxy server as a pr0nfilter, about three different - all ineffective - AV/AS/AA software setups. We use some stupid Novell launcher that makes it impossible to do anything productive and very difficult just to waste time (Adobe reader isn't associated with PDFs, so you can't open them... extrapolate that level of difficulty to trying to code a standards-compliant idiotproof website with php and stylesheets using notepad and you'll relive my last two months). They'll kick you off the network if you look at the IT department the wrong way.

    They put the newest machines in the lab where they teach keyboarding, but leave the slowest machines I've used in the last ten years in the CAD lab. I mean, damn. I've heard the hard drives dying on those things. You think they try and make it impossible to do anything.

    And where does it get us for security? Absolutely f'ing nowhere. I still get more spam at school than the rest of my half-dozen email accounts combined, have effectively zero productivity, and all my popups are instead replaced with script debugging errors. Meanwhile, files seem to disappear out of my network storage, and about eight different CrapWare! toolbars are installed on every copy of IE (no, they won't even consider letting us use firefox).

    So, their fifteen steps of added security have done absolutely nothing productive. It makes the computers (most of which don't even meet the minimum requirements for XP, but that didn't stop them!) EVEN slower, makes it harder to do anything, and I still am nervous about logging in to check my email on my own webserver (as they blocked gmail with the pr0nfilter). Basically, they did all the stupid crap the government makes them do to comply with the CIPA so they can keep getting (and wasting) federal funding. I flat-out refuse to work on anything of real importance on their computers, because even if security is moderately reasonable, reliability is near-zero.

    Sure, I can't look at pr0n at school (as if I'd want to, their 17" LCDs are all forced into 800x600 anyways, and have some of the worst contrast I've seen, not to mention a good portion are shattered), but I certainly can't do a project for a health class either. That's all we have to show for tons of "security" measures that all translate into ineffective anti-stupidity measures.

    I remember, back in the day, the school security measures were take your floppy to the tech guy's office and have them make sure it doesn't have any viruses on it before using it. And if you wanted to open your .htm files in wordpad, you could. Nothing ever disappeared and identities weren't stolen. Heck, there wasn't even spam. I'm glad I have real computers at home...

    --
    How are sites slashdotted when nobody reads TFAs?
  33. Comment removed by account_deleted · · Score: 3, Interesting

    Comment removed based on user account deletion

  34. Re:unconvincing. by bitslinger_42 · · Score: 3, Insightful

    Insightful? You gotta be kidding!

    I have been a corporate security professional for over 10 years, and the only people that I ever get whines from like the parent are typically engineers or IT people who either believe that a) they are God's gift to computers and/or b) the rules don't apply to them. I may seem a bit pissy here, but it just burns me to read posts like this from people who clearly have never tried to think about security from the perspective of the business protecting its assets.

    Contrary to what most people seem to think, companies do not exist for the convenience of the employees. It is the other way around. Employees have jobs to do what the company tells them to. If the policies at your company don't allow for any way for you to do your job, talk to management. More than likely, either an alternative solution exists, or the business function you're trying to do hasn't come up before and security will have to figure out how to incorporate it. If the problem is that the official method of doing your job isn't as convenient, as cool, or as uber as what you'd like to do, then either get over it or get a different job. Corporate policies and standards are put in place to homogenize the environment, ease support, and maintain regulatory compliance. They are not put in place, at least in my company, to inconvenience employees. In fact, the point behind security efforts in my environment is to enable the business to do everything they need to do, but in a manner that doesn't put the company at risk. Sometimes, this means that one business unit will have to accept a less-than-optimal solution because of more pressing issues at another, but we haven't been faced yet with a situation where there's been no way to safely do a valid business function.

    In large corporations, in particular, security decisions are frequently a balance between the needs of very different business units. For example, a unit that provides credit functions to customers in the US is regulated by the Gramm-Leach-Bliley Act, but a manufacturing unit in the same corporation wouldn't be normally. GLBA may apply to both, however, unless there is some system in place to prevent mistakes at the manufacturing unit from affecting the credit unit. So, while encrypted, authenticated wireless access may not be convenient for an engineer at the manufacturing unit, without internal firewalls to segment security zones, encrypted, authenticated wireless is the only option.

    Don't get me wrong, we do things I don't agree with. Proxy blocking, for example, seems pointless to me. Surfing porn from a company system is not a technical issue, it is an HR issue. Have a policy that states what is acceptable, give one warning per user, then fire their ass. Believe me, Internet usage reports get much cleaner when someone at a site has been fired recently, regardless of what the proxy is blocking.

    Oh, yeah. The so-called draconian policies we have in place have created an environment where a really, really bad virus outbreak is 2-3 machines worldwide. Before we went down this path, there were worms that affected thousands of systems all around the world. We also have a very, very low incidence of harassment issues, we have five-nines uptime on our production systems, we've never had to completely sever our Internet connections to deal with security threats, and we've managed to balance security and business function well enough that end-users rarely have to contact the help desk because a security measure is preventing them from doing their job. Things may not work this well at other companies, but whinging on /. isn't likely to change that anyway.

  35. Corporate "IT Environment:" the technical side by sabotage_assasin · · Score: 2, Interesting

    Maybe a good example of the corporate IT environment will be the example of my (recently) former company: a major computer manufacturer. I signed a nondisclosure agreement, so I won't give anything blatant away, but you can draw your own intelligent conclusions. I agree with most of the comments made: that company policy and actual security are two very different things. My point is that a company that deals with computer manufacture and OEM releases of Windows should know better.

    All companies have small beginnings, and people talked about the good old days when I came to the team. But by the time I got there, people in product development had computers with no cd/floppy drives and locked cases so they "couldn't steal the RAM" (all pitiful 64 MB of it) and you had to save all your work on the network where everyone else could access it if they really felt like looking. My machine had an 8 GB hard drive. After my OS, normal security measures and applications, not to mention management-inspired insanities, what was I supposed to do with the remaining 1 GB of my "brand new" computer's hard drive space? To be fair, in 1997, it was running on a Win95 network, but in 2002 it was still running on the same basic infrastructure. For security reasons. Management was so terrified of theft of ideas and possible piracy (like people didn't have their own broadband at home) that security searched you and your belongings every day for discs/diskettes. No more notebooks or working at a place other than work. Not even for management. You had to check out discs and RAM for a system in the lab, which was the only place that had computers with drives outside the server room, the actual manufacturing floor, and six offices used on rotation by managers. This was primarily for demonstrations when you were teaching tech support staff about new products, services, or OS releases.

    I had to introduce serial ATA to 30 people at a time in my building, while being monitored by security and recorded, with a checked out copy of a Windows XP beta edition and one stripped-down computer case because that was all that they were willing to give me. And then came WinXP. All the systems complex-wide were falling apart, being 4-7 years old, so they upgraded every box to 128 MB RAM and 8 GB hard drives. Then they installed the OS as soon as it was released. Needless to say, systems were crashing everywhere, none of the company-wide software applications were even XP-compatible, and there was a general state of chaos. There were real security holes everywhere, but corporate HQ touted their trend-forward steps for their shareholders. For a year this particular location operated in total darkness while their crippled and vilified 10-person IT team tried to allocate resources and time to fix everything. Not only did Corporate expect IT to magically fix everything; they expected an entire manufacturing, customer service and tech support center to operate with unreliable documentation tools, poor shipping fulfillment software and customer information database vulnerabilities.

    Things are running more smoothly now, but this event illustrates the problems with so many companies, both tech-related and not. Most corporate-level managers still think it's 1985 and things are as simple as MSDOS 6.0. They can program in QBASIC. If they had any technical experience, it's long out of date. These are the people who set the policies that drive your IT practices, especially in larger companies. Kudos to all the businesses that still give their IT staff the power to use their own discretion, but they are becoming rarer every day. In the end it's not the intelligence of the end-user that needs to change; it's the education level and experience of the person setting technical policy that needs to change. If this means the company's CEO spending a 2-week internship in Engineering, why not? He's still getting paid. If the VP of sales needs to understand that she can't guarantee a client that her company uses this or that security protocol, fly her down to a local sysadmin's office for a month. Corporate practices need to change before industry standards will change. Until then, we all just need to hang in there.

  36. Draw a line - and make it dark. by darrell73 · · Score: 2, Interesting

    I'm going to attempt to answer this question. I've been in schools and government and I see the slide toward using "SECURITY" as a way of managing workers. And I think this has to stop.

    I'll explain what I mean. Security, as most employers define it, is to keep the IT resources available for "Legitimate Use". Now with firewalls and proxies you can define for the employees exactly WHAT legitimate use is. Except you need another IT department to deal with monitoring blacklists, removing sites from blacklists for legitimate purposes and analysing logs - assuming you want the system to work effectively AND maintain productivity. And all this in the name of Security.

    How about taking a step back and looking at the bigger picture. Here in Australia we have laws that determine what we can and can't see. Various magazines can only be sold to adults and pretty much everything comes with a classification rating. On top of that we have various other legislation that basically says "Don't discriminate" and this means no girlie posters/magazines where someone may be offended. And workplaces, abiding by that legislation, have procedures to follow in the case of a breach of one of these laws.

    SO! Why block these websites? If someone detects this (either by logs OR by walking past) then there is a clear procedure to follow. Why should something being viewed on a computer screen be any different than printed. The answer is - BECAUSE SYSADMINS HAVE THE TOOLS TO STOP IT!

    I disagree with using these tools because it is a "quick fix" solution for management (a handball if you will) which becomes one of the biggest headaches for the IT department. If you already have the procedures, then follow them!

    I'll extend this further by taking the given example of Google Groups. For what reason is this being banned? Does it contravene any legislation? NO! Does it contravene any Human Resource policy? NO! What it does do is allow staff to spend time not doing work. Now, I seem to recall that, once upon a time, workers not doing work were sacked! If you were derelict in your duty, a reprimand was issued. After this it was "Here is the door". So follow this well established procedure. Don't force staff into a shoe box. Reward good workers with latitude and get rid of the dead wood!

    So the answer to your question is - Make a clear distinction between what is necessary for security and what is purely management not wanting to manage. Security is about patching machines, antivirus and appropriate controls. Security is NOT about content management. Yes, there are some grey areas (like email and firewalls) but if you can make that distinction then lineballs become easier to deal with.

    **Please note that I have a different opinion where minors are concerned.

  37. Re:Firefox just banned - help me! by xlv · · Score: 2, Informative
    The idea is that the IT staff would use the .msi to deploy Firefox on all workstations and thus would be responsible for pushing updates of the software the same way they're doing it for other software applications. The end user would then not have to install and manage/update anything. So it's just a matter of adding one package to the managed applications. Note: I haven't done this myself but that's the way it should work or at least one possible use of the .msi files...

  38. Either this is a troll, or you're really ignorant by Anonymous Coward · · Score: 2, Insightful

    First, I doubt any user owns any of the computers at your company. Stop thinking of the computer in your office or your backpack as YOUR computer. But don't stop there -- correct your thinking while you're at it: start thinking of that computer as a SERVICE the company provides to its employees to do what and ONLY what the company wants you to do.

    You do NOT have ANY rights regarding that computer, the software installed on it, how it runs, etc. You also should NOT be browsing the web for personal enjoyment or reading personal email.

    Face reality - you are there to do a job and any time you spend doing something else is time you are being unethical. Do you think your colleagues on the GM assembly lines have ANY sympathy for your whining? They have every minute of their working day scripted by the timing of the line, down to how long they get in the bathroom. Most IT workers in the US spend 80% of their day surfing the web or chatting online, then go home and bitch about how the IT group cut off AOL access.

    You are there to DO WHAT YOU ARE TOLD and to SERVE THE COMPANY TO EARN YOUR PAY. You are NOT there to go to websites the company doesn't ask you to visit. Do what you're told or find a better job, if you really think you can.

    I am soooo sick of whiny white-collar workers who think they really work after surfing the web all day - you'd think none of those people knows a person with a real job.

  39. You've solved your own problem... by Money+for+Nothin' · · Score: 2, Insightful

    On one hand, you can never be too secure, however on the other hand, have we become so secure that we're stifling our own ability to get things done?

    Yes, you *can* be too-secure. "Too much security" occurs when you can't get work done -- as is your case. The only *real* question facing corporate IT is "what amount of liberty is necessary to perform the duties of the employee requesting that access?" In true totalitarian style, the old computer security saying "that which is not expressly-permitted is forbidden" is the basic principle of current corporate IT security.

    We have this same problem where I work. Thank shitty MSFT security for the current mess...

    On a related, more-general note, security and liberty are *always* at odds. They logically must be: if you are restricted from performing action A, then you are not at liberty to perform action A. Simple as that.

    For a real-world example: if you are locked-out of somebody's home, then you are not free to open the door to that home. The home is secure against your entry (at least from this particular vector).

    Frankly, he who wants to be both safe and free will never have what cannot be.
  40. Re:Well, here's a war story that happened today: by Animats · · Score: 2, Informative
    That's what comes from distributing a webcast in a proprietary format with DRM. If it was a plain MPEG 4 stream, there are unprivileged programs that could play it. But players with DRM need extra privileges, so they can get their hooks deep into the system.

    You actually have to pay to watch this thing. Not only that, there's a charge for each person watching.

  41. From the Info Sec trenches by KDN · · Score: 2, Interesting

    Just thought you might like to know what it's like on the information security side of the shop. At times it feels like being on the Titanic, that no matter what you do the boat is going down. Anti-virus, for example. We have it on the sendmail servers, on the Exchange servers, on the file servers, and the desktops. Yet every day we see viruses on the internal network. I have programs that scan the firewall logs looking for worm activity. Several times a day it picks up an email worm, or an SMB-based worm, or something else. We see applications that ONLY WORK if all the security settings are turned off. We have seen one application that REQUIRES the Microsoft SQL sa password to be blank! We have seen vendors recommend turning off anti-virus "because it slows down the machine". We had to fight with Microsoft for several years because they strongly recommended AGAINST deploying anti-virus on servers. They claimed that it was unnecessary and would slow down the services too much. When we did deploy it, it cleaned out THIRTY THOUSAND VIRUSES (yes, in the daytime I work for a big company). We have seen consultant laptops trying to infect other machines on the internal network. We have had to fight tooth and nail to get sysadmins to allow us to run vulnerability scans on their systems. At least once a week we have to review an application that wants to add a firewall ruleset that turns the firewall into Swiss cheese. We see sysadmins telnetting into servers as root. We see applications with lots of access controls on the web front end. But you can access the database back end and bypass both the controls and the audit logs. Heck, the application even allowed extended stored procedures. Surprised the application owner when we could run "dir" on his database server. We have seen applications that require IE with ActiveX and all the security settings set to low or off to work.

    But you know, in spite of all the above, I would say that information security is now taken more seriously than before. When we point out vulnerabilities at least now we get a little respect. Not much, but it's more than before. Now applications are supposed to be scanned before they go into production. It used to be it took almost a year to deploy a single critical patch. Now it can get done in under a week.
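
    The comment above mentions scripts that scan firewall logs for email and SMB worms. As an added example (not KDN's program, and not code from the original thread), here is the core of such a scanner: a worm or mass-mailer is recognised by its fan-out, one source host reaching many distinct destinations on port 445 (SMB) or port 25 (SMTP), which an ordinary workstation talking to a couple of file servers never does. The log layout, the sample lines, the threshold of five distinct targets and the relay address 10.1.1.10 are all constructed assumptions for the example.

```python
"""Flag worm-like fan-out in firewall log lines (added example, not from the thread)."""
import re
from collections import defaultdict

# Constructed sample log in an assumed, generic syslog-style layout:
#   timestamp action src dst proto dport
# Real firewall formats differ; only LINE_RE needs to change for another vendor.
SAMPLE_LOG = """\
2005-03-01T09:00:01 DENY  10.1.4.22 10.1.9.1 TCP 445
2005-03-01T09:00:01 DENY  10.1.4.22 10.1.9.2 TCP 445
2005-03-01T09:00:02 DENY  10.1.4.22 10.1.9.3 TCP 445
2005-03-01T09:00:02 ALLOW 10.1.4.22 10.1.9.4 TCP 445
2005-03-01T09:00:02 DENY  10.1.4.22 10.1.9.5 TCP 445
2005-03-01T09:00:03 DENY  10.1.4.22 10.1.9.6 TCP 445
2005-03-01T09:00:03 DENY  10.1.4.22 10.1.9.1 TCP 445
2005-03-01T09:01:10 ALLOW 10.1.4.50 10.1.2.10 TCP 445
2005-03-01T09:01:12 ALLOW 10.1.4.50 10.1.2.11 TCP 445
2005-03-01T09:02:00 DENY  10.1.7.3 198.51.100.7 TCP 25
2005-03-01T09:02:00 DENY  10.1.7.3 198.51.100.8 TCP 25
2005-03-01T09:02:01 DENY  10.1.7.3 203.0.113.4 TCP 25
2005-03-01T09:02:01 DENY  10.1.7.3 203.0.113.5 TCP 25
2005-03-01T09:02:01 DENY  10.1.7.3 203.0.113.6 TCP 25
2005-03-01T09:02:05 ALLOW 10.1.1.10 198.51.100.7 TCP 25
2005-03-01T09:02:05 ALLOW 10.1.1.10 198.51.100.8 TCP 25
2005-03-01T09:02:06 ALLOW 10.1.1.10 203.0.113.4 TCP 25
2005-03-01T09:02:06 ALLOW 10.1.1.10 203.0.113.5 TCP 25
2005-03-01T09:02:07 ALLOW 10.1.1.10 203.0.113.6 TCP 25
2005-03-01T09:03:00 ALLOW 10.1.4.22 10.1.1.53 UDP 53
this line is garbage and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<src>[\d.]+)\s+"
    r"(?P<dst>[\d.]+)\s+(?P<proto>TCP|UDP)\s+(?P<dport>\d+)$"
)

# Ports whose fan-out from a single host is a worm signature (assumed set).
WORM_PORTS = {445: "SMB worm", 139: "SMB worm", 25: "mass mailer (direct SMTP)"}


def parse_log(text):
    """Yield (src, dst, proto, dport) for every well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["src"], m["dst"], m["proto"], int(m["dport"])


def detect_worm_activity(text, fanout_threshold=5, mail_relays=frozenset()):
    """Return {src: {dport: n_distinct_destinations}} for hosts whose number of
    distinct targets on a worm port reaches fanout_threshold. Hosts listed in
    mail_relays are the sanctioned SMTP relays and are exempt on port 25 only.
    Both ALLOW and DENY lines count: a blocked scan is still a scan."""
    fanout = defaultdict(lambda: defaultdict(set))
    for src, dst, proto, dport in parse_log(text):
        if proto != "TCP" or dport not in WORM_PORTS:
            continue
        if dport == 25 and src in mail_relays:
            continue  # the relay is supposed to talk to many MX hosts
        fanout[src][dport].add(dst)

    alerts = {}
    for src, per_port in fanout.items():
        hits = {p: len(d) for p, d in per_port.items() if len(d) >= fanout_threshold}
        if hits:
            alerts[src] = hits
    return alerts


if __name__ == "__main__":
    for src, hits in detect_worm_activity(SAMPLE_LOG, mail_relays={"10.1.1.10"}).items():
        for port, n in hits.items():
            print(f"{src}: {WORM_PORTS[port]} suspected, {n} distinct targets on tcp/{port}")
```

    Counting distinct destinations rather than raw connections is what keeps a retrying client from tripping the alarm, and exempting the mail relay only on port 25 means the same host is still flagged if it starts sweeping port 445. Run on the sample, it reports 10.1.4.22 (six SMB targets) and 10.1.7.3 (five direct SMTP targets) while 10.1.4.50, which touched two file servers, stays quiet.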

  42. Default Linux, beg for Windows by cazzazullu · · Score: 2, Interesting

    That is how it works at our company. The default is Linux. All "regular Joes" have Linux on their desktop. All servers are Linux. If you begin and you don't know Linux, that's your problem, learn it. But you can have Windows, if you have VERY good reasons (e.g. secretaries that receive MS Office documents all the time). These Windows machines are completely locked down. You can do exactly what you wanted your Windows machine for, but nothing more. Also, these machines are reinstalled every single night (Ghost) with a new image maintained by the IT department (so daily updates).
    The Linux machines are Gentoo-based, and are also tuned. Nothing too much in there, but what is there simply works. These machines can also be automatically installed by just connecting them to the network and booting from a USB stick, or remotely from a server.

    Combine this with a little education of your users, a little trust, a security model not based on the "hard shell, soft inside" model but on the "insiders can also seriously mess things up" model, a decent network infrastructure (e.g. managed switches, fast uplink) and some guys that really know how to set up and secure a server or a network, and you won't have many problems or complaints.

    --
    int main(void) {while(1) fork(); return 0;}
  43. Re:They were wrong and you're lazy! by Malor · · Score: 3, Interesting

    It's absolutely trivial to admin one more standard Windows or Linux box remotely.

    It is NOT trivial to try to remotely deal with a dual-boot environment.

    His list of reasons was very solid, backed by experience. Your 'rebuttal' is crap. Twice the machines is HALF the cost... because MOST of the cost of a machine is maintenance. Unless the machines are just appallingly expensive, most secondary computers would pay for themselves by about the fifth manual patch visit. All the user has to do is leave both computers on all the time. Every place I've ever worked has left ALL machines on all the time.

    VMware images are easy to deal with. They look just like the other machines on the network, although perhaps not always running. You don't have to do anything special to support them; they just work. You can think of them like laptops. It's a total non-issue.

    If you supervise IT employees, I feel very bad for them. If any of those theoretical employees are reading this: get the hell out. There are sane bosses in the world.

  44. The quest for the IT downsizing? by Pac · · Score: 3, Insightful

    From your examples, it looks like your whole IT department is working very hard to be downsized or outsourced. From my experience, the minute a smart VP or CEO (or, a common case, an external consultant who has the VP's or the CEO's ear) notices and documents the kind of impact they are having on the bottom line, lots of high and middle heads will start rolling. Having inflexible rules when your market is evolving or constantly changing (and when your market is global it is always changing and evolving) is so dumb it hurts - when have we called the high priests back to the computer room, anyway? I thought we had all agreed to send them home for good by the end of the 70's.