Slashdot Mirror
Has Corporate Info Security Gotten Out of Hand?
KoshClassic asks: "What is the right balance between security and productivity, in the corporate IT environment? Looking back at my company, 10 years ago, our machines were connected directly to the Internet, no proxy, no firewall, no antivirus software. Today, my company's proxy server blocks access to: 'bad' web sites (such as Google Groups; our 'antivirus' software prevents our machines (even machines that host production applications) from carrying out legitimate functions, such as the sending of email via SMTP; and individual employees are forced to apply security patches with little or no notice, under threat of their machines loosing network access, if they do not comply by the deadline. On one hand, you can never be too secure, however on the other hand, have we become so secure that we're stifling our own ability to get things done? What is the situation like at other companies?"
The only real problem is overzealous proxy servers, which can be tough to configure, but should have a whitelist of some sort... the rest of the problems mentioned are problems that have solutions. There are plenty of corporate-level antivirus solutions that will allow the control of virus scanning policies so that you could enable the sending of e-mail through SMTP. If it's corporate policy not to allow it, then it really isn't a computer problem, but a company policy problem. There are also plenty of options for keeping up on patches that would relieve the users of this responsibility. Even in the case of Windows, Microsoft distributes a free "private" version of Windows Update, called Windows Server Update Services that can be deployed on a network. This version allows you to choose when and how which patches are distributed; all you have to do is point your computers to the server. Assuming you are running a Windows network, the settings for the Windows Update can be deployed via Group Policy without ever having to visit a workstation. Workstations can be scheduled to update themselves without taking control away from the IT department in regards to which patches they want installed.
Most of that was assuming you are running a Windows-based network. I am not as familiar with Linux software, but I know that similar services are available for Linux as well. In my experience managing network environments, most of this has never been a major problem. It seems to me that the network environment doesn't suffer from too much security, but that the existing security needs to be better managed so that it doesn't prove detrimental to the productivity of the employees.
I think overall mankind's productivity has increased thanks to the technology. I can't say if the IT world would be more convenient if 95% of us were using Linux.
It's like when cars were first introduced, there were not speed limits, cars were hardly locked and tyres were hardly threaded......
As cars become more common, more people died in car accidents, so you can't drive too fast anymore, must wear seatbelts and cannot drive drunk.
As car thefts become a norm, we must lock our cars, when that's not enough, we need to put on the steering lock, alarm, then immobalizer, and now the security datadot. However, I think overall we do benefit from the introduction of vehicles.
Virtual Betting on Facebook for non-geeks.
Security like most things, is a balancing act. Being able to manage the 'pain vs. protection' factor is the key to all of it, and unfortunately no tools seem to have the sliding adjustment with those options on it.
Ideally security will allow everything that's vital while not stepping on any services that are required. With most companies, what is 'required' ends up being pared down as the security net gets closed down tighter.
Nostalgia is one thing -- how many of us worked on systems that had telnet / ftp open to the outside without a firewall? I know I did back in the day. When management is behind security initiatives, being able to work on the business isses ("No, we CAN'T disable FTP!") becomes less of a problem.
Regarding individual workstations -- putting the burden on end-users doesn't seem to be a common (thankfully) configuration in the companies I've seen. Most larger places are doing automated patch management and deployment now. I know quite a few places where every single system (desktop and production) is patched within a 15 day window. While it's not bleeding edge, this relatively fast schedule combined with the concept of 'defense in depth' goes a long way to preventing issues. I know places that haven't lost a machine to a virus in YEARS.
Security that's preventing legitimate work from being done needs to be adjusted. All of the problems you've mentioned are fixable.
One time for security's sake my office ethernet port was turned off by IT. Figuring it to be some outage I called support (hah!), and they looked up my IP address and said yes the port had been turned off because my machine had refused to accept recent XP updates.
Hmmm, but my machine is a linux machine! We're sorry, but until you're machine accepts the updates we can't re-enable the port. I asked why I hadn't been notified -- they said ALL XP login scripts had been posting the notice for over a week, I had been given "plenty" of warning!
Hmmmm, but my machine is a linux machine! We're sorry, but until you're machine accepts the updates we can't re-enable the port.
Fortunately I had a dual-boot, so I was able to comply.
But, ironic that one of their (in my opinion) least vulnerable machines on the network was mine.
(And, for the record, my assigned work had no specific XP requirement, and my responsibilities were heavily around Unix... so I wasn't in violation of any policy (such as they existed).)
individual employees are forced to apply security patches with little or no notice, under threat of their machines loosing network access
I don't think this is unreasonable at all. What's the downside of enforcing a little rigor in your employees, when the alternative is having your entire corporate network become a zombie farm overnight controlled by a mob boss in Russia named Vladamir?
I'm sorry. The number you have reached is imaginary. Please rotate your phone 90 degrees and try again.
But also realize how much the worms of 2003 and 2004 cost corporations. I saw it first hand when working in a plant, and it was seriously disastrous. I can understand why they don't want that to happen again.
If surfing "bad" sites is THAT important to you, perhaps its time to get your resume out to a company that trusts its employees more. Or quit complaining to a bunch of slashdotters and present a true solution that benefits everyone. There are ways to have both security and usability.
Berto
What is the situation like at other companies?
I'd love to tell you but that would be a breach of security.
Comment removed based on user account deletion
And, why, yes I am a network administrator, thanks. I'm lucky so far -- it's a small company, people are well-behaved, and I don't have to implement the policies you describe. I set up times for patches, there's no proxy yet and not too many firewall restrictions.
But if this place gets to be big enough that I can't count on collective intelligence and/or social pressure to keep people doing the right thing, I'm going to have to seriously consider policies just like the ones you describe, in order to keep things running as they need to -- because your complaints about the network not working 'cos of the latest virus outbreak are going to be a fuck of a lot louder than your complaints about your desktop machine not being allowed to be a mail server.
Carousel is a lie!
I work in a .mil environment with managed images and very good security. What I'm reading is that your company is still in the learning phase when it comes to customer service balanced with security.
We operate under a standard image architecture with updates and patches pushed out across the enterprise. Proxy servers are a necessary evil, but we are very reasonable on our block lists. (North Korean sites are discouraged along with Ebay...) This is for our unclassified network...
We learned the hard way too. Our first generation of machines were issued with padlocks on the cases and no CDROM drives...
Our IT system never compromises operations for security, and it never has to. Your IT staff may need a bit of fresh air, a few customer-centered workshops, and maybe some field trips to see how others work.
I feel your pain and wish you the best.
ay
What is the right balance between security and productivity, in the corporate IT environment?
Simple, more security. As more secure systems tend to run more reliably (less bugs) and with lower maintenance (removing root kits)than do less secure systems. Knowing most corporate environments, security tends to be lax.
Looking back at my company, 10 years ago, our machines were connected directly to the Internet, no proxy, no firewall, no antivirus software.
Yes, it was better more than ten years ago. If your computer was connected to the internet and caused someone problems you got kicked off for a week or two to think about it. Some were even blacklisted. And few if any ran Microsoft products as their gateways or terminals.
But the fact is with many hundreds of millions of Internet users today practicing self administration of an inherently insecure OS and trusting everything they click on -- without regard to others or their companies costs, security has had to evolve. And believe it or not, firewalls existed 10 years ago.
Then along comes the modern cowboy on an unmonitored cable connection hacking people for sport and profit. People hack computers just to send spam, and the system/ISP do nothing. They have long since abandoned kicking them off. The result is the problem is mow rampant.
have we become so secure that we're stifling our own ability to get things done?
Not at all, I have always kept important stuff on UNIX and Linux, and professionally manage them like I do at work. They haven't been hacked or wormed. I also tend to use "safe" tools as they also fail less as well are more secure.
But the optimum answer to be secure is to use securable tools and secure practices in what you do with your computer, something like safe sex.
Heh, my Christian University is a lot worse than that. We have mandatory antivirus (which seems to run scans at the most inconvienent times. Cancel them and you get kicked off the network.) We also have to run all traffic through a HTTP proxy, because they block all outgoing port 80 traffic. The HTTP proxy logs all traffic which is then sent to our deans and hall directors, as well as kept on record forever. In addition, it blocks such disgusting websites as Ebaumsworld, and hackaday (hacking is illegal, kids). It can be loads of fun trying to get programs without proxy support to work. We also get AIM file transfer (for my non-geek friends from home) disabled, along with bittorrent and pretty much every non HTTP protocol. They even have a packet shaper which detects traffic on the wrong ports and blocks it, so forget about using a proxy. Internet access at schoool can be much worse than at a workplace... Thank the gods for PGP and dial-up!
You should have simply rebooted to the XP side and run the updates. If you want the luxury of a dual-boot system, you should be willing to maintain both halves.
My policy for dual-boot machines is this: No. You can have two machines. I'll get you two monitors you can use dual-head on each machine, a KVM, your own switch, and I'll even clean the goo off your keyboard. But I won't manage a dual boot machine, and I don't want them on my network.
Why?
Raise your children as if you were teaching them to raise your grandchildren, because you are.
Security has very little to do with updating your virus definitions hourly, and everything to do with knowing when to just unplug the box and find another way to get the job done. What's your risk model? Point granted: the network is a demanding mistress. But fortunately, everyday risk is often handled best by the simplest of means. Stop instant messaging the person one cubicle owner, and get to know your local coffeeshop owner. Or neighborhood banker.
http://tinyurl.com/4ny52
The stupid part of the story (as told by the poster) is that these IT "professionals" didn't seem to understand that Linux is incompatible with XP.
Why are people who don't comprehend - or can't communicate - this employed in an IT organization??
Had they just explained things the way you explain them in your post, there would be no problem.
Yeah, weird that they might want a machine running Windows XP to be updated. You might have Linux on the machine, but you also had Windows XP, and it sounds like it was missing security patches.
The fact that he hadn't noticed the loginscripts for over a week indicates to me that the didn't use his XP installation at work alot and even then how can you assert it wasn't patched? He may even have had to wait until a patch becaeme available to qualify for a connection because his XP installation was already fully patches! Off hand I am guessing this guy probably got issued a laptop from his employer and used installed Linux on it for day to day for home as well as for work use dual booted with XP for mostly for gaming and perhaps for that once-in-a-blue-moon that he couldn't get something done at work with Wine+[Random M$ application] and for Gaming.
I fail to see how this was stupid of the network admins. Draconian maybe, but it got you to apply the security patches.
It is stupid because they could have exempted him from their Windows specific policy quite easily. It is stupid because they may even have given him a hard time because they didn't even know how to exempt a non Windows boxen from their MS specific setup. All it would have taken was to send somebody up stairs to check out his setup for security and if it was OK adapt the policy. If you are an IT tech that works alot around Engineers, non-MS admins or Programmers you are going to have to get used to cases like this (ie. escaped mental patients who use Linux or OS.X in a corporate environment) and unless you find out how to cater to people running non-MS Operating systems you will quickly find out that you haven't got any friends willing to do you a favor when you really need it (ie. when you have screwed up and need a quick fix from the local nerds).
Only to idiots, are orders laws.
-- Henning von Tresckow
You sir, need to accept the bureaucratic nature of large organizations. There have been a few times that I've had to do some really asinine things in order to keep my job. I knew it was bullshit, my coworkers knew it was BS, and the poor SOB on the other end really knew it was BS. But, if either strayed from policy it was our asses. Why was this policy in place? Because the higher ups didn't want to take the time for all of the inevitable exceptions that occur.
The solution? Acceptance - Zen practice. Or, start your own organizaton - if possible. Entrepreneurship!
There's a reason why small companies are the ones that are creating most of the jobs. There's a reason why small companies are the innovators. There's a reason ... you get the idea.
Disclaimer: I work on the security team for a rather large (Fortune 5) corporation.
I would say, compare the environment of the public internet to how it was ten years ago. Would you place your unpatched Windows machine directly on the public internet now? You have (roughly) ten minutes before another infected machine exploits one of the dozen out-of-the-box vulnerabilities that will allow them to run anything it wants on your PC. Not the case ten years ago.
Unfortunately, what was once a rather quiet suburb filled with geeks posting to Usenet and using Mosaic is now a post-nuclear, disease filled demilitarized zone where so many infected systems simply sit and try to infect others that a defenseless machine (or a network of them) is doomed.
Trying to manage security in this environment is a much more difficult job than it ever has been, and every month that goes by makes it more difficult. We shudder on the second Tuesday of every month at what new terrifying vulnerability Microsoft will tell us is in their product that's deployed on a hundred thousand machines on our network. We plead with other IT teams (networking, server admins, client admins) to implement our tools and software and protect the environment, but most of them get pushed to the back burner, either because it's "too invasive", i.e. it annoys the end user too much; or it costs too much; or they just don't have the time.
Then MS05-039 is released. We plead and plead for the patches to be distributed right away because of how severe the threat is. But users like the submitter can't stand to have their PC rebooted unless it's the absolute perfect time. Plus, we have 1700+ applications to test compatibility with the patch on, on hundreds of different PC environments. And it requires a service pack we don't have deployed everywhere, again, because it's too invasive.
Then Zotob.E gets into the environment, and shuts down large sites in a matter of minutes. Then people scream even louder! Where is security? Why didn't they prevent this?
Because no one takes security seriously until it's too late.
From a security admin's perspective, we never have enough resources or management support to fully defend against even the most prevalent threats. Because security (and, as most admins know, IT in general) is underfunded. Because of (very real) scenarios like I described above, we have much more support than we did, and things are improving.
I guess my point is, step into our shoes for a few days. We don't enjoy being draconian - we like Google Groups as much as anyone else! But there are so many attack vectors that we have to be concerned about to protect the environment - and it only takes one. One of my co-workers is fond of the saying, "the hackers only have to be lucky once - you have to be lucky all of the time."
I guarantee every IT admin reading this is thinking, well, if you did this instead of that, if you had two hundred guys on your security team, with all of them testing patches, while listening to every end user complaint and rectifying their situation immediately, you could stay out of the end-user's way! Trust me - we know. We wish our teams were as stacked as they should be. Heck, we wish it wasn't necessary at all to have to defend against stuff like WMF, where any end-user clicking on a link from their IM buddy could get exploited in a second... we wish it wasn't like this. We wish things could go back to how they were ten years ago. The reality is, this is the internet we built and we are fighting to protect our assets from.
---
"how can the same street intersect with itself? i must be at the nexus of the universe!" - cosmo kramer
A decade ago it was not unusual for corporate networks to have little or no restrictions on end users. Workstations, servers and even printers had publicly routable addresses and free access to the internet as it was. Back then we had to deal with relatively few miscreants... the occasional "ping of death", "teardrop" or the dreaded "smurf" attack. Malicious activities could be deflected by a few simple firewall rules.
Flip the calendar ahead 10 years... The internet is ripe with malicious content. Organized groups of crackers, writing exploit code for every system vulnerability imaginable... Script kiddies gaining "respect" relative to the number of machines they can compromise for addition to their bot-nets... Spammers building their armies of compromised boxes to anonymously sell viagra and fake rolexes... the list goes on and on. In short, the need for network security is real and sometimes the end user is inconvenienced in the process of running a tight ship.
In an ideal corporate world, the bad guys would stay out and the users would have everything they want. In the real world there is a balancing act that weighs a security "best effort" against business needs. It sounds to me as if the original poster's company is in the early stages of making this happen. Security measures are being taken and users are feeling the pain. The next step is for the users to identify the needs that are not being met and challenge their management and IT resources to provide for those needs while making a best effort to do so securely. This, unfortunately, often involves plenty of corporate political bullshit and associated headaches, but if you can show a LEGIT business need, it should make it through the process.
I manage all internet connectiity and perimeter security for a very large healthcare foundation that includes several hospitals, physicians offices and research facilities. Not a day goes by without some kind of request for additional access to some resource. Most are reasonable and can be accomodated with little or no impact on security. Some are not so reasonable politely rejected with a comprehensive explanation of why it's not gonna happen and where applicable, alternative solutions are offered.
As for the original poster's situation... should end users be applying system patches? hell no. IT folks get paid to do that. Should individual workstations be sending SMTP traffic beyond the network perimeter? hell no! IT folks should make a suitably secured SMTP gateway available. Should users be able to go anywhere on the 'net they want? hell no! The company pays for the bandwidth and owns the workstations... they can say "no" to anything they consider to be unrelated to doing business. If users need to get somewhere on the filtered list, it should be easy enough to justify it to management. Do the homework and make your case... you'll get much farther than someone that just pisses and moans about how restrictive those IT bastards are.
Best of luck.
chown -R us
Being a corporate IT security at large corporation I can tell you why google groups are blocked. If I am looking at porn on alt.binaries.erotica and a female co-worker walks up behind me she could sue for sexual harassment and say the company did not take adequate measures to prevent this situation.
My understanding is the hoopola about "if you don't block pornography, you're liable" is nonsense that's heavily propogated by vendors of filtering software. The case that claims about liability are based on is the '91 ruling in Robinson v. Jacksonville Shipyards, Inc. Here, the plaintiff was being directly targeted and porn was being publically pervasively placed throughout the workplace. That's a *far* cry from someone walking in and seeing a pornographic image on someone's computer monitor. That's even *further* away from a company being liable because they actually aren't buying a product to do filtering.
My impression is that most of the people that install these packages get sold a bill of goods by the filtering people "Lawsuits! Lawsuits!" The IT people pass the possibility of a lawsuit on up, some higher-up decides that the software is cheap insurance against a lawsuit, and buys it.
Frankly, companies don't need to worry about liability from not filtering porn (IANAL and all that). They might need to worry about employees being off-task (I mean, come on -- if you're browsing porn, you are *not* doing work). However, I've been incredibly frusterated by stuff in the past (like pages containing "wine" in the URL being blocked -- when I'm trying to look up constants in WINE's header files), with information about HTTP tunneling that I needed for writing some software that had to interoperate with a firewall being blocked (as "criminal activity", impressively enough, along with anything involving a "proxy"), and so forth. Companies aren't avoiding liability at all -- they're trying to control employees, and keep them from goofing off at work. I'm not saying that there's necessarily anything wrong with that that, but it's just not really a liability issue. I've seen people blow time chatting with their friends on non-work related stuff on AIM, and I can understand that there's a desire to not let the computer be an entertainment device.
However, I've got a much better solution. Have software that skims browsing history, flags anything suspicious, and allows an employee's boss to take a gander at it (if he really wants to). Oh, and *tell* the employee that you plan to do this -- the idea is to prevent abuse. I don't have a problem with my boss seeing a complete log of my at-work browsing history -- I do have a real problem with IT blocking things. I don't abuse my work connection, and it's really irritating to be treated as if I have because someone somewhere *has* done so.
Basically, I think that it's probably unreasonable to prevent the following types of Internet usage in a regular work environment, at least from a security/liability standpoint:
* Outbound TCP connections, other than maybe to port 25. The whole world is not HTTP.
* Requests to DNS servers other than the company one (why on *earth* do people do this?)
* Outbound SSH connections (a special case of the above that's particularly annoying -- sometimes I need to get at my addressbook or something else on my home computer). (There is a small potential security issue here in that someone could set up X11 port forwarding, and have a compromised outside box keylog or screenshot their workstation machine desktop) but goddamn it, the risk is awfully small and the loss of functionality enormous. This is not James Bond, and armies of ninja hackers are not out trying to take screenshots of desktops.
* Access to webpages. Good *God*. If you have to log them, fine, but for Chrissake, do not filter. It's *so* irritating.
Real security risks? Worms, dubious software that people intentionally install, people simply taking confidential (*actually* confidentially, not doc
Any program relying on (nontrivial) preemptive multithreading will be buggy.
Comment removed based on user account deletion
Insightful? You gotta be kidding!
I have been a corporate security professional for over 10 years, and the only people that I ever get whines from like the parent are typically engineers or IT people who either believe that a) they are God's gift to computers and/or b) the rules don't apply to them. I may seem a bit pissy here, but it just burns me to read posts like this from people who clearly have never tried to think about security from the perspective of the business protecting its assets.
Contrary to what most people seem to think, companies do not exist for the convience of the employees. It is the other way around. Employees have jobs to do what the company tells them to. If the policies at your company don't allow for any way for you to do your job, talk to management. More than likely, either an alternative solution exists, or the business function you're trying to do hasn't come up before and security will have to figure out how to incorporate it. If the problem is that the official method of doing your job isn't as convenient, as cool, or as uber as what you'd like to do, then either get over it or get a different job. Corporate policies and standards are put in place to homogenize the environment, ease support, and maintain regulatory compliance. They are not put in place, at least in my company, to inconvenience employees. In fact, the point behind security efforts in my environment is to enable the business to do everything they need to do, but in a manner that doesn't put the company at risk. Some times, this means that one business unit will have to accept a less-than-optimal solution because of more pressing issues at another, but we haven't been faced yet with a situation where there's been no way to safely do a valid business function.
In large corporations, in particular, security decisions are frequently a balance between the needs of very different business units. For example, a unit that provides credit functions to customers in the US is regulated by the Gramm-Leach-Bliley Act, but a manufacturing unit in the same corporation wouldn't be normally. GLBA may apply to both, however, unless there is some system in place to prevent mistakes at the manufacturing unit from affecting the credit unit. So, while encrypted, authenticated wireless access may not be convenient for an engineer at the manufacturing unit, without internal firewalls to segment security zones, encrypted, authenticated wireless is the only option.
Don't get me wrong, we do things I don't agree with. Proxy blocking, for example, seems pointless to me. Surfing porn from a company system is not a technical issue, it is an HR issue. Have a policy that states what is acceptable, give one warning per user, then fire their ass. Believe me, Internet usage reports get much cleaner when someone at a site has been fired recently, regardless of what the proxy is blocking.
Oh, yeah. The so-called draconian policies we have in place have created an environment where a really, really bad virus outbreak is 2-3 machines worldwide. Before we went down this path, there were worms that affected thousands of systems all around the world. We also have a very, very low incidence of harassment issues, we have five-nines uptime on our production systems, we've never had to completely sever our Internet connections to deal with security threats, and we've managed to balance security and business function well enough that end-users rarely have to contact the help desk because a security measure is preventing them from doing their job. Things may not work this well at other companies, but whinging on /. isn't likely to change that anyway.
It's absolutely trivial to admin one more standard Windows or Linux box remotely.
It is NOT trivial to try to remotely deal with a dual-boot environment.
His list of reasons were very solid, backed by experience. Your 'rebuttal' is crap. Twice the machines is HALF the cost... because MOST of the cost of a machine is maintenance. Unless the machines are just appallingly expensive, most secondary computers would pay for themselves by about the fifth manual patch visit. All the user has to do is leave both computers on all the time. Every place I've ever worked has left ALL machines on all the time.
VMWare images are easy to deal with. They look just like the other machines on the network, although perhaps not always running. You don't have to do anything special to support them; they just work. You can think of them like laptops. It's a total non-issue.
If you supervise IT employees, I feel very bad for them. If any of those theoretical employees are reading this: get the hell out. There are sane bosses in the world.
From your examples, it looks like your whole IT deparment is working very hard to be downsized or outsourced. From my experience, the minute a smart VP or CEO (or, a common case, an external consultant who has the VP or the CEO's ear) notices and documents the kind of impact they are having in the bottom line, lots of high and middle heads will start rolling. Having inflexible rules when your market is evolving or constantly changing (and when your market is global it is always changing and evolving) is so dumb it hurts - when have we called the high priests back to the computer room, anyway? I though we had all agreed to send them home for good by the end of the 70's.