Has Corporate Info Security Gotten Out of Hand?

KoshClassic asks: "What is the right balance between security and productivity, in the corporate IT environment? Looking back at my company, 10 years ago, our machines were connected directly to the Internet, no proxy, no firewall, no antivirus software. Today, my company's proxy server blocks access to: 'bad' web sites (such as Google Groups; our 'antivirus' software prevents our machines (even machines that host production applications) from carrying out legitimate functions, such as the sending of email via SMTP; and individual employees are forced to apply security patches with little or no notice, under threat of their machines loosing network access, if they do not comply by the deadline. On one hand, you can never be too secure, however on the other hand, have we become so secure that we're stifling our own ability to get things done? What is the situation like at other companies?"

Management?

[Tadrith]

The only real problem is overzealous proxy servers, which can be tough to configure, but should have a whitelist of some sort... the rest of the problems mentioned are problems that have solutions. There are plenty of corporate-level antivirus solutions that will allow the control of virus scanning policies so that you could enable the sending of e-mail through SMTP. If it's corporate policy not to allow it, then it really isn't a computer problem, but a company policy problem. There are also plenty of options for keeping up on patches that would relieve the users of this responsibility. Even in the case of Windows, Microsoft distributes a free "private" version of Windows Update, called Windows Server Update Services that can be deployed on a network. This version allows you to choose when and how which patches are distributed; all you have to do is point your computers to the server. Assuming you are running a Windows network, the settings for the Windows Update can be deployed via Group Policy without ever having to visit a workstation. Workstations can be scheduled to update themselves without taking control away from the IT department in regards to which patches they want installed.

Most of that was assuming you are running a Windows-based network. I am not as familiar with Linux software, but I know that similar services are available for Linux as well. In my experience managing network environments, most of this has never been a major problem. It seems to me that the network environment doesn't suffer from too much security, but that the existing security needs to be better managed so that it doesn't prove detrimental to the productivity of the employees.

Re:Management?

[canuck57]

The only real problem is overzealous proxy servers, ...

Not really, often it best to deny, evaluate and permit with business cause. Provided the response is usually positive where the business need is legitimate then their is not an issue. Any security system will need to be tuned to work correctly. And often users fall into the trap of buying products that abuse protocols to circumvent security without regard to company policy.

The enemy within is in my experience a 50/50 split with the enemy outside. These tools are needed to prosecute criminal and negligent employee behaviors. Some examples I have freequently seen:

• Insider trading of company secrets
• Posting of internal information on Yahoo and other board and mails services
• Had a manager watching video porn consuming the network bandwidth while he was bitching at I/T because the lines were slow and the clerks could not do order input.
• Much like the last point, the clerks will call while they are all listening to the radio and complain because the servers are slow... they don't understand nor give a damm that 100 people in an office listening to radio designed for 1 cable modem drives costs up -- they don't know how dumb they come off to I/T. And their managers didn't have the spine to say no.
• Had one more advanced user who bypassed the proxy with a VPN type software using SSL. He thought he would not be noticed so we watched his terminal. He was using file shares relayed from his home system and watching, you got it - porn.
• Caught one person posting personal comments about the CEO on a message board.
• Figured out which user posted the companies address book right onto a known spammers web board as it would be "more convenient".
• Had one one user who used their internal priveleges to load seti on 12 shared UNIX systems. The company thought their CPUs were slow and were preparing to buy more.
• Had one internal developer who back doored some applications for stuff I can't say, but cost the company a million to clean up.
• Had one case where every Windows server bar none was compromised and controlled from the outside. The real kicker is that the systems were compromised from the inside and then controlled from the outside to serve Warez. Got my first copy of W2000 before it was released!
• Had one user who would run a "spam" program while working on his PC. He was caught because the companies domain was blacklisted.
• and many more...

So remember this when you bitch about security. The behavior above was detected by security tools. And this type of behavior in corporate America costs companies lots and reduces the security of your job. Security is to enable you to do your job AND is there to prevent the 1/100 bad asses from getting inside to do your company harm. And the opposite is true, to prevent the 1/100 bad asses you have hired from compromising your company.

And if you don't think your threat exists from the inside, your either a very small trustworthy group or your just not looking.

Re:Management?

I agree that some level of security is needed to prevent threats from both inside and outside the company. However, the goals of IT and security organizations often don't seem to align with the main goal of all companies -- to make money. At the company I work for, most departments are focused on improving efficiency, improving product quality, and keeping our customers happy. All things that are necessary for a business to be successful. However, the IT organization seems to be focused only on taking every precaution to keep the network running smoothly without regard to the impact on the rest of the business. When one of IT's policies conflicts with a legitimate business need, there's nothing I can do about it. There's nothing my manager can do about it. There's nothing his manager can do about it. There's nothing the director of engineering can do about it. The only thing the VP above him can do about it is try to work out an agreement with the VP in charge of the IT management chain or complain to the CEO. So basically, when IT's policies screw us, we just have to bend over and take it. Here are a few recent examples:

1) A bug in one of our products affects an important customer. Engineering works feverishly to release updated firmware to fix the problem. As soon as the fix is validated, we e-mail it to the customer, but they never get the attachment. Why? IT decided to block attachments for unknown file types. The director of my division calls IT and compains. The response: "Sorry, that's our new policy." Our solution: I fly to Germany to hand deliver the updated firmware on a CD. Cost to the company: about $4000 in travel, 2 days of my time, and a customer who thinks we're crazy.

2) We are completing the timing analysis for a new ASIC. The simulations take about a week to complete, and if they are interrupted we have to start over. The only problem is that every time we start the tests, IT deploys a new security patch and forces a reboot of the PC before the testing can complete. This happens repeatedly and results in a 2 month delay in getting the chips made. We make up some of that lost time, but the project still slips by more than a month. As a result, we were contractually obligated to refund $200,000 of the NRE we got for doing the work since we missed our dates.

3) We use ClearCase for source code control. Everyone in the company with a unix account had access to the source code and could check in and check out files. Our IT department decided this was a security risk -- reasonable, I suppose. To correct the problem, without notice they disabled access for everyone. They then sent out an email saying that anyone who needed access had to fill out a form, get it signed by a manager, and fax it to their department. They were so bombarded with these requests that it took about 3 weeks to process them all and get everyone's access restored. It took them about 2 weeks to get to mine. During that time, my company paid me a fat salary to sit at my desk and learn how to work a rubik's cube. I can now work a rubik's cube in about 90 seconds, but this is of questionable value to my company.

4) To increase password security, our IT department implemented a new password policy. All passwords must be at least 8 characters long, contain at least one uppercase character, one lowercase character, and one number or symbol. All passwords must be changed every 30 days. When changing your password, you can't use any of the last 10 passwords you have used. Every system that requires a login must use a different password (I have a windows login, a unix login, a SAP login, and a login for an internal bug tracking tool). Ironically, all of these systems use LDAP authentication which was implemented about 2 years ago so that we could use the SAME password for all our accounts. If you enter the wrong password 5 times, your account gets locked out and you have to issue a ticket to the help desk to get your account restored. This usually takes about a day. The result of

Re:Management?

[Alioth]

Someone needs to get hold of your IT department and tell them they don't work in a vacuum. It *is* possible to design a good security, update, patch etc. policy - but it HAS to be done in conjunction with the rest of the business (and the rest of the business must at least understand a little bit about information security and the need for an orderly process). Your IT department management is incompetent by the sounds of it.

Re:Management?

[cowbutt]

Seconded. Good information security should ideally be transparent, and with a bit of work on the part of the people implementing it, often can be. Sometimes, it's even possible for the good security to facilitate working practices that wouldn't have previously been considered possible.

Re:Management?

[dclydew]

In your first two examples, I think that the security team was being entirely reasonable. Files should not be transmitted via email, tools like FTP/SFTP appear much more suited for such work. Using the right tools, often improves security. In the second instance, taking the system off of the network while building should fix the problem. I wouldn't be surprised if the third example had to do with SOX, since we had to do something similar here. All systems had to have a managed trail that could tell us which employees had access, when they accessed and what they accessed. On a number of older systems, we found lots of generic ID's that were being used by multiple employees. We didn't have the luxury of slowly fixing this issue. We were told by the auditors that it HAD to HAPPEN IMMEDIATELY, or we would fail complaince.

The password thing sounds bad. 8 characters is ok (though not really mush more secure these days), no repeating of old passwords is ok (again not great), but 30 days is very bad. 30 days to lead to two problems. 1) People write it down on sticky notes; B) People make easy to remember "MyFebPwd1" "MyMarchPwd1" etc.

It sounds like the person who made your password policy could do with a dose of accurate information about the usability of passwords. However, the other stuff seems reasonable to me.

It's all possible...

[jabella]

Security like most things, is a balancing act. Being able to manage the 'pain vs. protection' factor is the key to all of it, and unfortunately no tools seem to have the sliding adjustment with those options on it.

Ideally security will allow everything that's vital while not stepping on any services that are required. With most companies, what is 'required' ends up being pared down as the security net gets closed down tighter.

Nostalgia is one thing -- how many of us worked on systems that had telnet / ftp open to the outside without a firewall? I know I did back in the day. When management is behind security initiatives, being able to work on the business isses ("No, we CAN'T disable FTP!") becomes less of a problem.

Regarding individual workstations -- putting the burden on end-users doesn't seem to be a common (thankfully) configuration in the companies I've seen. Most larger places are doing automated patch management and deployment now. I know quite a few places where every single system (desktop and production) is patched within a 15 day window. While it's not bleeding edge, this relatively fast schedule combined with the concept of 'defense in depth' goes a long way to preventing issues. I know places that haven't lost a machine to a virus in YEARS.

Security that's preventing legitimate work from being done needs to be adjusted. All of the problems you've mentioned are fixable.

one time, for security's sake

[yagu]

One time for security's sake my office ethernet port was turned off by IT. Figuring it to be some outage I called support (hah!), and they looked up my IP address and said yes the port had been turned off because my machine had refused to accept recent XP updates.

Hmmm, but my machine is a linux machine! We're sorry, but until you're machine accepts the updates we can't re-enable the port. I asked why I hadn't been notified -- they said ALL XP login scripts had been posting the notice for over a week, I had been given "plenty" of warning!

Hmmmm, but my machine is a linux machine! We're sorry, but until you're machine accepts the updates we can't re-enable the port.

Fortunately I had a dual-boot, so I was able to comply.

But, ironic that one of their (in my opinion) least vulnerable machines on the network was mine.

(And, for the record, my assigned work had no specific XP requirement, and my responsibilities were heavily around Unix... so I wasn't in violation of any policy (such as they existed).)

Re:one time, for security's sake

[badriram]

Well if IT installed linux, well they should not be doing something that stupid. However if you decided to install Linux, and the IT folks maintain your computer, i would have to agree with them. Unless you work at a software company, developing apps, or a sys admin you are outta luck.

Re:one time, for security's sake

[Thuktun]

Hmmm, but my machine is a linux machine! [...] Hmmmm, but my machine is a linux machine! [...] Fortunately I had a dual-boot, so I was able to comply.

Yeah, weird that they might want a machine running Windows XP to be updated. You might have Linux on the machine, but you also had Windows XP, and it sounds like it was missing security patches.

And, for the record, my assigned work had no specific XP requirement, and my responsibilities were heavily around Unix.

And you apparently had a machine with Windows XP missing some (possibly significant) security patches sitting on their network.

I fail to see how this was stupid of the network admins. Draconian maybe, but it got you to apply the security patches.

Speak for yourself...

[MicroBerto]

What "we"?? The company I work at does none of those things, and the network runs almost perfectly. There is a balance.

But also realize how much the worms of 2003 and 2004 cost corporations. I saw it first hand when working in a plant, and it was seriously disastrous. I can understand why they don't want that to happen again.

If surfing "bad" sites is THAT important to you, perhaps its time to get your resume out to a company that trusts its employees more. Or quit complaining to a bunch of slashdotters and present a true solution that benefits everyone. There are ways to have both security and usability.

Sorry...

[Necrotica]

What is the situation like at other companies?

I'd love to tell you but that would be a breach of security.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Your complaints are unconvincing.

[Saint+Aardvark]

• Your company's proxy policy is a matter of policy at your company -- complain to them about it! If it's preventing you from getting work done, you should have no problem convincing them -- and if you do, light a fire under your manager; that's what managers are there for.
• "the sending of email via SMTP" -- Maybe I'm misinterpreting this, but if you mean "our desktops and servers have to pass email to the designated relay", then I'm completely unsympathetic. If your complaint is about poor performance, complain about that -- but your desktop and your production machines are not mail servers!
• "forced to apply security patches with little or no notice" -- I can guaran-fucking-tee you that each time that happens there is a wave of complaints to your IT department. And yet they keep doing it anyway. They're either heartless, bastard pyschopaths with no concept of sympathy, or it's important to apply these patches. Human nature being what it is, I'm willing to bet they think it's important...no one lets themselves in for a shitstorm voluntarily just 'cos it's, you know, second Tuesday of the month.

And, why, yes I am a network administrator, thanks. I'm lucky so far -- it's a small company, people are well-behaved, and I don't have to implement the policies you describe. I set up times for patches, there's no proxy yet and not too many firewall restrictions.

But if this place gets to be big enough that I can't count on collective intelligence and/or social pressure to keep people doing the right thing, I'm going to have to seriously consider policies just like the ones you describe, in order to keep things running as they need to -- because your complaints about the network not working 'cos of the latest virus outbreak are going to be a fuck of a lot louder than your complaints about your desktop machine not being allowed to be a mail server.

Fair security poorly adminstered

[ayelvington]

I work in a .mil environment with managed images and very good security. What I'm reading is that your company is still in the learning phase when it comes to customer service balanced with security.

We operate under a standard image architecture with updates and patches pushed out across the enterprise. Proxy servers are a necessary evil, but we are very reasonable on our block lists. (North Korean sites are discouraged along with Ebay...) This is for our unclassified network...

We learned the hard way too. Our first generation of machines were issued with padlocks on the cases and no CDROM drives...

Our IT system never compromises operations for security, and it never has to. Your IT staff may need a bit of fresh air, a few customer-centered workshops, and maybe some field trips to see how others work.

I feel your pain and wish you the best.

ay

Re:Technology

[CleverFox]

Being a corporate IT security at large corporation I can tell you why google groups are blocked. If I am looking at porn on alt.binaries.erotica and a female co-worker walks up behind me she could sue for sexual harassment and say the company did not take adequate measures to prevent this situation. Basically they fear a lawsuit.

They were right.

[lheal]

You should have simply rebooted to the XP side and run the updates. If you want the luxury of a dual-boot system, you should be willing to maintain both halves.

My policy for dual-boot machines is this: No. You can have two machines. I'll get you two monitors you can use dual-head on each machine, a KVM, your own switch, and I'll even clean the goo off your keyboard. But I won't manage a dual boot machine, and I don't want them on my network.

Why?

• One side is always down, meaning network monitors need special work
• Either both sides share one IP address, or each gets its own. Either figure out which one is running, or figure out which address to use.
• It requires physical intervention (or extraordinary hacks) to reboot remotely to the other OS
• I can't just wax the whole thing if something goes wrong
• Rebooting implies root access for whoever is around
• In short, they're a PITA

Why it's stupid

[Gorimek]

The stupid part of the story (as told by the poster) is that these IT "professionals" didn't seem to understand that Linux is incompatible with XP.

Why are people who don't comprehend - or can't communicate - this employed in an IT organization??

Had they just explained things the way you explain them in your post, there would be no problem.

Re:Technology

[Pig+Hogger]

How can blocking Google Groups be seen as draconian. They have no place in a responsible workplace. They are only filled with warez requests, AOL Me Toos, kiddie porn and hentai anyway.

You must be one of those pointy-haired bosses to say that Google Groups ain't got no business at work.

Whenever I work as a sysadmin, 90% of the solutions I apply to problems come from Google Groups.

Re:Security is Good on Paper

[Pig+Hogger]

Oftentimes management will hand down edicts based on something they've heard or read or even something a customer
...
They may not understand why or how the security measure is preventing legitimate work from getting done.

That's because, in case you haven't noticed, management does not do any legitimate work.

Bureaucracy at its best.

[IAAP]

hy are people who don't comprehend - or can't communicate - this employed in an IT organization??

You sir, need to accept the bureaucratic nature of large organizations. There have been a few times that I've had to do some really asinine things in order to keep my job. I knew it was bullshit, my coworkers knew it was BS, and the poor SOB on the other end really knew it was BS. But, if either strayed from policy it was our asses. Why was this policy in place? Because the higher ups didn't want to take the time for all of the inevitable exceptions that occur.

The solution? Acceptance - Zen practice. Or, start your own organizaton - if possible. Entrepreneurship!

There's a reason why small companies are the ones that are creating most of the jobs. There's a reason why small companies are the innovators. There's a reason ... you get the idea.

Changing with the times

[justin_w_hall]

Disclaimer: I work on the security team for a rather large (Fortune 5) corporation.

I would say, compare the environment of the public internet to how it was ten years ago. Would you place your unpatched Windows machine directly on the public internet now? You have (roughly) ten minutes before another infected machine exploits one of the dozen out-of-the-box vulnerabilities that will allow them to run anything it wants on your PC. Not the case ten years ago.

Unfortunately, what was once a rather quiet suburb filled with geeks posting to Usenet and using Mosaic is now a post-nuclear, disease filled demilitarized zone where so many infected systems simply sit and try to infect others that a defenseless machine (or a network of them) is doomed.

Trying to manage security in this environment is a much more difficult job than it ever has been, and every month that goes by makes it more difficult. We shudder on the second Tuesday of every month at what new terrifying vulnerability Microsoft will tell us is in their product that's deployed on a hundred thousand machines on our network. We plead with other IT teams (networking, server admins, client admins) to implement our tools and software and protect the environment, but most of them get pushed to the back burner, either because it's "too invasive", i.e. it annoys the end user too much; or it costs too much; or they just don't have the time.

Then MS05-039 is released. We plead and plead for the patches to be distributed right away because of how severe the threat is. But users like the submitter can't stand to have their PC rebooted unless it's the absolute perfect time. Plus, we have 1700+ applications to test compatibility with the patch on, on hundreds of different PC environments. And it requires a service pack we don't have deployed everywhere, again, because it's too invasive.

Then Zotob.E gets into the environment, and shuts down large sites in a matter of minutes. Then people scream even louder! Where is security? Why didn't they prevent this?

Because no one takes security seriously until it's too late.

From a security admin's perspective, we never have enough resources or management support to fully defend against even the most prevalent threats. Because security (and, as most admins know, IT in general) is underfunded. Because of (very real) scenarios like I described above, we have much more support than we did, and things are improving.

I guess my point is, step into our shoes for a few days. We don't enjoy being draconian - we like Google Groups as much as anyone else! But there are so many attack vectors that we have to be concerned about to protect the environment - and it only takes one. One of my co-workers is fond of the saying, "the hackers only have to be lucky once - you have to be lucky all of the time."

I guarantee every IT admin reading this is thinking, well, if you did this instead of that, if you had two hundred guys on your security team, with all of them testing patches, while listening to every end user complaint and rectifying their situation immediately, you could stay out of the end-user's way! Trust me - we know. We wish our teams were as stacked as they should be. Heck, we wish it wasn't necessary at all to have to defend against stuff like WMF, where any end-user clicking on a link from their IM buddy could get exploited in a second... we wish it wasn't like this. We wish things could go back to how they were ten years ago. The reality is, this is the internet we built and we are fighting to protect our assets from.