Balancing Bad Applications vs. Network Security?
Darlok asks: "One of our clients recently purchased a new financial software package from a major vendor for their industry. This is not a small mom-and-pop software house. The problem is, like a lot of industry-specific software, there are a considerable number of bugs. What's shocking is that to work around a problem preventing users from logging on, the manufacturer's recommended solution is to grant -Domain Administrator- privileges to all users, and they refuse (or are unable) to explain that need further (it's bad enough that an increasing amount of software seems to require local administrator privileges). Considering the enormous costs involved, how do you explain to Management that they shouldn't run this software until the problem is resolved -- which could be a long time, costing even more money? How do you balance productivity versus security when ANY productivity would give away the keys to the city? What can make an industry-specific software manufacturer pay attention to larger issues when they already have something of a captive audience?"
Management doesn't want to know the details. Just say there are 'major security concerns'.
You shouldn't usually sacrifice security for productivity, unless you don't need the security. I suppose Windows is a good example of businesses sacrificing security for productivity, though. In most cases they probably get away with it by having firewalls and the like.
Definitely try to whip the vendor into shape, but have you considered running the application in a quarantine area, like a VMware VM?
:-)
It's trivial nowadays at least to set up separate little compartmentalized computers and networks; though I recognize the carry-cost (virtual services are still supported services and need monitoring and troubleshooting and backups, etc. etc.), it would at least get around the privilege issue.
If this is totally non-helpful, sorry, it was the only thing I could think of.
how do you explain to Management that they shouldn't run this software until the problem is resolved
"What would you do if you got the door to the breakroom replaced, no one could open it, and the manufacturer's solution was 'Give every single employee a copy of the Master Key for the entire building'?? Well, it's 100 times worse than that."
Put the application in its own domain.
Enjoy.
So it isn't actually Oracle that is the problem, but moronic consultants. Lay the blame where it belongs.
There is a simple solution to getting the problem fixed. Just post the name of the software package, software company name, and link to their website. Slashdotters will ruin their reputation. And the hackers will find the network exploits that almost certainly exist in that package (and have instant Domain Administrator privilege). The company will either fix the problem or go out of business.
now we need to go OSS in diesel cars
"I've always been a bit confused as to how religious Christians pick which parts of the old testament are still valid."
Usually, the parts endowing one's prejudices and fears with divine authority.
"Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell
That seems more like su. You still need the admin password.
..that I have been saying for a while that software sucks. Most Windows software requires local admin rights to get anything done these days. So many wankers keep correcting me and saying "we run a large enterprise site and we don't need to give our users any admin rights".
What they neglect to say is that they also don't give their users any more than a basic suite of apps like Office and a web browser. When the user needs more (specialised software) there is usually an uphill battle against some anal retentive Windows admin (who should have stayed in his parents' basement) and the staff who need some software that needs local admin. Usually the BOFH wins and the staff are left going without, again.
Fortunately where I work they have realised this and we can pretty much do whatever we want. The admin understands that most users are savvy enough to not bollocks things, and most of the time things don't get bollocksed. I think I work for a bunch of weirdos though because they're the only place who will actually give me local admin on my box.
Also, fortunately for me, I admin a Unix server so the joys of Winbites don't come up to haunt me too often... yay!
I think that you should explain to your boss that giving users of moderate computing skill domain-level admin privs is just asking for trouble if a worm or virus makes its way into your network. Just explain that if they don't have admin rights then the damage is localised to their files on their pc. IF they have admin rights the damage can potentially spread to every PC in the enterprise VERY easily!
Get onto the software company and cancel the cheque/credit card payment. You wouldn't pay for a car that required you to leave your garage unlocked 100% of the time. Why pay for their shit software? For a "large" operation, they certainly sound like a two-bit shit box of a company!
I drink to make other people interesting!
Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.