Slashdot Mirror
Ask Slashdot: Do You Use a Smartphone At Work, Contrary to Policy?
Jason McNew writes: I have been in IT since the late '90s, and began a graduate degree in Cyber Security with Penn State two years ago. I have always been interested in how and why users break policies, despite being trained carefully. I have observed the same phenomena even in highly secure government facilities — I watched people take iPhones into highly sensitive government facilities on several occasions. That led me to wonder to what extent the same problem exists in the private sector: Portable Electronic Devices (PEDs) are a huge threat to both security and intellectual property. This question has become the subject of a pilot study I am doing for grad school. So, do you use a smart phone or other PED during work hours, even though you are not supposed to? Please let me know, and I will provide the results in a subsequent submission to Slashdot.
--- Sent from my Verizon Wireless Galaxy S4
Hey Slashdot, do you regularly engage in practices at work that could land you fired or worse? Please, do tell! Please, also post under your real name, preferably a G+ account.
Question 8. What kind of wearable smart devices do you own (check all that apply)?
If I don't check any, I get a "! This question requires an answer." Alert.
I guess I better go get a wearable smart device.
(Other questions have the same problem)
I've worked a lot of places. I work for the government now.
There's two classes of secure workplace. Actually secure, and pretend secure.
Actually secure places have people who search everybody when they come in, may have thugs with guns guarding the place, have proper access controls and actual consequences. Active network monitoring. Plug something unexpected in and security shows up, not the admin. Violation of policies can result in things like jail, detention, civil liabilities, immediate termination, etc.
Pretend secure places have polices, maybe a secure door, and no real consequences.
You ask why users break policies. I guess there can be many reasons but for me anytime a policy gets in the way of accomplishing a task, it gets broken. Now later, a meeting will be called to address the offending policy and what to do next time this event occurs should the policy stay in place.
I know there are hard core rule followers who will say the meeting should be called first. Yeah, sure, if its not time critical or costs you a client. But I've seen strict policies that cost companies money and clients for the sake of being perfect.
It all boils down to convenience and ease of use. I know people that use PED's and dropbox and evernote all despite company policy because it's easier for them and they are more productive with those tools.
Usually they aren't really aware of the risks, just don't care or think it would never happen to them.
same thing can be said about any breach in security protocol. Why do I need separate passwords for all of my websites? I'll never be hacked.
Users don't see the risk regardless of seeing how drilled into their heads it is, and if thery are caught out on it, the nebulous punishment for violation is generally so watered down that they'll just risk it anyways. Your options are: Clear / filter electronics at a security checkpoint, much much harsher and very well known punishments ranging from termination to termination, or radio blocking to kill wireless electronics.
Bye!
There seems to be no "I don't have one" option for tablets or smart watches.
When you see people around you at work who are incompetent in your field, you assume that people throughout the organization are often incompetent in their field. When I worked in government, this wasn't uncommon. So you have a lot of rules, many of which are inconvenient to you. Since the *reasons* for the rules aren't ever published, you write off the inconvenient ones as incompetence; you don't believe they're actually any threat at all, and the punishments are sporadic-at-best, so you ignore the rule.
Taken out of the normal corporate workplace, there are rules against phones on airplanes. For over a decade... they simply didn't matter to the plane, and it was easily observable to any traveller, as often, the person next to you wouldn't turn off a damn thing, and things worked out fine.
The reason for the rule was that one phone a mile in the air could try to connect to hundreds of ground based towers, hosing the whole network. Since you weren't able to connect, you couldn't see that; you just used the phone. But since the *reason* for the rule wasn't really published, and the effects seemed nonexistent, people ignored the rule all the time.
That, and holy hell, phones really aren't a security risk. People are a security risk; if someone's allowed to see the same document a thousand times, they can simply memorize it instead of taking a picture. You need to have people you trust; the government simply runs on the policy that no one can be trusted, and (often!) gets far less competent people because of that... ...which leads back to my first point, which is when you see occasional incompetence around you, you assume the rules were written by someone incompetent.
They want me on 24 hour call, but also want me to turn off the phone when I'm at their site?
They're fucking crazy. Screw them, right in the ear.
Seriously, does _anybody_ actually comply with such insane expectations? To those that answer yes, do you regret not paying attention in school?
John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
I worked at a tech company many years ago that had two signs at the front desk: "no cameras," and "no chemicals"
The problem with the first sign was that we made mobile phone handsets and their components. This is the era when phone cameras started to become ubiquitous. But, you literally could not do your job if you obeyed the rule. I remember asking a manager about it. He laughed and told me to ignore it. However, I'm sure if you pissed off the wrong person, some selective enforcement would happen.
The second sign, "no chemicals", was incoherent. I'm a walking sack of chemicals and so are you. There are chemicals in my lunch. In my deodorant. WTF does that even mean?
How else am I supposed to watch porn while masturbating in the toilet?
Of all the firms I've worked at, we've allowed the use of PEDs. From the survey, it seems like the only policy possible was one that bans PEDs. I feel like the survey should specifically ask if PEDs are banned. Because my company has a policy regarding PEDs in place, but they do not ban PEDs. There are device management policies in place instead. I think the survey would benefit from making that distinction.
"Portable Electronic Devices (PEDs) are a huge threat to both security and intellectual property." - Citation needed.
Just because it could be used in a particular way does not make it inevitable that it will be used that way. In a citation you need to provide solid evidence that this has occurred and that this is a risk. In cases "I" have heard it was an action of the employee in control of the PEDs that initiated the security/IP theft. In those cases that person had physical access to the assets and would simply have chosen another mechanism for theft if PEDs weren't available.
I use my smartphone at work, but I never log on to the corporate network with it. As such, many of the questions do not make sense.
nope. don't own a smartphone, don't want one. i design computers (libre hardware, FSF-Endorseable) and i've had it up to here with technology and with software, i spend most of my day sitting down in front of a computer, why the f**** would i want to be taking a break walking around... with a device that not only creates up to 2 watts of microwave-grade energy in close proximity to my body but also guarantees that the concept of "break" is entirely destroyed.
i carry a nokia 3310 - reluctantly. it makes phone calls. it does SMS. the battery lasts 10 days even though it's really old. no, the only reason i would carry a smartphone is because i designed it and made it myself, including vetting all the software and choosing what i wanted. the phone would have a *true* aircraft mode where the power would be absolutely cut from the GSM/3G radio.
Slashdot, Do You Use a Smartphone At Work, Contrary to Policy?
...No, I'm not kidding...at one position (where I was a contractor), I got a link to a 'Policies to Follow' online document, when I clicked on the link, I got a 'You are not authorized to view this page' message. So I wasn't authorized to view the policy I was supposed to follow.
At another position, where I was doing device support (i.e. handling all the physical devices) for my team, I tried to connect to corporate email using my company phone (obsolete, with a custom rom), I got two nasty grams from two _different_ company security groups for the connection attempts.
So, to answer the original poster, that item they have may not be their own, and everyone at the company works around the company rules, because they should have been applied to just a section of the company (or have taken into account the differences within company areas)
They monitor the corporate network, and I wouldn't want them to know I watch porn all day instead of working.
I use my employer-issued iPhone — in full accordance with the company policies. Thank you very much for asking.
In Soviet Washington the swamp drains you.
...
yeah well, hopefully this is for a study to determine whether a study is necessary.
With reference to the section of the survey about attitudes, I don't feel any of those things. I mostly think them.
Your survey and questions in this post assume that all private sectors policies forbid use of a personal device. Obviously you have not heard of BYOD, you might want to google it. I work for a fortune 50 corporation and our policy allows users to use there own devices for personal and work related activities during the day. We do require if it is used for work related activities to have a management utility placed on the device so that it can be wiped of sensitive information if needed. Your survey is set to assume that this is not an option so you will get skewed results. I am not acting against corporate policy if I use my personal smartphone device for work related activities.
I have worked in secure govt. facilities, and it wasn't a smart phone issue, it was a PED issue. Phones, iPods, none of them were allowed into the secure area.
More to the question, did you follow the procedures are report the security violations at the government facilities? Or were they joke facilities and didn't actually require a clearance.
Portable Electronic Devices (PEDs) are a huge threat to both security and intellectual property.
But, security is a huge threat to productivity. Is it possible that while the employees were being drilled on security, they were being held accountable for productivity and not given tools that were nearly as productive as their PEDs? For example, everyone likes to yell at the guy who's not paying attention to the meeting because he's texting, but they forget that the same technology allows you to send the on call guy to the meeting and have an 95% chance he will be able to actively participate. The alternatives are to have a second meeting or hire another tech so there is one on call and one available for the meeting.
People immersed in security all day sometimes forget that security is about tradeoffs, not eliminating all sources of "insecurity". A good general rule is that if a security policy is being widely ignored, then it is probably not properly aligned with the organization's goals.
The survey is skewed to assume that employers that have policies are those of no PED use policies. My employer allows the use of PEDs freely. We do have a policy too.
No this is the study to determine if we need a study for the study.
"How much is 2 + 2?"
"How much do you want it to be?"
“He’s not deformed, he’s just drunk!”
To me...
I find it interesting that so many people refer to security getting in the way of productivity. What happens of all your security circumventions cause a breach that results in R&D being stolen, the system being hacked and customer personal information released, systems being taken down, etc. These can cause millions of dollars of loss. All your "producivity improvements" may be negated and much more by a breach caused by your failure to follow the rules. I think that the "my productivity is being harmed" people are too focused on their own job and refuse to see the big picture.
First, you need a lot more in-depth. Run the survey by people who do this for a living. You are missing a lot of information. Look for what would be the next question and try to determine if you have any biases in your research.
For example, my company's personal device policy is based on safety more then security. I work for an EPC company and people jinking with devices while working in a construction site might put an eye out (literally) or worse. Let alone accidentally dropping a cellphone from a great height, into concrete, into nuclear containment, into turbine, etc... we have issues with people texting and driving... a crane, forklift, yard dog, etc... These can be bad things. The security and productivity fears of most management is nothing compared to the fears we face in the heavy industry environment. Ever want to explain to a customer why the multi-million dollar turbine was destroyed because someone dropped their cellphone into the system?
We also have security issues, such as SUNSI information. Just don't whip out the phone and start taking pictures willy nilly and we will be fine. If not, have fun with your talk to the nice guys with the guns.
Productivity / control is our last worry. Someone will usually get a talking to if it is really egregious, but usually we don't care if you are getting the job done. The manager who does usually gets a talking to... That said... don't take a picture of your rear on a bucket and post on Facebook about how you don't do any work on the construction site... might be career limiting. Seriously...
In God we trust, all others require data.
People ignore so many policies because there are too many policies as it is. It's just like idea that we've all committed a half dozen felonies before lunch. The policies cover too much, there are too many of them, and too often they are justified with breathless language about security and/or safety.
And most of them aren't even remotely about their claim to be protecting security or safety, they're about creating and/or protecting power centers and fiefdoms and obtaining control over people.
At the end of the day, most people see through them and just ignore them because of their sheer numbers. They know the powers that be don't have the resources, political will or moral authority to enforce most of them up front and will generally just cherry pick them as needed to persecute someone who gets in their way.
The downside is that the legitimate policies or the ones that might actually be beneficial get ignored, too. It's sort of one of the side effects of drug laws -- everything is bad, and when people find out that well, pot isn't really that bad, they end up overdosing on molly or heroin because the people issuing the warnings weren't honest.
This appears to be one of those "conclusion first" studies, especially after seeing all the loaded questions in the survey, (which I could not complete due to the lack of n/a options). I have no confidence in OP's ability to be objective, considering his degree is in security, which relies on companies being overzealous.
I'm a good cook. I'm a fantastic eater. - Steven Brust
I don't own a smartphone. If work issued me a smartphone I would leave it in airplane mode. I don't always wear a tinfoil hat, but when I do, it's because of "smart" devices.
Agreed. Any threat to security and intellectual property that is posed by PEDs is also posed by eyeballs & ears. If you don't hire trustworthy people, you're screwed no matter what policies you put in place.
Support Right To Repair Legislation.
"I watched people take iPhones into highly sensitive government facilities on several occasions"
At least they weren't Android phones!
I've found that even after training, educating etc. that if people feel that they are not in danger of causing what they were taught is a problem, they'll break the rules. It seems to be tied into their own personal risk assessment. I guess you would need a policy of holding onto their phones during work hours by having them pass through a check point, and passing out work phones that have security software installed.
When I'm not provide any work phones, my smartphone is my work phone. Which works out because most of the security people I've talked to say just don't take pictures of things on site.
Your questions really beggars the imagination.
Why do people break the rules.
The Rules:
(1) ...do not apply to me ...are too hard to follow ...do not have a bad consequence
(2)
(3)
I encourage you to ask for a refund of fees and costs from Penn State.
I encourage you to ask for a real assignment and not a made up assignment.
You have become a part of the problem -- Death by Degrees!
Most PED policies refer to personal devices, not company-issued equipment.
User-owned and -managed equipment is inherently risky. We have no auditing capability, no logs, no expectation of reasonable firewall/browser/services configuration, and no access if we suspect the device is compromised or misused.
Granted, you have to be pretty draconian to reduce the likelihood of data exfiltration from your users. But it's at least possible with company-owned assets. Properly configured, only IT will really be able to get anything sensitive out, and adequate auditing will ensure that collusion is necessary to succeed at it.
If you need to prevent data from leaving a network, your task is essentially impossible if personal devices are allowed or the network is not isolated. Granted, these are not sufficient measures---a lot of other things are required---but you need to eliminate personal PEDs and control organizational PEDs quite strictly as one of the first steps.
---
According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
So, do you use a smart phone or other PED during work hours, even though you are not supposed to?
Answer: No.
Candid Answer: No.
Meaningful Answer: Yes, I use a smart phone and PED during work hours, and it is sanctioned --both on a company guest access point, and/or with a company VPN client. There exist locations within the company that are not sanctioned for use -- and they are appropriately labeled -- "personal electronic devices entering this room are subject to destruction." I have never seen a breach.
Setup a WiFi access point once without asking for an embedded system demo. It was not connected to any office systems/networks so there was no real security risk. In theory the channel used had to be coordinated to avoid interference with the official network (this takes days/weeks to have done). I simply selected a 5GHz channel that was free on the spectrum analyser and WiFi scanner.
Demo was due in 3 hours, cancelling it would have had far worse repercussions than a theoretical 30 minute slowdown of the office network.
I'm a manager for a small tech support operation. One of our policies is no using phones while at the support desk. A few staff get reprimanded about it every few months.
The reason for the policy is two fold:
1) Customers should feel welcome when they approach the shop, and staff should be ready to answer any questions without having to say "let me put this away first".
2) If someone is struggling with the organization but isn't doing anything else explicitly wrong, the policy can be leveraged to open conversations on how to get the employee up to speed.. and if that doesn't work, the policy can be leveraged to open conversations on how the employee should leave the organization.
To be perfectly honest, I'd guess almost 100% of the staff use their phones, but 80% of staff are sufficiently subtle about it so as not to get caught. It's the remaining 20% that have problems, openly flaunt the rules and often have other problems that also need addressing, too.
Asking people to comply is a dumb policy and doesn't work. It's the facility's responsibility to maintain security. At the Pentagon, for instance, you can barely get a cell signal once you're in the walls because the building materials block the signals. There are a few spots where you can get a reliable signal, but for the most part if you're not by a window(and there aren't many), you're basically not getting access. On top of that rather natural effect, they sweep for broadcast wifi signals and such and you're required to turn in electronics when you walk into certain secure areas(and they will check you in those areas).
I worked for a place once that had signs up everywhere. Pretty silly ones, guy in a trench coat reminiscent of the old Windows 95 screensaver peddling "prohibited" goods. These included Floppy disks, walk men, pagers, beepers, etc. And this was only a few years ago...
I work for several customers where it might be a thing to forbid smartphones, but they do not, essentially because they understand that such a prohibition would do more harm than good. IT security by Authoritarianism (forbid everything risky) basically always fails. Either it does not achieve its security goals or it kills productivity. The former is the typical thing in the private sector, the second is what typically happens in government.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
How else can I send photos of the secret prototypes back to mother Russia?
Do not look at laser with remaining good eye.
Very much this. Also, people want to get work done, and are in fact obligated to do so. If IT security is standing in their way, then they work around it. This is a well-known (to people that actually have a clue, many in IT security do not) "insecurity caused by security measures" effect. Example: People cannot sent email with encrypted data. Hence they send sensitive stuff unencrypted and most still gets past the scanners. That, of course, makes things worse. Or "passwords must be changed every 4 weeks". Result: People use the worst passwords possible and write them down. Not good.
When done right, then restrictions must always be accompanied with a workable alternative to get the desired effect. If the alternative is too much hassle or does not work well, people will break the rules.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Sure, I'll give you my name and tell you I violated company policy. That can't end badly.
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
People also ignore policy because they understand it and realize that it's stupid. My personal favorite is avoiding Internet Exploder. I've seen colleagues out of action for days because of stuff injected into their systems from apparently quite legitimate websites.
Now in the bigger corps I can see reason for extra rules. They seek to reduce any task to the level where it only requires a trained monkey. So you end up with nothing but trained monkeys. You don't want those kinds of users thinking for themselves and acting out.
A Pirate and a Puritan look the same on a balance sheet.
and I get my jobs or tasks via smartphone ONLY. I still use a laptop to do most of the work......
I also bring my own hookers and drugs.
“He’s not deformed, he’s just drunk!”
wtf does shit like this belong on /.
nasty hipster shitbags with your HR drone slop
just FUCK OFF already
My hobby is to identify the holes in security schemes in the first week I start at a new job. It's so laughable, from obvious holes left wide open to practices that are not enforced or easily circumvented. The security circus, whether private or governmental, is the greatest show on earth.
Whenever I talk about security, I find that I often need to point out that security is not an absolute thing. It's not as though things are either secure or insecure. Security is a practice of making access difficult and risky for unauthorized people, in proportion to the importance of what's being protected, while also making access easy and safe for authorized people, in proportion to the importance that they have access. You can "secure" the contents of a computer by shredding the drive, or filling it with concrete and dumping it into the Marianas Trench, but that's not actually good security.
Viewing security helps make sense of a number of common security problems, including the problem of people breaking policies. People are much more likely to break security polices when there is not a good balance between blocking unauthorized access and allowing authorized access. The example that always comes to mind is a scenario that I witnessed early in my career:
I worked for a company that was very interested in security, and they had card readers and keypads on various doors throughout the building. At one point, they decided to improve security by regularly changing the codes on the doors. The result is that employees couldn't remember all the codes, so employees started emailing the codes around and putting them on post-it notes, sometimes right next to the door. Of course, this was a huge problem, so the company tried cracking down, which resulted in people regularly getting locked out of their office and other work areas, and people couldn't do their jobs. To get around the problem, people started posting the codes in public areas, emailing the codes around, and sometimes putting a post-it with the code right next to the door. In the end, the most secure solution was to "lessen security" by ending the policy of changing the codes on most of the doors.
Since seeing that whole thing play out, I've seen the same basic concept in various other forms. Companies will "increase security" by making everyone jump through hoops to store files on the file server, and the result is that people store documents on their own laptops instead. Companies will "increase security" by having password policies including regular password rotation, and a bunch of users will rotate through passwords like "P@ssw0rd1", "P@ssw0rd2", and "P@ssw0rd3". The truth is that "security" is a balancing act. If your policies are not balanced and appropriate for the needs of the situation, then people won't follow them. If you really want to ban cell phones, then what you're protecting had better be important enough to search everyone coming in, confiscating any phones that you find, and punishing those who try to circumvent security.
Established correct processes ensure a harmonious work environment. Deviating from the planned path is a strong indication of poor planning or training, a flawed process or any combination of the three.
My workplace requires a personal electronic device. The survey seems to assume that any "PED policy" would be a ban or restriction. What about the opposite case?
There are also a lot of workplaces where the policy is not "you can't use it" but "you are required to keep it patched/secure", and that also seems to be a missing case.
Any threat to security and intellectual property that is posed by PEDs is also posed by eyeballs & ears
You don't get a Manning or Snowden-scale breach from people memorizing documents. Hiring trustworthy people is key, but there's no reason to make it easy for people to walk out with the crown jewels when you (inevitably) make a mistake of trust.
This is Penn State. At least he isn't studying something in the shower.
You might as well ask Do you text while driving?
It amounts to the same thing.
Personal convenience over following the rules.
When I used to go to automotive plants, they'd search your bags and you weren't allowed to bring cameras in. Once everyone got a cell phone with a camera, they just gave up.
When we had our first kid (2008) they'd look at you a bit snarky if you had a cell phone in the hospital. By the time we had our third kid, there were medical interns texting in the surgical room (it was a C-section). Nobody batted an eye if you had a cell phone, though the signs were still up. In my doctor's office, he uses some kind of program to manage all the patient medical files, and there's a terminal (it's a Mac actually) in every examination room. He leaves it logged in even though there are theoretically steep penalties for violating patient confidentiality. Just looking at the screen you can see his whole schedule for the day. When he comes in, he doesn't have to type a password or anything to start entering data about my visit. Devices like insulin pumps are known to allow wireless connections without authentication, and even if there was authentication, let's face it, it's probably broken.
Not long ago I was doing searches for industrial equipment manufacturer names on Shodan and ended up connected to one of those big wind turbines, somewhere in the middle of the US. No authentication. It was a monitoring dashboard and I didn't poke around, just closed it, but there were suspicious links/buttons on there to access the industrial controls, such as the PLC.
There are so many vectors: web browsing, phishing, thumb drives and phones brought in from the outside, pwnies, wireless, executives taking laptops home or even to China, spoofed OS updates, hardware infected as the point of manufacturing, and those are just some of the ones we know about. There is no real security.
"I have never let my schooling interfere with my education." - Mark Twain
One company I occasionally do contract work for seems to have solved this by designing their new engineering office building to be constructed mostly of steel, including metal slats as sun shades on the windows. As a result, it's damn near impossible to connect to a mobile phone network while inside.
I was hired as a consultant for a US state agency with ridiculously extreme security. I was hired to do extremely specialized work, required reference material and unfiltered internet access for research, and unix tools for text processing. I ran an SSH tunnel to my home linux box to give me those things.
They busted me after asking some difficult-to-answer questions about how I was able to accomplish certain tasks in 1/10 of the allotted time, and how to provide the same tools to the employees.
My company issued phone is a smart phone. I don't have a "desk phone". If I did, it would connect to our Asterisk box, not directly to a POTS line. We have WiFi all over the building, both a RADIUS-authenticated SSID and one for less secure stuff that just has a shared WPA password. Some things are only available via the wired Ethernet. What keeps us more secure than banning smartphones is hiring people who wouldn't steal and sell the company's source code and proprietary information.
A targeted threat that broke into an employee's phone then connected to the firewalled WiFi then got past the firewall and into the rest of the systems is really complex. It'd probably actually be simpler to target the developers' VMs where the source code lives.
Three parts to my post here. Part 1: WHAT do people (often) do that's against security policy. Part 2: WHY do people (or at least, me, and people I know) do it. Part 3: Soapbox ("wot I think"), aka why I think this type of policy is silly and what I'd do differently.
Part 1: The "what"
- (Obvious, since it's in TFS) Using your smartphone/tablet while at your desk, assuming that's disallowed by policy. .NET IL, etc. often fly "under the radar" of programs that try to detect and prevent the installation of unauthorized software.
- Bypassing the firewall/proxy at work by routing through a remote server or VPN, using, e.g. stunnel, OpenVPN, or whatever else can be hacked up (worst case, build a website that accepts a remote webpage as a URL and tunnels all the resources through it).
- Installing/running software, whether it shows up in Add/Remove programs or not, that isn't explicitly approved by IT management. Example: portable apps, VB Scripts, Java class files or JARs,
Part 2: The "why" (from the perspective of employees)
- People who want to "get work done", but need to access information out there on the intarwebz that happens to be blocked by an arbitrary and capricious firewall program, will acquire code, programs, or even just plain *knowledge* from remote third-parties, will do so using either proxy-bypassing, tunneling, or third-party Internet connections (like the 3G/4G data connection on their phone).
Often, people will perceive the monolithic "IT" organization as opaque, impenetrable, overly bureaucratic, and taking way too much time, money and resources to acquire the software needed, permit the actions needed, whitelist the knowledge sites needed, etc. in order for people to get work done. They may also have the idea (real or perceived) that the IT organization would actually prohibit the action they're trying to take, but they may feel that their decision is actually in the company's best interests.
They may (or may not) go through their own vetting process of the knowledge/software they are acquiring in order to determine if it is malicious or not, and once satisfied, they may implement it under the nose of IT. They might be doing this because they feel that the IT organization is being overly cautious or needlessly paranoid or poorly informed about the knowledge/software/code they are acquiring, and, given a limited amount of time and budget, they need to get their work done or they will be on the hook for not having it done when the deadline hits. I'll assign this category of activity the term "skunkworks" for the sake of brevity, with the general idea that these activities are actively beneficial to the organization, come with a low risk, generally have very little impact on IT infrastructure, and very high upside for the company.
- People who want to participate in social networking, banking, personal email, etc. in cases where these services are blocked from their work computer, will often access them from a personal device, OR from the work device after taking the measures mentioned above. They are not willing to leave the work area in order to tell their spouse to order pizza tonight, order tickets to a baseball game, or check if they'll overdraw their checking account by stopping by the store tonight. This might also extend to watching a short Youtube video for pleasure, e.g. if you remember a meme and want to share it with a coworker because a conversation you had made you think of it.
They may feel that their actions are harmless to the company and benefit them, and are unwilling to give up this freedom for the sake of the company, because they need to live their lives and can't work eight hours straight like a robot without interruptions from real life. After all, even if they adhered strictly to the policy, they would have to spend a lot of time temporarily out of the office to handle these issues; the issues don't go away just because the employee is compliant with policy - their pr
we know your breaking the rules. you know the implications. tell us what you are doing and why, as we escort you from the facility.
Citation needed.. Sorry Hillary's private server was scrubbed and not inspected. Citation for improper communications and back room deals is not found.
Many IT departments know data is leaking as the effect is seen. The Edward Snowden type leak is what a lot of companies are afraid of.
The big questions are if you have secure documents and data, are they on systems isolated from open USB ports, bluetooth, etc? Is all the devices on the secure network locked down for protection from unauthorized connections? Is the normal office IT secure?
If I am on break and pull out a smart phone and look up the Slashdot headlines, there should be no problem. If I connect my Office Laptop to my personal hotspot so I can work at home, this is a serious security problem. Doing the latter should be grounds for immediate dismissal.
The truth shall set you free!
Posting anonymously because it would be easy to track me down otherwise.
I work at a DoD contractor and hold a security clearance. I also have access to secure areas that require at least secret level and above. Here's what we are allowed and not allowed to do:
Nothing is allowed in the secure areas that can record or transmit. That includes floppies, USB, tape recorders, etc. Nothing allowed that transmits, this was recently expanded to include smartwatches and Fitbit devices. I wanted to ask them about the smart key fobs cars come with nowadays, but that would be self-defeating. In the past I was allowed to certify and bring in an iPod touch in (1st gen) because it had no camera or microphone and it did not really function as USB storage. Back then we were allowed to do so if we turned off the wireless capability. I also did not carry a charging cable. Now, nothing gets in, and I don't blame them.
If you accidentally walk in with a phone, no one has a fit - you just get it out of there immediately.
In the open areas, we can bring pretty much anything. Smartphones and even a personal laptop are OK, but you might get questioned on the latter to justify why you brought it - pretty much because you cannot do anything with it there. The only restriction on smartphones is they stay off of the company network and guest network. Also, using the camera or recording function is forbidden without a special security permit/tag.
He'll be able to figure it out. There's no reason to go full autist.
The powers that be have decided that certain sites shouldn't be accessable on our work systems, like Google Docs. So, naturally when I get orders to do something from management and the instructions are on Google Docs, management start looking at each other like a bunch of fools who just realized that they told me to do something and then banned me from being allowed to have the documents they told me to use to do it.
When faced with management stupidity, a phone is a pretty handy option.
-- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
That policy is not going to survive as people start augmenting their eyes and brains.
The augmentations will be part of your medical record and evaluations. You will not be working in a secure facility if the augmentations do not abide by its rules.
Well ignoring government facilities where lives are on the line and which don't pay well anyway, shadow IT is a way of life in most of the free world. IT policies are usually insane in most large Wall St. operations. It has been a game amongst many users to figure out how quickly we can circumvent some lame heavy handed rule from on-high. IT either works with us, or it works orthogonal to us, but either way what we want done gets done.
Finally I'm in a place where IT doesn't get in my way, and I don't have to do anything wrong. More importantly when I discover a problem in their network, they actually take me seriously and it turns out sometimes I'm even right and a router is misconfigured. We get along well. Of course my company probably does have both more IT personnel and more resources for them than your average wall st. smash & grab operation.
Other than emulating a pen and paper (eg copying data from a display), If someone's "PED" can interface with my network in such a meaningful way I suck at my job.
Likewise, company issued "PEDs" aren't nearly as under IT's control as they think it is. Corporate phones with unencrypted MSL codes stored in flash, shitty low entropy 'hardware' encryption, debugging ttys... You really think any given company is going to succeed at locking these devices down where their manufacturers can not?
Increasingly with current not to mention future technological advances our devices are extensions and augmentations of our brain more and more directly. So expecting a person to not have those devices or have them turned off is effectively asking them to do a partial lobotomy and to decrease their effectiveness. This is increasingly going to be seen as an old fashioned and quite short sighted affront and rightly so.
Most parts of the building are smartphone 'ok' but there are labs that are not. Outside the labs are cubbies with keylocks. You're supposed to put your phone in a cubby... The times i've violated the rule were purely accidental where someone has dragged me away from my desk to help them with something and the excursion ends up in one of the labs and I forget that my phone is in my pocket.. I've never taken the phone out of my pocket to use it though it did ring once causing everyone to look over and mock me until I sheepishly left...
Other parts of the building where the phones are allowed; the phones get used because the corporate firewall prevents us from doing actual work so we have to download stuff onto our phones and then e-mail it to our corporate accounts... The corporate climate for making firewall rules which permit people to be productive is non-existant. And you wonder why military gear is expensive? But I digress.
I made the distinction between necessary and sufficient measures for a reason.
It's not about making it impossible to steal data. There will always be at least one way. No one in IT security believes anything is perfectly protected. Maybe idiots, but there are idiots in every profession.
The purpose of security measures is to raise the bar on the time, effort, and skill required to steal data or halt services.
Organizations that need to secure a particular set of data will not make that data accessible via smartphones. Smartphones are networked and generally owned by employees, either of which is a show-stopper. The security issues with individual handsets and with GSM/CDMA just pile the shit deeper.
The handset manufacturers are where Microsoft was in the 80s and 90s---everyone wants their product, and no one knows it's important enough to demand security. So they churn out broken crap for everyone to buy as soon as their contracts are up. Sooner or later there will a reckoning, and the security will get better. I'm waiting for a worm to knock an entire region offline for ATT/Verizon/Sprint---maybe then security and good design will matter enough.
---
According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
> I have always been interested in how and why users break policies,
> despite being trained carefully.
Well this is a different question than topic subject about mobile devices. They break it because they can I guess.
> I watched people take iPhones into highly sensitive government facilities on several occasions.
They were not as highly sensitive then. If they were there would be actually some guards at the doors searching people to prohibit bringing in devices such as smartphones.
It is quite easy - you can build a really big fence. Like 20m high but if nobody is going to watch over it there would be a guy with 20m ladder... so I guess you get security wrong. If there is a policy prohibiting iPhones in certain area - do execute that policy and have guards executing it physically.
> That led me to wonder to what extent the same problem exists in the
> private sector:
It depends but usually not. If it is concerning REALLY SENSITIVE AND PRECIOUS DATA like medical research, military contractors, finance and so on - then yes the problem exists. But usually in private sector the data is just not so sensitive to protect it with such costly measures.
> Portable Electronic Devices (PEDs) are a huge threat to both security and intellectual property.
Nah. They are not. If they are then you are doing something wrong.
> So, do you use a smart phone or other PED during work hours,
> even though you are not supposed to?
No. That is I can use my smartphone whenever I want. No company policy forbids me that and I know nobody that has similar policy in place. In my opinion you have reached a wrong target to ask that question.
Our company has a strict no cell policy, period. Most everyone in my department ignores that. We often must work alone under hazardous conditions, which is against state law (a law the company largely ignores). So we often carry our own communication lifelines with us.
At the company I work for, smart phone use at work is actively encouraged. A large part of this is because some of what my company does is develop smart phone apps, so we're encouraged to use the devices in order to be more familiar with them.
Many of the comments I see keep blaming IT for the policies but the commenters should look closer at the history of policies. I've worked in manufacturing, telecom engineering, and financial industries. Many of the user complaints about policies were policies that originated from HR dept, Compliance dept, or government regulations and IT was directed to implement and enforce the policies.
Any device can be compromised and used for nefarious purposes. Especially an unmanaged personal device needlessly carried into a secure facility.
I'm working at a medium sized company, and the problem with security policy here is that it not designed for the needs of the company at all - the security info people simply copy the policies of some other similar but bigger corporation. Because the best way to CYA is to simply say: "But they do it that way".
Best Coupons & Offers from Hundred's of Online Stores, Makemytrip, Flipkart, Snapdeal, Amazon, Ebay Coupons & more!
Best Coupons & Offers from Hundred's of Online Stores, Makemytrip, Flipkart, Snapdeal, Amazon, Ebay Coupons & more!
If you watched people take in iPhones then then you weren’t working in a secure facility. Actual secure facilities have men with guns who randomly search people on entrance and exit. If they find a phone you’re fired and, possibly, going to prison.
"Physics is to math as sex is to masturbation." -R. Feynman
In Austin, Texas, General Motor has a call center for complaining customer. We don't work for GM, we work for a contractor so GM don't have to deal a union. Several people had forgotten to silence their cell phones on the "production floor" (a massive room in about 300 agents). It rings and you have fired on the spot, immediately walked out the door.
Three people has being carried out the door due to heart attacks or stroke in the late few years. Yeah, we have stress. We work in hell for monsters.
... We let people bring the phones in... we simply make it physically impossible for them to connect to secure systems.
The wifi is an entirely separate network maintained for people to do whatever with their phones or personal laptops. The actual secure network is wired... and has a lot of internal security on it making it hard to connect to anything without the admin authorizing the connection.
So you can bring your phone and go nuts with it. It won't connect to any of the work stations. You can plug the USB in and all it will do is provide power. You can't do a file transfer via USB. You can plug mice or keyboards into those ports. That works. File transfer... no. You also can't install anything on them either. You also can't use company workstations to go to apple.com and download the drivers. And even if you could, you couldn't download the drivers to the workstation. You could download them to a file server. But they'd have to be executed form the file server... and the workstations can only run executables and scripts that are on the white list. If the executable is not named a certain thing, in a certain folder, and fits certain other perameters.... it will not run. Period.
And again... you couldn't go to apple.com in the first place.
Point is... you can't connect an iphone to the workstation to transfer files in either direction. Same thing for thumb drives or anything of that nature.
The workstations are locked down such that you can use internal company databases, use a few programs that are understood to be important for certain tasks and access a whitelisted series of webpages that are run under similiarly parnaoid principles.
Let me be very clear here, any network that is so insecure that some stupid user can walk in, stick a thumb drive into a machine they have access to, and steal information or corrupt the network... that's not a secure network. That's rookie bullshit.
If your techs don't know how to tweak USB drivers to control what the USB can and cannot do... then consider locking the workstations in little cages so the users can't physically get at the ports. And if any ports are exposed still... consider filling them with epoxy or simply popping the case open and unplugging the ports from the motherboard assuming they're on a break out board.
Long story short, users in a high security environment should not be able to copy things on to USB sticks, CDRs, or whatever. As in... CANNOT. Not "not allow".. not "against company policy"... not "did you read the memo"... I mean "not" as in this is a three foot thick titanium bank vault that opens on a time lock type "no fucking unauthorized access".
That's how you do security. And one more thing. If you don't have someone in the office that is paid to maintain a fire arm and the skill to use it properly... you are also not in a high security environment.
Real high security means everything needs to be wired up tight enough that it will give the "Mission Impossible Force" trouble... and if they get caught... you need to be able to put a pistol against their heads and tell them to back away slowly from the server.
This sounds extreme to people that don't understand high security. For those that understand high security this is humdrum. Its Tuesday. Its this:
https://www.youtube.com/watch?...
Extreme? If you're not used to it. If you're being as paranoid as possible at all times then it becomes normal.
I am told to assume all employees could be stealing, sabotaging, or spying.
I assume everyone is a cheat, a liar, and a thief. Not because I really think they are that, but because that is the job. I give someone access, and I have to make sure they can't fuck over the system. As in... CANNOT.
Many say it can't be stopped... those that say that simply don't know that it can be done if you're willing to not pussy foot around and be serious about it.
Its funny how there are ideologies even in tech. I'm about to get bombarded by people that say it is BLASPHEMY to say you can lock a system down this tightly. HERESY... cannot be done... not one of them has ever tried.
I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
Jitterbug germane.
Tracy Johnson
Old fashioned text games hosted below:
http://empire.openmpe.com/
BT
We know you're unemployed. No employee would get away with wasting so much of the working day angrily shouting at people they don't know on slashdot. You think too highly of yourself when you tell yourself that you can get this one past the crowd here.