
Protecting jobs?

  • 27-10-2010 10:51pm
    #1
    Closed Accounts Posts: 1,155 ✭✭✭


    First of all, I'm not trolling. I'm genuinely interested in people's thoughts on my opinion of IT security.

    In my place of work, IT security policies make you tear your hair out. From delaying projects right through to not being able to use a memory stick or burn a DVD.

    Are all these policies and nuisances created to keep IT people in jobs? I previously worked in a large multinational where I had admin rights on my laptop! And they have more intellectual property than anyone in Ireland.

    Discuss? I will chime in with more views if people wanna discuss.

    Thanks


Comments

  • Registered Users, Registered Users 2 Posts: 576 ✭✭✭ifah


    hmmm - where to start

    lock down usb/dvd to prevent unauthorised transportation of confidential data

    admin rights on laptop - ever have an issue with your laptop and not be able to get it resolved because of all the crap on there ?

    keeping things standard especially in large organisations is key to streamlining service and minimizing disruption to user/business processes

    well designed/defined security policies should protect and support the business.


  • Closed Accounts Posts: 1,155 ✭✭✭Stainless_Steel


    ifah wrote: »
    hmmm - where to start

    lock down usb/dvd to prevent unauthorised transportation of confidential data

    admin rights on laptop - ever have an issue with your laptop and not be able to get it resolved because of all the crap on there ?

    keeping things standard especially in large organisations is key to streamlining service and minimizing disruption to user/business processes

    well designed/defined security policies should protect and support the business.

    The USB/lock down doesn't have merit. Sure you could just print off confidential data or write it down if you were bothered.

    No issue with admin rights. I had it in two jobs and it meant the laptop was actually useful. I got to decide what applications I needed. Not some IT crowd that always bought the dearest one with the cover-your-ar$e support contract.

    Agree re keeping things standard. So use the same hardware and OS should suffice there.

    You mention 'protect and support' the business. Have you not seen any cases where security policy restricts and delays other departments from getting on with what is quite often the core business of an organisation?

    Why is it that some multinationals have one guy managing security quite liberally and practically, whereas other smaller companies require 10 guys to enforce policies? And why do IT security departments decide what a person should have access to? E.g. If my boss wants a DVD burned every week, surely IT have a duty to support me and not restrict me? It's not their call to decide if I am burning confidential data.

    Any more thoughts from anyone? Or am I the only person who feels IT security is not cost effective?


  • Registered Users, Registered Users 2 Posts: 2,534 ✭✭✭FruitLover


    Or am I the only person who feels IT security is not cost effective?

    Depends on the situation, it's impossible to answer 'yes' or 'no'.

    But here's a little story to give some perspective on the potential importance of IT security policies: I used to work for a contracting company supporting a very large international corporation. Once they had a global-scale virus outbreak on their internal networks due to a combination of bad firewall management and lack of end-user security. The cleanup took several days of constant work between my company and four different continental teams of corporate staff who directed national IT managers who directed regional IT managers who directed local techs etc etc to isolate and clean infected sites. Thousands of man-hours down the toilet.

    I'd imagine the cost of that particular farce outweighed what it would have cost to arrange policies to stop the dumbass who brought in the infected USB stick that kicked it all off.


  • Registered Users, Registered Users 2 Posts: 576 ✭✭✭ifah


    The USB/lock down doesn't have merit. Sure you could just print off Confidential data or write it down if you were bothered.

    There's a big difference between printing/writing out thousands/millions of confidential data items and plugging in a USB key/SD card half the size of a stamp and downloading an entire corporate database onto it - your argument doesn't hold any water, whereas if there's a good security policy supported by good endpoint security in place which allows specific pre-registered encrypted keys to be used then no problem, as long as the endpoint security also tracks/logs how data is entering/exiting the organisation.


    No issue with admin rights. I had it in two jobs and it meant the laptop was actually useful. I got to decide what applications I needed. Not some IT crowd that always bought the dearest one with the cover-your-ar$e support contract.

    Admin rights - how were you deciding what applications were useful? Just downloading / installing freeware/shareware/pirated software ......., maybe allow a couple of exceptions on your personal firewall, disable antivirus scans because they're slowing down your laptop while you want to watch your ripped copy of Avatar?

    Agree re keeping things standard. So use the same hardware and OS should suffice there.

    Using the same hardware/OS is only scratching the surface of standards, what about encryption, application delivery, asset management, hot desking, asset sharing?

    You mention 'protect and support' the business. Have you not seen any cases where security policy restricts and delays other departments from getting on with what is quite often the core business of an organisation?

    Of course - and the IT guys need to be flexible to adapt to this, but not at the risk of compromising the company's systems or data.

    Why is it that some multinationals have one guy managing security quite liberally and practically, whereas other smaller companies require 10 guys to enforce policies? And why do IT security departments decide what a person should have access to? E.g. If my boss wants a DVD burned every week, surely IT have a duty to support me and not restrict me? It's not their call to decide if I am burning confidential data.


    I'd love to see any multinational that only has 1 person designing / building / managing the IT infrastructure in any type of competent fashion.
    The IT Security guys are only there to enforce policies that have been agreed by senior management.
    Has your boss ever raised an exception request to get you permission to burn a DVD?


  • Closed Accounts Posts: 1,155 ✭✭✭Stainless_Steel


    Good to see some good points on the discussion.

    Regarding your story fruitlover, I am not saying don't have anti-virus. Buy the best and always have sig files up to date. Fully support this.

    Ifah, regarding corporate database, I think people that are given access to confidential data should be trusted or not in the job at all. I have a lot more IP knowledge in my head than any database could show. I know our competitors would love to chat to me rather than have a copy of a database. But accept your point partially.

    I didn't do anything dodgy with my admin rights. I downloaded iTunes, which was allowed. I couldn't mess with AV settings. If I messed up the laptop with dodgy crap the IT guy would have just fixed it. The company viewed my happiness as more important than restoring a laptop. But I never had an issue.

    I think, like my boss does, that the decision to transfer data which is owned by our department is our call, not IT's. He has many rows with head of IT over this.

    My boss approves derogations every week for me, yes. But even at that IT security give the usual condescending spiel. They question every request. Their exact words - "we don't think you need this". Eh...I'm telling you I do.

    Our IT department think they are HR.

    Chip on shoulder or what? LOL. I just can't agree with having jobs created for new policies that never posed a threat for years and years. Especially when all databases are moving to servers with simple web based client access. Fully trackable for who is looking up what.


  • Registered Users, Registered Users 2 Posts: 11,205 ✭✭✭✭hmmm


    Regarding your story fruitlover, I am not saying don't have anti-virus. Buy the best and always have sig files up to date. Fully support this.
    Bear in mind that sig files are only updated after a virus has become known to the AV company which has often been a few days after a virus has spread. A lot of technical security policies are about dealing with the threat of an unknown virus. Those policies would include restricting admin rights, locking down desktops, patching, restricting Internet access etc. The risk may be relatively low, but the impact could potentially be disastrous if a virus spread within your company.
    Ifah, regarding corporate database, I think people that are given access to confidential data should be trusted or not in the job at all.
    That's naive in the extreme. There is a difference between being given access to data in a controlled manner and being allowed to do anything you want with this data, anywhere. Our users can access confidential data, but their access is tracked, they are not allowed to download large lumps of data, and they are certainly not allowed to use it off-site except on a computer that is secured as per company policies.
    I didn't do anything dodgy with my admin rights. I downloaded iTunes, which was allowed. I couldn't mess with AV settings. If I messed up the laptop with dodgy crap the IT guy would have just fixed it.
    The trouble is that the IT department is not in a position to be making risk judgements about every single person. You may be trustworthy and competent, but your co-worker may not be, and your IT department has no way of knowing in advance. Back when we had everyone with admin rights on their machines, we had to deal with endless amounts of crap fixing PCs that "mysteriously" stopped working and people screaming at us that it was all our fault :)
    I think, like my boss does, that the decision to transfer data which is owned by our department is our call, not IT's. He has many rows with head of IT over this.
    That depends on what the impact would be on your company if the data is lost/stolen/misused. If the data turns up on eBay, the press is going to blame your company, not you or your department. Regulators will impose fines on the company, not on you or your boss. You or your boss could be gob****es, how do IT know? The company has to set policies as best it sees fit.
    But even at that IT security give the usual condescending spiel. They question every request. Their exact words - "we don't think you need this". Eh...I'm telling you I do.
    It's their job to challenge the requests and question why the access is needed. Frankly the only condescension I'm hearing is from you, no wonder they monitor you closely.


  • Registered Users, Registered Users 2 Posts: 18,988 ✭✭✭✭kippy


    Good to see some good points on the discussion.

    Regarding your story fruitlover, I am not saying don't have anti-virus. Buy the best and always have sig files up to date. Fully support this.

    Ifah, regarding corporate database, I think people that are given access to confidential data should be trusted or not in the job at all. I have a lot more IP knowledge in my head than any database could show. I know our competitors would love to chat to me rather than have a copy of a database. But accept your point partially.

    I didn't do anything dodgy with my admin rights. I downloaded iTunes, which was allowed. I couldn't mess with AV settings. If I messed up the laptop with dodgy crap the IT guy would have just fixed it. The company viewed my happiness as more important than restoring a laptop. But I never had an issue.

    I think, like my boss does, that the decision to transfer data which is owned by our department is our call, not IT's. He has many rows with head of IT over this.

    My boss approves derogations every week for me, yes. But even at that IT security give the usual condescending spiel. They question every request. Their exact words - "we don't think you need this". Eh...I'm telling you I do.

    Our IT department think they are HR.

    Chip on shoulder or what? LOL. I just can't agree with having jobs created for new policies that never posed a threat for years and years. Especially when all databases are moving to servers with simple web based client access. Fully trackable for who is looking up what.
    Okay,
    You appear to believe you are relatively tech savvy and as such lack of admin rights is a bit of an annoyance for you.
    However, the majority of users I personally support are not tech savvy. Give them admin rights on the PC and see these people install everything from extra AV scanners to extra viruses and indeed a whole heap of crap in between - Google Chrome, weather toolbars and tickers among other stuff is fairly common to see on a non locked down PC.

    USB keys are a massive security risk, far more than you seem to realise, as are weak passwords, open laptops and weak policy.

    It's all well and good saying that these things "slow down" business, but they very plainly do not.
    I've worked in organisations before where one user has brought in some virus on their USB key and the virus spread across the network on PCs where users have admin rights; next thing the factory had to CLOSE for two days to protect sensitive data.


    Standardisation and security reduce the overheads and costs to businesses in much the same way as improvements in software and hardware have as well.

    These are not just to keep people in jobs, they are a massive requirement and are aimed at all staff.
    There are lots of people out there who believe they are techie like yourself and cause people like me no end of hassle.


  • Registered Users, Registered Users 2 Posts: 1,190 ✭✭✭wolfric


    Easiest way to get something malicious into an organisation/company is just drop a USB key somewhere and sure someone will pick it up and try it out. Or if they're trained well they'll hand it into IT who will then put it into THEIR PC. Note the whole admin rights thing comes into play right about now. Can you honestly say if you found a USB stick, nobody in your company would find out what's on it?

    When you get down to it, lack of admin rights means:

    Harder to break your computer
    Without admin rights, most pc builds are standardised. Any problems require 1 solution which applies to the whole company. Add in additional software/settings to the mix and every problem is unique and requires unique time.
    Any information exchange inside the company can be monitored. After you take it out (via USB etc), they no longer know if someone grabbed a copy without your knowledge.

    I was working somewhere where all internet sites were blocked by default and were allowed on a case by case basis. Have to say it was annoying at the start but god after a while, you work so much more efficiently.


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 93,596 Mod ✭✭✭✭Capt'n Midnight


    Admin rights - this is a nightmare when BSA come visiting; also means some people hose their computers on a regular basis (usually the ones who think they know it all)

    Media burning - one reason for this is to stop people sending unapproved stuff to clients, on a high value job one mistake could easily be more than someone's annual wages

    also if you have less freedom then you waste less time doing stuff that isn't work :p

    and if people have standard installs then it means they can move to a different machine or have theirs reimaged by the time they get back from coffee break

    back in the day when laptop users had admin rights I used to reckon that 3 laptop users with admin rights took as much support as three site offices on the WAN


  • Closed Accounts Posts: 452 ✭✭Phractal


    Not allowing USB or DVD/CD is just good security policy at work. As a previous poster said, easiest way to get in someplace is probably leave a USB key designed to open a Meterpreter shell remotely to a listener sitting around and wait for someone to pop it in their box. Then you are inside the network and can work from there!

    I mean ****, when I noticed all the computers with open USB ports in the university, my evil side smiled and thought 'USB spread botnet' before I began to think of ways to stop such things from going about the place.

    Hell, I probably wouldn't allow 'net access to people who didn't need it to work if I was writing policies, or at least have some serious heavy duty monitoring and IDS systems in place, along with allowing only traffic from web pages that are actually NEEDED.

    Perhaps also policy could entail internet access only through a Linux distro inside VMware!

    Then again, there is a point on the graph where security gets in the way of work I suppose...


  • Registered Users, Registered Users 2 Posts: 414 ✭✭ElBarco


    I used to work IT in a company that brought this policy in. Before that we were spending a huge amount of time cleaning up hosed machines after people installed whatever crap they came across on the internet.

    After a couple of months things were working out much better. We had one user who was regularly complaining to the head of IT that he couldn't work without admin rights. We denied it a couple of times and then the worker in question brought the issue to the CEO and we were told to give him full rights.

    Two weeks later that user's laptop was in, broken; he told us it was our fault (and mentioned this to the CEO again). I spent a day sorting the issue (eventually wiping and restoring from backups). When I returned it to the user he asked what had happened. I mentioned a couple of websites he'd been on. After he went as white as a ghost he took the machine back. I asked him would he like me to update the CEO and he flipped. Never asked for admin rights again though.

    That aside, it's only good sense to have a consistent environment for everyone's sake. Trying to troubleshoot business critical issues that are impacted because someone has installed iTunes or whatever they come across can cause an awful lot of time to be lost.


  • Moderators, Business & Finance Moderators, Society & Culture Moderators Posts: 9,763 Mod ✭✭✭✭ToxicPaddy


    In my place of work, IT security policies make you tear your hair out. From delaying projects right through to not being able to use a memory stick or burn a DVD.

    I have to admit, when I started work in IT I was sceptical of the whole security thing too. Yes I understood the need for firewalls etc but not internal network security.

    In the years I have been working, I have seen the following:
    • 2 x Developers trying to make off with code of a new product before it was released; 1 was arrested and later admitted he had a buyer already for the code.
    • 1 x admin person trying to get into confidential personal information belonging to other employees
    • 1 x Salesperson trying to take home a database of confidential clients as he wanted to move to a competitor and take the client information over to increase his worth to the competitor.

    All were stopped by internal security measures including no CD/DVD writers being enabled, no external USB keys being allowed to connect to PCs and all file sharing sites being blocked.

    Added to that, limiting the attachment sizes of emails and blocking external email accounts such as gmail/hotmail/yahoo mail etc.

    It's saved some companies a lot of money. IT Security are there to save a company's information from being compromised both externally and internally.

    I previously worked in a large multinational where I had admin rights on my laptop!

    That's unusual to say the least. A senior manager used to demand admin rights to his laptop in one place I worked.

    One day he came in complaining that his laptop was running slow. I had a look at it and it was riddled with viruses and malware. He was giving it to one of his kids to chat to their mates online using MSN etc.. they had downloaded every piece of crap you could find.

    If he had connected that to the network, I can only imagine the damage it could have done.

    As much of a pain as it can be dealing with some IT Security people, it's a necessary evil.. Imagine how much money and man hours of work would be lost if a network was compromised and code or customer data stolen?

    Tox


  • Moderators, Business & Finance Moderators, Society & Culture Moderators Posts: 9,763 Mod ✭✭✭✭ToxicPaddy


    The USB/lock down doesn't have merit. Sure you could just print off confidential data or write it down if you were bothered.

    There could be 100,000s of lines of code in an application or a database could have millions of entries; printing something like that is never an option, but you can copy these over to a USB key in a few minutes..

    Still think it doesn't have merit?


  • Moderators, Business & Finance Moderators, Society & Culture Moderators Posts: 9,763 Mod ✭✭✭✭ToxicPaddy


    You mention 'protect and support' the business. Have you not seen any cases where security policy restricts and delays other departments from getting on with what is quite often the core business of an organisation?

    True, this does happen, but the costs are usually a lot smaller than if the data was lost or compromised..
    Why is it that some multinationals have one guy managing security quite liberally and practically, whereas other smaller companies require 10 guys to enforce policies?

    Larger companies usually have large IT divisions and a dedicated team of IT security people whose job is just to do that all day. Smaller companies may only have a handful of IT staff and it's their job to do everything from fixing PCs, maintaining a network, security policies, backups etc..
    And why do IT security departments decide what a person should have access to? E.g. If my boss wants a DVD burned every week, surely IT have a duty to support me and not restrict me? It's not their call to decide if I am burning confidential data.

    You'll find that these policies aren't dictated by the IT dept but by someone higher up the food chain.. Most IT managers are there to advise and inform the senior management of the issues relating to certain situations as they have the knowledge, and it's the senior management who make the call on this. This has always been the case in every company I have worked for.

    Granted, when the proverbial sh*t hits the fan, if something goes wrong, you'll see management ducking and diving and the IT dept getting the brunt of the blame even though they may have made recommendations to the management who duly ignored them.. again, I've seen this happen numerous times.
    Any more thoughts from anyone? Or am I the only person who feels IT security is not cost effective?

    Like any position, you get good and bad people doing the jobs; if an in any way competent person is doing their job in any dept correctly and to the best of their ability it usually keeps things running smoothly, but you can't always guarantee that.

    If you're not happy with the way things are going with the IT department in your company, maybe it's time to talk to the IT manager or someone above him to see if a compromise can be reached to get things to run more smoothly.

    At the end of the day, because I work in IT, I'm always going to be a little biased toward the IT side of a debate on this topic.. but my comments above are what I think of this whole argument, whether it convinces you or not is another thing.. :D:p


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    I just started working as Security Analyst for a fairly well known software company, and have worked in the industry for many years, so I think I am qualified to comment.

    In my interview I was asked "What is the purpose of IT Security". I said its purpose was to protect company assets cost effectively. They must have been happy with my answer because they gave me the job.

    Unfortunately, in many companies, management forget what the infosec team and their policies are for, and the team get bogged down in many areas they should not be. For example, I was at a breakfast meeting hosted by the infosec team a few years ago. An employee asked why various websites such as Facebook were blocked. The answer that came was because the IT department didn't want people spending all their time surfing the internet. In my opinion that's the incorrect answer, and it's the wrong message to send out too. It is not the job of infosec to think of ways of preventing people from wasting their time, though many people feel otherwise. Once the infosec team gets bogged down in those kinds of issues, then things do start to get silly.

    In what way have projects been delayed by infosec policies? I'm curious.


  • Moderators, Business & Finance Moderators, Society & Culture Moderators Posts: 9,763 Mod ✭✭✭✭ToxicPaddy


    syklops wrote: »
    ...The answer that came was because the IT department didn't want people spending all their time surfing the internet.

    It's not the IT department's job to monitor other employees' work rate, that's their managers' job, but I have seen this a number of times by upper management.

    They set the criteria, IT implement these criteria and then when someone asks a question which management feel uncomfortable telling the truth about they point the finger at IT to deflect the blame as it doesn't make them look like the bad guys in that scenario.. :rolleyes:


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    ToxicPaddy wrote: »
    It's not the IT department's job to monitor other employees' work rate, that's their managers' job, but I have seen this a number of times by upper management.

    They set the criteria, IT implement these criteria and then when someone asks a question which management feel uncomfortable telling the truth about they point the finger at IT to deflect the blame as it doesn't make them look like the bad guys in that scenario.. :rolleyes:

    The infosec team really does get a bad rep in some companies. Luckily in the company I work in we don't get much in the way of hassle, but that is probably because we are quite a tech-savvy company so your average employee understands why we have the policies we do.

    Plus we don't block anything just for the sake of it and there are links on our wiki pages explaining why each thing is blocked.


  • Closed Accounts Posts: 9,700 ✭✭✭tricky D


    Ifah, regarding corporate database, I think people that are given access to confidential data should be trusted or not in the job at all.

    How do you measure trust? There's an interesting stat in the CSI Computer Crime and Security Survey 2009:
    Twenty-five percent of respondents felt that over 60 percent of their financial losses were due to non-malicious actions by insiders.

    That's non-malicious actions by many who are trusted.

    Then there's the overall actions by employees which in total account for 60-70% of actual losses according to the last FBI survey I read.


  • Closed Accounts Posts: 452 ✭✭Phractal


    Is it just me or is one of the funniest security holes a box that still is rockin a 56k modem sitting in the corner AND hooked up to the network?

    I mean... wardialling would get one into that along with some other old school stuff. And seeing as I didn't get broadband until midway through my 'education' I may still remember what I am doing.

    Hmmmm. Dial into the box (very old fashioned lol) and then use that as a jump-off point.

    Perhaps security policy should dictate no 'obsolete' parts kicking about... Also... Some nmap scans I looked at showed me an open TELNET port AND SSH. Now what be the easier target?

    Low hanging fruit...

    Not naming places or sites because that would be against the rules, just making a point here.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Phractal wrote: »
    Is it just me or is one of the funniest security holes a box that still is rockin a 56k modem sitting in the corner AND hooked up to the network?

    I mean... wardialling would get one into that along with some other old school stuff. And seeing as I didn't get broadband until midway through my 'education' I may still remember what I am doing.

    Hmmmm. Dial into the box (very old fashioned lol) and then use that as a jump-off point.

    Perhaps security policy should dictate no 'obsolete' parts kicking about... Also... Some nmap scans I looked at showed me an open TELNET port AND SSH. Now what be the easier target?

    Low hanging fruit...

    Not naming places or sites because that would be against the rules, just making a point here.

    You're not the only one. One of the first things I did when I arrived in my current job was ask when the last war dial test was.

    War dialling by malicious users is coming back in a big way.

    You mention 'security policy' like it is a static entity. Unfortunately it's not. Every company has its own policy and that's where a lot of the holes begin.

