Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

Very sensitive subject but what would IT security be like in government bodies

  • 27-03-2014 9:09am
    #1
    Registered Users, Registered Users 2 Posts: 1,977 ✭✭✭


    In particular the garda....and their sensitive information....

    In particular due to the concept of corporate espionage as opposed to some script kiddie.

    Thanks.


Comments

  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Why?


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    Government bodies take this stuff very seriously.


  • Registered Users, Registered Users 2 Posts: 6,393 ✭✭✭AnCatDubh


    euser1984 wrote: »
    In particular the garda....and their sensitive information....

    In particular due to the concept of corporate espionage as opposed to some script kiddie.

    Thanks.

    I think the IT Security may be the least of their worries at the present time, though this is the organisation where email is only a recent (ok, a few years now) phenomenon - this, I believe, due to risk aversion. I'm not knocking it btw, in fact it may have been the entirely right thing for them to do at the time given the setup of their operations.

    The bigger threat for them as is in the public domain at the moment is obviously the enemy within, and even if its not an 'enemy' within, a friend within may cause significant collateral damage - reputational or otherwise. On a deeper level in an open and democratic society we should be able to embrace such exposures. We should also have a mature media industry. um....

    I gather they will take this stuff really seriously. I also believe that no system is infallable so potential there, probably; but i'd expect that you'd want to be throwing some serious resource to achieve it.


  • Registered Users, Registered Users 2 Posts: 8,063 ✭✭✭Hitchens


    euser1984 wrote: »
    In particular the garda....and their sensitive information....

    In particular due to the concept of corporate espionage as opposed to some script kiddie.

    Thanks.

    this is Ireland.................'nuff said! ;)


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Hitchens wrote: »
    this is Ireland.................'nuff said! ;)

    You'd be surprised.

    As ANCatDubh said, large parts of the Gardai are behind the fore in many ways from a technological point of view, the upshot of which is they are less vulnerable to many forms of attack than their private sector counterparts.

    Other government departments I have worked with took IT Security very seriously, dedicating large amounts of budget and manpower to it.

    Of the security reviews/audits I have done in the past year, if I were to compare government organisations over private sector organisations, it was better in the government departments 90% of the time. I'm not at liberty to say which organisations of course.


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 8,063 ✭✭✭Hitchens


    syklops wrote: »
    I'm not at liberty to say which organisations of course.

    of course, .........hush, hush, National Security etc.........say no more! :cool:


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    Hitchens wrote: »
    of course, .........hush, hush, National Security etc.........say no more! :cool:

    NDA's are standard fare.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Hitchens wrote: »
    of course, .........hush, hush, National Security etc.........say no more! :cool:

    Its called a non-disclosure agreement. I can't talk about either the government or private sector organisations.


  • Registered Users, Registered Users 2 Posts: 8,063 ✭✭✭Hitchens


    syklops wrote: »
    Its called a non-disclosure agreement. I can't talk about either the government or private sector organisations.

    I onnit yo! :pac:


  • Closed Accounts Posts: 6,925 ✭✭✭RainyDay


    I know of one Government department (a fairly sensitive one) which only recently forced password expiration, but still has no password complexity rules, so passwords are normally changed from 'Newpassword1' to 'Newpassword2' or maybe even 'Newpassword3' before being written down on a yellow sticky note and stuck on the monitor.

    They might as well leave the keys under the mat.


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    Password exiration is (IMO) a waste of time pain in the arse. The idea behind it is fine (if the password is compromised, limit the damage by limiting the duration). There are a few flaws with that though which I wont go into, but anyway. Yeah, people should be given guidelines on what constitutes a good, memorable password that wont need expiration. I also think everyone should use keepass, personally.


  • Registered Users, Registered Users 2 Posts: 155 ✭✭eddiehen


    Khannie wrote: »
    Password exiration is (IMO) a waste of time pain in the arse. The idea behind it is fine (if the password is compromised, limit the damage by limiting the duration). There are a few flaws with that though which I wont go into, but anyway. Yeah, people should be given guidelines on what constitutes a good, memorable password that wont need expiration. I also think everyone should use keepass, personally.


    I would totally agree. Password complexity over password expiration time all day long. The overhead of password resets (which would essentially force the user to change the password to something they would remember and therefore something more obvious and therefore more hackable by a dictionary crack) is just counterproductive.

    Installing keepass would require local admin rights too (or at least access to SourceForge - blocked by some transparent proxies), as an aside. If you cannot trust a user to set a complex password and let them remember that for 90 days, then you should not give them access to programs which could make registry changes (sorry, windows hat on here)


  • Registered Users, Registered Users 2 Posts: 11,205 ✭✭✭✭hmmm


    Government departments vary, some are good, some are not. Budgets can be large, but oftentimes it's wasted buying shiny boxes as a "tick the box" exercise - in particular there used to be an end of year rush to buy equipment to ensure that budget was not lost for the year after. You'll often find a very good and knowledgeable security head, but staff who have transferred into security from completely unrelated roles (because of public sector rules) - it's obviously not ideal to have firewall admins who were office clerks the year before. Most of the people I meet are pretty diligent and hard working, but you need more than diligence to be effective at security.


  • Closed Accounts Posts: 6,925 ✭✭✭RainyDay


    Khannie wrote: »
    Password exiration is (IMO) a waste of time pain in the arse. The idea behind it is fine (if the password is compromised, limit the damage by limiting the duration). There are a few flaws with that though which I wont go into, but anyway.
    I disagree. The idea works - by changing the password, you explicitly cut off any access by others. Also, when passwords get shared from time to time (which of course shouldn't happen, but does happen), it limits the time period that others have access.
    Khannie wrote: »
    Yeah, people should be given guidelines on what constitutes a good, memorable password that wont need expiration.
    I agree with all except the 'no expiration' bit. There are a few good sites that have examples of how to create memorable yet strong passwords.
    Khannie wrote: »
    I also think everyone should use keepass, personally.
    It's unlikely to be a realistic option in a corporate environment, where the organisation would need to do a full security review of keepass before handing over the keys to the business to them. Better to work towards single-sign-on, strong passwords and expiration every 60 days or so.


Advertisement