IT Security: Podium place or first round shame?

The results of our Security Poll are in, and like medal-toting 'Team GB', they show that being game counts a lot. A big thanks to the 1,100 fine folk who took part in the poll, the warm-up to our forthcoming Security Debate in September. You told us straight up that IT security remains an important issue. However, it’s clear …

COMMENTS

This topic is closed for new posts.
  1. Big_Boomer Silver badge
    Boffin

    Balance

    My experience of IT security is that many companies overdo it.

    Security is all about balance.

    I can secure a website such that it is unhackable, but it will involve taking it offline which obviates the whole point of having a website.

    Many companies try to lock down too much on their users desktops and as a consequence reduce productivity and increase staff turnover and stress levels.

    So, security doodz, next time you want to introduce some further lockdown of a system, please consider the effects it will have on the systems users BEFORE you implement.

    Also, please consider that there is ALWAYS more than one way to secure something.

  2. Mother Hubbard
    Paris Hilton

    Re: Balance

    Of course, the other way to secure user desktops is to remove the users, but you hippies aren't happy with that either.

  3. Anonymous Coward
    IT Angle

    Re: Balance

    There's a very easy way to secure desktops. Fit a remote-enabled shock collar to each user's neck. Any time the user gives his username/password to a co-worker, tells the customer "oh sure, I'll load that USB stick on my machine since it is for some reason not working on those client access machines," turns off his virus scanner, or any other rather obvious or stupid violations of basic security, you shock them until you can smell it down the hall.

    They'd catch on eventually.

    Security has to be usable, but users have to be willing to play within the rules. The more they try to circumvent the existing and established ways of handling security, the more rights we will have to take away from them, until there ARE no ways of circumventing it.

    You are going to give away your password? I'll shorten the length that it is valid, and up the complexity requirements. You are going to plug the client USB stick into your machine, when we disabled USB access to the client access machines for a reason? Okey dokey, we'll take away your USB access too. You are going to leave yourself signed in to websites at public locations? We'll shorten the timeout down to virtually nothing. You are going to turn off the virus scanner because someone told you "it slows down the computer"? We'll take away user rights to control that application.

    Users whining about "security measures are an inconvenience" while they bring their trojan-infected, virus-ridden compromised spam-bot to work for me to fix because they "can't play mahjong on that cool new website anymore" simply *do not get a vote.*

    I am not going to feel sorry if there is a 10 second inconvenience for you five or six times a day that will in the end prevent a massive security breach, privacy loss, or help me avoid a data recovery scenario.

    Or, to put it even more bluntly: downtime costs the company more than replacing your sorry ass would.

    Think on it, and have a nice day.

  4. Mother Hubbard
    Heart

    Re: Balance

    Come on AC, you paint Boomer's point too clearly. Besides you're not offering any real security - the Big man would probably just boot ERD Tool, back-out those silly registry settings, create his own local administrator (for future quick fixes), delete those untrusted corporate issued signing certs, and change the rights on a couple of DLL files so that Group Policy was no longer a concern of his. If you were lucky he'd probably stop there, but after you took away his USB access he was delighted to come to the rescue of the local executive assistant pool and liberate their PCs (they were so pleased with him when they could load their favourite kitten-oriented screen savers, when they could load programs faster without that dreadful anti-whatever software, and when their machines no longer played patch-bingo each month).

  5. Anonymous Coward
    Heart

    @Mother Hubbard

    If there was a "user" on my network capable of that, I'd either hire him into my department, get him fired as competition, or, more likely, quietly let him get away with it. My theory is that if, as random Joe sales drone you actually know that much about computers, you DESERVE the right to load your kitten screen saver. I will at that point either hire you into my staff, where you can have as many kitten screen savers as you want, or ensure your quick termination as a threat to company security.

    The attitude that "convenience is more important than security." Disabling the ability to use the kitten screensaver lets you see who will complain, or try to work around it. When you find those 'special' users, you write them down on your list of people to hunt, and you hound them out of the company, to insanity, or into submission. Whichever happens first.

    Lock 'em in the lift. Randomly re-direct their phones. Anything it takes for them to understand that I will not let the bruised ego and hurt feelers of some completely replaceable sales drone cost the company (potentially) millions of dollars, and as a result, myself and all my staff their jobs. Their need for convenience and personal instantaneous gratification could result in a data loss or privacy breach that costs the company so much that people from all over get fired. As Reg readers, we know how those stories go. If the security restrictions truly impact the legitimate workflow of an individual, or department, then it is IT’s job to find a way to preserve security while offering a smoother, easier way for them to accomplish their tasks. I take that part of my job very seriously, as functionality and ease of use are primary and legitimate concerns.

    Yet, if it comes down to the hurt feelers of some irrelevant and completely replaceable drone, or the job security of myself, my staff, and even the irrelevant drones from other departments...

    ...well, screw the drone.

    The needs of the many outweigh the ego of the retard.

    (Also, I did see the sarcasm in your post, but it’s far more amusing to presume there was none, as it gives me another opening to rant. While my described security measures in the previous post are only a fraction of what in reality should be and often are implemented, they are examples of the ones that people often try to get around. "Real security" in relation to computers starts with the principle of LEAST privilege, something the damned hippy users bawwwww about far too often. Reality has to live somewhere between a true implementation of the principle of least privilege and letting the drones run amok. I still say the best company is one with as few drones as possible. For those who take offence at the concept of the principle of least privilege, chances are your jobs are simple and meaningless. The kind robots will be doing soon.)

  6. Mother Hubbard
    IT Angle

    Life 101

    AC, you've lost the security challenge before you've altered even a single binary digit in defense.

    You see a difference between your "staff" and "irrelevant drones from other departments". I haven't seen a corporate activity that has been precluded from the outsourcing market-place -- right through to, and including, the CEO. We are all just corporate drones poised to become redundant to a cheaper alternative, but nary one of us wants to believe that.

    "Real security", in relation to anything, comes from an environment of trust, respect, nurture and education. Justice keeps the peace. Integrity keeps the faith. You can take away a man's will to fight if you provide him with no enemy, and keep him content. And the reverse is true.

    I disagree with Big Boomer as I am yet to see an enterprise that has been hardened to a degree that is commensurate with the effort required to pry and jimmy it for the market (street) value of its information assets. But that wasn't all of Boomer's point. He has authored a declaration - an affirmation that your aggravation will create (and therefore, is) your enemy, not halt him. And to that end, I agree with Mr Big.

  7. Anonymous Coward
    Pirate

    @Mother Hubbard

    We are all drones in one way or another. The difference between the IT staff and the drones from other departments is that our jobs involve access to the controls over those computers, and the ability to restrict, or un-restrict access to information. We are just as replaceable as any of the other cogs in the great machine of business.

    Yet, just as I would not be granted access to the payroll records of our company, nor the production statistics or budgets, the staff don't get to turn off their Virus Scanners. Most people would love to know what Bob over in Cube 27 makes. They would love to know where the money in the company goes, and why their department didn't get what they asked for.

    Segmentation of responsibilities and duties however means that everyone who is not a member of the IT department is simply "other" in terms of access. Even within the IT department, different members have differing levels of access to different resources.

    Anyone who tries to circumvent security precautions simply for their convenience *is* the enemy. Just as my trying to obtain payroll records or information would make our accountants hunt us in the night with pointy sticks.

    The greatest threat to the company's information security right now is me, because I have the most access. In order to mitigate the damage any one person could do, you start with the person with the most access, and find ways to remove their ability to break or copy everything. Every truly critical piece of information I could get access to requires someone else to sign in as well. This is to ensure that I can't go check the payroll records, or view the budgets. Backups are segmented, with no member of the IT department able to purge all copies of a backup set, as well as the main systems.

    Security is impossible to achieve in an absolute fashion. It's all about mitigating risk. My statements are not to be taken that I view my staff (or myself) as something other than disposable or replaceable. It's simply our job to make sure that the OTHER disposable, replicable elements of the company don't delete anything important, or make off with the digital gold.

    Since that's what the job is, and since it is the livelihoods of my staff and myself on the line, anyone and everyone that is a potential threat to that is the enemy. You want to believe that security can come from trust, and friendship, goodwill and fluffy bunnies, well, I can’t stop you from believing that. Hell, you might even be right, and I may very well be wrong.

    I will, however, continue to view everyone with suspicion, and operate as close to the principle of least privilege as I can get away with. Sales drone #84 does not require access to the SQL server. Marketing Droid #31 does not require access to the customer Credit Card information accounting keeps for monthly billing. Accounting droid #7 does not require access to the manufacturing software. At no point do any of the disposable cogs need access to facebook, youtube, or randompornsite.com. The fewer of them there are, the fewer there are to worry about, and the fewer there are trying to break the rules.

    Understand that outside of work, I am quite a nice fellow, gregarious, friendly, sociable, kind to my neighbours, and helpful to my friends. In the workplace, however, it isn’t personal, it’s business. My job is to make sure they don’t cost me, or anyone else in the company, our jobs.

    Very few people like that idea, but very few companies take security seriously enough. How many millions of records lost by how many different companies and governments in the past 8 months alone?

    Just thoughts…
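The access model sketched in the post above (deny by default, a second sign-in before anyone touches the most sensitive data, backups that no single IT member can purge in full) is a recognisable pattern: least privilege plus a two-person rule and segregation of duties. What follows is an added example written for this page; it is not code from the thread or from any commenter, and every role, resource, user and backup copy in it is constructed sample data, as is the shape of the policy itself.

```python
"""Deny-by-default access policy with a two-person rule and segmented backups.

Illustrative only (constructed for this page). Models least privilege as an
explicit allow-list per role: any (role, resource) pair not listed is denied.
Resources marked as two-person require a distinct second approver. A backup
set is considered segmented when no single role can purge every copy.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample policy: role -> resources it may use. Nothing else is allowed.
POLICY: Dict[str, Set[str]] = {
    "sales": {"crm"},
    "marketing": {"cms"},
    "accounting": {"billing", "payroll"},
    "it_admin": {"backup_console", "billing", "crm", "cms"},
}

# Constructed: resources whose access additionally needs a second, different person.
TWO_PERSON: Set[str] = {"payroll", "backup_console"}


@dataclass
class Decision:
    allowed: bool
    reason: str


def authorize(user: str, role: str, resource: str,
              approver: Optional[str] = None) -> Decision:
    """Evaluate an access request: default deny, then the two-person check."""
    granted = POLICY.get(role, set())          # unknown role -> empty grant set
    if resource not in granted:
        return Decision(False, f"role {role!r} has no grant for {resource!r}")
    if resource in TWO_PERSON:
        if approver is None:
            return Decision(False, f"{resource!r} requires a second approver")
        if approver == user:
            return Decision(False, "approver must be a different person")
    return Decision(True, "granted")


# Constructed sample backup set: each copy names the only role allowed to purge it.
SAMPLE_BACKUPS: List[Dict[str, str]] = [
    {"copy": "onsite-disk", "purge_role": "it_admin"},
    {"copy": "offsite-tape", "purge_role": "records_custodian"},
    {"copy": "cloud-archive", "purge_role": "records_custodian"},
]


def copies_purgeable_by(role: str, copies: List[Dict[str, str]]) -> List[str]:
    """Names of the copies a single role could purge on its own."""
    return [c["copy"] for c in copies if c["purge_role"] == role]


def backup_set_is_segmented(copies: List[Dict[str, str]]) -> bool:
    """True when no single role holds purge rights over every copy."""
    if not copies:
        return False
    return len({c["purge_role"] for c in copies}) >= 2


def repeat_offenders(decisions: List[Decision], users: List[str],
                     threshold: int = 3) -> Set[str]:
    """Users whose denied requests reach the threshold; a review signal, not a verdict."""
    counts: Dict[str, int] = {}
    for user, d in zip(users, decisions):
        if not d.allowed:
            counts[user] = counts.get(user, 0) + 1
    return {u for u, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print(authorize("alice", "sales", "crm"))
    print(authorize("alice", "sales", "sql_server"))
    print(authorize("bob", "accounting", "payroll"))
    print(authorize("bob", "accounting", "payroll", approver="carol"))
    print("segmented:", backup_set_is_segmented(SAMPLE_BACKUPS))
```

The point of `authorize` is that the allow-list is the whole policy: a role the table does not know, or a resource it does not list, falls through to denial without any special case. `repeat_offenders` only counts denials and returns names for review; what an organisation does with that list is a policy question the code does not decide.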
