November 16, 2007 at 11:12 am
Bob Hoffman (11/16/2007)
Simple technology solution:Use only NT Terminal Server as your network OS with users getting only thin clients.
Can you say privilege escalation attack? And once I escalate to admin, I'm punching out off-site... all under the context of an administrative account. Therefore, non-repudiation fails. There have more than a handful of priv. esc. vulnerabilities that require local logon privs. That's one of the issues with Terminal Services/Citrix: you get the local logon. Not to say that's not a good idea, as Terminal Services/Citrix usually have a great ROI for an organization, but just to point out that even from a technology perspective you can still beat technology with technology.
K. Brian Kelley
@kbriankelley
November 16, 2007 at 11:17 am
Peter Schott (11/16/2007)
Steve Jones - Editor (11/16/2007) People don't respect security when it's a pain and it gets in their way. They don't see the risk of something happening as a problem.
I think this sums it up pretty well. A lot of people don't really care about trying to steal and the dishonest will find ways. However, putting place policies that make it harder to do real work will generally lead to people finding ways around those policies or just not working as hard/well/efficiently as they would otherwise. Really insane policies may even drive people away just to find someplace where they can work without so much trouble.
This is why security awareness is so important. However, most people think they know it already so usually until you prove the point with a demontrated test, you don't get their attention. We did that recently with our admins. We have a screen saver policy that forces screen saver lock after X minutes and some of them had become too reliant on it. Therefore, one of the security guys started slipping into cubes right after they walked out and sending an email to the person and to the security team to prove the point. Now the admins are paranoid and are locking their workstations as they get up, even if they are only going a couple of cubes down.
K. Brian Kelley
@kbriankelley
November 16, 2007 at 1:28 pm
K. Brian Kelley (11/16/2007)
...We did that recently with our admins. We have a screen saver policy that forces screen saver lock after X minutes and some of them had become too reliant on it. Therefore, one of the security guys started slipping into cubes right after they walked out and sending an email to the person and to the security team to prove the point. Now the admins are paranoid and are locking their workstations as they get up, even if they are only going a couple of cubes down.
I spent nine years doing database administration & development and network administration for a police department. SOP was when you walked away from your workstation, you did a Windows key-L and locked it. When I started at my current gig, I do the same thing, and the guy next to me finally noticed that my workstation was always locked and was wondering how I did it. Now a lot of people do it, though quite a few rely on the screen saver to lock their system.
We, the system administrators, also had two PC's on our desk with a KVM switch. We would log in to one as admin without internet access and the other as a user with internet access. Virtualization wasn't really viable back then.
-----
[font="Arial"]Knowledge is of two kinds. We know a subject ourselves or we know where we can find information upon it. --Samuel Johnson[/font]
November 16, 2007 at 2:02 pm
This is why all companies whould have policies on the management and protection of information that spells out the different classes of data (company use, private, etc) and what steps are neccesary to safeguard each class. Make the penalties for violations clear, and enforce them.
Only grant access to data if it is required for the person's job. Personnel data shoul dbe very restricted.
Most of this is common sense.
November 19, 2007 at 3:16 pm
Well funny story about the company where I once worked. We had to test due to a data center move. As part of the test they shut off the network to a group of PCs. These PCs had no way to connect to our shared files nor did they have floppy or disk drives. These PCs were completely on an Island for all intense and purposes. We then asked if we could have some USB drives at our disposal to move the files we needed to accurately test the data center. Anyhow we were told that they were afraid to buy us USB devices because we could steal data however out the other side of their mouth they encouraged us to bring in our own USB sticks to move data. In that instance the fear or theft was just an excuse they knew would be difficult to refute.
August 31, 2012 at 1:47 am
This security is the norm for us - only company supplied encrypted USB sticks will work on the machines, no cd or DVD or usb ports or bluetooth/infrared etc. Wall ports are blocked so you can't plug in or move a pc without IT help and can only plug in company supplied equipment which has standard builds, "windows L" keyboard locking is standard practice, most people can't write to their C drive or install anything (My Documents and profile things go on network server drive for portability) and there's a strong firewall and no wireless links allowed. All internet sites for email and social networking (and ebay etc) are blocked.
We have a few ADSL machines totally unconnected to the network where the privileged few can download updates etc. or access otherwise blocked websites.
It's generally not a problem. Work is for work and home is separate. Mobile phones are not banned as they can't be connected so personal messages and emails etc are accessible that way. If something is needed for work there's administrators who can access things. It prevents far more problems than it causes and with standard builds you know what software everyone has, so no coding for different browsers etc.
August 31, 2012 at 6:37 am
Does it make sense to ban personal storage devices?
In a corporate environemnt, there is rarely a legitimate need for employees to be downloading stuff from the network to a "personal storage" device. In the vast majority of cases, employees who do this are not trying to do anything illegal, perhaps they are just wanting to copy their photos or MP3 music files to their work PC. A developer may think that having a portable copy of a database on this laptop will make him more productive. However, in both of these cases there is no real business need, and it presents risk to the company.
"Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
August 31, 2012 at 8:16 am
Eric M Russell (8/31/2012)
Does it make sense to ban personal storage devices?
In a corporate environemnt, there is rarely a legitimate need for employees to be downloading stuff from the network to a "personal storage" device. In the vast majority of cases, employees who do this are not trying to do anything illegal, perhaps they are just wanting to copy their photos or MP3 music files to their work PC. A developer may think that having a portable copy of a database on this laptop will make him more productive. However, in both of these cases there is no real business need, and it presents risk to the company.
I'm afraid that, to me, that sounds rather sweeping. Thinking back over the years at the number of times various people at my company have had to move files around and where a memory stick or similar was the most appropriate vehicle, I'm convinced that:
I fully accept your assertion may be entirely appropriate to your business, but it's not for mine, and unless you want to argue that you know my company better than I do, you're going to have to take my word for it. I'm not trying to have a go at you, incidentally; just trying to point out your post comes across as rather inflexible to me.
Semper in excretia, suus solum profundum variat
August 31, 2012 at 8:32 am
majorbloodnock (8/31/2012)
Eric M Russell (8/31/2012)
Does it make sense to ban personal storage devices?
In a corporate environemnt, there is rarely a legitimate need for employees to be downloading stuff from the network to a "personal storage" device. In the vast majority of cases, employees who do this are not trying to do anything illegal, perhaps they are just wanting to copy their photos or MP3 music files to their work PC. A developer may think that having a portable copy of a database on this laptop will make him more productive. However, in both of these cases there is no real business need, and it presents risk to the company.
I'm afraid that, to me, that sounds rather sweeping. Thinking back over the years at the number of times various people at my company have had to move files around and where a memory stick or similar was the most appropriate vehicle, I'm convinced that:
- in some businesses there is often a legitimate need
- business is rarely tidy, so there will always be legitimate exceptions to any rule
- "personal storage device" is something of a misnomer; "portable storage device" is probably closer to the mark
- It's dangerous to make assumptions about other situations based on set of circumstances.
I fully accept your assertion may be entirely appropriate to your business, but it's not for mine, and unless you want to argue that you know my company better than I do, you're going to have to take my word for it. I'm not trying to have a go at you, incidentally; just trying to point out your post comes across as rather inflexible to me.
In a corporate environment, if employees are routinely moving files around using portable devices (like from one PC to another), then that would indicate there is something lacking in their network environment. If they need access to files, then they should put in a request to IT help desk to have permissions added for that network folder. If there is some special event, like when an employee is assigned a new PC and they are in the process of copying things from their old PC, then they should again request assistance from IT support.
If we're talking about a small company, like a consulting form with a handful of employees where everyone manages their own IT, then that different. I can see in that situation where portable storage would be routinely needed.
"Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
August 31, 2012 at 8:40 am
Eric M Russell (8/31/2012)
majorbloodnock (8/31/2012)
Eric M Russell (8/31/2012)
In a corporate environemnt, there is rarely a legitimate need for employees to be downloading stuff from the network to a "personal storage" device. In the vast majority of cases, employees who do this are not trying to do anything illegal, perhaps they are just wanting to copy their photos or MP3 music files to their work PC. A developer may think that having a portable copy of a database on this laptop will make him more productive. However, in both of these cases there is no real business need, and it presents risk to the company.I'm afraid that, to me, that sounds rather sweeping. Thinking back over the years at the number of times various people at my company have had to move files around and where a memory stick or similar was the most appropriate vehicle, I'm convinced that:
- in some businesses there is often a legitimate need
- business is rarely tidy, so there will always be legitimate exceptions to any rule
- "personal storage device" is something of a misnomer; "portable storage device" is probably closer to the mark
- It's dangerous to make assumptions about other situations based on set of circumstances.
I fully accept your assertion may be entirely appropriate to your business, but it's not for mine, and unless you want to argue that you know my company better than I do, you're going to have to take my word for it. I'm not trying to have a go at you, incidentally; just trying to point out your post comes across as rather inflexible to me.
In a corporate environment, if employees are routinely moving files around using portable devices (like from one PC to another), then that would indicate there is something lacking in their network environment. If they need access to files, then they should put in a request to IT help desk to have permissions added for that network folder. If there is some special event, like when an employee is assigned a new PC and they are in the process of copying things from their old PC, then they should again request assistance from IT support.
If we're talking about a small company, like a consulting form with a handful of employees where everyone manages their own IT, then that different. I can see in that situation where portable storage would be routinely needed.
Does that mean you do intend to try convincing me you know more about my business than I do?
Semper in excretia, suus solum profundum variat
August 31, 2012 at 8:52 am
majorbloodnock (8/31/2012)
Eric M Russell (8/31/2012)
majorbloodnock (8/31/2012)
Eric M Russell (8/31/2012)
In a corporate environemnt, there is rarely a legitimate need for employees to be downloading stuff from the network to a "personal storage" device. In the vast majority of cases, employees who do this are not trying to do anything illegal, perhaps they are just wanting to copy their photos or MP3 music files to their work PC. A developer may think that having a portable copy of a database on this laptop will make him more productive. However, in both of these cases there is no real business need, and it presents risk to the company.I'm afraid that, to me, that sounds rather sweeping. Thinking back over the years at the number of times various people at my company have had to move files around and where a memory stick or similar was the most appropriate vehicle, I'm convinced that:
- in some businesses there is often a legitimate need
- business is rarely tidy, so there will always be legitimate exceptions to any rule
- "personal storage device" is something of a misnomer; "portable storage device" is probably closer to the mark
- It's dangerous to make assumptions about other situations based on set of circumstances.
I fully accept your assertion may be entirely appropriate to your business, but it's not for mine, and unless you want to argue that you know my company better than I do, you're going to have to take my word for it. I'm not trying to have a go at you, incidentally; just trying to point out your post comes across as rather inflexible to me.
In a corporate environment, if employees are routinely moving files around using portable devices (like from one PC to another), then that would indicate there is something lacking in their network environment. If they need access to files, then they should put in a request to IT help desk to have permissions added for that network folder. If there is some special event, like when an employee is assigned a new PC and they are in the process of copying things from their old PC, then they should again request assistance from IT support.
If we're talking about a small company, like a consulting form with a handful of employees where everyone manages their own IT, then that different. I can see in that situation where portable storage would be routinely needed.
Does that mean you do intend to try convincing me you know more about my business than I do?
I offer advice only from my own personal experience; I just toss it into the mix and readers can balance whatever I write with the experiences and advice of others. My point is that the prevailing opinion of most corporations that deal with sensitive data (banks, healthcare, government, etc.) is that employees should generally be restricted from downloading data from their networked PCs to portable storage devices or (even worse) 3rd party cloud storage websites like DropBox or SkyDrive. The potential risk outweighs whatever marginal benefit.
"Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
August 31, 2012 at 9:05 am
Eric M Russell (8/31/2012)
I offer advice only from my own personal experience; I just toss it into the mix and readers can balance whatever I write with the experiences and advice of others. My point is that the prevailing opinion of most corporations that deal with sensitive data (banks, healthcare, government, etc.) is that employees should generally be restricted from downloading data from their networked PCs to portable storage devices or (even worse) 3rd party cloud storage websites like DropBox or SkyDrive. The potential risk outweighs whatever marginal benefit.
There I can now agree, Eric. The "generally" inserts enough flexibility to allow for exceptional circumstances, and in my experience there are always exceptions.
Semper in excretia, suus solum profundum variat
August 31, 2012 at 9:20 am
majorbloodnock (8/31/2012)
Eric M Russell (8/31/2012)
I offer advice only from my own personal experience; I just toss it into the mix and readers can balance whatever I write with the experiences and advice of others. My point is that the prevailing opinion of most corporations that deal with sensitive data (banks, healthcare, government, etc.) is that employees should generally be restricted from downloading data from their networked PCs to portable storage devices or (even worse) 3rd party cloud storage websites like DropBox or SkyDrive. The potential risk outweighs whatever marginal benefit.
There I can now agree, Eric. The "generally" inserts enough flexibility to allow for exceptional circumstances, and in my experience there are always exceptions.
From the first post, I though I had left enough wiggle room to cover special situations where an employee might need to use portable storage. However, I don't think that corporations should allow employees freedom to plug-in portable storage devices whenever they choose and then simply request that they only use it when needed. The firewall should block access to remote cloud storage or FTP sites, and by default the workstations should be configured to deny install of USB storage devices.
http://support.microsoft.com/kb/823732
"Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
August 31, 2012 at 10:41 am
I see companies get increasingly interested in BYOD (Bring your own device).
There are a number of senior business execs who like the portability of iPads and the ability to intersperse notes, photos etc.
They may be using an iPad app to put together a presentation and then want to upload this to the network and the obvious progression to downloading spreadsheet and other data to enhance their presentation.
What we really need is some form of wireless private cloud so if you use mobile devices all work is stored seamlessly in that private cloud and not on the device itself. Move out of reception range and the device simply cannot access the work done on the premises.
The problem security people face is that the people who want to use iPads etc are the most senior people in the organisation. No Mr CEO you can't use your iPad/Nexus 7.....I'll get my coat:ermm:
September 3, 2012 at 6:11 am
David.Poole (8/31/2012)
The problem security people face is that the people who want to use iPads etc are the most senior people in the organisation. No Mr CEO you can't use your iPad/Nexus 7.....I'll get my coat:ermm:
Couldn't agree more! The 'do as I say, not as I do' attitude is something I not worked out to have try and negate or to leverage for my own advantage. One day I'll find a way and I'll be able to get sqlpass.org, that notorious 'online community', whitelisted by Risk!
Viewing 15 posts - 31 through 45 (of 45 total)
You must be logged in to reply to this topic. Login to reply