July 7, 2008 at 2:13 pm
Comments posted to this topic are about the item Land Mines
July 8, 2008 at 6:51 am
Thanks for sharing the 'Top 10' article, Steve. I thought the sections on response after a breach were interesting; particularly the recommendation of a response team. When the question of security comes up, most people start looking to prevent the problem with procedural fixes and software solutions (and that's a fine start, of course). We rarely raise the question though of what we'll do after a breach occurs. That part of the equation normally gets a panicked and unplanned series of reactions.
___________________________________________________
“Politicians are like diapers. They both need changing regularly and for the same reason.”
July 8, 2008 at 9:08 am
Steve,
It is not just that we are complacent: we need to respond to our user communities. Personally, I change my primary passwords monthly, but I cannot remember my passwords - I use a formula. Thus, I can "remember" last month's passwords, next month's password, or the password from fourteen months ago. But I am a professional, with the college degrees to convince HR to believe it. Our users, however, run the gamut from multi-degreed PhDs to ninth-grade drop-outs. To them, the computer is just a tool they use to get their job done. Any thing that makes this tool harder to use generates resistance - everything from loud complaints to upper management to simple noncompliance, especially where the non-computerized part of the workload is very heavy. Many of our physical plant and medical services staff find themselves working overtime to get their job done. When the jobs do not get done, management gets real upset, because that effects the bottom line immediately. They punish IT and our users. Our users blame us. Unfortunately, seamless and invisible security tools and procedures do not yet exist.
July 8, 2008 at 9:22 am
Read the article, forwarded it to the IS Security Team, and we will discuss it in the next meeting.
Nice find and thanks for the informaiton.
Miles...
Not all gray hairs are Dinosaurs!
July 8, 2008 at 9:44 am
Robert,
I definitely appreciate that work needs to get done. That's why I don't want to impose more work on people. If I have something I want them to change, I need to find a better way for them to do things. I try to push people towards PasswordSafe because it's a small, easily transported application, no install, that can help remember passwords. It doesn't take much time to use, and once you get used to it, it works very well. Not as quickly as memorizing passwords, but that small effort adds a lot of security.
To me this is where most security solutions fall down. they add benefit, but with a lot of work. It would be good to have someone trying hard to make sure that they make things easier to do.
July 8, 2008 at 10:04 am
Nice reference ....... 🙂
Friendly conversation sometimes become bvery dangerous......
July 8, 2008 at 10:38 am
Steve,
You make it sound so simple. My user community logs in once and leaves the system logged in, even when they are nowhere near their computer! When we implemented automatic logout on inactivity, we were screamed at by our users from the loading dock all the way up to the boardroom! Of course, we were ordered to remove the automatic logout. Technology can only implement security solutions. We, as IT professionals, do not have the authority to force a security mentality on our employers that allows the solutions to work.
July 8, 2008 at 11:04 am
Robert,
It's certainly not simple. I've seen people fight this issue in hospitals as well.
The login is hard. It really takes some long conversations with management and users to come to a solution. Maybe the floor is secure enough that it doesn't matter. Maybe there should be a lower privleged account used for everyone on the floor.
Or maybe there are other technological ways (RFID cards, etc.) to quickly log in.
Security is always a compromise and it's about managing risk. At some point you take some risks, but you want to understand them. And be sure your boss understands them so you're not unnecessarily blamed.
July 9, 2008 at 1:39 am
Robert Domitz (7/8/2008)
Steve,You make it sound so simple. My user community logs in once and leaves the system logged in, even when they are nowhere near their computer! When we implemented automatic logout on inactivity, we were screamed at by our users from the loading dock all the way up to the boardroom! Of course, we were ordered to remove the automatic logout. Technology can only implement security solutions. We, as IT professionals, do not have the authority to force a security mentality on our employers that allows the solutions to work.
I agree. Security is a business problem, not an IT problem. As such, it requires a business mandate and a business policy (in a formal document, properly published and advertised), and it needs to be actively enforced. IT is just the mechanism for the technological aspects of this security policy, and the IT department is simply the technological enforcer. Any efforts to start with the technological changes is wrong - it has to be a business decision first, and IT involvement has to be a consequence of that decision, not the other way round.
And it's also a big mistake to assume all security is IT based. If someone can walk into an office off the street without being challenged, and the door to the computer suite isn't properly secured, what good is a best-practice password changing policy?
Semper in excretia, suus solum profundum variat
July 9, 2008 at 8:23 am
I've been in environments where security was severe, where security was lax, and where security was misapplied.
In the severe security environment, everyone from the bottom up paid attention to it. We would drill security procedures, from prevention to remediation to mitigation, regularly. Not just computer system security, but physical facility security. It was part of the habit, and security issues were rarely a problem, and when they were, they were fixed fast.
In the lax environment, shortly after I left, I heard that all the managers and most of the employees were fired, because of some employee theft situations that came to light. I'm told that the managers heard about this first, and opened the warehouse doors and let employees take as much stock home as they wanted (this was a retail store). Security was so poor that they couldn't even prosecute anyone, because there was no evidence trail indicating that anyone had done anything wrong. It was a mess.
In the place where security was misapplied, management never let employees know any of their discussions or decisions, even ones that would have benefited from employee feedback. It was ordinary for marketing campaigns to be launched under such internal secrecy, that the way salespeople found out about them was customers calling in to ask about the new deals or products. At the same time, customer credit card numbers were stored in e-mails, spreadsheets, and on post-it notes. The server room was locked, and the guy with the key was out of the building more often than not (he wasn't an employee), but that guy found out that our FTP server had been hosting Doom (or some such) for over 6 months. He found out by accident while wondering why the diff backup files were so big. There were times that people were fired, and management would let all the employees know that it was for something really eggregious, but they wouldn't say what, and then would complain about the existence of a rumor-mill. It was almost surreal at times.
Personally, the one I liked best was the heavy security environment. Everyone knew their role regarding security. Everyone took it seriously. That made it easy to handle. It didn't get in the way of getting stuff done, because it was accounted for in project management and in daily routines. Well-defined policies, clearly communicated, properly trained, and applied evenly and routinely, made it easy.
- Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
Property of The Thread
"Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon
July 9, 2008 at 8:50 am
Speaking of high security. I worked in a nuclear plant like that. I was friends with the head of security and since I was often going in and out of the plant, which was secured by an airport style metal detector system, I got picked to "test" the system every few months.
Talk about nerve-wracking. The security guys were wound tight and armed with live ammunition, including M-16s in lots of places. Putting a mound of play dough with some wires in my bag and walking in wasn't fun. I got caught a few times and they hassled me pretty good before the head of security walked up. Course, I got through a few more times and I'm sure they got hassled more!
July 9, 2008 at 12:15 pm
I remember one day, I was on the 9th floor, at an "at someone else's desk meeting", working on I-don't-remember-what, when I looked up and noticed a complete stranger looking in the door of the office.
I walked over to her, asked if she was looking for someone, and she was hesitant and mispronounced a few local office accronyms. So I escorted her to the security desk on the first floor. Turned out, security was testing to see what general employees and managers would do if they found a stranger in a secure part of the building. Out of 20 people that she approached, only 2 of us took her to security (the correct procedure), but only 1 took a "package for your computer guys" (that was, believe it or not, actually ticking!), and promised to deliver it. That guy probably still hasn't lived that one down (this was in '92). The rest handled it semi-appropriately, but a training program was launched the next week, based on those drills.
Interestingly enough, the worst failures were all single, male, and hetero. (Security picked an attractive actress to play the role of mad bomber, and kept an eye on her the whole time to make sure nobody did anything harmful when she tried to hand them a ticking package.) Simple, basic social engineering, but it worked.
A year later, security did the same thing (but with a different actress). This time, everyone approached handled it correctly. (This time, they used "process server papers" instead of a ticking package. I was disappointed.)
Not quite the same as trying to sneak playdo past guys with M-16s, but it was still an interesting drill and quite eye-opening.
- Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
Property of The Thread
"Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon
July 10, 2008 at 1:09 am
And just in case anyone thinks these are just examples of tests, and that bad things due to lax security never happen in real life, I remember a time when someone got a dayglo jacket and a pair of black trousers, dressed himself up to look semi official and wandered into the company where I was working at the time. He told anyone who cared to listen that he was just checking our fire extinguishers, and wandered throughout the company building. It was only after a couple of reports of wallets/purses going missing that two and two were put together and the police notified. Fortunately, the police recognised the description and knew the bloke who'd done it, but he wasn't seriously challenged once.
Social engineering works, and people do use it.
Semper in excretia, suus solum profundum variat
Viewing 13 posts - 1 through 12 (of 12 total)
You must be logged in to reply to this topic. Login to reply