March 9th, 2005, 09:13 PM
Please excuse my rant...
You might understand...I'm one of only a few security people in a large company. Talking to other employees just doesn't cut it because I'm enemy no. 1 right now.
We didn't have much security at all and now (SOX, HIPAA, etc.) we have to implement changes. The first few are password protected screensavers, blocking IM. These bastards are going ballistic and we haven't even done the major changes yet like expiring passwords every 60 days. Everyone has listened to their evening news and is now an identity theft expert.
Our department relies on identifying risk and remediation based on business needs. We don't implement things that will impact production. Hey, we don't want to be irritating to everyone for our enjoyment! It would be helpful if we had visible executive support but they just let me take the brunt of the complaints. They are OK with our changes but they keep quiet about it. I know that's the business I'm in but some days my wine collection dwindles down faster than normal.
Whew, thanks for listening. I just need to talk to people who have probably been there too.
March 9th, 2005, 09:17 PM
Amen! It's much easier to go after the big news-making headlines (at least with a policy) than to look at all the little details that make an environment more secure.
Our IT sec folks have a practice of creating policy for everything, then leaving it up to other groups to enforce. That way, if there's a breach they can say "well, that's against policy...not our fault they didn't follow it."
March 9th, 2005, 09:28 PM
Ah yes. I implemented Websense shortly after changing user policy to expire passwords every 30 days, remember 5 password history and mandatory 6 character including 1 special character passwords. A revised AUP which holds users accountable for their password (This was backed by management) so after the first user was suspended for 2 weeks for writing their password on a sticky and posting on the monitor....
Yea I'm the bastard but you wouldn't believe how much bandwidth I have now that streaming media, IM and all that other crap is no longer allowed.
So you have the users bitching. FINE. For those who cry the loudest, monitor and report on their internet usage. Ask their boss why ebay and target and waste_company_time.com are needed to meet company objectives. Word will get around quick. Also notice that (I'm assuming you are using a good stateful packet device since you are blocking IM traffic) you aren't getting a lot of calls about strange pop up windows and slow internet access.
Now sit back, monitor your network and notice how things change for the better. Ever vigilant -
March 9th, 2005, 09:30 PM
A lot of people flip out at the slightest changes. We have users that freak out when we give them a new lock.
How many calls do you get like "What have you guys done? I can't get to this web site!" as if we control every website in the world. News flash: not all sites are always accessible on the internet.
The forced MSN messenger upgrade was another "Why are you forcing us to upgrade MSN?" That would be Microsoft not us.
Hang in there. Most of us are in the same boat. You can't spell **** without it.
"You got a mouth like an outboard motor..all the time putt putt putt" - Foghorn Leghorn
March 9th, 2005, 09:32 PM
Well, you should have been doing all that years ago, from a security, rather than a legislation compliance, viewpoint... I cannot think of anywhere I have worked in the last 10 years where it wasn't the case. If any of your "experts" bother to talk to anyone they know who works in a reasonably professional environment, I am sure they will find that it is the case.
The first few are password protected screensavers, blocking IM. These bastards are going ballistic and we haven't even done the major changes yet like expiring passwords every 60 days
Where you do things to comply with the law, they have no argument at all... tell them to lobby their political representatives who passed the laws.
March 9th, 2005, 09:56 PM
I know what you mean. I manage the security for 5 domains, 4 of which I have no administrative control over. You need the buy-in of the administrators... Even if that buy-in is only them signing your spiffy new corporate policy that states at the start:
This is a business network for business use only
and work down the list of things you are banning, blocking and firing for..... In the policy you don't need an explanation of why you are doing anything. Do an expanded version for the administrators for "sales" purposes. Put it all in terms of time, therefore co$t, should this policy item be broken. Since you mention HIPAA, attach a copy to the back and, in front of that, place the synopsis of the security regulations - don't forget to point out the potential penalties for a breach of HIPAA and mention the fact that a breach of confidentiality will ruin the organization's reputation which will, in turn, ruin the organization itself.
Once administration signs off on it then implement. Every phone call after that ends with you saying "But it's the company policy... There's nothing I can do"... like a good little "jobsworth". The only thing you need to worry about after that is having the appropriate reason for why X is forbidden followed immediately with "... but tell me, what, exactly, is the business reason for this kind of activity?", when an administrator is forced to challenge you by their whining (L)users. Once you drop that question _be quiet_, silent... say nothing. In this situation the first person to speak loses.... You would be silly to speak. If there is a genuine business reason then you allow it _only_ to specified destinations or _only_ from specified sources or better yet both. You just made them happy, proved you are "flexible" with the policy, proved that you act in the best interest of the company and you are an all around bon oeuf...
The grief slows down really quickly... trust me...
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
March 9th, 2005, 09:59 PM
I am in a similar situation at present. Apparently, according to the man who codes (codes = plays around in dreamweaver) our website, me and my co-worker have done the following:
1. We have stolen one mouse.
2. We spilled something onto some laptops that were laid out for a class that was _open to the public_
3. We have taken numerous things from teachers rooms.
hmm... some counter points are in order...
1. This man once accused us of stealing a remote for the television in a certain room. Even though what we would have done with this remote for a $3000 TV that none of us would ever own was never explained, we still found the remote in about 30 seconds; it was on top of a cabinet. I'm thinking he should look a bit harder.
2. We work with computers every day; we know what to do and not to do around them. Also, the fact that they let a bunch of strangers into this class, any of whom could've had a drink or something liquid in their pocket, contributes to the 'we didn't do ****' theory.
3. I'm wondering if they even looked for their items. We need to move stuff a lot of the time, and most of the teachers are gone when we are doing our work. But no, if it's not exactly where they left it, it was stolen.
One more thing is that recently a somewhat absent-minded worker came in one day to collect donations for the community center. The problem was that the things she took were not being donated. The whole mess was cleared up, but our resident police officer decided to take matters into his own hands. He has changed the locks on all the rooms that contain servers or store technology, and we don't get a key to them, meaning we have keys to everywhere but where we need to get to. When asked how we were supposed to get in to the locked rooms, he said, 'We'll leave the doors open from 2-5pm so you can get in.'
Correct me if I'm wrong, but does that not DEFEAT THE ENTIRE PURPOSE OF CHANGING THE LOCKS IN THE FIRST PLACE?! With that practice, ANYONE, not just the aforementioned woman, has a three hour window to loot and pillage our techno-fields. All I can say is 'wtf?'
I know your type, you think "I'll just get me a costume, rip off the neighborhood kids". Next thing you know, you've got a jet shaped like a skull with lasers on the front!
March 9th, 2005, 11:47 PM
That stopped bothering me a long time ago. Showing a little compassion helps win friends, but time heals? I use the security approach: I don't shove policies down their throats, I tell them like it is and why it's blocked. "Sites are monitored because there are inherent and dangerous security risks involved, especially since links come in email. I am looking out for you by making sure the servers and network stay operational. We can't have people eating up bandwidth either, because at several times a day large files are distributed and it affects everyone when these files are late. Hey, you ever notice how email is sometimes really slow? Doesn't that frustrate you? Imagine if you had something really important to do and you couldn't get stuff out." Yadda yadda yadda
Tiger, I feel your pain with admins... Personally, if I was an admin and I needed some file off the internet in the middle of the night and the site was blocked, I would be furious. In fact, once upon a few jobs ago, I hacked root on a Unix box one night because I couldn't access a process that would restore about 30,000 users billed in minute increments. I "almost" got fired. Next time I won't write "Hacked Root" in a co-worker's pink lipstick on the *nix admin's monitor. I give admins some slack and watch them. Except for the big no-nos like pR0n, hate, racist, nazi crap, deep hacking crap. That is, until they piss me off.
West of House
You are standing in an open field west of a white house, with a boarded front door.
There is a small mailbox here.