The enemy within?

Printable View

April 29th, 2008, 04:03 PM
nihil

The enemy within?

I came across this:

Quote:

Enterprise users are "actively and intentionally" evading IT security controls and ignoring acceptable use policies, according to Palo Alto Networks' first annual "Application Usage and Risk Report."

Quite frightening really?

Quote:

The recent survey results from Palo Alto, a firewall vendor, are based on traffic from 350,000 users in 20 organisations that span the financial services, manufacturing, healthcare, state/local government

Details are here:

http://www.techworld.com/security/ne...m?newsID=12102

OK, I realise that is quite a small sample, and I don't know how representative or unbiased it is, but it does make you wonder?
April 29th, 2008, 08:00 PM
brokencrow

That report covers a lot of ground: 350K users and how many corporations?

I've seen well-funded outfits that ran very tight ships (you'd be fired for even having a USB stick) to underfunded and sloppy outfits where half the employees had local admin rights. A friend at one mfg'ing outfit even told me about an admin that was running a P2P server in one of the backrooms.

It's a jungle out there. I'm curious how Palo Alto collected all those reports. :eek:
April 29th, 2008, 09:36 PM
nihil

Yeah,

350,000 in 20 organisations............... I make that an average of 17,500 each?

Worrying thing is that they mention finance, government and healthcare? they have strict regulatory compliance requirements

:shocked:

EDIT: As for the company ( Palo Alto)they were testing a new generation of their software, so I guess these guys were beta testers or trialists?
April 30th, 2008, 07:10 AM
Cider

Quote:

- External proxies that IT does not support, such as CGIProxy and KProxy, were present in 80 percent of the customer networks.

Rofl ?

Quote:

- Web video and streaming audio consumed significant bandwidth on 100 percent and 95 percent of the sites sampled, respectively.

Erm I might as well post every finding, thats just ridiculous.

In a sense its good because they have to employ decent IT people.

Gore could of maybe got a job sooner :)

Nice find. Thanks.
April 30th, 2008, 07:43 AM
nihil

Yes, but remember my reservation? I think that the reason these outfits were taking part in the trial was because they already knew that they had a problem?
April 30th, 2008, 08:53 PM
brokencrow

Quote:

Originally Posted by nihil

...finance, government and healthcare? they have strict regulatory compliance requirements

Wait a minute...I thought the gov't only ENFORCED strict regulatory
requirements. You mean they're SUBJECT to them, too?

p.s.- I'm talking about in practice, not in theory or court cases.

;)
May 2nd, 2008, 11:08 AM
nihil

Well, I am no expert on US laws, but I was mostly thinking of Sarbanes-Oxley and HIAPPA.

I suspect that the "government" bodies were local government, and they certainly have to comply with Federal laws, where appropriate.

I seem to recall that the Feds get audited each year and a performance ranking is published?

No idea what happens after that............. not a lot I would imagine :D

Quote:

p.s.- I'm talking about in practice, not in theory or court cases.

That is true.......... with corporates and institutions you have a clearly defined target. Government is a very amorphous structure.:eek:
May 2nd, 2008, 03:18 PM
SirDice

To be honest SOX doesn't mean a thing.. I work for a company that has to be SOX compliant. The security around here is crap to say the least. I'm working on a few Solaris boxes and within a week I found several ways to elevate my privileges. Hell, I can even SSH into my home network and tunnel everything through that.. Yes, we have lots of procedures, rules and regulations.. And as long as everything is documented and according to procedure it's ok. Unfortunately this doesn't mean it's secure in any way.
May 2nd, 2008, 04:05 PM
nihil

Quote:

To be honest SOX doesn't mean a thing.

Until you have a security breach? :D

Quote:

And as long as everything is documented and according to procedure it's ok. Unfortunately this doesn't mean it's secure in any way.

That is very true, and the problem is not only in regulations, I see it in certifications (BS, ISO etc.) and methodologies (CMM for example). So long as you have processes and procedures to support them, documentation, and you adhere to the processes and procedures, you will get the certification.

There is no concept of quality and effectiveness.:(