Attention sysadmins! Here’s how to dodge bullets in a post-Ashley Madison world

BYOD...

...is also a really bad idea if you want to firewall people's work lives from their personal ones.

The email dilemma

If you ban webmail, then users are going to be tempted to use their work mail for all their non-work related crap. But it you allow webmail, then it effectively bypasses all the security you have in place. almost all the mail-borne malware contacts we see are through webmail.

We're fairly relaxed about what we allow users to access, we trust users to exercise good judgement. We like them to restrict their non-work internet use to outside working hours, and of course we block things like porn and other high-risk sites. And ads. This approach makes people a bit happier..

..but of course there are always some who utterly, utterly take the piss. I've seen things you people wouldn't believe.

Can I suggest that people don't put password reset tools in play?

I'm not being funny but if you think I'm going to give my mother's maiden name/pet name/first school etc... to my work login then you are mistaken.

To be honest every place and I mean every place I've worked (some very big multinationals) it is a simple phone call with zero checks to reset a password, I would look at that massive security hole if I were you as it would be easy to obtain an I.T. phone number and username. Give it a try today and see if your own company is that easily fooled. You employ first line support monkeys you get peanuts.

Paying a CC bill (mine has a min payment DD set up so I don't need to worry on a specific date) and checking mail is something that you can and should do on your own kit during lunch/after work, it simply isn't time sensitive. People know I have a dedicated "mobile" address for really urgent stuff - but its still better to text me - the mobile address is the only one in my phone, anything else can wait till I am home.

I have never understood why people tie so much of their lives to a company email account, the company could go belly up tomorrow you could be made redundant/ fired.... employment is not guaranteed to remain forever. Then you have to "unknit" your life from the company address - and this could be at short notice.... especially if your personal use is responsible for a major incident happening in the firms IT.

My Partner works for a UK govt Department, No personal email is transacted by him through them, in fact he doesn't even use the onsite internet access that is allowed during a work break, much better to use your own access on your own equipment and avoid all contact with the onsite protocols and rules governing personal use - aka - "If I don't use it - I cant run afoul of it". Whatever hits his inbox comes from the "business" of the Department so he cannot be held liable for this traffic - much of which comes from other offices - its a core part of his job.

Seriously, if you wanna play - bring your own marbles.

Cryptolocker

... that was a weekly occurrence when I worked at the NHS.

Am I not supposed to open the attachment from Bank of America?

How about looking at The Register on work kit ?

I know of someone who had his car registered at the dvla to his office desk, and also applied for a large personal loan giving that as his residential address. That for me takes some severe beating in the "not operating any seperation at all between work and personal life" stakes...

What was funny, was a few years later he was suddenly sacked for inappropriate behaviour to some female member of staff. Must have been fun sorting the aftermath of that one out.

Work pc for professional clienty stuff only here, personal for other with own connection and the only thing joining the two is the kvm. I get more spearphising and malware on the clients equipment as it goes.

I'm sure I'm an edge case

1) I've hosted my own email for the past 19 years, currently on a 1U server in a co-location facility(for the past 4 years or so). Running Postfix + Cyrus IMAP on Debian.

2) I have at least a half dozen domain names where my email addresses are scattered about.

3) I have roughly 340 email addresses (of which about 120 are currently disabled since they haven't been used in some time, simply a comment character in the postfix virtual file). All 340 accounts are accessed using a single login(none of them have their own authentication credentials). I have about 75 different inboxes, again all accessible with one login. Inboxes continue to receive email whether or not I am "subscribed"(IMAP) to them. Some inboxes go months or longer without being checked(like my inbox for el reg). I used to have a 1:1 mapping inbox:address. Last year or the year before I started cutting down on the inboxes and just directing more addresses at fewer inboxes, just to reduce the labor involved, seems to work pretty well.

4) I retired the email address associated with my email login ID (due to 10+ years of spam build up), so even if someone wanted to try you can't determine what even my username might be for email from my email addresses(didn't do it for security reasons just coincidence).

5) I don't do the thing where people say my_email+someuniquestring@mydomain. My email addresses are all <some unique string usually tied to the organization I am dealing with>@(one of my domains).

6) Have never worked at a company that did invasive internet monitoring, first job was the closest they watched http urls(well technically my friend who was in IT watched them the software was on his desktop, the most frequent abuser was one of the VPs trying to find european porn sites to get around the filter this was 15+ years ago). Obviously every company I have worked for I knew the IT staff well, even though I have not been in internal IT in 13 years(and never will be again).

7) have never had a CxO come ask for a root password to anything, sometimes they have as a joke but they know they should not have that information and so do not pursue it beyond the joke phase.

8) With one exception, all of my jobs I was responsible for installing the operating system on my own computer. That one exception I was not, but I had full admin rights(job ended more than a decade ago), and it ran Windows XP I think, I replaced the shell and other things to make it more linux-like, worked really well for me.

9) My linux systems run firefox as a different user using sudo(transparently I just click the icon and it launches under a different user id). A little more secure, though it does take co-ordination some times managing downloads(e.g. I usually can't edit a document I download from firefox without changing permissions on it or copying it to another location).

Has someone taken an emontion pill ?

Come on folks - this is 2015....not 1995.....

There was a car-hire firm in a fly-on-the-wall documentary about 5 to 10 years ago here in Blighty....they gave verbal warnings for sending a single non-work related email and fired for a second..

Do we really want people to segregate their lives that much ?

On a personal level, each company I have worked for (note, not in!) really doesnt care that much about what I do on the internet - as long as its nothing NSFW or dodgy....(e.g. I currently work in financial services and we aren't allowed to trade using the company network).

Do I care if my own company is snooping on what Im doing - simple answer - NO....Ive nothing I need to hide - do I pay my creditcard....yes....but hey - as its not my bank account, they are welcome to pay off my debt anytime they like!

Seriously though - there needs to be a bit of give and take - act like that abhorrent car rental company and folks will be unhappy and just leave....

And working in the big banks, etc where due to reporting requirements, personal phones are banned in some areas and webmail is not allowed - then why not sign up for concert tickets, etc to your work email - just be careful what you click on...

The problem comes with the less techy savvy lusers....and yes, I get it that some folks shouldnt be trusted with a Nokia 6210 let alone an internet connected PC....but in general, if things in the internal network are secured properly, that shouldnt matter...

Should you use your work email for sex....errr no....and I dont care who you are, you should be immediately fired....

Should you use your work email for cinema tickets, tesco.com login, hotels.com, etc - sure, why not .....just make sure you use a different password

Also, the number of companies where my loginid is the same as my email address is shocking - there should be no correlation to me as a user.....and my email address noticeable....

One thing I forbid, unless there are good reason for that...

... is to keep people PC on outside working hours. Exactly because I want to make the window where a successful attack can go unnoticed for too long smaller. Moreover is often just wasted power, and most desktop/laptop hardware is not designed for 24x7 operations.

Sorry if people have to reopen a few application and files... hibernate would work anyway.

Dodge the bullet?

The real way to dodge the bullet is to carefully document all the suggestions and requests for a budget to improve security (because it costs time and money to both obtain the right equipment AND configure things correctly, and keep them correctly configured in the face of multiple threats), and all the refusals by know-it-all managers who once read a marketing tract by Microsoft and believe THAT rather than the people they're actually paying to know the issues. Cries of "you're so pessimistic" and "you should be more of a team player" (which means: don't keep contradicting the utter dead-goat-fellating stupidity of management, although I admit calling the CTO an incompetent idiot in a meeting was probably politically incorrect, even if it was subsequently shown to be completely true, along with "criminal") will be thrown about rather than actually providing a budget or, heaven's help us, management support for any kind of security improvements such as, heaven forfend, passwords that aren't embedded in scripts written by the owner's second-cousin's hairdresser's nephew.

Even then, you won't dodge the bullet. When the shit well and truly hits the fan because some manager or their favourite ignores the carefully crafted policies or demands (or worse, creates) a back door into the system, the sysadmins will yet again invariably be blamed for the mistakes made by management. It's as sure as the sun rising in the morning. Always have a backup plan for your employment, especially if you're stuck in that kind of environment for any length of time.

It doesn't matter. Major corporations are ripe with people that even after getting a briefing on Spearphishing still has the same people violating policy.

When the secretaries of most departments have user and passwords for their bosses because the boss is too lazy to read his own e-mail, nothing is going to change.

My old system required mandatory PW changes every 30 days. I had access to more than 10 systems that didn't allow for using the same password or reuse of a password. You can't write them down, and can't by policy drop them on a thumb drive.

The SOD's at phishme can't take a joke when you zip up their attack and then use another account to send it back. Pretty simple to just look at the headers and squash the attack.