We bet your firm doesn't stick to half of these 10 top IT admin tips

IT is perceived in mixed ways by users. Some look on the amazing stuff it does and think there must be witchcraft going on in there somewhere. Others think that because they configured their Wi-Fi printer and Sky box at home, they're a genius of computing. If you're to preserve order, security and governance in the use of your …

  1. small and stupid

    11. Don't be a pedantic dick.

    1. AMBxx Silver badge

      Was there a delay in your post being accepted? Everyone below this seems to have misread it as 'be a pedantic dick'

  2. Pete 2 Silver badge

    Nowhere to hide

    In some places, security (and H & S) is used as an excuse for not doing anything. "I can't send you that data ... it might not be secure" "I can't do that for you ... you're not authorised". "I can't access that ... I haven't been given permission".

    The first tenet of security is to allow the right people to have access and for everyone who needs to, to know who those people are. After that, comes the need to deny those who shouldn't be allowed.

    1. Halfmad

      Re: Nowhere to hide

      Actually first you have to properly secure and control access to the information appropriately so you CAN give the right people access. That's normally why people become overly paranoid about data: because thought never went into where and how to secure it initially.

      For example a manager may need to see everything on the system, but a secretary only information for one part. If the way the data is stored doesn't allow segregation of the data into parts, in other words it's "all or nothing", then that's not much bloody use.

      A lot of systems are like this, allow anything to be entered, but allow far too much to then be seen, or even worse seen and no record of it being viewed.

    2. Anonymous Coward

      Re: Nowhere to hide

      The first tenet of security is to allow the right people to have access and for everyone who needs to, to know who those people are. After that, comes the need to deny those who shouldn't be allowed.

      No, the first principle of security is to set up a policy which describes who does what, as that describes the do and do-not boundaries of activity, the risk tolerance of the organisation in the areas where this cannot be defined with precision and the authorisation process to change the policy or sidestep it and accept the risk that creates.

      That was, by the way, the original definition of a firewall as well: a device that implements a security policy.

      1. arrbee
        Headmaster

        Re: Nowhere to hide

        "That was, by the way, the original definition of a firewall as well: a device that implements a security policy."

        Hmm, I suspect the original definition had more to do with walls and, err, fire.

    3. 0laf

      Re: Nowhere to hide

      Availability is only one of the holy trinity of security and it's not got anything over the other two.

      Confidentiality

      Integrity

      &

      Availability.

    4. OzBob

      Re: Nowhere to hide

      Yep I work for a government department (now as a contractor) and my favourite saying is "Security is also providing access to those who should, as well as denying it to those who shouldn't". It's both BTW, not one first then another.

      I do manage to get on well with the local security administrator, who is prepared to find a way to follow the rules but provide the access in a reasonable manner. Just lucky, I guess.

      1. I ain't Spartacus Gold badge

        Re: Nowhere to hide

        my favourite saying is "Security is also providing access to those who should, as well as denying it to those who shouldn't".

        This is really important. Actually I could even make an argument that in almost all cases, proper access is more important than data security. Unless of course your data has real life-and-death implications. For two reasons:

        Firstly - you're probably trying to do something. If you can't do that something (whatever it is), then your whole organisation is rendered pointless.

        Secondly - if you over-secure everything, so that people can't get their work done - then they'll just break the rules. And then your security is toast.

        Obviously this is all subject to sensible risk assessment. Sometimes the risk of the right thing not getting done is less than the risk of the data being leaked or damaged - in which case your security needs to be more inflexible, people need to understand why this is and know they'll get hammered if they break the rules.

        This is possible though. You can get people to agree to quite unreasonable procedures, so long as everyone agrees that the risk is high enough to justify the pain. And extra effort, and resources, are dedicated to helping the people on the ground to get their work done.

        I give an example. My Mum works with vulnerable children. But as an outside consultant for a very well known charity, seeing as she's retired. They've got their network wrapped up nice and tight. So tightly in fact, that she's been working for them since she retired ten years ago - and only got issued a mobile phone this year. So sure, they can now remote delete this data, and enforce a password on her. But before that she had all the details on her personal phone, with no password.

        She wasn't allowed to remote connect to their network (or even connect in the office) until she'd done several of those shitty online courses. But you couldn't get onto those online courses, without access to the network! Ahem. So she had to drive 60 miles to the nearest office, only for some shitty online video course thingy - that was a total bureaucratic waste of time. So because she was unable to connect to their secure (so secure you can't access it) data system, she was emailing stuff to her boss to upload, from her personal email account in the clear. And IT were no help, and just followed their procedures.

        Sadly many of these big charities seem to have swallowed all the bureaucratic crap of big corporations and government - mostly I suspect by hoovering up all the crappy middle management types that are unemployable elsewhere - because they pay too many staff.

        Chaos would be bad. This information is in some cases very sensitive. But just finding the names and addresses of families with disabled kids is easy - there'll often be stories in the media and charity press releases with names, that you can cross-reference with the phone book. I'd suggest that helping them is probably more important than hindering your frontline people - and there's an argument for keeping the sensitive notes in paper form, and never committing them to computer. But if you must, then you need to commit much more IT resources to the necessary hand-holding.

        1. Richard Jones 1

          Re: Nowhere to hide

          @I aint Sparticus,

          It is also an argument for something pretending to be an organisation to get organised and recognise the needs it has and deal with processes the right way. Your Mum cannot possibly be the first case of her situation, so there should be a secure, agreed process sorted out to deal with such cases and avoid the run around that is apparently needed. Sending file(s) encrypted would be a start! Providing the tools for the job would also be 'useful'.

          1. I ain't Spartacus Gold badge

            Re: Nowhere to hide

            To be fair to them, the original charity got eaten - due to running short of money/competence. She was taken on as an anomaly, a consultant with considerable (and probably unique) expertise and experience. So our new heroes had no place in their multitude of procedures for a non-employee who was non-office based with a completely random level of caseload. They solved some of that by employing her, but all other procedures seem to have broken down.

            That's a problem the article fails to address. The author calls for all procedures to be rigorously enforced on everyone, and exceptions added to procedures. Unless you're a very simple organisation, that's almost bound to fail. Once you get a few cases of it failing, then people will be sharing and writing down passwords - sending emails to and from their own accounts and squirrelling data away heaven knows where.

            Your procedure needs to designate certain people who can override the rules quickly, but are capable of doing so with an understanding of the risks, consequences and IT capabilities. And deciding to do this as a one-off, update the procedures to cover this from now on, or to do something as a short-term stop-gap with better secured replacement to follow.

            No-one has the resources, or foresight, to get procedures totally correct - and keep them current with changing circumstances. Anyone who claims otherwise is delusional. And while they think they have the best systems in the world, will almost certainly find that they've been circumvented massively at lower levels in order to get stuff done.

            1. I ain't Spartacus Gold badge

              Re: Nowhere to hide

              Oh, and any IT management who enforces monthly password changes that can't re-use any major elements of the previous one should be beaten to death with their own rulebook. Their inability to understand basic human nature and abilities has rendered them unfit to manage.

              Passwords are rubbish anyway. But if that's all the budget allows for, then for God's sake at least engage your brain as to how normal users react to passwords. I know very few people who can remember more than one or two passwords (if even that). In my previous corporate life I had 4 different ones for building access, email, Oracle accounts and the AS400 stock/sales stuff. Some had to be regularly changed - and the AS400 stuff I only used every couple of months, so had no choice but to write down. It wasn't on a post-it note on the monitor though.

              1. Pedigree-Pete

                Re: Nowhere to hide

                Passwords. Wot like iThingy accounts. Bloody Apple.

        2. Anonymous Coward

          Re: Nowhere to hide

          What your Mum did is a firing offense where I work.

        3. Doctor Syntax Silver badge

          Re: Nowhere to hide

          "and there's an argument for keeping the sensitive notes in paper form, and never committing them to computer."

          It must be a bad argument! The consequence would be anybody who feels they really must have access to them will photocopy them and then there'll be uncontrolled copies around the place. Uncontrolled because there'll be a ban on copying them so all the copies will be sub rosa.

        4. JimC

          Re: So She had to drive 60 miles

          Yep. This isn't fundamentally security, it's a simple cost/benefit thing.

          Given an exception like this you can either put in the systems, processes, monitoring, staffing and everything else required so that every now and then people don't have to drive 60 miles, or else you accept that every now and then people do.

          Guess which one tends to work out cheaper for a small organisation? It's just the money. If you're a small organisation on a tight budget then gonzo level sophisticated systems just don't pay for themselves, and of course the more complicated the security the higher the risk, so the more attention it needs and so it snowballs.

          Given efficient admin, business processes etc. a really well managed organisation would work it out so that when the need comes to drive the 60 miles there are a whole raft of useful things they do to make the trip worthwhile, not just a single damn video, but again that's nothing to do with security.

    5. KA1AXY

      Re: Nowhere to hide

      Thanks to HIPAA, I now get content free emails from my doctor and pharmacy, reminding me of an appointment (withholding the date and time), or prescription renewal reminders (withholding name of the medicine).

      I ask you, what purpose do these emails serve? Mind you, I have expressly opted in and agreed to a lengthy pile of legalese in order to get them. Yet, apparently, "email is not secure", so names of medications and time of appointments must be withheld, even if I have requested them to be sent to me.

      Idiots. And expensive as well.

      1. P. Lee

        Re: Nowhere to hide - re: content free emails

        > "email is not secure"

        It could be that HIPAA has something other than your convenience in mind. For example, what if email processing is outsourced to an organisation which has a financial interest in collating what drugs you are taking, or Google starts selling information about your medical history or medicinal usage?

        HIPAA is going to look at all data under an organisation's control and if it is going to be controlled, it is controlled, no excuses.

        Encrypted email would seem to be the obvious answer, but that's too hard to roll out universally - emailing links to hosted encrypted appointment web pages is probably the best way to go, but far more trouble than sending a vague prompt.

        1. Doctor Syntax Silver badge

          Re: Nowhere to hide - re: content free emails

          " what if email processing is outsourced to an organisation which has a financial interest in collating what drugs you are taking"

          There's a simple answer to that. DON'T DO IT.

          Apart from any immediate security issues there's the longer term one. If email purports to come from one organisation but actually comes from another you're training recipients to blindly trust that what it purports to be. In short, you're training them to be phished.

          We really need to have signing as a required part of the email protocols. No wonder email isn't secure.

      2. kain preacher

        Re: Nowhere to hide

        That's not HIPAA, that's just a piss poor Dr./hospital. When I had Kaiser I got reminders of the day, time, Dr and location of my appointments via text and email.

    6. NoneSuch Silver badge

      Re: Nowhere to hide

      Unfortunately, policies are great until you try to apply them to the senior execs. I've only worked for one company where word came down from the Presidents office that the policies were to be followed by everyone, or else.

      In the other businesses, 90% of the infractions were caused by senior staff who were not held accountable for the porn browsing, music / movie storage / download, darkweb crap I had to deal with. Some was ignorance, other would plead ignorance then do it again later on the same day they were cautioned.

  3. nijam Silver badge

    > 3. You're responsible for your equipment

    I will take no more care of equipment provided than do my employers themselves. E.g., since they've signed up for a "no claims" insurance policy (i.e. cover only for items costing over £2000 each) I wouldn't dream of putting it on my household insurance either.

    1. graeme leggett Silver badge

      Companies, especially the larger ones, self-insure on small value stuff (your definition of small may be different to theirs) as the cost/risk is lower than the hassle of paying the premium and making the claim when required.

      You don't, and shouldn't, have to insure the company's kit, but you shouldn't be careless either.

  4. Ralph B

    There is one who keeps to all these rules.

    There is only one who keeps to all these rules.

  5. TeeCee Gold badge
    Facepalm

    .... laptop nicked from the back seat of their car....

    Depends how senior the owner is. I know of one who went one better and got his fleet car nicked with the laptop in it. Within a week a new laptop was his and a new Merc on order.

    Which was a shame really as a few days later the cops called to say they'd found his car. It was still locked, with the laptop in it, parked about 200 yards from where he thought he'd parked it before getting wankered that evening.....

    1. Rich 11

      At least his own drunkenness stopped him from driving while drunk.

    2. P. Lee

      >It was still locked, with the laptop in it, parked about 200 yards from where he thought he'd parked it

      Thieves will often move a car and leave it there to see if it is lo-jacked before trying to sell it on.

      Or he may have forgotten where he put it.

  6. Doctor Syntax Silver badge

    And, in my opinion, if it's humorous enough (a user once reported the loss of his expensive pager to my team as “We think my three-year-old put it either in the bin or down the bog”) then that's fair game.

    No it isn't. Any parent should be aware of keeping important stuff out of a three-year-old's reach.

    1. Mayhem

      Children are like idiot savants. The moment you think something is child or idiot proof, it isn't.

      My friend's standard technique for getting stuck CDs out of the factory car stereo system is to leave the four year old near it for 15 min or so, and he frequently succeeds by hitting the right secret random combination of buttons. It's depressingly reliable.

    2. Anonymous Coward

      I think the guy was let off for perceived honesty. Responding positively to honesty is better than the next guy who loses his kit dreaming up some scam that is hard to disprove but leaves us all ethically poorer and in a world of pedantic distrust.

    3. KA1AXY

      New parents usually learn that AFTER the pager has been flushed.

    4. Phil O'Sophical Silver badge

      Any parent should be aware of keeping important stuff out of a three-year-old's reach.

      Any parent should know that a three-year-old's reach is much bigger than you'd think...

      1. MonkeyCee

        Mischief is often gravity based, and is thus faster than light.

      2. Doctor Syntax Silver badge

        "Any parent should know that a three-year-old's reach is much bigger than you'd think..."

        It might be much bigger than you'd think. I think bigger.

    5. TomPhan
      Trollface

      Are pagers important stuff? Has the 1990's made a comeback?

  7. Anonymous Coward

    11. If you use an unattended install or image don't leave the local administrator password in plain text on the hard drive and allow users to access it.

    Some may think the above doesn't happen that often but I can assure you there are some big multinationals and some big I.T. suppliers that still do this. One only recently upgraded an office to thin clients that all have the same admin password and what is worse without giving it away it's on the top ten list of most common passwords.

  8. Warm Braw

    You can never be 100 per cent sure that someone is meant to be there

    In most offices, someone you know without a badge is more likely meant to be there than someone you don't who has one. Blindly trusting badges is rather like letting in the nice man with the peaked cap who claims he wants to read the meter.

  9. Efros

    On point 3

    My work issues us with a MacBook Air, after much probing and eventually a f2f meeting with the tech director it came to light that they held us financially responsible for anything, absolutely anything that happened to said piece of kit. When pushed on this I was told that they have a very reasonable insurance scheme to cover for any such damage/loss. I asked if the laptop was necessary for me for my job, they assured me it was, I then suggested that if it was that necessary then they should pay the insurance, they refused and so my MBA currently resides in the bottom drawer of my locked filing cabinet in my office. I use my own laptop.

    1. Anonymous Coward

      Re: On point 3

      And where is your office?

      :)

      1. Efros

        Re: On point 3

        Office is at work!

    2. Michael H.F. Wilkinson Silver badge
      Happy

      Re: On point 3

      No! No! No!

      The standard procedure is to stick the locked filing cabinet inside a disused lavatory with a sign on the door saying "Beware of the Leopard".

      Said lavatory should be in the basement.

      Be sure to remove the lights ...

      ... and the stairs

    3. allthecoolshortnamesweretaken

      Re: On point 3

      Do I need a badge to enter the building?

      1. Darryl

        Re: On point 3

        Nah, just wait for someone else to go in and follow them.

    4. Eltonga
      Headmaster

      Re: On point 3

      Well, for one, we lack context information.

      It might well be that the rest of the office is working with beaten-up 6-year-old Dells while your department "won" an internal ego contest and got those shiny new MBAs, and the price to pay for that Pyrrhic victory was that insurance fell on your department's head...

      Or of course it can be that the company's heads are full of it.

  10. ukgnome

    tailgate - oh the joys

    When I worked for EDS I once prevented someone from tailgating. They were very persuasive in their argument as to why they should be allowed through the back door. I explained that as they didn't have their pass I couldn't verify that they should be in the building. I was extremely polite to the point of sickly as I explained that they should visit reception and have them allow them entry to the building. I thought nothing of this until I was asked to report to the UK manager's office.

    Yep, I had prevented the manager from entering her own building. This had made her late for the EMEA meeting as the big directors had visited. They were delighted that I had stopped her, and weirdly I ended up with a gold day for my ruthless door barring.

    1. Aqua Marina

      Re: tailgate - oh the joys

      An anecdote I was told several times over the past year justifying this position. The CEO of a large company, I think it was Target but couldn't be sure, deliberately used to visit the office, and enter the building through the warehouse. If ever he didn't get challenged by the time he made his way into the offices at the other side, he sacked the floor manager.

      1. PatientOne

        Re: tailgate - oh the joys

        Had something similar here: Chief Exec wouldn't wear his ID to see who would challenge him. He was pleasantly surprised by the number who did.

        He didn't sack anyone for not challenging him, but he did write to their manager to express his concern over security...

    2. I ain't Spartacus Gold badge

      Re: tailgate - oh the joys

      An SAS commander in the Malaya emergency supposedly reprimanded the guards at a training camp for not firing on a returning patrol who hadn't properly approached or identified themselves.

      He then apparently screwed up in some way himself, and got fired at for his pains. So he reprimanded the guards for missing him...

      I've seen this from two different sources, but being a forces story, that has no bearing on whether it's actually true or not...

      1. Anonymous Coward

        Re: tailgate - oh the joys

        While on gate guard duty, the RSM took pains to tell us to detain (lock up) anyone who returned to camp in a state of inebriation. They were to be kept detained until the RSM arrived to review the logs and order their release.

        Second person to turn up (staggeringly) drunk was... the RSM.

        Come morning, he really wasn't happy, but those were his orders...

    3. allthecoolshortnamesweretaken

      Re: tailgate - oh the joys

      The trick is to make it look like the guy who has the proper badge is tailgating you.

      Also, there are a lot of places where a hivis vest and a clipboard with some official looking forms will do just nicely.

    4. P. Lee
      Facepalm

      Re: tailgate - oh the joys

      Who needs to tailgate?

      I just go to reception, tell them I've forgotten my pass and they give me a new one, access all areas, no manager checks, no identity verification, access all areas.

      And I don't know the receptionist, as she's in a different building from mine.

      Security? Wassat?

      1. paulf
        Alert

        Re: tailgate - oh the joys

        @ P. Lee "Who needs to tailgate? I just go to reception, tell them I've forgotten my pass and they give me a new one, access all areas, no manager checks, no identity verification, access all areas."

        Have an up vote as I've had this experience also. I don't forget my badge that often but when I do I ask the receptionist politely for a temporary badge and it's issued with no checks, no confirmations, NQA. I'm on "Morning" terms with all the receptionists and admins so they all kinda know me, but not well. That means it's wide open for someone they may not recognise but has the smooth talking and well researched social engineering nailed before entering the building.

        On a related note - It's depressing to find out how much more of the buildings I can access with a temporary badge (which are usually issued to the cleaning staff each evening) than I can with my own badge as part of the Engineering dept at Paulf & Co.

    5. Anonymous Coward

      Re: tailgate - oh the joys

      I had prevented the manager from entering her own building. This had made her late for the EMEA meeting as the big directors had visited. They were delighted that I had stopped her, and weirdly I ended up with a gold day for my ruthless door barring.

      Reminds me of a safety/security story from many years ago. (It was at the time of the big storm that Michael Fish famously got wrong). A big R&D site was closed due to storm damage that threatened to bring down some metal siding. A senior director arrived, and was turned away at the gate by the site safety officer who was 'only' a mid-level technician when not wearing the safety officer hat. A big row ensued with the director doing the "do you know who I am, little man" rant, ultimately ending with a literal "doesn't matter who you are, the site's closed. Fuck off".

      Director complained to MD about his treatment, and to the great joy of the technician (& his union) was smacked down for being an asshole and trying to pull rank when the safety officer was correctly doing his job.

  11. Anonymous Coward

    4. Think when you're sending information

    .. and when you're RECEIVING information too.

    Spam filters are not perfect, especially not when the board is worried about missing that one all-important customer email from someone who evidently writes in a style resembling porno merchants. It means your spam filter can let things through, and the whole idea of a zero-day vulnerability is that it has been as yet undetected or defences have not yet been rolled out.

    Thus, if you get an email with an unexplained invoice and you run MS Office, you may want to avoid opening that attachment (Libre/OpenOffice is generally OK as it doesn't run VB that well). Oh, and if it's from your boss asking you to do something urgently like transferring money or authorising high level access, find a way to check it out of band. Send an SMS or call for confirmation. If he/she objects, just point out that quite a lot of money has disappeared via fakes and you want to spare them that embarrassment.

    1. Anonymous Coward

      Re: 4. Think when you're sending information

      I used to work for a company that made pens. Any email about pens would always flag up the spam filter and cause it to melt down. No combination of training, weighting or rule modification ever produced anything other than an overall spam flag.

      Any email containing the words in closeish order "pen is" (self explanatory) "specialist pen is" (cialis penis) "this soft pink pen is hard to manufacture" (this one really did happen) were simply marked as spam, meaning that we had to relax the system, and allow through all other penis, cialis and pink soft and hard items through.

  12. Anonymous Coward

    Irredentism

    Points 1 to 3 are IT

    Points 4 onwards are general business management and I would expect HR to lead on most of them. Does IT really control building security and passcard management? Looks like the IT SysAdmin has irredentist tendencies and thinks he runs the company.

    1. nichomach

      Re: Irredentism

      IME, it's frequently the case that if it involves technology or has wires in it, other departments are keen to offload it onto IT.

    2. Naselus

      Re: Irredentism

      1) Computerized door control systems are IT, which is maybe 90% of doors on commercial properties in the western world. This is a good thing, unless you want to let the geriatric ex-farmhand who gets the minimum-wage night security job to try and troubleshoot database issues.

      2) Physical access control is taught as part of infosec training from the lowly Sec+ right up to the almighty CISSP, so we're ideally trained for the job anyway.

      3) Almost any company of <250 people has an 'anything with a plug on it is IT' policy. While I'd be entirely happy not to have this responsibility, I am regularly torn away from doing the actual useful things I was very expensively trained to do in order to change lightbulbs and re-fuse plugs. I had hoped this would go away as my hourly rate climbed, but unfortunately my employer appears to think that for the price of an experienced sysadmin he should get a janitor thrown in for free. I just thank god that we don't have an elevator, as if I was left trying to fix that we'd have 5-6 fall deaths per year.

      1. usbac Silver badge

        Re: Irredentism

        @ Naselus

        I work for a mid size company. Actually, I kind of like doing the stupid little stuff. I really don't mind changing a wall thermostat, installing the new dishwasher in the break room, or changing batteries in emergency lights. The kind of stuff that somehow seems to fall under "IT".

        It gives me a nice mental break from trying the figure out why Microshit's latest server OS is doing something strange. Or trying to figure out why the shipping software I wrote four years ago screws up only when shipping a 3 pound package to Kurblackistan and the recipient has two K's in their last name!

    3. Swarthy
      Thumb Up

      Re: Irredentism

      Upvoted for teaching me a new word today.

    4. I am the liquor

      Re: Irredentism

      Point 3 isn't really IT either. It's about off-loading financial liability for uninsured risks from the company to the employee.

  13. chivo243 Silver badge
    Flame

    We have rules

    Set up by the Directors, but they don't see why they need to follow them.

    Do as I say damn it, NOT as I DO!

    1. Naselus

      Re: We have rules

      I recall working as a steward at the Commonwealth Games many years ago (I was about 18 at the time). We were given a basic 2-day security course covering more or less the same stuff in this article, and then deployed; our main job was to make sure that only people wearing badges got through.

      The head of security for that year's Commonwealth games not only did not bring his badge to work, but threw a fit whenever any of the staff he was employing to prevent people without badges strolling around called him up on it. I'd expect that sort of idiocy from general directorate types, but this was a man who had literally spent 40 years training for and working in event security. And it wasn't an embarrassing 1-off occurrence - he simply didn't think he himself would require a badge to identify himself to the 800+ contractors he'd hired to enforce the rules he had written and then insisted on flouting.

  14. frank ly

    More tailgating

    I worked on a large 'secure' site that had employee tracking by proximity card. If you tailgated and didn't offer your card to the reader, the system thought you were outside the area you were actually in, so it wouldn't open the door for you when you later 'swiped' from inside. You had to phone security and explain to them what you'd done. After the first lapse, the vast majority of people always gave a scan before they went through a controlled door.

    (I was sure that security had been given carte-blanche to act like sarcastic dickheads when they got one of those phone calls. It seemed to work though.)

    1. Anonymous Coward

      Re: More tailgating

      I used to have to go into a server room which had a double entry door system. In between was a pressure pad. If the pad detected more than 100 kg a polite voice used to say "One at a time please". You then had to smile nicely at a camera so security would open the second door.

      One time a colleague forgot his server room access card so borrowed someone else's. It's possible if the someone else hadn't been a she he might have got away with it. They were both fired immediately.

      1. Naselus

        Re: More tailgating

        Which seemed like a great idea until the next time someone had to add a new server to the rack.

        1. Anonymous Coward

          Re: More tailgating

          Separate door and loads of paperwork for that, however some of the offsite technicians had toolbags that took them over the limit.

      2. Jess

        Re: If the pad detected more than 100Kg

        If I had a Mac Pro Tower in each hand I'd be well over that. (In fact one would probably do it.)

  15. Anonymous Coward

    I spent two WEEKS tailgating..

    The irony was, I started this by accident (got out of bed late 2nd day on the job and forgot my freshly issued badge, so I took a chance). It took two full weeks before I was challenged by security - all those days I had the badge in my pocket.

    Unfortunately for them, the damage was already done.

    My job there was to verify site and systems security..

  16. Just Enough

    Click Bait

    What a horrible click-baity headline. Don't do it again.

    1. Anonymous Coward

      Re: Click Bait

      It's either that or banning ad blockers. You choose.

      :)

  17. Michael H.F. Wilkinson Silver badge

    I recently received a phishing attempt

    They claimed there had been a remote access to my account blah blah, etc would I log in to this URL to reset my password otherwise my account would be blocked.

    As most phishing attempts are filtered, I forwarded this to our IT people, remarking this was a new phishing attempt not filtered by the system. I got a prompt (automated) reply, that "ticket blah blah had been resolved". The phishing attempt came through the filter because it had emanated from the IT guys themselves to educate users. Clearly I am a suspicious enough blighter to pass this rather trivial test, but apparently it is necessary to carry out these tests, because many users apparently fall for it.

    1. KA1AXY

      Re: I recently received a phishing attempt

      I regularly delete any request to "verify" my account. If it's blocked I'll call and have it unblocked. That has never been necessary.

      1. Michael H.F. Wilkinson Silver badge

        Re: I recently received a phishing attempt

        Those requests are common indeed. Most of them get blocked by now.

        1. chivo243 Silver badge

          Re: I recently received a phishing attempt

          The new ones always have to do with payments due or payments you didn't know you paid...

          1. Doctor Syntax Silver badge

            Re: I recently received a phishing attempt

            "The new ones always have to do with payments due or payments you didn't know you paid..."

            According to the Beeb the very latest ones know your postal address. I wonder if the recipients are TalkTalk customers.

  18. 0laf

    The CEO problem

    Yeah #8 is great unless the arse demanding they be exempted from the rules is backed up by the chief exec. Then you just have to make a record of it to cover your own arse then do as you're told.

    1. Anonymous Coward

      Re: The CEO problem

      So you add it to the policy: "Rule 8a: the CEO is not required to abide by this policy". And point it out to the auditors next time they visit.

      1. Edwin

        Re: The CEO problem

        Hum. The inherent assumption here is that the process is effective, adds value and makes sense. Looking at IT in any number of large corporations, this is a risky assumption at best.

  19. zebm

    What about side loading?

    I worked for a blue chip where they had an extreme side loading policy - my view was that if I compiled the open source code myself then I wasn't breaching policy but knew better than to ask for confirmation. Others would use standalone laptops with unencrypted hard drives and admin passwords taped to them...

  20. joeW

    encourage staff to challenge anyone who's not displaying their badge

    If I'm expected to do a security guard's job as well as my own, I'll want a security guard's pay on top of my current salary.

    1. Velv

      Re: encourage staff to challenge anyone who's not displaying their badge

      Congratulations you've proven you're part of the problem and not part of the solution.

      1. joeW

        Re: encourage staff to challenge anyone who's not displaying their badge

        What I'm not is a fucking bouncer. "Challenge them", yeah, no bother, all 65kg of the skinny IT nerd that I am is going to go around challenging people for the good of my employers. The one time it turns out to be a fucking nutter I'm challenging will go really well for me. Yeah, we have occasionally had proper nutters try to get in (my employers have contracts with some rather unpopular companies, I'll say no more).

    2. Anonymous Coward

      Re: encourage staff to challenge anyone who's not displaying their badge

      And do you require a safety officer's pay because work also expects you to not do anything hazardous at work, and report any hazardous thing you see?

      It's enlightened self interest. Since the intruder might not be after company secrets so much as a mobile phone left on a desk or a purse left in a handbag.

  21. Doctor Syntax Silver badge

    "Is the recipient authorised to receive it?"

    It goes far beyond that. Once it's gone it's out of your control. The recipient may be authorised to receive it but how do you know they won't: show it to colleagues who aren't? Print it out and leave it lying about? Keep it on a laptop left lying on the back seat of a car in central London?

    This doesn't just apply to email. On my last permie job the vendors of a new warehouse management system said they would need access to the network and it was decided to simply hand them some 2FA device. So the whole company network was now accessible to whoever had this device and the relevant instructions - which were probably written on a label tied to it - and completely beyond our control. I left before the whole thing had gone live so never found out how it turned out.

  22. maimonides

    "IT is perceived in mixed ways by users. Some look on the amazing stuff it does and think there must be witchcraft going on in there somewhere. Others think that because they configured their Wi-Fi printer and Sky box at home, they're a genius of computing."

    This paragraph is incomplete. Allow me to finish...

    And then, there is the majority. Those ungrateful people think, that just because internet is down and waiting time for new computer is two month and antivirus makes their PC useless and demented password policy is senseless, that IT is not up to the task and should be outsourced by less overpaid monkeys and things will be roughly the same, except monkey cages will not be as smelly and awful.

    Mostly they are right.

    Even barely competent IT dept is like a black swan. They generally exist only in reg stories.

    1. glen waverley

      downvote cos ...

      ... of yr northern hemispherist attitudes.

      Here I can see black swans whenever I feel like it. Only have to go to the river or the lake, depending which city I happen to be in.

      1. Kernel

        Re: downvote cos ...

        Yeah, considered to be a bit of a pest species here, hence the regulars of any swan that isn't white.

  23. Duncan Macdonald

    Nice Theory - but

    1) How many outfits have all their IT systems set up correctly - all too often if one person has to provide temporary cover for another, the only way to do so is to log on as that other person. (Or wait weeks for all the authorization tables to be updated, additional user licenses purchased etc.)

    2) See (1)

    8) Proper procedures are good for routine activities - they are not much good under exceptional conditions.

    (Crude example - the payroll printer breaks down on payday - there is no time to follow the "correct procedure" of repairing or replacing it but diverting the print job to a printer in another office allows the time critical payroll job to complete.)

    Having "proper procedures" that take too long can result in a company losing out to more agile competitors.

    9) Security is not the second most important thing. Safety, company survival, company profits and company growth are more important. Also in many companies, senior management convenience is counted as far more important than security.

    Security is an overhead - (people, software, equipment and employee time) so for most companies, they spend as little as possible on it. This tends to mean that the chief security officer for a company is a fairly low ranked person who can be easily overridden by senior management. (The correct point to stop with security spending in a company is at the point where the loss prevention from increased security no longer exceeds the cost of the increased security.)

    Finally if security is applied with too heavy a hand, employee morale and productivity can suffer badly

    1. Jediben

      Re: Nice Theory - but

      "Security is not the second most important thing. Safety, company survival, company profits and company growth are more important. Also in many companies, senior management convenience is counted as far more important than security."

      You won't get much profit, growth or senior management convenience if you have a leak from the air conditioning in the electronically-locked Boardroom which fails, and kills everyone senior.

      1. Mark 85

        Re: Nice Theory - but

        You won't get much profit, growth or senior management convenience if you have a leak from the air conditioning in the electronically-locked Boardroom which fails, and kills everyone senior.

        Allow me to snark a bit.... Profit would go up since no senior management bonuses would need to be paid out. Growth might increase without senior management sticking their noses in where they have no knowledge or expertise. Hmm... maybe a change in management might be beneficial in many companies as long as they don't hire someone else's flotsam/jetsam.

      2. Doctor Syntax Silver badge

        Re: Nice Theory - but

        "You won't get much profit, growth or senior management convenience if you have a leak from the air conditioning in the electronically-locked Boardroom which fails, and kills everyone senior."

        If it's that limited it won't do any harm to profits and growth. In fact it might improve them.

    2. Anonymous Coward

      Re: Nice Theory - but

      In the case of emergency measures, then by all means come up with an emergency plan to keep business running with the authority to do it. That might mean getting a director to write a short note giving you carte blanche.

      Even then you work to mitigate the risk. Dead printer in payroll. Take it from the nearest normal office and plug it in the payroll office. Redirecting instead, then someone from personnel guards the printer output tray until it's finished printing the payslips. Now in my experience not printing the payroll didn't mean not getting paid but... ymmv.

      And if you have an incident then you can use it to improve your procedures for next time. Continual improvement and all that. Add to any procedure " [management role] can override [section numbers] by using [form] countersigned by [senior management figure]"

    3. Doctor Syntax Silver badge

      Re: Nice Theory - but

      "Proper procedures are good for routine activities - they are not much good under exceptional conditions."

      Your proper procedures should allow for emergency actions but require that the action taken is documented. One reason for employing experienced people is to ensure there's someone available competent to deal with the stuff that doesn't get documented procedures because it's unexpected.

  24. Ed Jackson

    I don't stick to half of those "Ten Top IT Admin Tips" because half of them have nothing to do with IT.

  25. Anonymous Coward

    1) is a tad unrealistic

    There are some diagnostics that have to be undertaken as the user experiencing the issue. Generally it's best the user is at least present to enter their password when needed, but often they don't want to be - this should be enforced.

    I'm against passwords being written down and shared, but it's nigh on impossible to carry out some diagnostic work without having access as the user affected, and in many cases they may not be sharing their password but leaving their computer logged on for you and buggering off for a tea and a chat with a colleague.

    Of course, in my opinion, this is not an issue when involving IT staff who have access to, say, AD anyway, and could easily change a password and wreak havoc if they so chose. This is where having auditing switched on is important. It often surprises me the levels of trust assigned to new IT staff as they require access to systems to do their job, but no real background checks can be carried out, save for the usual references.

    1. Velv

      Re: 1) is a tad unrealistic

      Agreed there are issues that can only be diagnosed under the users credentials.

      But the policy will handle that. The user must remain present during the support service. They cannot be permitted to "just bugger off for coffee". Now I know it's difficult for the PFY in his second week to tell the senior manager they can't just leave their password behind or even just leave the computer logged on, but if the senior manager has signed up to the policy in the first place the company should be behind it and the PFY. It doesn't take long for the right culture to be the norm.

    2. Naselus

      Re: 1) is a tad unrealistic

      If the user attempts to leave, then just tell them 'no, I need you here for this'. If they still try to leave, then you can leave too. Clearly, whatever they were working on wasn't important enough for them to hang around to get back on with it as quickly as possible, and so it's not really your problem if the issue remains unfixed until they can find time in their busy coffee-making schedule to be around for it.

      Most users are happy to let the IT guy be in total control over the situation when they need assistance anyway, regardless of relative rank - directors will often prove to be more inclined to be passive and helpful than anyone else when it comes to this, as they need to get back to work and will do whatever you ask of them if that expedites the fix.

      Finally, if any user DOES insist on giving you their password so they can bugger off, then set their account to force them to reset their password at the next opportunity. They very, very quickly learn to stop handing them out when it means having to change their passwords even more regularly.

    3. Mark 85

      Re: 1) is a tad unrealistic

      Where I was working, we in IT did accept passwords and log on credentials for repair. However, when the PC/Laptop/Mobile was handed back, the user had to call into the Security Helldesk for new passwords. All to them, not just the one for the PC.

      However, after one IT lad decided to look where he shouldn't have looked, that policy did change. No handing over credentials/passwords. Firing offence even if it was senior management's equipment and they didn't want to hang around. Lots of pressure for us to ignore it until a junior VP was canned for pushing and demanding we fix his box without his being there to login.

  26. Primus Secundus Tertius

    The Security Chief

    At one place I worked, you could easily spot the chief security officer. Everywhere he went people asked to see his pass.

  27. Anonymous Coward

    Try to explain 10 to HR...

    Here HR people can get easily overzealous over very small "infringements" (I had to discuss a couple of times because I left the company phone in the car and had to get it - it takes two minutes but if you exit for such time - of course using the badge - they make you spend a 15m permission!), but try to put big ones under the carpet, because usually the culprit goes whining to the nearest unions representative and HR doesn't want any trouble with unions...

    Thereby you see the silly minutiae SS-like enforced, while big security and work issues become just, "well, we asked him/her gently to be more careful next time..." - and I'm told I have to learn to treat people, and don't report them if I can avoid it (after all, if then something very bad happens and becomes a big trouble, the responsibility becomes mine, not HR...)

  28. CAPS LOCK

    tl;dr? Here's an executive summary...

    ... 1. Do everything you must do and do it perfectly.

    2. Don't do anything you mustn't do.

  29. Anonymous Coward

    One rule to rule them all

    Face outwards, not inwards.

    The best IT departments basically look at what they can do to make the organisation work more efficiently/profitably/happily. When you bring them a problem they stare into space, smile, and say - 'i think i can see a way we can resolve that'.

    The worst ones have their back to the door and their nose in a corporate procedure manual. On the bright side though, working at an office with an inward facing IT department is a brilliant way to enhance your skills, as you get to learn about all the things they should do, but don't (right up to DIY token ring lan installation on a weekend).

    1. KA1AXY

      Re: One rule to rule them all

      Token ring?

      You have my sincerest sympathy.

  30. allthecoolshortnamesweretaken

    We have a much better set of security rules where I work, but I am not at liberty to discuss them.

  31. Dr. Mouse

    "Everyone I've ever worked with who's responsible for premises or security has bemoaned how hard it is to get people not to “tailgate” – that is to let the person in front swipe their entry card then follow them in without doing so yourself. And anyway, we're all taught that holding doors open for people is good manners. It's a security nightmare, though."

    At one place I worked, some guys nicked a large, expensive plasma TV. They walked in, went to the class room (in front of a class full of students), unplugged the TV and walked out with it. No one questioned them, and the MD and owner of the company held the door open for them as they were leaving!

    1. allthecoolshortnamesweretaken

      Some years ago there was a story floating around about a couple of guys who took all the xerox machines from an office block, claiming they were from the company that the machines were leased from. "Machines are up for replacement with new model as per leasing agreement. We'll just remove them now, delivery of the new ones will be in an hour or so."

      As to tailgating, a couple of years ago I was on a seminar (TRGS 519, if that means anything to you). One of the participants worked in a nuclear power plant. Lots of areas with two-door security access. System keeps track of who enters, who leaves, who is still in there. One day he tailgated from one area into another. When he wanted to leave the area, the door system wouldn't let him out because according to the log files he wasn't in there.
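The "system thinks you are still outside" behaviour described in the two tailgating anecdotes above (the proximity-card site and the power plant) is anti-passback: every reader only grants a card whose recorded zone matches the side of the door the reader sits on. The following is an added example written for this page, not code from any commenter or access-control vendor; the zone names, door layout and the manual "phone security" override are assumptions chosen to reproduce the anecdotes, and the model is the simple two-zone, no-timeout variant.

```python
from dataclasses import dataclass, field

OUTSIDE = "outside"  # assumed name for the zone on the public side of every door


@dataclass(frozen=True)
class Door:
    name: str
    from_zone: str  # zone the system must believe the holder is in for a grant
    to_zone: str    # zone the holder is recorded in after a granted read


@dataclass
class AntiPassbackSystem:
    # card id -> zone the system currently believes the holder is in
    location: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def register(self, card: str) -> None:
        """New card: the holder starts outside the controlled area."""
        self.location[card] = OUTSIDE

    def swipe(self, card: str, door: Door) -> bool:
        """One card read. Grant only if the recorded zone matches the reader side."""
        recorded = self.location.get(card)
        if recorded is None:
            self.log.append((card, door.name, "DENY", "unknown card"))
            return False
        if recorded != door.from_zone:
            self.log.append((card, door.name, "DENY",
                             f"anti-passback: recorded in '{recorded}', "
                             f"reader expects '{door.from_zone}'"))
            return False
        self.location[card] = door.to_zone
        self.log.append((card, door.name, "GRANT", f"{recorded} -> {door.to_zone}"))
        return True

    def tailgate(self, card: str, door: Door) -> None:
        """Holder walks through behind someone else without presenting the card.
        The physical position changes; the recorded one does not, which is what
        trips the holder's next legitimate swipe."""
        self.log.append((card, door.name, "TAILGATE", "no read; recorded zone unchanged"))

    def security_override(self, card: str, zone: str) -> None:
        """The phone call to security: manually correct the recorded zone."""
        self.location[card] = zone
        self.log.append((card, "-", "OVERRIDE", f"recorded zone set to '{zone}'"))


def tailgating_scenario() -> dict:
    """Constructed scenario: A swipes in, B tailgates behind A, both try to leave."""
    lobby_in = Door("lobby-in", OUTSIDE, "lobby")
    lobby_out = Door("lobby-out", "lobby", OUTSIDE)
    acs = AntiPassbackSystem()
    acs.register("A100")
    acs.register("B200")

    acs.swipe("A100", lobby_in)      # granted: outside -> lobby
    acs.tailgate("B200", lobby_in)   # B is physically in the lobby, recorded outside

    result = {
        "a_exit": acs.swipe("A100", lobby_out),            # granted
        "b_exit_first_try": acs.swipe("B200", lobby_out),  # denied: anti-passback
    }
    acs.security_override("B200", "lobby")                 # after the phone call
    result["b_exit_after_override"] = acs.swipe("B200", lobby_out)  # granted
    result["denials"] = [entry for entry in acs.log if entry[2] == "DENY"]
    return result


if __name__ == "__main__":
    for key, value in tailgating_scenario().items():
        print(key, value)
```

The useful property for the defender is in the log: the tailgater never generates an event on the way in, but is forced to generate a DENY on the way out, which is the first point at which security learns a badge-less entry happened. Real deployments usually add a timed reset so that a single missed read does not lock a card out forever; that is deliberately left out here.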

    2. dr john

      At my first university, some of the rival university's students arrived in overalls in a rented van, dismantled the large glass doors to the student union, and drove off with them. No-one questioned this until late in the evening when a ransom note arrived...

  32. jzl

    Incentivise lying

    Agree with the rest, but not point three.

    If you make employees liable for company kit, then you're incentivising lying and decreasing security. If their laptop goes missing, there will be a delay in reporting it while they desperately try to work out if they can get it back. If they can't, you'll likely face completely erroneous accounts of what happened to it. All for the sake of a few hundred quid of kit.

    1. Anonymous Coward

      Re: Incentivise lying

      And if you don't, they become reckless about them - not their stuff, no responsibility, who cares about it... once we got the truth because we asked someone to follow us at the police office because we were going to file a report about a stolen PC... and he got scared to file a false report :)

    2. Anonymous Coward

      Re: Incentivise lying

      Speaking as someone who has had to swap out a laptop for a rep because "it stopped working" and when I dismantled it (to reuse the screen after another rep broke the screen on theirs) found evidence of liquid based damage (probably coffee) such that the alloy frame was corroded, I tend to the making sure responsibilities are clear from the start position.

      That said rep was (to the best of my understanding) let go when it was found he was promoting his own products on company time, suggests that duplicitous reporting of the laptop fault was not a result of company policies.

  33. Stevie

    Bah!

    There are about three people in my enterprise of over 500 who wear their badge as demanded in the Official Memo Re Badges: all the time and above the waist.

    The managers typically wear them clipped to a belt (against policy) and the rest, including 100% of the consultants, never display them.

    Not only is this a security nightmare, it is fucking rude. How in hell am I supposed to know your name when I need to ask you a question in a meeting?

    But now the SAs are insisting on deploying sudo "for security". On some servers. Only for certain staff. And not the SAs.

    HASP * in action.

    * Half-Arsed Security Procedures. Not intended as anything but a sardonic kick in the nuts from them-wot-can to Teh Luzerz.

  34. Lee D Silver badge

    I have:

    - Told a headteacher of a school "Sorry, you're not allowed access to that information" (They wanted free rein of the webfilter log but were unable to describe to me why, who, what they were after, did not want records or oversight of THEIR access to the logs, and my policy doesn't allow that. Even if they had demanded it, a list of computer AD accounts, DHCP lease allocations and webfilter logs based on IP would have kept them correlating numbers for weeks. Shockingly, after explaining why and the proper process for such inquiries, they gave up and never asked again.).

    - Disabled a staff user account because they shared their access with a colleague (The reason you have access and they don't is because you're allowed to see it and they are not. If that's hindering them in their job, have them ask for more access, don't just grant it to them via your account as a proxy measure).

    - Refused to issue new staff members details until I see a signed AUP. Yes, it's petty but I'm not going to have you claim that you didn't know you couldn't just copy all our data onto your USB stick.

    - Shut down an entire school's use of a service after it was found with school data on it that we hadn't authorised the dissemination of (someone had typed in all the kids names etc. manually into a third-party website), and which wasn't hosted in the EU. This generated instant and immediate cessation of usage upon discovery, a warning to ALL staff (including cleaners), a review of all services and a staff "amnesty" so they could admit to anything similar they may have done elsewhere. And NONE of that came from me, but from the Data Controller of the school.

    Data protection has PERSONAL LIABILITY now. That means if I - or you - allow things, we can go to jail or be fined, besides what happens to the company or our jobs. I ain't going to risk that for your convenience. You want something, you document it. You don't do it properly and / or try to bypass me, I'll just drop you in it. Because then *I'm* covered and have done what I need to do and it's down to you. And even that doesn't excuse what happened to data which is supposed to be in my care and the loss of business reputation because of that.

    You think we're being petty, we're not. It's a pain in the butt to do all this stuff and causes nothing but arguments and hassle. We don't do it for fun (maybe some do, but the majority not), we do it because we don't want to end up in court or being fined to oblivion, like DOZENS OF DOCUMENTED CASES.

  35. Derek Choate 1

    Nagging will get you nowhere

    As we all know, people tend to be the weakest link in most security regimes and the author seems to think that this can change through some sort of mass conditioning. Sadly, humans are the weakest link because we tend not to be obedient little automatons and no amount of nagging will change that. Ever. Instead we must completely re-engineer our security approach so that it minimises the amount of damage that individuals can do. For example, forget passwords - go for something much harder to share, like fingerprints or other forms of 2FA.

  36. Anonymous Coward

    Tip 0

    Badger the CTO about open source and migrating the enterprise to Linux Mint

  37. Anonymous Coward

    Ah yes, securidee

    A few years back I was working in Govt. IT and grew tired of lugging their hefty IL3 secured laptop home on the Tube.

    My solution was to image the hard disk and run it under VMWare on my home PC. It worked perfectly and wasn't detected; indeed when I raised this scenario as a risk to the IA guys they swore it was impossible.

  38. Herby

    Badges? We don't need no stinking badges.

    I am a contractor for a "high profile" sillycon valley company. They have nice access control devices for entering buildings, but after that I keep my badge in my pocket (not displayed) all the time. No challenges (yet).

    The previous (other) "high profile" sillycon valley company had similar policies, but after the slot broke off of the badge holder, I did what a cube mate of mine did, and kept it in my wallet. To enter the building, I just brushed my butt next to the reader. Nobody complained there either.

    Yes, the current place of work has LOTS of signs that say "No tailgating". I try to be a good boy.

    1. Anonymous Coward

      Re: Badges? We don't need no stinking badges.

      Used to work for an access control manufacturer. Had a high profile customer site that used our kit and had an add-on that would print visitor badges. It was just basically a bit of card with a photo and a barcode - the number could be automatically disabled in the system at the end of the day.

      As I was there with the setup/commissioning, I set myself up on the system with my test card - which was a barcode from a Tesco Chicken Sandwich packet. The installer was not pleased - and nicked my test card - bastard.

  39. Jess

    Word

    About 12 years ago I worked in a school.

    I demonstrated to a social worker how much information was hidden within word files. All the blood drained from her skin.

    Another time I had to try to email a security video viewer executable to the local police. Obviously their firewall blocked it. When I embedded it in a word file it went straight through.

  40. Sil

    As we've seen countless times in the biggest scandals of our time, one of the most difficult tasks is to correctly and promptly manage full/very potent rights for admins of all kinds and other high level employees.

    Otherwise you end up with yet another Panama or Wikileak.

    Also, for SMBs at least, you must have clear policies and handling of tape backups, who brings them to the bank or other safe place, how you store them in at least two geographically distant places etc.

  41. Anonymous Coward

    Jolly good, where's the money?

    It's all down to money, even if most of the points are reasonable.

    Have to follow procedure - right up until the point where because various people have been useless, and/or due to insufficient investment, the customer is going to disappear, or it will cost the company/customer real money. Shortcuts are taken, generally quite safely, as most of the procedure in place is in reality useless.

    There was a product. A security audit revealed a couple of features that whilst not a particular security risk, were distinctly sub-optimal and should be better implemented. Management raised this as a high importance change, we agreed it was not ideal and should be fixed. Whilst we can fix it, doing so will stop us doing our job effectively. A proper fix involves not only improving security on the features, but considerable amounts of new code so everyone can perform their jobs as well or better, testing, new procedures, new tracking systems, contacting a couple of dozen customers, and a mass roll out of new systems.

    We'd love to do this properly - can we have at least a few extra staff to arrange this, and development/support/testing time in the current team? From management came : crickets.

    Obviously that was a bit too much to do at once, so the backup plan would be to incrementally fix customers, and gradually roll out changes. Do management think of this? No - they cut the number of team members.

    Count me in when staff get a bonus for finding process and security issues and suggesting improvements, even when it has a staff and monetary cost. When there's a nirvana of a performance review that's 'you cost the company lots of money this year, but that's ok as we're now the most secure business in our sector, and believe this reduces our future risk. Have a substantial pay rise' it will be worth bothering to change procedure.

  42. Anonymous Coward

    Difference between Information Technology and Information Governance

    Had a user moan at me about the fact that we have software that blocks write access to USB memory sticks. (I'm a contractor in the IT dept, so even though I'm "IT", I'm not important enough so I suffer with the policies).

    Explained that the IT department allows people to create, change, store and transmit data potentially world wide. The Information Governance Dept says "You can't do that!" and forces IT to do what IG says...

  43. Anonymous Coward

    It is not the second most important thing

    The business is the second most important item. Security is somewhere below. I've worked with too many organizations where security dictates the business and consistently blocks the business from being able to effectively operate. There is a difference between protecting against legitimate threats and just being a pain in the ass and stopping the organization from conducting business effectively.

  44. dr john

    Stupid password policy

    Students at a college where I lectured all got a computer account. They used their name or badge ID and a password to log in. To make it easy to pass this on to hundreds of new students during week one, all had the same initial password - the legendary changeme! They were told to change it whenever they logged in without having changed it. Now almost everyone did this, and they got email reminders during the first week or two as well. So initially all your data was mine as well, until you set a new password. Risky? Yes, but most got the message. And they had little or no data to worry about at this stage, apart from emails being sent in their name of course.

    BUT

    They were also told that at regular intervals they must change their password, the commonest interval being during the second-last week of the last term of the academic year. It used to be the end of every term at one point, but that caused too many problems.

    And if they didn't change it during the second-last week? Their password was reset to...

    Yes, back to changeme - ALL your data, assignments and emails are now my data, assignments and emails!!! A quick delete of a folder by a nasty student taking advantage of this could result in someone they didn't like failing a course!

    This was before I took computing courses, and so when I suggested that this was a very risky thing to do, the IT people told me to go away and leave the qualified people to get on with their work.

    I kid you not.

    Needless to say I often had panicking students coming to my office as they couldn't log in to get their final assignments printed - their "friends" had logged in and changed the password.

    Often these passwords would remain as changeme until the new term started.

  45. crayon

    re: content free emails

    When you receive your content free email you're supposed to log in to your https://patient.emisaccess.co.uk/ account to see the content.

  46. Metrognome

    ISO and associated malarkey

    "...ISO adjudicator to take away the certification...."

    I have been working with ISO QA systems since the early 2000s and I have yet to find a case where non-conformities result in a certification lapse, with the exception of bankrupt companies on the brink of calling the administrators in.

  47. CoolKoon

    IT admin tips? More like paranoid corporate CSO tips

    I swear that articles such as these are NOT written (nor recommended) by IT guys, but by those CSO types instead which I had the "fortune" to meet in my life. They seem to want to run everything like the Soviets ran Eastern Europe before 1989: monitoring everyone (including their private communication on social networks of course), giving the least amount of access (he can't do his work properly? Who cares?), encouraging EVERYONE to be suspicious of their colleagues (I've seen such idiotic campaigns alleging that the evil wrongdoer is among the corporate monkeys) and of course to report everyone for anything that seems even remotely suspicious. And then they don't understand why the IT crowd leaves that company in flocks like rats abandoning a sinking ship. No sane person would want to (voluntarily) work in such a hostile environment (although a mortgage does wonders).

    Then there's this statement that has REALLY cracked me up: "Give them a way to do so identifiably but with guaranteed confidentiality (never anonymously – you can't follow up)." ROFLCOPTER Does any sane person actually believe that any information they report would be confidential (even with the false promise of anonymity, let alone without)? Especially when it involves one's own supervisors? Or to turn it around: could anyone believe that if accused of something they could defend themselves in any reasonable manner? In corporations with a cutthroat attitude and morals (or lack thereof)? This is REALLY something that only someone working as a CSO (or for one) can actually believe in. Everybody else is sane enough not to believe any of this BS.
