I guess some raises and bonuses are in order.
Well, you have to attract and retain the right sort of people…
That's probably the biggest unintentional risk to IT security…
Nobody outguns the insider-threat-IT-guy; but if you want people who have access to juicy information in the normal course of employment, are frequently unsavvy enough to open dubious attachments and the like, and often have enough institutional clout to flout onerous restrictions placed on lesser cube drones, just look at HQ.
yes, MBAs are Master Bullshit Artists, look what happened when we elected one president.
It's not just internet security they're oblivious to.
What part of “The rules don't apply to us” don't you get?
Not mentioned in that article - the Cs and Vs will often insist on actively downgrading company security measures for their convenience, sometimes to the point where it actively puts everyone else at risk (not just indirectly when they get infected).
I remember one who just turned off the company's gateway firewall because it was interfering with his music pirating.
I'd be the last to argue that institutional IT isn't (in some locations) infested with incompetent, hidebound, obstructionists who really shouldn't be in the industry and/or are basically fucking with you; but one reason why the “enterprise” IT user experience is so comparatively miserable is that the “home” IT experience takes some crazy risks in the service of ease and convenience… Also, backwards compatibility and legacy systems integration.
“Everyone has to pass through the eye of the needle.
…
Except these people.”
Oh, yeah. That's one of my faves. In fact, I was at a place one day when there was a big meeting and some asshole decided that he HAD to have this fucking Elvis song as his “intro” - no one had a copy of it they could find quickly, so the infrastructure IT director became the pussy of all pussies and told the network guy to open the firewall so he could grab it from LimeWire or whatever. Clearly this story pre-dates iTunes/Amazon, etc…
That was the day I lost all respect for that schlub.
I was in a roundtable meeting at one company where the CEO bitched about security being too tight - in a company regulated by the FDA of all things.
This thread could go on for weeks if just a handful of BB IT readers dropped a few stories. Sometimes it's a damn wonder some companies still function at all.
Seems pretty common. Long ago I was an intern in the office of a university's president. She didn't like dealing with email or other computer based tasks, so I'd read her emails to her and let her dictate responses. This gave me access to all of her email. She also didn't like using the university's enrollment management system, so I was tasked with that too. Since IT wouldn't give me more than the most basic access, she gave me her account credentials, which allowed me full access to all records for all students and alumni. While I never got up to any hijinks, it would have been easy to do on a massive scale undetected.
Many systems I set up during my consulting years had tons of exceptions built in for executives and their administrative staff. When CEO Bob is out of town, you can't have an approval holding everything up, so secretary Sam had an exception that let him do unlimited approvals. Since CEO Bob might be out of town or just out on the golf course at any moment, there were no restrictions on secretary Sam's ability to be CEO.
Often the problem is that the systems are initially designed with the theoretical way people think a company operates rather than the reality of how it operates. Once the system goes in place and the difference is discovered, holes are poked all over the place so those actually doing work can get it done. If you're a poor slob who isn't well connected in the company, good luck on getting one of those holes poked for you. Near the executive suite? Poke away!
This happens everywhere. For years I worked in a bank, preparing the cash that went straight to ATMs all over the state. On one hand, they would drill into us how important it was that, being the last line of defense in counterfeit detection, we scrutinize every bill that's flagged by the machines; on the other hand, if we're not keeping up production, we must be slacking off.
If a supervisor ran a currency counter that beeped too much, she would turn off all of the detectors so that she wouldn't be inconvenienced. If anything bogus got through to the ATMs, all they cared about was that it came through my office.
Every time you get cash out of an ATM, check the bills on the spot, no matter what the PR department tells you.
Can I flag a comment TIL?
The same basic principle is at play with national security. It has ever been that the “purchasers” of national security information (kings, queens, politicians, etc) were/are able to play fast and loose with the information they obtained (even - and especially - when doing so explicitly risked ongoing national security) in ways that got/gets peons executed, or at least sent to the Tower.
A number of years ago, I was working to stand up a SOC team, for an organization that was just standing up IDS/IPS and SIEM (obviously, now that you have it, you need people to interpret it. … )
I had noticed that some of the brute-force SSH assaults were coming so hot and heavy, that they approached saturating some of our smaller circuits and firewalls. So I noted the fact, and included it as part of an argument to enable rate-limitation on the firewalls (a fairly standard measure for dealing with DDOSs and brute force attackers…)
I then get called onto the carpet at end of day, a day or two later, where manglement is fretting over my “admission” that we were nearly DDOSed. I told them, no, I saw a potential problem, and wanted to fix it BEFORE it rose to DDOS levels. They would not let me leave until I added nearly a page of weasel-words, to the already-plain statement that this was a PREVENTATIVE measure because I saw the POTENTIAL for some occasional DDOSs in the future.
The same group INSISTED that I had not detected a trojan, that the workstation in question had tested clean, etc.
Until an outside audit group found the Trojan I had detected, AND the email chain of them denying what I had found.
Now, in a NORMAL world, I would have gotten a small bonus and a promotion… but what REALLY happened was at the end of the option year, they dropped the SOC Lead position, saying it was un-needed… and so, once again, I found that no good deed goes unpunished…
Thinking about this some more, it seems that once people get to a certain level - be it in politics, intelligence, or business - they cease to think that they are part of the organisation (be it government, spook city, or corporation) and that the organisation is theirs, their plaything, to do with as they will. They don't have to follow the rules, because they set the rules, and it's effectively impossible for them to “break” the rules, because the rules are whatever they deem them to be. “When the President does it, that means it is not illegal” is the most public example, but far from the only one. Enron is another excellent example.
So, senior execs aren't a threat to IT security at all. IT security exists to serve them, so if they deem that IT security is an embuggerance, well, let's not forget which is the horse and which is the cart. IT security can go to hell. And if the senior exec should royally screw the pooch… shrug, the next senior exec position is only a golden parachute away.
No surprises here. I've seen this so many times I could've just screamed. But, I didn't. I just turned into a mega-bitch diva. Working as a consultant for many years showed me the horror show that exists many times.
Perhaps the worst company-company abuse was a company I worked for that charged a well-off Native American tribe close to a half million to install their new accounting system - which was a beta. And no back-ups of the original data were done! And yet, they love to say “risk-management” in their round table meetings.
Or, a federal agency that had accounts existing for workers who hadn't been there in as much as 7 years, plus current accounts with killer access to sensitive information. Why? Because despite having hundreds of IT people on staff, they'd happily pull them off-task at any time to do special favors for execs until there was nothing left for the essentials. And then, they fell in love with their Blackberries - one of the crappiest platforms I have ever encountered. More manpower lost.
I think the very worst were the 2 federal employees who harassed a contractor so heavily that one day, he just went home and blew his brains out. Literally. They neither knew nor cared that the guy already had a history of depression and was being treated, but it wasn't enough to get past what he had to deal with every day. It does happen. Kind of made all the rest of the malware and virii and executive entitlement pale in comparison.
I suppose I could chime in with some of the silliness I've seen over the years, but instead I'll give props to my boss: she doesn't insist on any special treatment or IT privileges. She doesn't even have local admin on her laptop, and doesn't ever whine about it, either.
tl;dr: not everyone with “President” on their business card is a clue-free moron; just most of them.
Does it strike you that, due to the vast majority of clueless idiots, the type of boss like you have now become… I dunno, almost saintly to us in a way?
As someone in IT I've got to say; “Tell me something I don't know”.