I guess some raises and bonuses are in order.
Well, you have to attract and retain the right sort of people...
That's probably the biggest unintentional risk to IT security...
Nobody outguns the insider-threat IT guy; but if you want people who have access to juicy information in the normal course of employment, are frequently unsavvy enough to open dubious attachments and the like, and often have enough institutional clout to flout onerous restrictions placed on lesser cube drones, just look at HQ.
Yes, MBAs are Master Bullshit Artists; look what happened when we elected one president.
It's not just internet security they're oblivious to.
What part of "The rules don't apply to us" don't you get?
Not mentioned in that article - the C*s and V*s will often insist on actively downgrading company security measures for their convenience, sometimes to the point where it actively puts everyone else at risk (not just indirectly when they get infected).
I remember one who just turned off the company's gateway firewall because it was interfering with his music pirating.
I'd be the last to argue that institutional IT isn't (in some locations) infested with incompetent, hidebound, obstructionists who really shouldn't be in the industry and/or are basically fucking with you; but one reason why the 'enterprise' IT user experience is so comparatively miserable is that the 'home' IT experience takes some crazy risks in the service of ease and convenience... Also, backwards compatibility and legacy systems integration.
"Everyone has to pass through the eye of the needle.
Except these people."
Oh, yeah. That's one of my faves. In fact, I was at a place one day when there was a big meeting and some asshole decided that he HAD to have this fucking Elvis song as his "intro" - no one had a copy of it they could find quickly, so the infrastructure IT director became the pussy of all pussies and told the network guy to open the firewall so he could grab it from LimeWire or whatever. Clearly this story pre-dates iTunes/Amazon, etc.
That was the day I lost all respect for that schlub.
I was in a roundtable meeting at one company where the CEO bitched about security being too tight - in a company regulated by the FDA of all things.
This thread could go on for weeks if just a handful of BB IT readers dropped a few stories. Sometimes it's a damn wonder some companies still function at all.
Seems pretty common. Long ago I was an intern in the office of a university's president. She didn't like dealing with email or other computer-based tasks, so I'd read her emails to her and let her dictate responses. This gave me access to all of her email. She also didn't like using the university's enrollment management system, so I was tasked with that too. Since IT wouldn't give me more than the most basic access, she gave me her account credentials, which allowed me full access to all records for all students and alumni. While I never got up to any hijinks, it would have been easy to do on a massive scale undetected.
Many systems I set up during my consulting years had tons of exceptions built in for executives and their administrative staff. When CEO Bob is out of town, you can't have an approval holding everything up, so secretary Sam had an exception that let him do unlimited approvals. Since CEO Bob might be out of town or just out on the golf course at any moment, there were no restrictions on secretary Sam's ability to be CEO.
Often the problem is that the systems are initially designed with the theoretical way people think a company operates rather than the reality of how it operates. Once the system goes in place and the difference is discovered, holes are poked all over the place so those actually doing work can get it done. If you're a poor slob who isn't well connected in the company, good luck on getting one of those holes poked for you. Near the executive suite? Poke away!
This happens everywhere. For years I worked in a bank, preparing the cash that went straight to ATMs all over the state. On one hand, they would drill into us how important it was that, being the last line of defense in counterfeit detection, we scrutinize every bill that's flagged by the machines; on the other hand, if we're not keeping up production, we must be slacking off.
If a supervisor ran a currency counter that beeped too much, she would turn off all of the detectors so that she wouldn't be inconvenienced. If anything bogus got through to the ATMs, all they cared about was that it came through my office.
Every time you get cash out of an ATM, check the bills on the spot, no matter what the PR department tells you.
Can I flag a comment TIL?
The same basic principle is at play with national security. It has ever been that the "purchasers" of national security information (kings, queens, politicians, etc) were/are able to play fast and loose with the information they obtained (even - and especially - when doing so explicitly risked ongoing national security) in ways that got/gets peons executed, or at least sent to the Tower.
A number of years ago, I was working to stand up a SOC team for an organization that was just standing up IDS/IPS and SIEM (obviously, now that you have it, you need people to interpret it...)
I had noticed that some of the brute-force SSH assaults were coming so hot and heavy that they approached saturating some of our smaller circuits and firewalls. So I noted the fact, and included it as part of an argument to enable rate limiting on the firewalls (a fairly standard measure for dealing with DDoSes and brute-force attackers...)
I then got called onto the carpet at end of day, a day or two later, where manglement was fretting over my "admission" that we were nearly DDoSed. I told them, no, I saw a potential problem, and wanted to fix it BEFORE it rose to DDoS levels. They would not let me leave until I added nearly a page of weasel-words to the already-plain statement that this was a PREVENTATIVE measure because I saw the POTENTIAL for some occasional DDoSes in the future.
The same group INSISTED that I had not detected a trojan, that the workstation in question had tested clean, etc.
Until an outside audit group found the Trojan I had detected, AND the email chain of them denying what I had found.
Now, in a NORMAL world, I would have gotten a small bonus and a promotion... but what REALLY happened was at the end of the option year, they dropped the SOC Lead position, saying it was unneeded... and so, once again, I found that no good deed goes unpunished...
Thinking about this some more, it seems that once people get to a certain level - be it in politics, intelligence, or business - they cease to think that they are part of the organisation (be it government, spook city, or corporation) and come to think that the organisation is theirs, their plaything, to do with as they will. They don't have to follow the rules, because they set the rules, and it's effectively impossible for them to "break" the rules, because the rules are whatever they deem them to be. "When the President does it, that means it is not illegal" is the most public example, but far from the only one. Enron is another excellent example.
So, senior execs aren't a threat to IT security at all. IT security exists to serve them, so if they deem that IT security is an embuggerance, well, let's not forget which is the horse and which is the cart. IT security can go to hell. And if the senior exec should royally screw the pooch... shrug, the next senior exec position is only a golden parachute away.
No surprises here. I've seen this so many times I could've just screamed. But, I didn't. I just turned into a mega-bitch diva. Working as a consultant for many years showed me the horror show that exists many times.
Perhaps the worst company-company abuse was a company I worked for that charged a well-off Native American tribe close to a half million to install their new accounting system - which was a beta. And no back-ups of the original data were done! And yet, they love to say 'risk-management' in their round table meetings.
Or, a federal agency that had accounts existing for workers who hadn't been there in as much as 7 years, plus current accounts with killer access to sensitive information. Why? Because despite having hundreds of IT people on staff, they'd happily pull them off-task at any time to do special favors for execs until there was nothing left for the essentials. And then, they fell in love with their Blackberries - one of the crappiest platforms I have ever encountered. More manpower lost.
I think the very worst were the 2 federal employees who harassed a contractor so heavily that one day, he just went home and blew his brains out. Literally. They neither knew nor cared that the guy already had a history of depression and was being treated, but it wasn't enough to get past what he had to deal with every day. It does happen. Kind of made all the rest of the malware and virii and executive entitlement pale in comparison.
I suppose I could chime in with some of the silliness I’ve seen over the years, but instead I’ll give props to my boss: she doesn’t insist on any special treatment or IT privileges. She doesn’t even have local admin on her laptop, and doesn’t ever whine about it, either.
tl;dr: not everyone with “President” on their business card is a clue-free moron; just most of them.
Does it strike you that, due to the vast majority of clueless idiots, the type of boss like you have now has become... I dunno, almost saintly to us in a way?
As someone in IT I've got to say: "Tell me something I don't know."