Tuesday, July 31, 2007

(At Least) Ten Things The WSJ Got Wrong

I have just been reading an article on the Wall Street Journal site called "Ten Things Your IT Department Won't Tell You." The article is about how and why companies don't let you do certain things on their computers and on their networks, and how you can get around these security controls. The article completely misses the point of the security controls. I'm with the IT department, and I want to tell you why and how the WSJ got it wrong.

Security features are put in place to protect the confidentiality, integrity, and availability of a company's assets. This does not vary much from place to place; it is the stated reason for putting most security measures in place. Most security practitioners don't even view employees' productivity as an asset; if there is a productivity problem, the burden of enforcement lies with the employee's manager or supervisor. From personal experience, I can tell you that I have much better things to do with my time than to try and see who has been trying to get to YouTube or Playboy. But if you circumvent our security measures, I'm required by regulations, guidelines, and company procedures to investigate the incident.

This brings me to one of the biggest things that the WSJ article seems to miss: We can see you doing what you are doing! Many organizations, due to regulations such as HIPAA, SOX, GLBA, PCI DSS, etc., are required to put in place tools that give visibility into electronic communications. This means that wherever you work, you probably have somebody looking over your shoulder. In my organization, we use a monitor that lets us see any unencrypted communication going out to the Internet. We have rules built into the monitor that log and alert us when certain keywords or other data are transmitted.

For instance, we have rules built to detect people circumventing our website blocker by using a proxy site or software. This is relatively easy most of the time because the transmission still goes in cleartext, so the monitor picks up on the site categories. And if you use an encrypted proxy, we can usually still see that, because we have access to all of the proxy lists that are available, just like everyone else does. We can still tell that people are circumventing our security tools.
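As an added example (not the author's monitor or rule set), here is a small Python rule set of the kind described above, run over a few constructed log lines. It flags requests to hosts on a proxy list, looks inside the query parameters that CGI-style proxies use to carry the real destination, and categorizes that destination against a blocked-domain list. The hostnames, the log format, the parameter names and the rule names are all assumptions made for the illustration; a real monitor would load a published proxy list and a category feed instead.

```python
"""Toy network-monitor rules: flag proxy use and blocked-category destinations
in a simple proxy access log. Example code; lists and log format are assumed."""
import re
from urllib.parse import urlparse, parse_qs

# Constructed, hypothetical lists standing in for a real proxy-list feed and
# URL-category database.
KNOWN_PROXY_HOSTS = {"proxy.example", "anonbrowse.example"}
BLOCKED_DOMAINS = {"youtube.com": "streaming", "adult-site.example": "adult"}
# Query parameters that common CGI proxies use to carry the real destination.
PROXY_URL_PARAMS = ("u", "q", "url")

# Assumed log layout: "<timestamp> <client-ip> <method> <target>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<target>\S+)$")


def category(host):
    """Return the blocked category for host or any parent domain, else None.
    Stops short of the bare TLD so 'example' alone never matches."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        cat = BLOCKED_DOMAINS.get(".".join(labels[i:]))
        if cat:
            return cat
    return None


def inspect(line):
    """Return a list of (rule, detail) findings for one log line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return [("unparsed", line.strip())]
    method, target = m.group("method"), m.group("target")
    findings = []

    if method == "CONNECT":
        # HTTPS tunnels expose only host:port, but an encrypted proxy is still
        # visible when its hostname is on the proxy list.
        host = target.rsplit(":", 1)[0].lower()
    else:
        host = (urlparse(target).hostname or "").lower()

    if host in KNOWN_PROXY_HOSTS:
        findings.append(("proxy-host", host))
    cat = category(host)
    if cat:
        findings.append(("blocked-category", f"{host} ({cat})"))
    if method == "CONNECT":
        return findings

    # CGI proxies pass the real destination in cleartext as a query parameter
    # (parse_qs already percent-decodes it), so its category is still visible.
    for param in PROXY_URL_PARAMS:
        for value in parse_qs(urlparse(target).query).get(param, []):
            inner = urlparse(value)
            if inner.scheme in ("http", "https") and inner.hostname:
                inner_host = inner.hostname.lower()
                findings.append(("proxied-url", inner_host))
                inner_cat = category(inner_host)
                if inner_cat:
                    findings.append(("blocked-category-via-proxy",
                                     f"{inner_host} ({inner_cat})"))
    return findings


# Constructed sample log lines (hypothetical hosts and addresses).
SAMPLE_LOG = [
    "2007-07-31T10:15:02 10.1.2.3 GET http://www.example.com/news",
    "2007-07-31T10:15:09 10.1.2.3 GET http://proxy.example/browse.php"
    "?u=http%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3Dabc",
    "2007-07-31T10:16:30 10.1.2.7 CONNECT anonbrowse.example:443",
    "2007-07-31T10:17:01 10.1.2.9 GET http://www.adult-site.example/",
]


def scan(lines):
    """Map each log line to its findings, dropping lines with none."""
    report = {}
    for line in lines:
        hits = inspect(line)
        if hits:
            report[line] = hits
    return report


if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LOG).items():
        print(line)
        for rule, detail in hits:
            print(f"    {rule}: {detail}")
```

Running it lists the proxied YouTube request, the CONNECT to a listed proxy host and the direct request to a blocked category, while the plain news request produces no finding. The parent-domain walk in `category` is what makes `www.youtube.com` and `video.youtube.com` both resolve to the same category entry without matching lookalike hosts such as `youtube.com.evil.example`.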

Our policies and the regulations we follow require that these violations be documented and reported. In many cases, this leads to disciplinary action against an employee. Several people here have been fired for violating our security measures. This does not just include the use of proxy servers, but extends to unauthorized use of USB drives, installing unlicensed and unapproved software, bringing in a laptop to use peer-to-peer software, etc. Just because you are able to do something doesn't mean you are authorized to do it. And just because you get away with it the first time with no repercussions doesn't mean that we don't care or don't know.

Now that I have established that point, let me address the first point that I made: the policies and procedures we institute are not arbitrary! Aside from the regulatory requirements I listed above, we have good reasons for putting in place the restrictions that we do. These policies are designed to reduce support costs, protect the computers and network from viruses and malware, decrease the likelihood of an unintended information disclosure, and reduce bandwidth costs.
So here's "(At Least) Ten Things The WSJ Got Wrong."
1. We don't want you sending big files through email because it is expensive. Do you know how much it costs to buy more disk space for your email server? About $4 per GB (2x 300GB Ultra SCSI 320). If you have a legitimate business purpose for sending a large file, call us up. We'd love to help you and make sure that the file gets sent the right way. Especially if it is a case where the release of the information must be regulated. Just don't ask us to help you forward the latest movie trailer or funny video clip you downloaded.

2. We don't want you to use unauthorized software because it drives support costs up and could get us into a lot of trouble. No, we won't let you use Limewire to download the hottest software, songs, and movies. If the BSA, RIAA, or MPAA catch you, we are the ones who get sued -- that's a huge liability! Not to mention the performance hit on the network and the bandwidth costs.

If something you use or install causes conflicts with one of our applications or changes some obscure settings, are you going to pay to get the computer back up and running properly? Nope, we eat that cost too. We have a limited set of software that we approve because this is what we support and it is what our software vendors support. If IE7 or Firefox won't work with the web application somebody else built, we don't have the resources to fix it.

3. We block certain websites because they could create a hostile workplace, are associated with viruses or spyware, or suck up all our bandwidth. If someone visits an adult website and another employee or customer sees it, we can be sued. Do you really need to do that at work anyway?

Quite a few of the websites that we block host viruses or spyware or act as relay points for keystroke loggers. Anti-Virus won't catch everything -- it has to update multiple times per day just to stay abreast of the latest threats, some of which can shut down the protective software altogether.

Streaming video and audio sites can consume huge amounts of bandwidth. Even though they are streamlined for distribution, they can still be hogs if several people are using them at once. For simplicity's sake, let's assume that streaming audio eats up 64 kbps and streaming video 128 kbps. Some use more, very few use less. And let's assume that your company has a 10 Mbps connection to the Internet. Some simple math says that about 150 listeners or 75 viewers will totally saturate the connection. But this doesn't count the people visiting websites, any applications which require Internet connectivity, email, etc. Not only that, but streaming media players typically try to gulp up as much bandwidth as they can at once, which may generate 5-10x as much traffic at any one moment. In practice, if about 20 people on this Internet connection are using YouTube or listening to a radio station, you will notice a big slowdown when visiting websites.

4. Most of the time, clearing out your Internet Browser files doesn't help anyone. If you get a virus or any other nasty malicious software on your computer, clearing out your browser files makes it harder for us to track down and prevent next time. And most of the time, it won't even cover your tracks if you've been someplace you shouldn't have been. There's a reason we've got forensic tools at our disposal. We can usually get that information off your hard drive, and even if we can't your activity is still being logged by our network forensic tools. If you don't want your employer to know what sites you visit, don't go there on his dime.

5. Don't cause a data leak by taking your documents home without checking with us first. Call your IT department and see how they want you to work at home. Odds are, we have a way to do this or can come up with something to allow it. If we can't, talk to your boss about it and make sure they know you'll be working on your own time to increase your productivity. Doing one of these two things will help to make sure you can get your work done and that we can keep the data protected. Email, portable storage, online file sharing, and other methods are NOT designed to keep confidential information safe, they're designed to spread this information as easily as possible! You'll do yourself and your organization a favor if you play by the rules on this one.

6. If you store your work documents online, a hundred bad things can happen to them. In addition to the reasons I mentioned in #5, there are other things that can go wrong with online storage. If you're storing your important files with a free online storage site for a backup or as your only copy, don't. Encrypted data needs a key to unlock it -- are you going to make sure it's safely and securely stored? These things get lost or stolen all the time, and then the data is gone or is available to anyone. And online companies don't have the best track record for keeping your data available. Google, which tries to permanently store all online data, has lost accounts, messages, and files many times from Blogger and Gmail. Your organization backs up the data stored with it (or should), and those backups are insured against loss or theft. This is the right way to go about it.

7. Web mail and instant messenger conversations should never be used to send private or confidential data. Only a few web mail providers, such as Hushmail, provide SSL encrypted communication by default. This means that anything you view in your web mail can be viewed by our monitoring tools. Yup, from that email confirmation when you applied to our competitor to the naughty photos your girlfriend sent you, we can see it. And web mail doesn't have a great record for privacy anyway; Hotmail and Gmail have had several flaws that have allowed attackers to gain access to hundreds or thousands of mailboxes at a time. Not great if you've got any emails with your Social Security Number, bank account number, credit card online account password, etc.

Instant messaging isn't much better. Though you can add encryption to your conversations, the software tends to fail silently, not alerting you to the fact that the messages you're sending are unencrypted. Also, the person on the other side has to have set up their client to encrypt the messages too. If you're going to chat with your buddies, do it outside of work for your own benefit.

8. Forwarding your company email to your personal account is a bad idea. If an email is sent from one mailbox to another on the same system, the message stays as safe as your email system. However, if you forward it outside your organization's security perimeter, it can be very bad news. To begin with, you're probably going to be sending the message unencrypted to your personal mail server. From there, when you check your mail it will probably be unencrypted. Then if that mail is forwarded to your cell phone or PDA, it is probably left unencrypted on the mobile data network. This is just a bad idea all the way around. If getting your email outside of work will help you do work, odds are your IT department and/or your boss will help to accommodate you to increase your productivity. Just ask.

9. Checking personal mail on your company PDA or Blackberry isn't all that bad, just don't expect the IT staff to help you do it. The only places where this would be a bad idea from a security standpoint are highly secure environments where secret or top secret information is being passed around. But that doesn't include just the military; it also applies to anyone who has access to information that might be highly desirable to others. There are not many viruses out there that target mobile platforms, and those that do don't spread by email. However, it is conceivable that a specially crafted multi-platform virus could work its way into your network this way.

But you'll want to think about things carefully before you do this. Many organizations have a Blackberry Enterprise Server that controls the flow of data to and from the handheld device. So it might be that your mail is going through your company's network to get to you. If that bothers you, don't set it up this way.

10. We don't care about your productivity unless you work for the IT department. Your productivity is your boss's problem. We may help him or her to trace your online activity, but we don't really care. But keep in mind that we can still see what you're doing on the Internet, and part of somebody's job might be to generate reports for managers so that they can see what you are doing.

11. The IT Department should be your friend, not your enemy! Information Technology is a business enabling tool for your organization. We're here to make the business more profitable and to help you do your job. Sometimes it doesn't come across that way, but I can guarantee that this is the way your CEO sees it. If you can make a good case that something would increase your productivity and improve the business appreciably, odds are you can get it implemented.

Just because you don't know a way to do something doesn't mean we don't have a good way to do it. One of the things that strikes me most about these points is that many IT shops already have approved methods for them. If you have a legitimate business use for doing something, odds are we've got you covered. Whether it's getting to your documents at home, checking email from the road, or surfing the 'net in your free time, ask us! If we can reduce the amount of work we have to do and help you out at the same time, it'd be silly not to.

Remember, your IT staff is made up of people who have the same desires and face the same problems you do. We have motivations to do things, and figuring those out can help you get what you want. Pitch the same thing two different ways and you can get two different responses. If you are able to let us know how it benefits us, you're much more likely to get your way. Together we can figure out a system that makes it possible. Treat us like a friend and you might be surprised what we'll help you with.

update: There are lots of other good responses to this article out in the Blogosphere, some of which I have listed below. Security violations are up today, as is the paperwork I've now got to do to report them. But this can be a good thing for those of us who are out there protecting our networks. We can help educate the people who have the power to change these things as well as the people who want to get around the security measures. We have to work a little harder on the front end, but it pays off in the long run.

Andy, IT Guy
The Daily Incite
terminal23
RiskAnalys.is
Realtime Community
Layer 8
bloginfosec.com
InfoWorld
IT Security, the view from here

Monday, July 30, 2007

A New Job

As of August 10th, I will no longer be in my old position, and on August 13th, I will begin at a new job with a different company. This job will give me a better chance to work with people in my industry, as well as afford me the chance to travel more. While it was a hard decision, it was ultimately the right choice for me. I loved working with the folks I have and working for my boss, but it is time to move on. Hopefully both this and my travel blog will become more active as I have more relevant experiences to share.

Schneier on the TSA

Bruce Schneier has been quite vocally critical of the Transportation Security Administration in the past over what he calls "security theater." Well, it appears that somebody over there was listening and wanted to address it. That somebody was the head of the administration. He invited Bruce to have a conversation with him and publish it on the blog in order to increase the transparency of the agency. The first post in this series shows that even the TSA has a sense of humor about itself, and it makes a fairly persuasive argument that they actually are trying to keep us safe, not just piss everybody off.

I'm really looking forward to seeing the rest of the conversation and hope that it helps to make the public more aware of the incredibly difficult job that these guys are trying to do. To actually be effective as a government agency requires a ton of work and dedication. But I think the TSA has begun to turn a corner and is headed in the right direction. After seeing their response to the "sippy cup" story, I realized that somebody over there was paying attention. They've got a website up now to set the record straight, or at least tell their side of the story and defend themselves. They've also been vocal about having security that actually, you know, makes us safer rather than just looks good.

Wednesday, July 25, 2007

Reminder: CitySec Tonight!

REMINDER: CitySec Atlanta tonight! Show up at The Brick Store Pub at 6pm for some HotHillBillySec. Does that sound dirty to anybody else or do I just have a dirty mind?

Thursday, July 19, 2007

Google Declares Sister Website "great website"

It's official! My travel blog has been given the extraordinary epithet "great website" by the all-knowing Google. Actually, it wasn't Google, but a search user.

I was digging through my Analytics report this morning and saw this gem:
This says that someone found my website by searching for the term "great website". Two someones, actually. While that is a great compliment, a little looking revealed that it was because I linked to National Geographic's Picture of the Day site and called it great.

I searched the first 20 pages of Google results for my website but couldn't find it. I figured that the people who found the site by that link must have looked awful hard for it. But then I realized that their results were likely different from mine the way the search giant's algorithms work. From what I've read, they calculate probabilities of what you're actually looking for using your unique site visits to guide them. All of this is really just a fancy way of saying "Google tracks you."

There's probably a good post to be made about how Google's privacy policies expose you to all kinds of information disclosure. Or about how these meta search words can be skewed in subtle ways to target less sophisticated users with malware. But I don't have the time right now to work those up, so use those analytical skills I've been urging you to develop.

Tuesday, July 10, 2007

It's Not In The Blinky Things

I read a really good passage today from a book called "Zen 24/7" by Philip Toshio Sudo. It was talking about how Zen views security. In this philosophy, security is viewed as a part of self-reliance and individual responsibility. You are responsible for your own security because you, and only you, are responsible for you. In this Zen passage, Sudo says "Lose your money, you still have the means to live. Lose your identification, you still have your identity."

The line about money may or may not apply to people in our world, but it will always be relevant to those who live by the simple ways the book advocates. If you lose all of your money, you still have yourself, and you can make the money again. If you are stripped of all your possessions, you are left naked to the bare substance of who you are. If you know yourself as who you are, as opposed to what you own, this is not a crippling turn of events.

The line about identification is a little more difficult and requires some clarification. Sudo is not talking about identity the way security professionals and the media do, in the vein of identity theft. Instead, he and the Zen philosophies think of identity as who you know yourself to be. From this point of view, the word "identification" in the sentence can be thought of as "identity" the way the western world thinks of it. In other words, "Lose your identity, you still have who you are."

Zen is filled with this way of looking at the world: "You are the only one who lives your life and who is wholly in charge of how it comes out, and you can not live for anyone else." "No matter what happens to you, it is all just another step in the path along the journey that is your life." These are two very different ways of thinking from the way we typically look at life. Sometimes we are more connected to other peoples' lives than to our own -- even going so far as to try to tell others how to live them or to let them tell us how to live. But in the end, no one but us lives through the ramifications of our decisions and behaviors. And we cannot live through those that others make.

We tend to think of security as someone else's responsibility, and that is how most voices on the Internet talk about it. It is Amazon's responsibility, or Visa, or the government. But it's not their responsibility to take care of us, it's ours. We can change our behavior so that we only use disposable credit card numbers online or just pay cash to an actual person. We can drive instead of fly, or walk rather than drive. Security always comes at its own price, whether that is money, convenience, or privacy.

So keep these things in mind when you are thinking about security. Not all ways are right for all people. You have to decide what is right for you because you have to do it and live with the results. As Sudo tells us, "The security lies not in the money, the credit card, or the license. It lies in you."

Monday, July 09, 2007

Atlanta CitySec

This is to announce the first Atlanta meeting of a group called CitySec. The group is a loose affiliation of people in the Information Security field who facilitate grass-roots meetings of others in the industry. The meetings are very informal and usually take place in a bar or some similar laid-back setting. Here is more information about the meetings in general:
http://citysec.org/forums/1/topics/9

And the thread for the Atlanta meeting, specifically:
http://citysec.org/forums/1/topics/20

The meeting will be held on Wednesday, July 25th, at 6pm at The Brick Store Pub in Downtown Decatur. Their website is http://www.brickstorepub.com if you need directions or more information. We hope to see you there!

Friday, July 06, 2007

Online Storage Safe Isn't Safe

Online storage has been around for a while. It's the idea that you can put your digital stuff online and access it anywhere. It's a great way to transfer files or to keep a backup of things you don't want to lose. In addition to the sites which will store any filetype, dedicated sites exist to store photo, video, music, and text documents.

We've gotten so used to things being online that some people have put almost all their documents online. I have plenty of pictures and videos stored there and am increasing the percentage of these things that I store there. These services are making it easier and easier to store things online. YouTube even has a feature called Quick Capture that takes video directly from a webcam to the online service without storing it anywhere on your computer first. Eye-Fi is a product that can send photos direct from your camera to many photo sites.

However, this can become a problem if people keep their ONLY copies of documents and media online. This morning, Flickr was inaccessible for me -- I'm not sure if the site was down or if it was a localized issue (update: Yahoo! was down for a while). I was just trying to put up my latest photoblog entry, so it was not a big deal. But imagine if I'd been scheduled to make a presentation and stored my only copy on a site that was down. I've seen similar things happen to presenters; it's not pretty.

I'm able to get to Flickr now, and the presenters were eventually able to work through their technical glitches. But what if the storage site lost all that data? Most of them have clauses in the agreement you have to click through that indemnify them in case of a loss of this kind. Losing data is more common on the Internet than many people realize, especially with beta services. Big companies are no less susceptible to this than the small startups.

There are also privacy issues with these services. If you post your company's financial reports to Google Docs, your CFO will probably be pretty upset with you. If you accidentally upload very personal photos to one of the photo sharing sites, they may stay there forever. If a prospective employer does a Google search and comes across a video of you in a manner not befitting their standards, they can refuse to hire you. These things are not far-fetched; similar things have all happened.

Online media and file storage services are great for convenience and sharing. But you should keep in mind that they are just as susceptible to failure as anything else. And they are just as, if not more, accessible than public records. That goes for any information you might post on the Internet. So keep that in mind when you post the video of yourself drinking tequila with Paris Hilton and link it from your MySpace page. And make sure you've got a backup of anything important you keep online.