Tuesday, August 14, 2007

More On What IT Wants To Tell You

Last Tuesday, I was contacted by Vauhini Vara, author of the now-infamous WSJ article published last week that gave readers advice on how to circumvent the IT security controls their companies had put in place (FYI, if you haven't listened to the podcast related to the article, it's worth it). The email thanked me for my comments and asked for some help in writing a response to that article. I took a long time creating a response before realizing that I'd gotten way off topic from the request. So I have cleaned it up a bit and posted it below.

The follow-up article was published today and is available to everyone for free, just as the original was. While the latest does give a voice to some of the concerns many security professionals had, it seems to serve mainly to placate those with concerns. I don't believe this is something the author should be faulted for; it merely reflects everyone's interest in seeing the story be over. At the risk of seeming unappeasable, I think that the article lacks the intensity of the first and seems to demonstrate a lack of true understanding of the topic.

Again, I don't see this as Vauhini's fault; she has the near-impossible task of taking something some people spend their entire lives doing and trying to boil it down to a couple of hundred words to fit into a column. Without an in-depth understanding of the subject and a gift for succinctness (which I don't have), this is incredibly difficult to do. I would imagine that the only way to get this right would be to collaborate with a subject matter expert, allowing editing and revisions. But this is not appropriate to the typical journalistic process.

I won't spend any more time talking about this subject because there will never be complete agreement between IT security people and the employees over where an acceptable boundary is between protecting the organization and ease and freedom of use. There isn't even total agreement between employees or between IT security folks. So this post will, thankfully, be my last on the subject.

More thoughts on the topic
As I mentioned in my earlier post, the IT department is involved in businesses to enable productivity and to contribute to the bottom line. The information security professionals are there to provide technical oversight in the way that the physical security people do. Several things are involved in this oversight, like being involved in the design process, putting in place administrative and technical controls, and auditing the organization's procedures.

The difference between physical security and information security is that physical security is something we are born and bred to recognize and respond to. Things like protecting valuable assets, restricting access to locations, and preventing attacks are well understood by people because they have had to deal with these issues all their lives. However, when computers are involved, these same principles seem alien. Computers and information networks are incredibly complicated systems, and understanding them is too large a task. Therefore it is difficult for people to have an intuitive sense of what security and usability trade-offs are being made.

In designing a good access control system, for example, it is widely acknowledged that access to a facility should be granted only to those people who have a need to be there. So systems have been put in place to make sure the people walking into the building should be there, whether it is a security guard, an ID badge reader, etc. IT security is no different in practice. When we design, say, a wireless network, we also want to make sure that these precautions are taken. Having access to an organization's network can be just as damaging, more or less, as having physical access to the home office. While employees may recognize the potential danger in propping open a door to the outside, they may not realize that bringing in a wireless access point from home violates the same principle.

One of the main interfaces, and problems, people have with IT security is web page filtering. They typically don't view it as anything but trying to keep them productive on the job. So they view circumventing this technology as a relatively benign thing to do, especially if they are taking a break. But productivity is almost certainly not the reason why the web blocker was brought into the network. Malicious content (whether hosted on reputable sites or on maliciously designed sites) and legal precautions (regulatory requirements, sexual discrimination law, etc.) top the list of reasons why IT security departments want to be able to block certain websites.

Along with filtering web content, monitoring Internet traffic is one of the important tasks that IT security personnel perform. In some industries, this is driven more by organizational needs than by regulatory requirements. Many companies and governmental institutions have a need to know what comes in and goes out of their network. Internet monitoring is one tool to help with this. In cases where secret, confidential, or regulated information is involved, knowing if it escapes the network is critical. This can be accidental, like a consultant emailing important documents to himself, or it can be malicious, like a key logging program transmitting credit card numbers half a world away.

However, web filtering and monitoring devices have been tasked to try and decrease the amount of time employees spend not working while they are at work. And this is when most people come into conflict with the technology. A worker who wants to visit the New York Times webpage and finds it blocked may feel that these technical controls are unreasonable. This may, in turn, cause him or her to try to circumvent them in the process of doing normal business. For example, if an employee needs to send a log file to a vendor and it is too large to go out through the email system, using a web page to host the file might seem like an ideal way to get this done. However, if we pretend in this scenario that the log contains records of all patients admitted to the Emergency Department of a hospital, those records are exposed on the Internet for anyone to access.

With those things in mind, here are some tips to help people work with, instead of against, their IT security people. These positive suggestions will likely work better than their "don't do this" counterparts.

1. We're here to help you help the company make money. That's how we get fat bonuses and better toys! If you have a legitimate business need to do something that we're preventing, talk to us.

2. We love playing with new toys! We'd love to spend 50 grand on new wireless access points and have them around to play with. If you can help us build a business case to do that, we'll work with you.

3. Come to us with your problems and ask us to help. We may know an easier way of doing something through automation or simplification. Give us the opportunity and freedom to be flexible and creative when fixing your problem and we might amaze you!

4. We take our jobs seriously and have pride in our knowledge and skills. If you treat us with professional respect, we will do the same for you. If you are patient and friendly with us, we are more likely to want to help you. If you treat us well consistently, we don't forget it.

5. We enjoy being thanked and appreciated. Some things might take a lot of work or be especially challenging. Thanking us sincerely is the easiest way to show you recognize this. Baked goods and complimenting us to our boss are the best way to get us to work twice as hard for you next time!

Working in IT can give you quite a few good horror stories to share. IT security can produce some especially gruesome ones. Some of the stories are protected by confidentiality agreements or legal order, but many of these would not be safe to print anyway.

I won't give any specific stories about the type of pornography that I have seen in my job, but I have to say that I've seen more things than I could have imagined existed. While I haven't seen anything that would be illegal, I have certainly had my eyes opened to the variety of things that people find erotic.

My organization fought a network worm shortly after I became involved with information security. It wasn't a terribly destructive or widespread one, but we spent over 200 hours cleaning it up. After some investigation, it was determined that the worm exploited a new vulnerability and was probably brought in by someone using a personal laptop.

Several times a day, the Internet monitor alerts me to the fact that someone has sent their own (or sometimes a friend's or associate's) personal information out on the Internet. Whether it is their tax return being sent to their webmail address, their application for a car or payday loan or job, or a background check for a tenant, many people don't realize that the information they send out can be seen by many people they don't intend. Most of the time, we try to contact the person or company responsible for the information to make sure that they are aware of the issue.

Occasionally, we have had viruses or spyware infect computers embedded in products that we are prohibited from working on and to which we do not have access. In these cases, we attempt to contact the vendor and, depending on the severity of the attack, treat the device as if it were nonfunctional, remove it from the workflow, and power it off.

Lack of communication is one of the biggest problems that we have. From things as simple as a vendor needing Internet access to do a presentation to departmental changes that will require hardware moves and substantial changes to organization software, sometimes people don't understand what is involved for us in doing that work. We can't always fix a problem immediately, even if we don't have a full schedule -- these things take real time and effort.

Sunday, August 05, 2007

How To Explain The Internet To Your Grandmother

In an interview for my new job, I was asked how I would explain the Internet to my Grandmother. Wow, that one caught me unprepared. How would I even go about explaining something which has such great complexity to someone utterly unfamiliar with the concept? How would you do it? How do we explain technology to the technologically challenged?

I began by talking about the physical structure of the Internet: general purpose computing devices connected by optical and copper transmission conduits. I realized that it was wrong, so I began talking about what the Internet does: connecting people, organizations, data stores, etc. That wasn't quite right either, so I went on to explain what the Internet allows: shopping, chatting, referencing information, etc. This was better, but still not great. I made analogies to talking on the phone with a network of friends and to looking up words or concepts in an encyclopedia. Still not perfect, but I made an impression on the interviewer that was good enough to get a job offer.

But the question remained with me and I have thought about it quite a bit. The problem of how to explain anything to anyone is one that almost nobody talks about. It really boils down to about three components: a near complete knowledge of the material, adequate knowledge of the audience, and an ability to relate the two. In answering my question, my problem was that I didn't do the latter two very well. I really don't know enough about what problems my Grandmother faces (out of milk, how to take care of a diabetic, what to do on Tuesday afternoon with the Great-Grandkids), how she solves them (going to the store, asking a physician, reading the local paper), how well her solutions take care of the problems (very well, moderately well, poorly), and what outstanding problems she still has (how to keep someone from wanting to eat cookies, nothing going on in town this Tuesday). And so not knowing these things, I cannot adequately explain to her how the Internet works in a way that she will understand as being relevant to her (posting questions on forums, researching helpful websites; lesser known events, new fun things to do around the house). Instead of doing this, I was trying to explain it to her from my point of view and taking only my concerns into account.

After doing some more thinking, I came to the conclusion that I was on the right track with my explanation, but for the wrong reason. I had the general groups right, but the format was all wrong. The key to understanding many systems is to think about them in three layers: What something is, what it does, and what it makes possible. The Internet then is a large number of copper, radio, or optical connections for a large number of general purpose machines around the world. It allows communication between these disparate machines by automated processes or by human users. It makes possible things like shopping, referencing, entertaining, etc. There is overlap between these categories, for example protocols could fit in the "what it is" and the "what it does" but in general, this is a good way to categorize and conceptualize these divisions.

The right way to come at explaining this system is to begin with the higher level, the "what it makes possible" part of the equation -- this is another reason why my explanation failed. Analogies can be an important part of this to make sure the audience understands. So I would begin by explaining to my Grandmother that she can order things online as she could do in a catalog. Or she can research and ask questions of doctors, others taking care of diabetics, researchers, etc. And she could find more local information, so maybe she could find a regular local event that the papers don't bother to include. This way, I have her attention and she is interested in learning how all of this is made possible.

That is when I would begin to explain the details of databases, webfront shopping, user generated content sites, trustworthiness of information, etc. I can tell her how Amazon is able to offer that reprint of a book she read as a girl when no local stores have even seemed to be able to order it for her. I can tell her that she can share her experiences caring for a diabetic with others to help them learn from her great experience. I can show her how her computer is a part of the global network and what that means in terms of responsibilities and freedoms.

Then if she is interested in learning the technical details and inner workings of the Internet (and what Grandmother wouldn't be), I can describe these things. I can talk to her about protocols, the OSI model, and the benefits of optical versus copper for data distribution. As this will probably be later in the day, it will be a perfect time to address these issues as they will ease her way into sleep. We may both pass out simultaneously when I get to the rainbow series of books.

If there is an information security lesson here, it is that you really can explain to others how technology works. You have to know your subject well, know your audience, and know how to connect the two. But the most important part of this is to get the audience interested quickly and draw them in by connecting the audience to the subject in a way that is meaningful to them. You can do this using the third layer of my system model, the "what does it make possible" layer. Then you can delve deeper as is appropriate. It might be more difficult at first, but I think that it will become easier with more practice.

Friday, August 03, 2007

Don't Try To Con A Con Man

Don't try to con a con man. This is the lesson learned from the 1988 movie, Dirty Rotten Scoundrels, starring Steve Martin and Michael Caine. (BTW, Steve's official website wins the prize of funniest and most bizarre of the week, narrowly edging out this one -- it's been a busy week, folks.) This lesson is one of the classic blunders. Unfortunately for one of Dateline NBC's producers, Michelle Madigan, she'd never heard the corollary "never try to social engineer a hacker."

You see, the trouble started when Ms. Madigan decided to try to infiltrate the (in)famous technology security convention, DefCon, to get a story about the participants breaking the law. Of course this wouldn't be news, but neither is Dateline NBC (yes, a cheap shot, but c'mon -- have you seen this?). Apparently, the DefCon organizers have their own mole deep inside Dateline HQ who alerted them to the plan and sent along a picture. This photo was displayed before each lecture along with the message that she was attempting to deceptively gather information for a report. Apparently the assistant producer was lured to an ambush, was confronted, fled, and was hounded by people taking photos and videos. Sound familiar?

The takeaway here is that confronting an opponent on their own turf is a great way to get the opposite of the result you want. There have been several legitimate reporters (even kids!) and bloggers who have spoken with the kind of people who populate the virtual back alleys of the Internet. By being open and honest about their intentions, they usually manage to get a worthwhile interview. There are also several bloggers who have misrepresented themselves to get access to material from these people. But they were very careful about doing it and built up a trust relationship. I think the best advice here is to just be forthright and honest and leave the tricky and manipulative stuff to the professionals.

update: Here's a video, complete with crappy crowd participation boos and hisses, amateur videography, paparazzi style ambush journalism, etc. While turnabout is fair play, do you think that she's the only person who's misrepresented herself at DefCon? I doubt it. Show's over, get back to the presentations, folks. That's what we'll all be thinking about on Monday.

Of course, Elliot brings up some good points about her refusing press credentials, the irony of the "spot the Fed" competition she hoped to join, and the fact that even bloggers apply for press passes to avoid this treatment. So maybe I'm off base by thinking that it's only a funny story with the slow news weekend coming up. Decide for yourselves, folks.

Tuesday, July 31, 2007

(At Least) Ten Things The WSJ Got Wrong

I have just been reading an article on the Wall Street Journal site called "Ten Things Your IT Department Won't Tell You." The article is about how and why companies don't let you do certain things on their computers and on their networks, and how you can get around these security controls. The article completely misses the point of the security controls. I'm with the IT department, and I want to tell you why and how the WSJ got it wrong.

Security features are put in place to protect the confidentiality, integrity, and availability of a company's assets. This does not vary much from place to place; it is the stated reason for putting most security measures in place. Most security practitioners don't even view employees' productivity as an asset; if there is a productivity problem, the burden of enforcement lies with the employee's manager or supervisor. From personal experience, I can tell you that I have much better things to do with my time than to try and see who has been trying to get to YouTube or Playboy. But if you circumvent our security measures, I'm required by regulations, guidelines, and company procedures to investigate the incident.

This brings me to one of the biggest things that the WSJ article seems to miss: We can see you doing what you are doing! Many organizations, due to regulations such as HIPAA, SOX, GLBA, PCI DSS, etc. are required to put in place tools to give visibility into electronic communications. This means that wherever you work, you probably have somebody looking over your shoulder. In my organization, we use a monitor that lets us see any unencrypted communication going out to the Internet. We have rules built in the monitor that will log and alert us when certain keywords or other data are transmitted.

For instance we have rules built to detect people circumventing our website blocker by using a proxy site or software. This is relatively easy most of the time because the transmission still goes in cleartext and so the monitor picks up on the site categories. And if you use an encrypted proxy, we can usually still see that because we have access to all of the proxy lists that are available, just like everyone else does. We can still tell that people are circumventing our security tools.
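As an added example (not code from the original post, and not the author's monitoring product), here is a toy version of the two kinds of rule described here and in the "More On What IT Wants To Tell You" post above: a destination check against a list of known anonymizing proxies, which works whether or not the proxy session is encrypted, and payload rules that look for Social Security and card numbers in cleartext traffic only, since the monitor cannot read encrypted payloads. The log format, hostnames, IP addresses and values are all constructed for the example; a real monitor would load its proxy list from a category feed.

```python
"""Toy network-monitor rules: flag web-filter circumvention via known
proxies, and flag sensitive data leaving the network in cleartext."""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed list of known anonymizing-proxy hostnames (hypothetical names).
KNOWN_PROXY_HOSTS = {"proxy.example.net", "anon-surf.example.org"}

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13-19 digits optionally separated by spaces or dashes. This is only a
# candidate; the Luhn check below confirms it to keep false positives down.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed log lines: "<timestamp> <src_ip> <method> <url> <body-or-dash>"
LOG = """\
2007-07-31T09:02:11 10.1.2.3 GET http://www.example.com/news -
2007-07-31T09:05:42 10.1.2.7 GET http://proxy.example.net/browse.php?u=news.example -
2007-07-31T09:06:10 10.1.2.7 CONNECT https://anon-surf.example.org:443 -
2007-07-31T09:11:30 10.1.2.9 POST http://webmail.example.com/send to=me@example.com&body=ssn+123-45-6789
2007-07-31T09:12:05 10.1.2.9 POST http://shop.example.com/checkout card=4111111111111111
2007-07-31T09:13:00 10.1.2.4 POST http://forum.example.com/post id=1234567890123456
2007-07-31T09:14:20 10.1.2.5 POST https://bank.example.com/login user=bob&pwd=secret
"""


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Alert:
    line_no: int
    src_ip: str
    rule: str
    host: str


def scan_line(line_no: int, line: str) -> list[Alert]:
    """Apply the monitor rules to one log line in the constructed format."""
    _ts, src_ip, _method, url, body = line.split(" ", 4)
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    alerts: list[Alert] = []

    # Rule 1: destination is a known proxy. The hostname comes from the
    # request itself, so this fires for encrypted proxy sessions as well.
    if host in KNOWN_PROXY_HOSTS:
        alerts.append(Alert(line_no, src_ip, "proxy-circumvention", host))

    # Rules 2 and 3 inspect the payload, which is only visible in cleartext.
    if parts.scheme == "http" and body != "-":
        if SSN_RE.search(body):
            alerts.append(Alert(line_no, src_ip, "ssn-in-cleartext", host))
        for m in PAN_RE.finditer(body):
            digits = re.sub(r"[ -]", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                alerts.append(Alert(line_no, src_ip, "pan-in-cleartext", host))
    return alerts


def scan(log_text: str) -> list[Alert]:
    """Run every rule over every non-empty line of the log."""
    alerts: list[Alert] = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        if line.strip():
            alerts.extend(scan_line(n, line))
    return alerts


if __name__ == "__main__":
    for a in scan(LOG):
        print(f"line {a.line_no}: {a.rule} from {a.src_ip} to {a.host}")
```

Run against the constructed log, the two proxy lines and the two cleartext leaks produce alerts; the forum post with a 16-digit number that fails the Luhn check and the HTTPS login are left alone, which is the trade-off the author describes: the monitor sees everything unencrypted, and encrypted traffic is judged by where it goes rather than by what it carries.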

Our policies and the regulations we follow require that these violations be documented and reported. In many cases, this leads to disciplinary action against an employee. Several people here have been fired for violating our security measures. This does not just include the use of proxy servers, but extends to unauthorized use of USB drives, installing unlicensed and unapproved software, bringing in a laptop to use peer-to-peer software, etc. Just because you are able to do something doesn't mean you are authorized to do it. And just because you get away with it the first time with no repercussions doesn't mean that we don't care or don't know.

Now that I have established that point, let me address the first point that I made: the policies and procedures we institute are not arbitrary! Aside from the regulatory requirements I listed above, we have good reasons for putting in place the restrictions that we do. These policies are designed to reduce support costs, protect the computers and network from viruses and malware, decrease the likelihood of an unintended information disclosure, and reduce bandwidth costs.

So here's "(At Least) Ten Things The WSJ Got Wrong."

1. We don't want you sending big files through email because it is expensive. Do you know how much it costs to buy more disk space for your email server? About $4 per GB (2x 300GB Ultra SCSI 320). If you have a legitimate business purpose for sending a large file, call us up. We'd love to help you and make sure that the file gets sent the right way. Especially if it is a case where the release of the information must be regulated. Just don't ask us to help you forward the latest movie trailer or funny video clip you downloaded.

2. We don't want you to use unauthorized software because it drives support costs up and could get us into a lot of trouble. No, we won't let you use Limewire to download the hottest software, songs, and movies. If the BSA, RIAA, or MPAA catch you, we are the ones who get sued -- that's a huge liability! Not to mention the performance hit on the network and the bandwidth costs.

If something you use or install causes conflicts with one of our applications or changes some obscure settings, are you going to pay to get the computer back up and running properly? Nope, we eat that cost too. We have a limited set of software that we approve because this is what we support and it is what our software vendors support. If IE7 or Firefox won't work with the web application somebody else built, we don't have the resources to fix it.

3. We block certain websites because they could create a hostile workplace, are associated with viruses or spyware, or suck up all our bandwidth. If someone visits an adult website and another employee or customer sees it, we can be sued. Do you really need to do that at work anyway?

Quite a few of the websites that we block host viruses or spyware or act as relay points for keystroke loggers. Anti-Virus won't catch everything -- it has to update multiple times per day just to stay abreast of the latest threats, some of which can shut down the protective software altogether.

Streaming video and audio sites can consume huge amounts of bandwidth. Even though they are streamlined for distribution, they can still be hogs if several people are using them at once. For simplicity's sake, let's assume that streaming audio will eat up 64 kbps and streaming video uses 128 kbps. Some use more, very few use less. And let's assume that your company has a 10 Mbps connection to the Internet. Some simple math says that 150 listeners or 75 viewers will totally saturate the connection. But this doesn't count those people visiting websites, any applications which require Internet connectivity, email, etc. Not only that, but the streaming media protocols typically try and gulp up as much bandwidth as they can at once, which may generate 5-10x as much traffic at any one time. In practice, if about 20 people on this Internet connection are using YouTube or listening to a radio station, you will notice a big slowdown when visiting websites.

4. Most of the time, clearing out your Internet Browser files doesn't help anyone. If you get a virus or any other nasty malicious software on your computer, clearing out your browser files makes it harder for us to track down and prevent next time. And most of the time, it won't even cover your tracks if you've been someplace you shouldn't have been. There's a reason we've got forensic tools at our disposal. We can usually get that information off your hard drive, and even if we can't your activity is still being logged by our network forensic tools. If you don't want your employer to know what sites you visit, don't go there on his dime.

5. Don't cause a data leak by taking your documents home without checking with us first. Call your IT department and see how they want you to work at home. Odds are, we have a way to do this or can come up with something to allow it. If we can't, talk to your boss about it and make sure they know you'll be working on your own time to increase your productivity. Doing one of these two things will help to make sure you can get your work done and that we can keep the data protected. Email, portable storage, online file sharing, and other methods are NOT designed to keep confidential information safe, they're designed to spread this information as easily as possible! You'll do yourself and your organization a favor if you play by the rules on this one.

6. If you store your work documents online, a hundred bad things can happen to them. In addition to the reasons I mentioned in #5, there are other things that can go wrong with online storage. If you're storing your important files with a free online storage site for a backup or as your only copy, don't. Encrypted data needs a key to unlock it -- are you going to make sure it's safely and securely stored? These things get lost or stolen all the time and then the data is gone or is available to anyone. And online companies don't have the best track record for keeping your data available. Google, who tries to permanently store all online data, has lost accounts, messages, and files many times from Blogger and Gmail. Your organization backs up the data stored with them (or should) and those backups are insured against loss or theft. This is the right way to go about it.

7. Web mail and instant messenger conversations should never be used to send private or confidential data. Only a few web mail providers, such as Hushmail, provide SSL-encrypted communication by default. For the rest, anything you view in your web mail can be viewed by our monitoring tools. Yup, from that email confirmation when you applied to our competitor to the naughty photos your girlfriend sent you, we can see it. And web mail doesn't have a great record for privacy anyway; Hotmail and Gmail have had several flaws that have allowed attackers to gain access to hundreds or thousands of mailboxes at a time. Not great if you've got any emails with your Social Security Number, bank account number, credit card online account password, etc.

Instant messaging isn't much better. Though you can add encryption to your conversations, the software tends to fail silently, not alerting you to the fact that the messages you're sending are unencrypted. Also, the person on the other side has to have set up their client to encrypt the messages too. If you're going to chat with your buddies, do it outside of work for your own benefit.

8. Forwarding your company email to your personal account is a bad idea. If an email is sent from one email box to another on the same system, the message stays as safe as your email system. However, if you forward that outside your organization's security perimeter, it can be very bad news. To begin with, you're probably going to be sending the message unencrypted to your personal mail server. From there, when you check your mail it will probably be unencrypted. Then if that mail is forwarded to your cell phone or PDA it is probably left unencrypted on the mobile data network. This is just a bad idea all the way around. If getting your email outside of work will help you do work, odds are your IT department and/or your boss will help to accommodate you to increase your productivity. Just ask.

9. Checking personal mail on your company PDA or Blackberry isn't all that bad, just don't expect the IT staff to help you do it. The only places where this would be a bad idea from a security standpoint are highly secure environments where secret or top secret information is being passed around. But that doesn't just include the military; it also applies to anyone who has access to information that might be highly desirable to others. There are not many viruses out there that target mobile platforms, and those that do don't spread by email. However, it is conceivable that a specifically created multi-platform virus could work its way into your network this way.

But you'll want to think about things carefully before you do this. Many organizations have a Blackberry Enterprise Server that controls the flow of data to and from the handheld device. So it might be that your mail is going through your company's network to get to you. If that bothers you, don't set it up this way.

10. We don't care about your productivity unless you work for the IT department. Your productivity is your boss's problem. We may help him or her to trace your online activity, but we don't really care. But keep in mind that we can still see what you're doing on the Internet, and part of somebody's job might be to generate reports for managers so that they can see what you are doing.

11. The IT Department should be your friend, not your enemy! Information Technology is a business enabling tool for your organization. We're here to make the business more profitable and to help you do your job. Sometimes it doesn't come across that way, but I can guarantee that this is the way your CEO sees it. If you can make a good case that something would increase your productivity and improve the business appreciably, odds are you can get it implemented.

Just because you don't know a way to do something doesn't mean we don't have a good way to do it. One of the things that strikes me most about these points is that many IT shops already have approved methods to do them. If you have a legitimate business use for doing something, odds are we've got you covered. Whether it's getting to your documents at home, checking email from the road, or surfing the 'net in your free time, ask us! If we can reduce the amount of work we have to do and help you out at the same time, it'd be silly not to.

Remember, your IT staff is made up of people who have the same desires and face the same problems. We have motivations to do things, and figuring those out can help you get what you want. Pitch the same thing two different ways and you can get two different responses. If you are able to let us know how it benefits us, you're much more likely to get your way. Together we can figure out a system that can make it possible. Treat us like a friend and you might be surprised what we'll help you with.

update: There are lots of other good responses to this article out in the Blogosphere, some of which I have listed below. Security violations are up today, as is the paperwork I've now got to do to report them. But this can be a good thing for those of us who are out there protecting our networks. We can help educate the people who have the power to change these things as well as the people who want to get around the security measures. We have to work a little harder on the front end, but it pays off in the long run.

Andy, IT Guy
The Daily Incite
terminal23
RiskAnalys.is
Realtime Community
Layer 8
bloginfosec.com
InfoWorld
IT Security, the view from here

Monday, July 30, 2007

A New Job

As of August 10th, I will no longer be in my old position, and on August 13th, I will begin at a new job with a different company. This job will give me a better chance to work with people in my industry, as well as afford me the chance to travel more. While it was a hard decision, it was ultimately the right choice for me. I loved working with the folks I have and working for my boss, but it is time to move on. Hopefully both this and my travel blog will become more active as I have more relevant experiences to share.