Defending yourself against Nazi IT departments

Depending on the IT department, that may well be true, but in some places that kind of security does not exist, and networks are pretty much wide open.

Reply to
Dana

That depends on a lot of factors and is not such a black and white issue.

I can agree here. I have seen your IT Nazis.

Reply to
Dana

Unfortunately, these last two statements say it all. ...if the IT department cares...that kind of security does not exist... Most IT departments don't have the time/budget/manpower to care about something like this. If you do have this much free time, I envy you.

Reply to
Wayne

Some observations.

  1. IT security is *NOT* an IT function. It is a security function.
  2. Organisations that do not invest time/budget/manpower in 'something like this' invariably invest time/budget/manpower in the subsequent clear-up, not to mention the potential losses that could be suffered due to a lack of security/ lack of enforcement.
  3. IT departments should be monitored as closely, if not more so than regular users. The OP demonstrated this VERY clearly.

Bogwitch.

Reply to
Bogwitch

In most organizations it is IT that handles the security function.

Agree

Reply to
Dana

True. It doesn't make it right.

Bogwitch.

Reply to
Bogwitch

I would say it does, as it is a centralized point of control.

Reply to
Dana

The problem with an IT department running the organisation's security is that it could be compromised more easily. Also, an IT department will tend, IMO, to concentrate on technical countermeasures rather than physical or procedural measures. Additionally, the security department should not be reporting directly to the head of IT as decisions based on expediency may override decisions concerning CI&A.

It is a tricky one, an IT department may have technical skills in excess of a security team but that is down to the HR department to ensure relevant personnel are selected.

The separation of duties principle comes into play here.

Bogwitch.

Reply to
Bogwitch

Below - "care" doesn't enter into the argument.

When I saw the original post in this thread, I thought it was a sock puppet of the skating/internet radio troll. Same useless technique, same advice. The only thing missing was the line that I/T or the bosses would "never _GUESS_ what is going on".

It's not so much the IT departments as the company itself. No IT (or similar level/function) manager should be setting policy without written "direction" (read that as "policy") from on high. That direction should include staffing and budgets, and the basic policy should be reviewed by the legal staff of the company (who may have to defend it in court).

It's also not a single object - like a firewall or proxy server, but is a whole bunch of other things like company policies that the employees are strongly aware of - like "Thou shall not use the network for personal reasons." and "Thou shall not install unapproved hardware and/or software on company computers." among other things. Another item is warning the employees/users that the network is, OR MAY BE monitored at any (or all) time, and that violation of company policies will have consequences.

Boy, ain't THAT the truth.

I don't disagree, but I didn't get the opinion that the O/P was IT. For certain, the O/P was quite clueless about this newsgroup, and failed to even try using a search engine to see what past postings in the group referred to.

Old guy

Reply to
Moe Trin

True, the separation is needed. What is more important is staffing your IT department with people who are more than just plain Windows techs. Most Windows techs/admins know very little about networking/security/telecommunications in general.

Reply to
Dana

I didn't make the link myself but I do see what you mean.

No argument there. Top level support is essential.

Training, too.

Difficult to quantify though! Do you know of any work that attempts to explain the cost/ benefit of pre-emptive security?

Fair point. My assumption was based on the fact that most of the contractors *I* know, work in IT but that's probably more to do with the environment *I* work in. There was also the assumption that the OP had admin rights in order to install the client software or Java, assuming it was necessary to have admin rights!

Bogwitch.

Reply to
Bogwitch

I have to disagree with you there. Yes, it would be useful to have experienced, knowledgeable IT staff but more importantly, they should be trustworthy.

The IT department should know what to look for with regards to a security incident, as should all employees but I believe that a separate security department should have overall responsibility for enforcing security policy and performing audits, etc. and should be suitably experienced.

Bogwitch.

Reply to
Bogwitch

Huh?

In most organizations 'security' doesn't mean the IT department, it means the folks who look after opening and closing the building at night. The folks who look after keys and passcards etc. The last $100 million company I worked at had a system of passcards that gave you access only to certain floors and only during certain times of day. This had the negative feature that with the restrooms in the common area one often had to take the elevator down to the ground floor before returning to your floor when working late. The alternative was to put a small block in the door to hold it open which obviously was frowned on by the security department.

Since then I haven't worked in any office with more than two floors so am not really up on the current technology but none of the folks referred to above worked in the IT department.

Reply to
The Horny Goat

Wrong. They MUST be both knowledgeable AND trustworthy. If they're knowledgeable but not trustworthy your security may be breached on the social level. If they're trustworthy but not knowledgeable your security may be breached on the technical level. Either way you lose.

And could you guys *please* learn to trim your quoting?

cu

59cobalt
Reply to
Ansgar -59cobalt- Wiechers

True - we don't do as much training as we might, but the general class of users we have can make rational decisions about violating the well known policies and the possible consequences. But for the O/P trying to order frilly knickers, we have systems in the employee break areas that are completely isolated from the company network. They have enough software on them to allow our users to do such things, and they have a "guest" account for this purpose. When the user logs out, part of the .logout script clears the cache files and /home/guest/ directory. The systems are running a Linux distribution, "guest" is just an ordinary user whose shell is rbash. Remember the 'cd' command to change directories? This shell doesn't have one, and doesn't accept a directory separator character in any command.

Ask your legal staff. I suspect they know of the benefits.

We're an R&D facility, so most of our contractors are in the support areas - building maintenance, the cafeteria, stores, and the like. At other divisions, there are contractors in the admin areas, and to some extent in the general technical fields. One exception is that we have contractor techs doing general computer maintenance, and software installs.

How many companies are stupid enough to be running windoze in the out-of-box configuration, with the users whining all the time that they need to be admin in order to do anything useful? How many of them are using Internet Explorer for their Internet activities (and just about everything else) because that's the only piece of software they "learned" - which in itself is probably an overstatement.

We're a *nix shop, and the user accounts don't have the capability to alter the system. That makes it harder to set up, but then you don't have to worry about the user trashing the system - the only thing they can trash is their own account, and peer pressure makes sure they don't do that very often. About 4 or 5 percent of our people have a mechanism to do _some_ admin stuff.

[compton ~]$ whatis su sudo
su (1)               - run a shell with substitute user and group IDs
sudo (8)             - execute a command as another user
[compton ~]$

'su' is normally used to become another user (typically the admin user 'root') while sudo can be configured to allow a specific user to do a specific command - and in the paranoid companies, these activities are logged - to a printer.

Old guy

Reply to
Moe Trin
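An added example, not from Moe Trin's post or his site, that demonstrates the two restrictions he describes for the guest account (the restricted shell refusing `cd` and any slash in a command name) and a logout-style cleanup of the guest home directory. It assumes bash is installed; `bash -r` is the same restricted mode bash enters when invoked as rbash, and the guest home is a scratch directory constructed here rather than /home/guest.

```shell
#!/bin/sh
# Added example, not the poster's own configuration.
# Assumes bash is available; `bash -r` == rbash (restricted mode).

# Run one command line inside a restricted bash and report whether the
# shell refused it. Returns 0 if refused, 1 if the command was allowed.
# stderr is captured (restricted-mode refusals are reported there),
# stdout of the command itself is discarded.
rbash_refuses() {
    out=$(bash -r -c "$1" 2>&1 >/dev/null)
    case "$out" in
        *restricted*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Logout cleanup in the spirit of the post's .logout script: remove
# everything the guest left behind (including dotfiles such as browser
# caches) but keep the home directory itself. Takes the directory as an
# argument so it can be exercised on a scratch directory instead of
# /home/guest. -mindepth 1 keeps the top directory; -delete removes
# files and directories depth-first.
clean_guest_home() {
    home="$1"
    [ -d "$home" ] || return 1
    find "$home" -mindepth 1 -delete
}

# Count entries left under a directory (0 means the cleanup worked).
entries_under() {
    find "$1" -mindepth 1 | wc -l | tr -d ' '
}

# Stand-alone demonstration on a constructed guest home.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/.cache/browser"
    echo "session data" > "$d/.cache/browser/session"   # constructed cache file
    echo "left behind"  > "$d/shopping.txt"             # constructed user file
    clean_guest_home "$d"
    left=$(entries_under "$d")
    rmdir "$d"
    printf 'cd refused: %s\n' "$(rbash_refuses 'cd /tmp' && echo yes || echo no)"
    printf 'slash refused: %s\n' "$(rbash_refuses '/bin/echo x' && echo yes || echo no)"
    printf 'entries left after cleanup: %s\n' "$left"
}
```

Note that only the command *name* is restricted; `ls /tmp` is still allowed in rbash, which is why the post's guest shell relies on the cleanup script rather than the shell alone.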

Fair point. I thought it was a given that the staff would have sufficient knowledge to perform their assigned tasks, else they should not have been given the job.

Apologies, I had just come from a group where trimming is frowned upon!

Bogwitch.

Reply to
Bogwitch

Agreed, we have a separate Internet access LAN for just such things. We have controls in place to prevent corporate material from accidentally being introduced to that LAN. I am surprised that you allow anonymous logons to your Internet workstations. How do you maintain accountability?

:) Our legal staff wouldn't know the first thing about cost/ benefit concerning Information Security. It's an unusual environment.

Bogwitch.

Reply to
Bogwitch

BernieM writes:

But the filters have never worked like that, they just make life harder imho. The only thing it can help against is the ones getting spyware installed that makes them unwillingly surf somewhere they don't like. But on the other hand if someone can get that into your computers you have real problems and just getting a p*rn hijack is what I call luck as the attack then probably didn't steal any important information.

/ Balp

Reply to
Anders Arnholm

Yes content filtering does make it harder ... to surf non-work related web sites from work. I'm part of an IT team in an insurance company with around 1,100 employees. Our IT security team split the workload associated with releasing quarantined emails and web site classification etc. amongst two people. Staff soon learn what is acceptable and what isn't and understand why restrictions are necessary. Very few think they have some God given right to sit at their desk and surf the web while someone else does their job.

Reply to
BernieM

BernieM writes:

Sure rules are necessary, there is very little need to do all kinds of surfing while at work. The question is if the automatic filtering adds any benefit or lowers productivity more than it's worth. Working with test environments for network equipment, I definitely run into the content filters daily when trying to get on with my work. Hacking tools being the first that fails and some places that host many sites including user-related content in second place. To find the very few that tried to p*rn surf too much during work hours there are much better ways to do it. I'm not questioning the policy, just the stupid ways to technically implement it. A content filter is a technical solution to a human problem, these solutions always fail, a social solution is needed. Not a technical one.

/ Balp

Reply to
Anders Arnholm
