The Register reports on the ‘new’ marching orders from the WH to gov’t IT.
In response to this week’s data breach at the US Office of Personnel Management, the White House has ordered federal agencies to immediately deploy state-of-the-art anti-hacker defenses – things like installing security patches, and not giving everyone the admin password.
I shake my head.
- Install software patches for critical vulnerabilities “without delay.”
- Use antivirus and check log files for “indicators” of malware infection or intrusion.
- Start using two-factor authentication.
- Slash the number of people with administrator-level access and limit what they can do and for how long per-login-session, and “ensure that privileged user activities are logged and that such logs are reviewed regularly.”
Can anyone in IT tell me why 1, 2 and 4 are not standard operating procedure?
I’ll give them a break on 3, because 2 factor id is a tough nut. User + machine, user + user, user + IP, user + BYOD, etc can be difficult to integrate into a system.
I have some sympathy, though. You know how this happens? Every title needs a local wireless printer, cause, status. Then the users complain cause they can’t send email from their iPhone. And, “why can’t I use my Samsung tablet instead of that dirty old desktop?” “What do you mean the systems are going down for a restart? We can’t do that!” And pretty soon IT is just saying, “Screw it, I’m not going to bother fighting with senior management over what they see as nothing.” And you have a zillion holes in your perimeter.
How’s your network’s perimeter? Have you chosen convenience over security?
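As an added illustration of the fourth order (log privileged activity and review the logs regularly), not code from the original post or the Register article: a small Python checker over constructed syslog/sudo-style lines that reports privileged commands, flags sudo use by anyone outside an approved admin list, and flags root sessions that outlive a per-login time limit. The log lines, the admin list and the 30-minute limit are all assumptions made up for the example.

```python
import re
from datetime import datetime

# Constructed sample auth-log lines in syslog/sudo style (not from any real system).
SAMPLE_LOG = """\
Jun 05 08:00:01 host1 sudo: pam_unix(sudo:session): session opened for user root by alice(uid=1001)
Jun 05 08:00:05 host1 sudo:    alice : COMMAND=/usr/bin/apt-get upgrade
Jun 05 08:10:00 host1 sudo: pam_unix(sudo:session): session closed for user root
Jun 05 09:00:00 host1 sudo: pam_unix(sudo:session): session opened for user root by mallory(uid=1042)
Jun 05 09:00:03 host1 sudo:    mallory : COMMAND=/usr/bin/cat /etc/shadow
Jun 05 11:30:00 host1 sudo: pam_unix(sudo:session): session closed for user root
"""

TS = r"(\w{3} \d\d \d\d:\d\d:\d\d)"
OPEN_RE = re.compile(TS + r" \S+ sudo: pam_unix\(sudo:session\): session opened for user (\w+) by (\w+)")
CLOSE_RE = re.compile(TS + r" \S+ sudo: pam_unix\(sudo:session\): session closed for user (\w+)")
CMD_RE = re.compile(TS + r" \S+ sudo:\s+(\w+) : .*COMMAND=(.+)$")

def parse_ts(s, year=2015):
    # Syslog timestamps carry no year; assume one (2015, the year of the OPM breach).
    return datetime.strptime(f"{year} {s}", "%Y %b %d %H:%M:%S")

def review_privileged_log(text, approved_admins, max_session_minutes=30):
    """Return sorted findings: unapproved admins, over-long sessions, and every privileged command."""
    findings = set()
    open_sessions = {}  # target user -> (who opened it, start time)
    for line in text.splitlines():
        if m := OPEN_RE.match(line):
            ts, target, opener = m.groups()
            open_sessions[target] = (opener, parse_ts(ts))
            if opener not in approved_admins:
                findings.add(("unapproved_admin", opener))
        elif m := CLOSE_RE.match(line):
            ts, target = m.groups()
            opener, start = open_sessions.pop(target, (None, None))
            if start is not None:
                minutes = (parse_ts(ts) - start).total_seconds() / 60
                if minutes > max_session_minutes:
                    findings.add(("session_too_long", opener, int(minutes)))
        elif m := CMD_RE.match(line):
            ts, user, cmd = m.groups()
            findings.add(("privileged_command", user, cmd))
    # A session that never closed (host crashed, or still open) is worth a look too.
    for target, (opener, _) in open_sessions.items():
        findings.add(("session_never_closed", opener))
    return sorted(findings)

if __name__ == "__main__":
    print(*review_privileged_log(SAMPLE_LOG, {"alice"}), sep="\n")
```

On the sample, alice's nine-minute upgrade passes, while mallory shows up twice: not on the approved list, and holding a root session for 150 minutes.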

“Can anyone in IT tell me why 1,2 and 4 are not standard operating procedure?”
They are. In any sane shop. Also IDS systems, hardening, etc.
Pure incompetence. PEBCAK
I figured the sticky lead was Norks at work.
No, lance pretty much nails it. There are no sane shops. Nobody actually cares about security, in part because there’s rarely a good ROI on it. Leaving classified-security organizations aside for a minute, the cost in productivity, capital/operating expense and loss of agility of implementing good IT security often isn’t worth the financial risk of a data breach.
Two-factor authentication is actually pretty easy, though. Any enterprise-grade laptop (i.e. not those cheap Pavilions or Inspirons down the Costco) comes with a smartcard reader. Smartcard + PIN is two-factor auth, and it’s faster and easier than remembering a constantly changing password. (I suppose technically in any modern network, it’s two-and-a-half-factor authentication because the laptop needs to be part of the security domain, too).
Up to a year ago I was a network technician. Trying to convince really stupid people about security was really frustrating. Millions of dollars at stake and they wouldn’t listen. I brought in my girlfriend’s 12-year-old son and he hacked into our network from an office across the street. I showed them and they still didn’t understand there was a problem.
How about not attaching important networks to the public internet, or at least use a VPN.
It boggles the mind that in order to get the guv’mnt employees (and elected officials!) to use the technology they have to go to the lowest common denominator with regards to security.
In this day and age there should be more “white hats” utilized in keeping the government networks secure. There are 23 million or so that they spent recovering a mere mill in bogus expense claims that could be properly spent. The technology is there, use it.
As an afterthought, it seriously scares me that the Secretary of State for the world’s biggest superpower had the nation’s correspondence on a home server whose admin password was probably “cigar” or “blue_dress”. You know damn well she didn’t have a crack team of IT professionals on 24/7 to maintain it. Geek Squad would have probably been better.
Many users can’t even handle one-factor authentication.
1, 2, and 4 should be standard, but there are more effective ways of detecting problems than parsing logs.
“Can anyone in IT tell me why 1, 2 and 4 are not standard operating procedure?”
When an outside agency needs to tell you to “do the basics”, you know the whole organization is rotted through.
Reminds me of six sigma, lean production, etc. The principles are great, and close monitoring of work processes for continuous improvement is necessary for an efficient enterprise.
But if your managers really have to LEARN lean, then they aren’t really managers to begin with. For the handful of good managers I have known, they didn’t need to be taught this stuff.
IT security is a bottomless pit of despair from which the only escape is sweet, sweet death. The same USDA Grade A Government employees are in charge of nukes too. And anthrax.
Have a nice day.
I’ll bet 1/2 the access points and 90% of the shit on open networks are not needed. Gov’t employees and elected officials are lazy and stupid. What isn’t on open access can’t be hacked. Told my SIL hi-IQ tech wiz this 25 years ago, it only took the fool about 15 years to grasp the concept. Two problems here, one being it isn’t explained to the users in a manner that they can comprehend, and the other is poor management, and I don’t mean IT management, I am referring to top level departmental management. It’s those ppl that need to impress the need for security on the idiots using the networks.
“You want me to spend money on stuff I can’t see? Get lost.”
Senior management only took security seriously if someone even more senior (the board, a liability lawsuit, etc.) forced it on them. They are like the people on all those home improvement shows, disappointed that they are spending money on stuff they can’t see (upgraded wiring, repairing termite damage, asbestos removal) instead of shiny new granite counter tops and a stainless fridge.
And nothing (much) will change. They will do a one-time fix on some of it, and then it will be back to the insanity. Because I can’t do my job if I can’t install anything I want on my PC. (We used to say that the engineers were installing “Barbie’s Big Adventure” and we couldn’t stop them. Because engineers.)
So glad I don’t work in IT any more.
It’s like barring the barn door after the horses have fled, and then pretending there are still horses in the barn after the wolves have made it a den.
In fairness, Six Sigma and LEAN are for manufacturing environments. Outside of those, they’re at best orthogonal to the problem of efficiency and can often make things worse. IT is worse than women’s fashion for mod-ish fads. About the only thing worse is software “engineering” (Agile delenda est).
Well, you’ll be happy to know the security is so good in our Canadian departments, you often can’t get work done. It’s a balance: if your security is super great and no one can work, then you are the virus.
I’ve worked as a software developer consultant for provincial, federal and then eventually some US federal government agencies and I was pretty surprised to find that the US government agencies were the most incompetent buffoons of them all.
Don’t tell me two-factor ID is hard. The banks do it for their commercial customers all. the. time. I have to provide a password and a magic number off a bank-provided hardware dongle. If the dongle isn’t physically present to show a number, you don’t get in.
If a bloody BANK can do it, the damn NSA can do it. Facepalm.
Excellent. Now, go to a different bank company. Does it still work? Now, jump back 15 years, does it still work?
That’s the reality in today’s networks.
Every device on the planet has to be supported for today’s users. Every 20 year old proprietary console based MIS system has to be supported because there’s no fscking way Joe’s Widgets is spending another $200k for a product that’s working just fine, thank you.
Every one of them uses differing authentication methods and modules. You know how we fix that? We use things like Radius, LDAP, Kerberos and Active Directory. What are those? A single source of failure is what I call it. And that’s just to get single factor authentication. To get 2-factor, you have to make so many kludges you don’t even know if the changes are even secure.
This stuff is not simple, point and click, wham bam thank you Ma’am. Understanding PKI and encryption is not rocket science, but it isn’t far from it. And it costs about the same.
If you have a strictly enforced homogeneous network, your life is easier. Throw _one_ wireless printer into that and your sysadmin is fsck’ed. Now add mobile. Servers are Unix. What about thin clients? Design just has to have Macs. Sales has to have Windows, everyone needs access to the shared directories and unless it’s wages or layoff docs everything ends up there. It’s easier, you see. None of that is secured with proper permissions, let alone encryption.
Besides, it’s all a waste of time when your users plug in that USB that Aunt Sue made on her WinXP box at home with the family reunion pictures. You know that box? The one she lets the kids download games and music on? It’s been running real slow lately, but it’s just old, you see.
Did Security Compliance for several years for a large multinational. Was an exercise in frustration and drinking Maalox was common. Worked for the feds for a year and I swear I carried around an antacid line direct to my stomach the whole time. Back to being a *nix sysadmin in the private sector, and although happier the security part of the job still makes me want to look for a punching bag on a regular basis.
That’s the price we all pay for falling for the MS Windows and IP communications protocol marketing. Never, ever designed to be secure. Grew from a single user, isolated PC. We rolled on the floor with laughter when MS introduced its “Secure Windows”. So where is the master encryption key? we asked. We can’t tell you, they said. Turned out it’s hidden in the Registry. Had to teach MS that obfuscation is NOT security (they never learned, too expensive to do it right).
Real security comes with the mainframes and SNA (System Network Architecture). Even PKI (Public Key Infrastructure) is useless if improperly implemented.
Every new application at our shop had to go through a dreaded “Security Walkthrough” conducted by our Information Security group (me and at least two others). We caught many developers and contractors doing stupid things like storing PW in the clear.
Sure glad I’m retired now and don’t have to fight these battles anymore.