Wednesday, August 01, 2007

Hello, Mr Darwin!

"Hello, Mr Darwin!" - "Hi there."

IT user "gene pool" will probably lose some of its stupidest critters as a result of reading this WSJ article, which is making the rounds in the security community: "Ten Things Your IT Department Won't Tell You."

It starts as fun for some and as an utter nightmare for others: "we use our office PCs to keep up with our lives. We do birthday shopping, check out funny clips on YouTube and catch up with friends by email or instant message."

Niiiice. It gets better:

"There's only one problem with what we're doing: Our employers sometimes don't like it." :-) Geee, I guess "some-other-times" they do :-)

OK, great, now what? This:

"To find out whether it's possible to get around the IT departments, we asked Web experts for some advice. [...] How to surf to blocked sites without leaving any traces, for instance, or carry on instant-message chats without having to download software."

And then it all rolls neatly downhill from there; check out such fun items as "6. HOW TO STORE WORK FILES ONLINE" (A "no-brainer" (indeed you are...): "Use an online-storage service") and "8. HOW TO ACCESS YOUR WORK EMAIL REMOTELY WHEN YOUR COMPANY WON'T SPRING FOR A BLACKBERRY" (Wonder how? Eeeeeasy: "Just set up your work email so that all your emails get forwarded to your personal email account." :-)). Even such gems as "7. HOW TO KEEP YOUR PRIVACY WHEN USING WEB EMAIL" (answer: encrypt it!) are there.

But you know what? There is nothing wrong with publishing this; such violations are clearly not rocket science. In fact, there are three possible outcomes:
  1. Users do this and are caught, then fined, fired, tortured, shot and otherwise abused. Awesome! :-)
  2. Users do this and are NOT caught since you don't really enforce your policy banning such activities. In fact, you - the security pro - don't even know that they are breaking the rules. Sorry, you suck! You need to get another job before your company is sued ...
  3. Users do this and are NOT caught since they manage to bypass the deployed security controls. Ah, this is a fun one; that is what makes security a "calling, not just a job" for so many. Go back and deploy, tune, log (yes, logging all such activities is important, especially when HR wakes up and swings the ax...) and have fun. 0days and mafia hackers might be more challenging to fight, but users are surely more numerous :-)
Overall, I expect more security bloggers to jump and dropkick this paper. Let the fun begin!
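As an added illustration of the "log and enforce" point in outcome #3 (example code written for this post, not from the original article or blog), here is a small audit over constructed proxy and mail-forwarding log lines that flags the two WSJ items called out above: bulk use of online storage and forwarding of work email to a personal account. The log formats, hostnames, corporate domain and size threshold are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (assumed format: timestamp user dest_host bytes).
PROXY_LOG = """\
2007-08-01T09:12:01 alice files.example-storage.test 5242880
2007-08-01T09:13:44 bob www.example-news.test 20480
2007-08-01T09:15:09 alice mail.example-webmail.test 1048576
2007-08-01T10:02:30 carol files.example-storage.test 52428800
"""

# Constructed mail-server forwarding-rule audit lines (assumed format: user -> target).
FORWARD_RULES = """\
alice -> alice.home@example-webmail.test
bob -> bob@corp.example
"""

# Hypothetical destination categories; a real deployment would use the proxy's own category feed.
ONLINE_STORAGE = {"files.example-storage.test"}
WEBMAIL = {"mail.example-webmail.test"}
CORP_DOMAIN = "corp.example"                  # assumed corporate mail domain
STORAGE_UPLOAD_THRESHOLD = 1 * 1024 * 1024    # bytes; assumed policy threshold

PROXY_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")

def find_proxy_violations(log_text):
    """Return {user: [reasons]} for online-storage and webmail use that breaks policy."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        ts, user, host, nbytes = m.groups()
        if host in ONLINE_STORAGE and int(nbytes) >= STORAGE_UPLOAD_THRESHOLD:
            hits[user].append(f"{ts} online storage {host} ({nbytes} bytes)")
        elif host in WEBMAIL:
            hits[user].append(f"{ts} webmail {host}")
    return dict(hits)

def find_external_forwards(rules_text):
    """Return {user: target} for forwarding rules whose target leaves the corporate domain."""
    out = {}
    for line in rules_text.splitlines():
        user, _, target = line.partition(" -> ")
        if target and not target.strip().lower().endswith("@" + CORP_DOMAIN):
            out[user.strip()] = target.strip()
    return out

if __name__ == "__main__":
    for user, reasons in find_proxy_violations(PROXY_LOG).items():
        print(user, reasons)
    print(find_external_forwards(FORWARD_RULES))
```

The point is that neither check needs new tooling: the proxy and mail server already produce these records, so the difference between outcome #2 and #3 is whether anyone reads them.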


Unknown said...

I'm not yet, but I may post about this article. A few notes...

1. I'd rather see these things written in Maxim and not WSJ. Considering the readership of WSJ, they're likely the dumber (techwise) and more dangerous people to have circumventing policy. If circumvention starts at the top, it absolutely will trickle down.

2. This article illustrates that while I believe in maintaining control of our IT environment, we cannot maintain control of culture and people's lives and how they meet up with technology as a tool. That's just how things are. If people use their computers at work to keep up with their friends and social life, then they need to be allowed to do that, otherwise good talent will leave for happier environments that don't smother them.

3. I really wish that the author had at least made mention that while these are all viable circumventions, the employees do need to follow policy and should keep communication open to IT. Not every IT department has had pressure or even requests to alleviate some of these pain points. More people need Blackberries in the company to check email remotely? Make a case for it rather than squirrel around people's backs. Oops, that almost turned into a full rant, hehe.

I'd really suggest business users talk to their IT. If they're good professionals, they will listen and try to fix things to be better, or give excellent reasons why they are the way they are. For instance, while people may want to watch YouTube clips, when you choke bandwidth and impair real business, it needs to be blocked.

For IT pros, listen to your trouble tickets and requests; i.e. your users. They may not ask for things outright like being able to send larger files more easily, but their requests will imply as much. Be open, communicative, and try to provide solutions to mgmt so they can properly be allowed or disallowed.

Anton Chuvakin said...

Thx for the comment!

Looks like the feeding frenzy has started up in earnest; a follow-up post is in order...

Anton Chuvakin said...

>I'd really suggest business users
>talk to their IT

That is probably the #1 lesson from all the posts about this piece seen so far ...

Anonymous said...

The fact that this article was published in a mainstream newspaper concerns me. I am worried that infosec is losing the battle and the war... We have all been beating this drum for years and infosec still has no more public support than the local school librarian?

Anton Chuvakin said...

>article was published in a
>mainstream newspaper concerns me.

Well, IT is pretty mainstream nowadays; indeed, I am pretty sure that there will be more policy violations as a result, but the key is how we respond to them: that is why my post mentions "Darwin": users who deserve to lose their job as a result of "following WSJ tips" should lose 'em indeed.

>I am worried that infosec is
>losing the battle and the war...

The jury is still out on this one :-)

Anonymous said...

If the general consensus is that IT and infosec staff is just 'in the way' then we in infosec have a big, big problem.

Anton Chuvakin said...

Indeed, that is why the whole IT (and IT security)<->user conversation is the main lesson from this whole story...

bw said...

"Sorry, you suck! You need to get another job before your company is sued"

Going by this rule, there would be nobody doing security for organizations who don't have the money or other resources to adequately monitor and police such things. This does not necessarily reflect on the security professional at that organization.

In many places, security has been thought of as physical only until recently (due to regulations, mainstream media attention, etc.). According to your rules, the new hire in charge of InfoSec would probably have to have a large consulting team come in immediately to reconfigure the network, servers, workstations, and implement tools. This costs a bloody fortune and some companies can't afford that outlay immediately.

For some security pros, it might be a struggle to get many of the things mandated by regulatory requirements! And most organizations will want to spread out the costs of security over several years, no matter how effective the people in charge are. Again, this does not reflect on the practitioner; he or she is to be applauded for trying to fix the problem in an organization where it has become such an issue.

On the other hand, if the person truly is clueless, the organization should recognize this and take action. The crappy security pro certainly won't be reading your blog ;)

Anton Chuvakin said...

I apologize for sounding ambiguous...

>Going by this rule, there would be
>nobody doing security for
>organizations who don't have the ..

What I meant is that if you don't PLAN TO ENFORCE the policy (due to lack of resources or any other reason) then don't SET the policy. Working for an org where a policy is strictly worded but loosely - or not at all - enforced does suck ...

Your other points are clearly valid; if one struggles with resource constraints while trying to enforce the policy, then it fits under my "situation #3", not #2.

>According to your rules, the new
>hire in charge of InfoSec would
>probably have to have a large
>consulting team

No, simply saying "here is the policy; here is how we enforce it now, here is how we will improve next XYZ" will do; doing everything right away is unrealistic. On the other hand, saying, "here is the policy, we have no way to enforce it" to me sounds like "go read the WSJ and send OUR files to Hotmail..."-)

Dr Anton Chuvakin