An idiot will attack your system less predictably, and on a broader front.

(Not mine, picked it up somewhere years ago.)
I think what you mean is "what is the difference between a criminal and an idiot" since any real hacker won't be interested in breaking into your system without your permission.

If what you mean is "criminal" then use the more accurate word: "criminal".
5 Votes
Amen!!!
Joe_Wulf@... 17th Oct 2011
Criminal or miscreant is the appropriate term.

Hackers are we good folk who are honest, have integrity and do our best to improve things technically. FAR too many 'news sites' get this terminology incorrect.
3 Votes
Hacker vs Cracker
gazmanic 25th Oct 2011
I think the term we are looking for here is Cracker. (ie criminal hacker)
Whether the hacker's hat is black or white, he would probably probe the system from outside along predictable paths. You will therefore attempt to protect access to your system along those paths. You can also protect your system from damage by the internal user, but if, for example, the user legitimately and necessarily has access to key parts of your database, do you have credibility checks on input values, for example? I know of one case where an order clerk thought he was ordering 3000 pieces of turf, and ordered 3000000; fortunately the supplier queried it. And how easy is it for somebody to delete your major customer from the database?
0 Votes
re:
imsoscareed 30th Apr 2012
He had it right the first time. Stop trying to glorify criminal activity.

hack·er [hak-er]

noun
1. a person or thing that hacks.

2. Slang . a person who engages in an activity
without talent or skill

3. Computer Slang .
a. a computer enthusiast.

b. a microcomputer user who attempts
to gain unauthorized access to proprietary
computer systems.
1 Vote
3b was added BECAUSE of the media's misuse of the term. It was only added due to the fact that people were incorrectly using it so much. That does not make it the correct usage of the word.
1 Vote
re:
imsoscareed 30th Apr 2012
He had it right the first time. Stop trying to glorify criminals.

hack·er [hak-er]

noun
1. a person or thing that hacks.

2. Slang . a person who engages in an activity
without talent or skill

3. Computer Slang .
a. a computer enthusiast.

b. a microcomputer user who attempts
to gain unauthorized access to proprietary
computer systems.
-26 Votes
Wow...
Exploro 17th Oct 2011
It is no wonder that tablets are gaining, since people like Mr. James have not found a way to lock users out of them yet. With controlling attitudes like this, why not just switch to thin clients so that dumb old users basically can't do anything? People achieve your lowest expectation of them, and paranoid "careerists" assume the worst. Innovators hire quality people and let them go. Boo to the controllers!
37 Votes
Controlling? No, it is reality.
LesNewsom 17th Oct 2011
Sounds like somebody really hates it when they cannot check Facebook or play Farmville at work... You are at w-o-r-k. The tools (computers, servers, Internet connection) are provided to do your j-o-b. The IT Department is doing their job. At the end of the day, when everyone has done their respective jobs, there is a profit and you have a job tomorrow. When a worker inadvertently brings in a virus on a USB drive or if they are intent on circumventing the "Controllers", the entire network is threatened and if it goes down, work is interrupted, profits are lost and tomorrow, everyone could be unemployed. Mitigating threats and controlling network systems are a matter of survival.
5 Votes
urgh
spdragoo@... Updated - 17th Oct 2011
*grumble* stupid IT policies that won't let me hit the "+" button to rate your post...

LOL

Seriously, though, yeah, people forget all the time that "their" work PC isn't really "their" PC. Could be worse, though; had a former employer (tech support call center), where the PC stations were "first come, first served"; you had an assigned "row" that you could sit at (based on your supervisor), but beyond that you almost never sat at the same PC even 2 days in a row.
18 Votes
Wow...
cavehomme1 Updated - 17th Oct 2011
Indeed, the wow is on you. I am not an IT professional but a proficient user and I can clearly understand the risks of what I do and what others do. You are a clear danger to your organisation's private data and intellectual property with such a reckless attitude. Sure, users should be allowed to do their jobs, but wrecking an organisation because of their own supreme arrogance and self-importance is clearly not an option for any business that knows what it is doing. We need less of the "I want" culture which has wrecked our economies and finances and return to sensible, responsible attitudes where we get win-win situations, not I win-you lose. And if you think that iPads and all things Apple are immune from security concerns, one day you will have a big shock coming your way. You are evidently still spending most of your time in the school playground.
Exploro, it is precisely people like you that create the problems which affect everyone on the network. Let me remind you that the equipment and network which your employer allows you to use is not yours and that any security breach puts all of the company at risk, possibly even facing major fines or loss of business. If you wish to work in what you call an 'innovative' environment, then I encourage you to start your own company, hire 'quality people' and let them go. When your intellectual property gets stolen or the regulators slap you with a huge fine (notice I did not use the word 'if'), don't come crying to Mr. James or the other hard-working security professionals to fix your mess.
... because in iOS, applications are fairly well protected from each other. They have defined, hard limits on their functionality. Are they hackable? Yes. But it's a lot harder to get malware onto them, and much less likely. Windows 8, if you stick with the newfangled Metro/WinRT apps, is also the same way (something that they're taking from Windows Phone 7). When applications can't even open files outside of a few known, shared locations (like "Documents" and "Pictures") or their own local data, it means that I'd feel MUCH more comfortable handing one to a user and letting them download and install applications on their own. Is it still locked down? Yes, but the lockdown on iOS and Windows 8 feels much, much less intrusive than the traditional IT department approach of showing people what they could do, but then popping up "access denied" messages when they try it.

J.Ja
7 Votes
Ah...
sgriffithsnz@... Updated - 17th Oct 2011
Sounds like someone has fallen foul of the people responsible for keeping the organization running, and is upset they didn't get their way. Business has no time for you compromising systems just because you want a shiny toy. Perhaps you should be working with your IT department instead of against them, and together you could find a solution that fits your organization's needs.
If you went to a friend's house to play console games with them, & you threw the controller against the wall & broke it, would you be surprised if your friend was mad & demanded you pay to replace it, or simply banned you from playing on *his* game system in the future?

That's the situation here. *You* didn't buy your corporate-issued desktop/laptop; the corporation did. *You* aren't paying for the access to the Internet for your corporate PC; the corporation is. *You* aren't the one that has to pay a tech to fix the PC because you tried to install a bunch of spam-ridden software, or wanted to send out gifts to your "friends" in Farmville & screwed up the system; the corporation has to.

What you do with *your* equipment at home is your own business; what you do with the *corporation's* equipment -- especially when they're paying you to work -- is the corporation's business. Don't like the rules? Quit your job...& good luck getting those unemployment benefits (hint: quitting your job usually means you won't get any).
0 Votes
Really?
I read all "10 security problems" described here, and have only one comment: for an IT manager to cover all of these security problems, he must have a heavy server, with many expensive programs, and all employers working on a high restriction level. It's simply unreachable, mainly for small business. But I must consider that this is an "ideal situation" and must be achieved by all employers and managers.
4 Votes
Not at all
cavehomme1 18th Oct 2011
I do not fully agree. Many of these are applicable and enforceable in a small company. It just needs someone responsible to set and enforce the standards on each machine.
1 Vote
I'm not sure I disagree with his assessment. It is easy enough to lock things down, but to be able to lock things down *and* still retain a reasonable level of productivity may require a level of skill and expense beyond a lot of small businesses' budgets.
3 Votes
It is the cat's meow, if you're willing to buy the license. It all but eliminates the need for desktop policies, a huge pain in the neck to administer...and very unpopular to boot. Making the user local administrators isn't such a concern if you turn the computer off, and it's effectively re-imaged when it comes back on....only this is much faster than reimaging.

Of course, you have to emphasize they save their work to the file server...point relevant directories to the right place....but it's a win-win ultimately.
11 Votes
This was a good one. At an insurance company I worked at years ago, nationwide network by the way, a manager down at the Winston-Salem data center decided to do a favor for a colleague and open up an incoming port for his email. That it was on the other side of the firewall did not matter or concern him, but it did bring down precisely one half of the nationwide network!
7 Votes
If you look at almost every one of these problems from the opposite perspective, they demonstrate how the IT department gets the reputation for blocking productivity. Those complaints make their way up the chain eventually reaching the boardroom where the CIO (or whomever) takes a sound thrashing. In the end this WILL come back to haunt you.

This clearly demonstrates the double-edged sword of IT security. What IT departments have to do is make themselves VERY accessible to the rest of the organization. If you can keep those walls down and provide the services the workers need when they need them, the odds of the above problems biting you drop off significantly.

I've said this over and over, but it always bears repeating. People are like water running downhill. If you get in their way they will find a way around you.
1 Vote
You hit it right on the head. It's very difficult to provide the security that networks require without slowing some users down, especially power users or people in certain job roles (support, software developer, system administrator, and other IT roles immediately come to mind).

This is why I fully support the model of Web applications as much as possible, because the browser acts like a sandbox. For every security bug found in Firefox, Chrome, or even Internet Explorer, there are many more found in Acrobat, Office, and other native applications, and the bugs in local apps can be much more damaging than browser bugs. I also really like the tablet model, so long as the tablets are running iOS or Windows 8, because the development models are such that exploiting an application doesn't let the exploit dominate the system, for the most part.

J.Ja
1 Vote
re:
imsoscareed 30th Apr 2012
Good point. And the other part of that is upper management that is clueless and says "oh just let them do it, it won't hurt anything"
6 Votes
#4... got that right
pgit 17th Oct 2011
I hate to admit it, but I've left a few machines unpatched for fear of breaking a high-availability system. They're all Linux systems, so the idea of 'patch' is a bit different, but not enough so that these machines are not vulnerable. I'm sure they are.

What I've done instead is beef up the perimeter, restricted access tightly, moved things off standard ports in some cases and watched them like a hawk. So far so good. But I'm really just rationalizing away my laziness... I think.

Funny thing is my current task is building a new replacement for one of these oldies but goodies. The thing has been up at least 4 years now without a single hiccup. Hard to justify replacing something like this that "just plain works"(tm) but of course that's playing with the "famous last words" category.

BTW good luck with #1. I deal with one office that's infected their network 3 times the exact same way; searching for free mp3s. The second and third times the perpetrator told me "but it wasn't that same site!" ..insult to injury is they had disabled noscript in firefox, another policy violation.

Every time I go there I check all the browsers and usually a couple of them have had noscript disabled. No amount of showing them they can get access to everything they actually need without allowing scripts globally. It's always when they're trying to do something stupid like play an online game or download music or video. They get frustrated in a millisecond and go straight for the "allow scripts globally" button.

I wish there was a way to make setting that one function unavailable to the user, it'd make my life easier.

Some of the folks elsewhere have gone with chromium (aka google chrome) and so far so good, but chrome isn't everyone's cup of tea.
4 Votes
hex editor?
Neon Samurai 17th Oct 2011
"I wish there was a way to make setting that one function unavailable to the user, it'd make my life easier."

Maybe your handy hex editor? Change "allow globally" to "block everything and notify my IT department." *grin*
#4 is often covered under the phrase, "If it ain't broke, don't fix it".

I agree, that it is a good start, but it is missing an important point. Before you can apply that "rule", you really have to define "broke" and "ain't broke". Simply saying that it is "rock solid" and runs to completion is NOT the full definition of "ain't broke". I've identified and worked on several "ain't broke" non-problems. After a little investigation it turned out that those 'rock solid' processes are also unnecessarily expensive. A little work, tweaking and tuning and taking advantage of "new" features can often optimize them to both run faster (which is normally cheaper too) and less expensively in terms of resources other than clock time.

Security concerns, maintenance costs, normal operating costs are some of the additional concerns that should be considered when defining "ain't broke"
0 Votes
99% Linux Distro's
grifs71 Updated - 17th Oct 2011
If you are required by your job position to obtain an RHCE & above you will find the security problems are not going to happen. When you have a foundation in what you are working with, you tend to build it like it should be built - by the book. You never download and install packages from source, from 3rd party sites and such on production systems. Hence they are under tight PCI compliance regulations and rules.

Use the built in package updater utilities to keep the system 'up 2 date' period.

I have cleaned up environments like this in the past and they are a nightmare to say the least. This is where policies are put in place that equal termination for installing NON-production apps on production systems. This was the end result of people putting in scripts to prop up crummy (homemade) apps. There is no need for that in a production environment.

Not being able to update Linux distros because of some 'hacked' up software installed with bubble gum and shoe strings is not very intelligent.

It is nice to be able to use yum update without fear of the system falling apart because someone is too lazy to build it right. This is the basics of system administration; it does not matter if you can write your own code, if it cannot be updated over time what use is it???
I'm Red Hat certified and I've worked in an environment where RHEL was king. The bottom line is your bosses are going to be the deciding factor on how much time you have for best practices.

Most capable IT pros... regardless of certs... or even no certs, because certs most certainly don't make you capable... are not going to willingly paint themselves into the corner you describe. It happens because, as usual, the business leadership does not value the idea of doing things right. They want it done now... if bubble gum is quicker... do it bubble gum... or find another job.
3 Votes
True
Joe_Wulf@... 17th Oct 2011
Very sad, but true. FAR too many bosses/employers want 'it' done now, and to hell with 'right'.
4 Votes
I was very lucky....
JCitizen Updated - 30th Apr 2012
the last organization I worked for was under HIPAA rules, and everything we did was law. So our CEO and CIO (of course) could lower the boom if anyone did not cooperate. The funny thing is, it hardly affected the work flow.

Yes, the clients had to learn the new ways, and slow down at first, but because the new secure way of things caused many of our problems to literally drop off the planet; our productivity actually increased. Too bad regular commercial organizations can't see that!
2 Votes
Using root
grifs71 17th Oct 2011
Another big fiasco is using root, it is not needed when the sudoers file can be utilized with specific access for files being edited if needed. At a previous employer the users at the help desk were logging in as root, and the machines were publicly available via port 22 from the public Internet.

I have seen people using root without care, changing files on the fly and restarting critical services without even making a copy of the file. Needless to say it broke DNS and caused an outage; I had to recover a backup copy of the file from the backup server. What a mess.

Unless your CIO gets fed up with system outages and fiascos of broken system configs and puts in a policy of basically termination for 'tinkering' on the fly without change management procedures, you are creating your own worst nightmare of maintaining a pile of garbage.
8 Votes
Rule number 1. IT is there to serve the users not the users to serve IT.
Invest in IT and you don't have these issues. IT is not a money-making venture, but putting money in it saves money for your staff, makes for more time that is billable, and it doesn't take a lot of the right billable time to pay for the investment. An IT guy is worth between 30 seconds and 2 minutes worth of time per hour for our highest charging users. They are overhead, but investing in that overhead makes the billable guys able to do more. For our best guys we can afford 1 IT guy for each of them, like private assistants and other perks. But then we get it and most don't. Most shops are cutting IT when they should be investing, and forcing users to do IT when they shouldn't. If you have any of the symptoms as described in this post your problem isn't users but that you need to invest more in IT.
0 Votes
re:
imsoscareed 30th Apr 2012
Easy to say if you have upper management that cares and you have the money available.
0 Votes
Apathy
That it's "us against them". Like #3 for example, where you have captured a key problem with the relationship between IT and users in too many organizations:

"if IT won't build a Web site for their group, it's just 'doing them a favor'... The best way I've found to keep these rogue machines in line is with rigorous IP address audits and policies and scanning the network to create a list of machines..."

Hm.. maybe if IT had built the web site that was needed, or fixed whatever perceived limitation it is that makes the workaround needed? Instead of just making the network even harder to use. Too often I see IT departments taking ownership of the network, instead of owning the job: providing the infrastructure and services to keep the entire business running smoothly? It's a tough job, and one that generally only gets 'recognition' when things go wrong, a constant balancing of sometimes conflicting needs within an organization. But maybe, instead of trying to outsmart the engineers who are trying to outsmart you, it is smarter to figure out why they feel the need to outsmart you in the first place. Then fix that.
OK, CIOs...flame away...;0).
5 Votes
...I won't deny. I've been the guy on the lookout for rogue machines. That's what my employers expected....among other things.

The truth be known, in many industries you simply can't let people do what they want. Highly regulated industries come to mind.

But...there's truth in what you said, and the new era is going to cause that "attitude" some problems. People own their own tablets, and mobile broadband, and they can simply bypass you for much of what they want/need. Of course, from my own point of view, and I'm sure from Justin's too, what they're doing over a 3g network is no danger to my lan/wan.

Very often users simply will not accept the fact that there are rules and procedures for using corporate equipment. Sometimes this bureaucracy serves the company's purpose, sometimes it serves a bureaucrat's private purpose, which is wrong, but is not unique to IT.

Times are a-changing though. It will be interesting to see what the future holds.
1 Vote
IT vs. users
Justin James 18th Oct 2011
"Hm..maybe if IT had built the web site that was needed, or fixed whatever perceived limitation it is that makes the workaround needed? Instead of just making the network even harder to use."

Yes, this is indeed the root cause of the problem, but that's not what this article was about. :) That said, IT does fail to deliver needed services all the time, and IT fails to understand the needs of the users, and IT fails to work with users to find the balance.

But, for many IT departments, security is a higher priority than meeting needs, and it HAS to be for a variety of reasons. In those environments, if you have limited resources, cutting users off completely is a better alternative than attempting to meet their needs and doing it wrong, or allowing them to self-service.

J.Ja
why would IT build it for you? (And if IT did build it, then someone else would complain that IT is wasting resources on unauthorized projects.)

Pasting rich text from applications like Word into text or HTML environments is symptomatic of the more dangerous sorts of incorrect actions for which a good IT department must always be alert. Some things may make your job easier in the short term, but allowing users whatever they think they need at the moment without reserve is exactly the sort of thing that leads to security failures that can damage or destroy a company. I imagine that not having a job probably outweighs not having some extra website that ten people might use.
1 Vote
RE:
imsoscareed 30th Apr 2012
Security comes first, no exceptions for me. Build a website? Most users that want something have no clue why they want it or what they are going to do with it. They heard about it or saw it someplace and think it's cool but have no real understanding of what it is or does. If someone wants something they better be able to explain what they want & why instead of wasting my time on follies. Just because someone wants something doesn't mean it's useful or right.
3 Votes
BYOD
Muttz 17th Oct 2011
I really think that the trend towards bring your own devices is going to come back to bite someone in the butt. RIM is only dying in the tech blogs. They are still king of enterprise security. Whatever is being used needs to be controlled by IT. Employee-owned Android phones accessing the corporate network are as dangerous as a rogue access point IMHO.
2 Votes
Thank you
ronan_m@... 17th Oct 2011
This post is very timely. We are scheduled to raise ICT security issues and solutions to our higher-ups.

Bringing in personal USB modems in the company also poses a threat to the network (if I may add).
You can always get state of the art machines and have rigorous policies. However, human nature seems to trump it all. A simple scan of a jumpdrive on an updated antivirus can save you from transferring bugs to systems that are not as up to date.
2 Votes
Number 4
brodriguez@... 30th Apr 2012
I totally see the point of number 4, but it always makes me chuckle:

"There are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns: there are things we do not know we don't know."

If the only reason that the old servers are bad is because we haven't patched what we know is bad, then the new servers must also be bad because we know that they will need to be patched soon for what we do not yet know (implying the vulnerability is there but we haven't seen it exploited yet). Even after we patch them, there will be things we do not know we do not know that eventually we will find out. It's no wonder people think us IS guys are paranoid, to which I say: finely tuned paranoia is an essential skill of working in IS. :)
3 Votes
Use NAP
cybershooters 30th Apr 2012
If you've got a network large enough that people are bringing in unauthorized machines and leaving them connected to the network, then you should be using NAP rather than auditing DHCP all the time.

One thing that isn't listed here is cloud-based services: people using them at work and moving their files into the cloud without permission is a big security headache that is growing larger. What then happens is they leave the company, or can't remember where they put the files, or give people access to them that shouldn't have access to them, etc.
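The two practical approaches raised in this thread for the rogue-machine problem are the article's "rigorous IP address audits ... scanning the network to create a list of machines" and cybershooters' suggestion of NAP in place of constant DHCP auditing. Below is an added example (not code from the thread, the article, or TechRepublic) of what the lower-tech DHCP audit actually looks like: it parses a dnsmasq-style leases file (one lease per line: expiry epoch, MAC, IP, hostname, client-id) and compares every lease against an asset inventory keyed by MAC. The leases, the inventory and the hostnames are all constructed sample data; in practice the inventory would come from your CMDB or asset register, and a finding is only a prompt to go and look, since MACs can be cloned and hostnames are self-reported.

```python
"""Audit DHCP leases against an asset inventory to flag machines nobody authorized.

Added example, not the thread's or the article's own code. Assumes a
dnsmasq-style leases file and an inventory dict keyed by lower-case MAC.
All sample data below is constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: contents of a dnsmasq.leases file.
# Columns: expiry-epoch  MAC  IP  hostname ("*" if the client sent none)  client-id
SAMPLE_LEASES = """\
1700000000 00:11:22:33:44:55 192.168.1.10 laptop-01 01:00:11:22:33:44:55
1700000600 AA:BB:CC:DD:EE:01 192.168.1.23 * *
1700001200 00:11:22:33:44:66 192.168.1.11 printer-2f 01:00:11:22:33:44:66
1700001800 de:ad:be:ef:00:01 192.168.1.77 RogueServer 01:de:ad:be:ef:00:01
"""

# Constructed sample inventory: MAC -> (owner, hostname the asset register expects).
INVENTORY: Dict[str, Tuple[str, Optional[str]]] = {
    "00:11:22:33:44:55": ("alice", "laptop-01"),
    "00:11:22:33:44:66": ("facilities", "printer-2f"),
    "aa:bb:cc:dd:ee:01": ("bob", "bob-thinkpad"),
}


@dataclass(frozen=True)
class Lease:
    expires: int
    mac: str            # normalized to lower case so AA:BB and aa:bb compare equal
    ip: str
    hostname: Optional[str]


def parse_leases(text: str) -> List[Lease]:
    """Parse dnsmasq lease lines; malformed or blank lines are skipped, not fatal."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        expires, mac, ip, hostname = parts[0], parts[1].lower(), parts[2], parts[3]
        leases.append(Lease(int(expires), mac, ip, None if hostname == "*" else hostname))
    return leases


# A finding is (ip, mac, reason); the reason says why a human should look at it.
Finding = Tuple[str, str, str]


def audit(leases: List[Lease], inventory: Dict[str, Tuple[str, Optional[str]]]) -> List[Finding]:
    """Compare each lease with the inventory and return the leases worth investigating."""
    findings: List[Finding] = []
    for lease in leases:
        record = inventory.get(lease.mac)
        if record is None:
            findings.append((lease.ip, lease.mac, "unknown MAC: not in asset inventory"))
            continue
        owner, expected_host = record
        if lease.hostname is None:
            # Known hardware but no hostname: could be a reimage, a boot-time lease,
            # or someone's personal device using a cloned/recycled adapter.
            findings.append((lease.ip, lease.mac, f"inventoried device of {owner} sent no hostname"))
        elif expected_host and lease.hostname != expected_host:
            findings.append((lease.ip, lease.mac,
                             f"hostname mismatch for {owner}: expected {expected_host}, got {lease.hostname}"))
    return findings


def format_report(findings: List[Finding]) -> str:
    """Render findings one per line for a ticket or a daily mail to the helpdesk."""
    if not findings:
        return "DHCP audit: no unexpected leases"
    lines = [f"DHCP audit: {len(findings)} lease(s) need attention"]
    lines += [f"  {ip:<15} {mac}  {reason}" for ip, mac, reason in findings]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(audit(parse_leases(SAMPLE_LEASES), INVENTORY)))
```

Run against the constructed data this reports two leases: 192.168.1.77 (a MAC the inventory has never seen) and 192.168.1.23 (Bob's inventoried adapter, but with no hostname). Scheduling this against the real leases file gives you the "list of machines" the article talks about without touching the network; pairing it with an actual scan catches the static-IP machines that never ask DHCP for anything, which a lease audit alone will miss.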