Security·4,687 discussions

Which of these security sins have you committed to “get the job done”?

Locked

Which of these security sins have you committed to “get the job done”?

– Hacked a password without permission
– Opened a port for remote access
– Taken sensitive, unsecured data home
– Other
– None of the above

This is the focus of a new TechRepublic poll. Tell us whether you’ve committed any of these IT security sins when trying to “get the job done”?

Topic

Other

In reply to Which of these security sins have you committed to “get the job done”?

Never taken data home
Have requirements/policies for opening ports
Never hacked a PW without permission, although their immediate manager has given the authorization first.
There have been too many ‘other’ shortcuts that have been made, some would violate the company policy at various places that I have worked. But, these have been with consent from the user or manager of the user in question. In my opinion, these are the only people that should give permission to make certain requests. If both are unavailable, the item can wait, or if needed, a higher up manager, or my manager or that persons departmental manager can give permission as well. But, except for my manager, the management chain must go up in a direct line from the persons system/account that is in question.

Yes ;-)

In reply to Which of these security sins have you committed to “get the job done”?

Ok, not that bad

– Hacked a password without permission
We had a problem where we had a tech leave a site. All the local admin passwords were set to something other than our current rotation. He has also set the domain admin (for the site)password to be something different. Rather than get permission, I needed to get the job done. Nobody knew (until now) that I ever did this.

– Opened a port
We had some serious bandwidth issues at one place. I didn’t directly get permission (eg I was told to just make it work). I split our incoming web traffic across two ports so I could track usage very CLEARLY for my PHB.

– Other
I clustered a couple of old servers together because our poor web server just wasn’t cutting it. Nobody ever knew that is what happened (save for the incoming IT guy). They wouldn’t buy the equipment, so I made due.

Mostly what I’ve done is due to lack of proper management and lack of oversite (or really caring) about the IT deparment.

Number’s one and two,

In reply to Which of these security sins have you committed to “get the job done”?

But never for a client, I have only done it internally.

None

In reply to Which of these security sins have you committed to “get the job done”?

If the environment isn’t receptive to the fix, it doesn’t get done.

Bit of a jobs-worth approach but it’s the best way of doing things.

None of the above….

In reply to Which of these security sins have you committed to “get the job done”?

I have broken password protection, but I had written permission before doing so.

Opening of a port for remote access, only with knowledge and approval of the client. since that remote access could have their system running again faster. and was limited to a specific user id and encryption key.

sensitive data is always secured, so I never do this one.

none of the above – security is not security unless

In reply to Which of these security sins have you committed to “get the job done”?

it is done properly all the time – a breach of security is NOT ‘get the job done’ it is being lazy.

Security is like being pregnant – either you are or you aren’t

none of the above

In reply to Which of these security sins have you committed to “get the job done”?

Anything done is with permission, written permission at that. Do we need to get around certain policies sometimes? Probably but only when the planning was not done correctly. However, that workaround needs to be clearly documented, signed off on, and agreed to.

None

In reply to Which of these security sins have you committed to “get the job done”?

I have to keep my clients secure. So I don’t deviate from standards to get the job done. However some of my clients “don’t care about security” and so I have different standards for different clients.

none, either

In reply to Which of these security sins have you committed to “get the job done”?

Well, depends on what you define as “other”.

My idea of ‘other’

In reply to none, either

Is when you are bending policies in place to attain a goal. But as I have stated, it is always with permission from other managers of the user in question or from the user themself (and sometimes from my managers chain) depending on the situation.
If a policy needs to be bent to get the job done, then the policy is wrong or needs updating. Going through management may still be breaking the policy, but sometimes it is needed. Policies are guidelines and do not cover every situation.

roflmao are you serious

In reply to none, either

seems to me that “other” allows you to define it. geez

None of the above

In reply to Which of these security sins have you committed to “get the job done”?

I most often work in regulated environments. Policies developed in compliance with regulations that are audited can’t be worked around without having to answer uncomfortable questions by your auditors.

I worked in an environment once that demanded that all paper be locked in secure cabinets. Then failed to provide keys for cubicle cabinets. I shredded all paper output on a daily basis.

Came a time when I was asked to produce a document that had published several days before. I reminded the querent that I shred everything daily due to a lack of secure storage. I received a key to my cabinets later that day.

Does other include?

In reply to Which of these security sins have you committed to “get the job done”?

1). Bypassing quality assurance to get quick fix code done?
2). Lol, having a supervisor sign into a specific account so you can do raw updating to database’s to correct bad data?
3). roflmao, running against production data with test code to get a asap, and thats too late done?

Actualy, the only thing that I feel i ever did that was completely wrong was being on production support call. I received a call from an operator with a problem. What was required was to just run some fix code from my userid(i only had that permission). I gave the operator myuserid and password, then changed it when I came into work the next day.

droolin

My Terrible “Other”

In reply to Does other include?

Was working in a consulting firm at the time and my manager calls me at 5:45AM somehow wanting me to get to a client’s office 20 miles away at 6:00AM. Of course I took the opportunity to pound home my much reiterated point on the necessite of a remote access solution.

Anyway, he was serious. I had to get there IMMEDIATELY. So, I took it on myself to call the lone employee at the client site at that hour, told her where to get the keys to the server room + the domain admin credentials, and guided her through the task I had been assigned.

Fortunately my manager appreciated the job being done on time more than he was furious about HOW it actually got done. The client however wasn’t as lenient. I kept my job though 🙂

If I’m asked to do a job

In reply to Which of these security sins have you committed to “get the job done”?

If I’m asked to do a job and you want it done asap I will assume I have permission to do it.

I get results because I refuse to let arbitrary roadblocks stand in my way. If you don’t really want the job done or don’t really need it asap, then don’t ask me to do it.

F: All of the above

In reply to Which of these security sins have you committed to “get the job done”?

I have done all of the above to get the job done but was greatly rewarded for my igenuity and ablity to ‘take the bull by the horns’ to get the job done…btw it was a military base the i was working on( DCAA/DLA Headquarters Fort Belvoir , VA)

A guy at the FBI got fired for hacking admin passwords to speed up work

In reply to F: All of the above

A guy at the FBI just got fired for hacking admin passwords to speed up work, and he might face prison time. An ex-coworker of mine also recently got the axe for simply running a password audit and reporting the weak password to the system administrators.

I agree with what you have done and I commend you, but I want to point out the dangers for people if they do this. Of course, I?ve had to hack a password because we were locked out of an old server and I?ve also had to hack passwords that users forget when they can?t get in their computer.

why did the ex-coworker get the axe?

In reply to A guy at the FBI got fired for hacking admin passwords to speed up work

I’m still not understanding this:
you can run a password audit using MBSA 2.0 and it will report if the passwords on the local machine are weak or strong, it doesn’t actually reveal the password itself. If this ex-coworker did something along these lines, what was the explanation for his dismissal? The fact that he performed the password audit itself, did they view that as a violation of security? Why wouldn’t the local system admins get in trouble for not locking down the user’s machine and local resources so that he couldn’t perform the password audit in the first place?

Just curious.

thx… rob,wpg

None of the above

In reply to Which of these security sins have you committed to “get the job done”?

If the password isn’t immediately available to me I wait for the person responsible to return after all I’m being paid by the hour so I don’t care. 😀

As far as opening a port for remote access I’ve only done this when there was no other way in and always with the knowledge of the owner so I don’t consider this as a [b]Bad Thing to do[/b] but if I was to do something like this without the owners knowledge and for personal gain that would be a different story.

As for the taking data home generally when I do this it’s on a bad HDD that’s been replaced and I need to recover the data so it’s cheaper for the customer to have me remove the HDD from the site and work on it while I can start off another job/s and just allow the recovery program to run in the background I tend not to charge for the time involved when I do things like this and most of the time the drives are encrypted so instead of costing several thousand $ to recover the data it only costs them a small percentage of the proper cost as it hasn’t been a [b]All my Time & Effort Enterprise[/b] so I don’t need to charge for the 75 hours taken to recover the data. Of course if they want me to do it On Site I’m willing but the time wasted there is going to cost them far more than several new top of the range computers. :^0

Of course when I’m paid to do some [b]Penetration Testing[/b] that’s a different story and I’ll do all of the above and more to get in but that’s what they are paying me for.

Col

Number 1

In reply to Which of these security sins have you committed to “get the job done”?

I once had to hack a password without permission in order to get a job accomplished in time. However, no one cared about the methods I used to get the job done. They wanted only the result.

d – None of the Above

In reply to Which of these security sins have you committed to “get the job done”?

Inover a dozen years of administering, I’ve *NEVER* done any f these….

Hank Arnold

Maybe, Not sure

In reply to Which of these security sins have you committed to “get the job done”?

I have hacked passwords and still do on occasion. The permission part can get fuzzy. I now must require better documentation of permission before proceeding just to cover my butt.

I have never performed remote access outside of established policy.

Take sensitive, unsecured data home. Sure, everytime I take my laptop home, but not intentionally. Doesn’t almost everybody? I’m trying to convice the powers that be to deploy disk encryption in the standard build. Realistically, unless you wipe the drive and install a fresh build, you do not what unintentional data has been cached for you by the OS. At a minimum, my network credentials reside cached so I may logon with the same account I use at the office. So, unless you are using encryption, or wiping and reinstalling before taking the laptop home, then you are taking sensitive data home.

Other, possibly. But like the sensitive data issue, analysis will probably reveal more of us are sinners than we would like to believe.

Other

In reply to Which of these security sins have you committed to “get the job done”?

I issue the passwords at my company so I don’t need permission to look them up or reset them. We have a terminal server so I can have remote access whenever I need it as well. Because of the terminal server there’s never any need to take sensitive data home. Some security sins I’m guilty of are reissuing the same password, allowing admin access on a handful of computers to allow server updates to some desktop apps, using non-commercial freeware anti virus, allowing managers to keep lists of their employees’ passwords. Most of these I have argued against, but at the end of the day I just follow orders. If I’ve given my recommendations against these practices, and if a breach occurs, I don’t feel responsible. In this type of situation I let my superior learn the tough lesson. After all, of all people my superior should know better than I do. When possible I follow orders but keep my implementation handy so when a fix is called for, I have it ready to go.

i’ll drink the fifth on this one…..

In reply to Which of these security sins have you committed to “get the job done”?

would you believe all of the above?

well, not all at once.

All that and some

In reply to Which of these security sins have you committed to “get the job done”?

I’m the only IT person in a small company so I pretty much have to do it all. Here’s my rap sheet.
1.Hacked a password to get info on an employee who was jacking customers to take with him when he left.
2.Opened a port for remote access so I could go hame for the evening and finish the job.
3.Taking sensitive data home every day because no one understands the need to off site backup. In my defense this data is always encrypted.
4.Broke in to my own server from home to prove to the general manager that the security suite he purchased without my knowledge was garbage.
5.Hacked the password on several of the above mentioned general manager’s files. This may not count though because I was under orders from the owner.
6.Read employee email, again under orders from the owner and general manager.
That’s all I can think of right now. *sigh* Small company IT is certainly an adventure.

All, and more

In reply to Which of these security sins have you committed to “get the job done”?

Security policies exist to protect my network from someone else…not to keep me from doing my job. I am responsible for the fall-out and I do make it happen.

[Author]

Replies