House of Hackers

J

When is there too much security?

I remember starting out as an intern (not all that long ago it feels, but still). The idea that I could actually do something to affect hundreds or thousands of people a day seemed amazing. I started out doing little things of course, but suddenly realized that the company I worked for made it over-complicated to get anything done. The complication was security. I of course understood the need for it, but at the same time found it almost entertaining that many people could not do their jobs because some of the required programs or connections were not allowed to them. The strictness of this security was even more entertaining when a couple of us found a way to go "off the grid", so to speak, so that we could finally get the necessary access to finish our jobs without waiting for a week or more just so an administrator could change our specific allowances (which usually only took a few seconds). I must qualify that these were not random occurrences; they were places that we needed access to that were either never on, or only on for specific amounts of time.


In larger companies there is always the need for security. However, when security gets in the way of productivity it seems unnecessary to have it at quite that level. If you can't do the work that results in profits, what's the point in keeping the work that exists safe? An out-of-business company is apparently the only completely secure company in the minds of those admins. Now granted, this group was not the brightest. The ones that I work with now are far better in comparison. But it bothers me that such places are probably quite numerous. Many businesses may actually run more efficiently if the administrators were just aware of the needs of the user, and while least privilege is important, too little privilege could result in lost work time and a downturn in efficiency for the whole company. It is the administrator's job to keep the working users online and safely connected. For most companies that need to worry to this extent, there should be a constant ability to sit down and verify each area of the network and how it is functioning for the users there: what permissions they need, and which they don't (as these can change over time). It isn't easy, but that's part of the fun of it.


Comment by ph33t on June 9, 2008 at 6:47pm
There is a huge difference between someone with physical access to a computer telling the computer to execute code, another piece of code instructing the computer to execute code, and a remote user or process executing code. The o/s doesn't seem to be able to figure it out, so it's always asking. If someone has physical access to a computer (encrypted drives notwithstanding) there isn't much they can't do regardless of the user rights they have. It is my belief that the o/s itself should distinguish who is doing the executing (am I clicking something?) and manage what it prompts for based on that. There is zero reason on my Vista machine, when I start up an admin control panel app, that I should have to be annoyed by a "continue" prompt ... *as long as* the o/s knows that the user actually used the mouse or keyboard to activate the command. Bottom line is that things could be a lot smoother.
Comment by scorcher821 on June 5, 2008 at 10:01pm
As far as security vs. productivity is concerned, there must be a balance. You have to optimize your productivity while still having some sort of security-oriented network. I suppose you could theorycraft a bunch of numbers and estimate the risk of your network being compromised vs. the amount of profit being lost, but that sort of thing can take months if your company is large. However, if you want to have optimal (not maximum) profits and security, that'd be the way to go.
Comment by J on June 3, 2008 at 5:47pm
Exactly my point. I am not a huge fan of Vista myself, but a few clicks of the mouse are worth not losing every piece of information on my system. You are right about paranoia as well. Lack of trust can become a huge problem even outside of the security issue, because people will take it into their daily work and let it cause tie-ups in the normal business flow.
Comment by Happy-Dude on June 3, 2008 at 3:23am
People have too much security when:
--Performance slows (computing-wise, when the computer is bogged down)
--When nothing can be accessed (i.e. too strict, such as a Websense filter blocking Digg)
--When there is practically no more trust amongst people. Paranoia, in other words.

Then again, there are tools such as Vista's UAC, which is annoying, but if you bear with it, it can provide you with better security (prevention of rootkits in a recent AV-Comparatives test), and still allow user control. Just click -OK- and let it do its thing ...
Comment by J on June 2, 2008 at 1:28pm
This is all very true. Especially what you said about incompatible duties; however, that is usually a one-off. A quick exception to the rule and not the daily work that I am speaking of. The problem is that there are some administrators that simply don't know the correct way to conform to security protocols without accidentally shutting off access to necessary functions. This has been very obvious to me in the past few jobs I've had. If someone needs to reach information that is known to be of high importance on a daily basis, that person should be inspected closely and often. When my uncle began working on government contracts they did this and went far into his background before ever allowing him access to anything, and came back for unscheduled checkups for the next several years. After all, social engineering works both ways, right?

Legislation thus far hasn't really done anything to cause these problems. A lack of knowledge is usually to blame. Not just knowledge of the security tools, but also of the job descriptions to which you are applying those tools. We all know you can't just check every box. Unfortunately a lot of people out there try to :)
Comment by dev0id on May 31, 2008 at 5:58pm
You are right in your point of view. However, I have to say the following:
Big companies have strong and trusted business processes established. Also, lots of business risks are associated with these processes. Lack of controls related to segregation of incompatible duties, for example, gives the opportunity to realize (exploit) the business risks mentioned above.
Most companies use a risk-based approach in securing data. Also, we have to remember that all countermeasures implemented (organizational, technical) are targeted to secure financial data and to not allow the business to be stopped.
Thanks.
P.S.
Some companies need to be in compliance with legislation on questions of information security, and special security requirements may be regulated by law or contractors.
