Every industry is full of technical hills that people plant their flag on. What is yours?

  • unknownuserunknownlocation@kbin.earth · 13 upvotes · 1 day ago

    IT restrictions should be much more conservatively applied (at least in comparison to what’s happening in my neck of the woods). Hear me out.

    Of course, if you restrict something in IT, you have a theoretical increase in security. You’re reducing the attack surface in some way, shape or form. Usually at the cost of productivity. But also at the cost of the employees’ good will towards the IT department and IT security. Which is an important aspect, since you will never be able to eliminate your attack surface, and employees with good will can be your eyes and ears on the ground.

    At my company I’ve watched restrictions getting tighter and tighter. And yes, it’s reduced the attack surface in theory, but holy shit has it ruined my colleagues’ attitude towards IT security. “They’re constantly finding things to make our job harder.” “Honestly, I’m so sick of this shit, let’s not bother reporting this, it’s not my job anyway.” “It will be fine, IT security is taking care of it anyway.” “What can go wrong when our computers are so nailed shut?” It didn’t used to be this way.

    I’m not saying all restrictions are wrong, some definitely do make sense. But many of them have just pissed off my colleagues so much that I worry about their cooperation when shit ends up hitting the fan. “WTF were all these restrictions for that castrated our work then? Fix your shit yourself!”

    • SimpleMachine@sh.itjust.works · 1 upvote · 15 minutes ago

      This one definitely drives me nuts, but these days I don’t see how else to keep systems safe. It would be nice and probably be pretty effective if you could just prove to your IT team that you’re not a moron to get reduced restrictions though. Most people I imagine would fail or not even make the effort, so you could be reasonably sure the risk was minimized this way.

    • myfunnyaccountname@lemmy.zip · 5 upvotes · 1 day ago

      You pay me to admin 400 servers on a couple million dollars worth of hardware. Let me install a fucking app on my own machine without 4 levels of bullshit.

      • neidu3@sh.itjust.works · 3 upvotes · 1 day ago

        The IT admin at my previous job and I had this understanding, as I dealt with field hardware, and he dealt with the “normal” IT stuff.

        Once a merger caused the corporate requirement of only allowing whitelisted apps to run, my laptop was simply disappeared from the requirement list. It made it easier for the both of us. I could be on the other side of the world in sudden need of running some proprietary BS software that had to be whitelisted, and nobody wanted me to have to wake someone up to whitelist stuff.

        When you deal with network hardware that cost more than most PCs, and the server clusters cost more than a house, some leeway should be allowed.

    • Tar_Alcaran@sh.itjust.works · 5 upvotes · 1 day ago

      you will never be able to eliminate your attack surface, and employees with good will can be your eyes and ears on the ground.

      All the good will in the world won’t make up for ignorance. Most people know basically next to nothing about IT security, and will just randomly click shit to make the annoying box go away and/or get to where they think they want to go. And if that involves installing a random virus they’ll happily do it, and be annoyed that it requires their password.

    • Lemming421@lemmy.world · 1 upvote · 19 hours ago

      Sure, but the reason isn’t always just security.

      We have government contracts and want more. But to get those, they insist on us doing a bunch of security things.

      So it sucks for the users, but if we don’t implement the restrictions, we lose the contracts and thus the income.

      And as a side benefit, holy shit we are pretty secure. Next annual pentest soon and I’m expecting good things from it!

    • tal@lemmy.today · 4 upvotes · 1 day ago

      A major part of that is, I think, that desktop OSes are, “by default, insecure” against local software. Like, you install a program on the system, it immediately has access to all of your data.

      That wasn’t an unreasonable model in the era when computers weren’t all persistently connected to a network, but now, all it takes is someone getting one piece of malware on the computer, and it’s trivial to exfiltrate all your data. Yes, there are technologies that let you stick software in a sandbox, on desktop OSes, but it’s hard and requires technology knowledge. It’s not a general solution for everyone.

      Mobile OSes are better about this in that they have a concept of limiting access that an app has to only some data, but it’s still got a lot of problems; I think that a lot of software shouldn’t have network access at all, some information shouldn’t be readily available, and there should be defense-in-depth, so that a single failure doesn’t compromise everything. I really don’t think that we’ve “solved” this yet, even on mobile OSes.
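      The sandboxing tal refers to, as an added example that is not part of the thread: a Linux seccomp-BPF filter that a process installs on itself before running untrusted code, so that socket(2) fails with EPERM for every address family except AF_UNIX (local IPC keeps working, the network does not). It assumes Linux on x86-64 or aarch64, little-endian, and a kernel with seccomp filter support; the `deny_network_syscalls` and `probe_socket` names are this example’s own. It only covers the one syscall, so an inherited socket or a helper that already holds a connection is not stopped, which is exactly the kind of gap defense-in-depth is meant to cover.

```c
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Syscall numbers are per-architecture, so the filter first checks the arch
   and kills the process on a mismatch (assumption: x86-64 or aarch64). */
#if defined(__x86_64__)
#define FILTER_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define FILTER_ARCH AUDIT_ARCH_AARCH64
#else
#error "example filter only written for x86-64 and aarch64"
#endif

/* Install a seccomp-BPF filter on the calling process: every syscall is
   allowed except socket(2) with a domain other than AF_UNIX, which fails
   with EPERM. The filter is inherited by children and cannot be removed. */
static int deny_network_syscalls(void)
{
    struct sock_filter filter[] = {
        /* 0: load arch; 1: if it matches skip the kill at 2 */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, FILTER_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        /* 3: load syscall number; 4: anything but socket() jumps to ALLOW at 8 */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_socket, 0, 3),
        /* 5: load low 32 bits of args[0] (the domain; little-endian assumed);
           6: AF_UNIX jumps to ALLOW at 8, anything else falls to EPERM at 7 */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[0])),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AF_UNIX, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
        .filter = filter,
    };
    /* Without no_new_privs an unprivileged process may not install a filter
       (it could otherwise use one to confuse a setuid binary). */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        return -1;
    return 0;
}

/* Fork a child, optionally sandbox it, and have it try socket(domain, SOCK_STREAM, 0).
   Returns 0 if the child's socket() succeeded, the child's errno if it failed,
   or -1 if fork/wait failed or the filter could not be installed. */
int probe_socket(int sandboxed, int domain)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (sandboxed && deny_network_syscalls() != 0)
            _exit(200);                     /* sentinel: filter install failed */
        int fd = socket(domain, SOCK_STREAM, 0);
        if (fd >= 0) {
            close(fd);
            _exit(0);
        }
        _exit(errno & 0xff);                /* EPERM == 1 on Linux */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    int code = WEXITSTATUS(status);
    return code == 200 ? -1 : code;
}

int main(void)
{
    printf("unsandboxed AF_INET: %d\n", probe_socket(0, AF_INET));   /* 0 */
    printf("sandboxed   AF_UNIX: %d\n", probe_socket(1, AF_UNIX));   /* 0 */
    printf("sandboxed   AF_INET: %d (EPERM=%d)\n", probe_socket(1, AF_INET), EPERM);
    return 0;
}
```

      The filter returns EPERM rather than killing the process so that well-behaved software degrades (it sees a failed socket() and can report it) instead of crashing, which is the behaviour a desktop user would actually tolerate; a policy that kills on first violation is the stricter choice for code you do not trust at all.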