(Some unsecured source)   Step 1: Leave random USB thumb drives and CDs lying around the parking lot of a government facility working with classified materials and secured computers. Step 2: ??? Step 3: Facepalm   (strategypage.com)
    More: Fail, flash drives, security clearance, USB  
15371 clicks; posted to Main on 06 Jul 2011 at 10:09 AM



148 Comments
 
2011-07-06 11:07:29 AM

veryunoriginal: Rincewind: Agreed, but they'll give anyone a clearance these days.

A security clearance isn't designed to test for intelligence. A security clearance identifies the person holding it as being an acceptable risk to the employer, i.e. based on their history, criminal record, finances and ideology they are less likely to compromise (or be coerced to compromise) security than an uncleared person.

Having a security clearance doesn't mean you know any more about information security or proper procedures than someone off the street. The HR department should be responsible for weeding out candidates who are too dumb to follow basic rules. After that, making a security breach a fire-able offence might make people think twice before plugging in an unknown USB key into their PC's slot.


Yep. You're right, but so much money is spent on clearance investigations that they're reluctant to either fire anyone or revoke a clearance. I've seen this in action.

Most day-to-day security violations or spillages come from high level employees or General Officers. They're not going anywhere and it's a slap on the wrist when they do get caught.

IA is a losing game. You spend the money, make the policies and wait for it to happen. It will sooner rather than later. Best to have a good clean up plan in place.
 
2011-07-06 11:08:51 AM

Unoriginal_Username: Izunbacol: I can almost see the rationale - find CDRs and flash memory devices in the parking lot, wonder "Why are these here? Is there classified info on here? I should get it inside and check it out before this stuff gets compromised."

Good point but there should be an SOP for that. If something is found bring to a central location to verify


There is. "Report and deliver it to your IASO." And yes, our annual IA training covers this. Some people just can't be trained. Fortunately, most of those will be retiring in the next few years.
 
2011-07-06 11:11:13 AM

fang06554: Sounds like the place in the article either isn't handling classified information, or is doing something terribly wrong.


Yea. It's hiring and clearing morons who pick up random debris in the parking lot and then jam it into their work computers.

At some point, if a user has any access to anything at all, they have to take some responsibility. If you have any access at all to anything then that thing is, on some level, exposed in a way that only you can protect it from misuse. I can certainly protect every bit of data from every idiot in the place, but you're not going to like it when I just walk downstairs and rip all the cables out of all the patch panels, because that's the only way I can protect the place in absolute terms from stupid people: give them no access to anything.

Great, you disabled removable mass storage. What are you going to do when some idiot prints out classified documents, drops them on a conference table somewhere and forgets them, they get into the hands of someone without clearance and then that person runs off with them and plops them on Wikileaks? Is it your fault you didn't disable their access to printers?

Computers are tools that help people do their jobs. When the tools were simpler, just pencils and paper, we trusted the users not to jab out their own eyes. Now the tools are more complex, but they're still just tools, and there still needs to be responsibility and accountability for using those tools. At some point we need to stop making excuses for lazy idiots and start expecting people to have a basic understanding of common, everyday tools they've been using for years or even decades to do their jobs. And if you cannot use those tools properly, you should be fired just as you would be if you were unable to perform any other basic function of your job.
 
2011-07-06 11:14:51 AM

brigid_fitch: kingoomieiii: I work with DOD guys all the time... it's hell and a half getting a screen shot out of a building even on a non-classified project.

Don't blame the DoD guys.


Oh, no, I don't. They all hate it.
 
2011-07-06 11:14:58 AM

Splinshints: Computers are tools that help people do their jobs. When the tools were simpler, just pencils and paper, we trusted the users not to jab out their own eyes. Now the tools are more complex, but they're still just tools, and there still needs to be responsibility and accountability for using those tools. At some point we need to stop making excuses for lazy idiots and start expecting people to have a basic understanding of common, everyday tools they've been using for years or even decades to do their jobs. And if you cannot use those tools properly, you should be fired just as you would be if you were unable to perform any other basic function of your job.


This, so much.
 
2011-07-06 11:18:40 AM

vartian: Again, if I can disable your system with a USB flash drive, you haven't done your job.


You've got that all wrong. It should be "If you've given a top-secret clearance to someone who has no common sense, you haven't done your job."
 
2011-07-06 11:20:53 AM

Splinshints: And if you cannot use those tools properly, you should be fired just as you would be if you were unable to perform any other basic function of your job.


The general poor quality of government managers, coupled with the protections of civil service make it damned hard to fire all but the most blatant violators. Government managers face challenges in evaluating and counselling employees, due to the lack of obvious metrics for many positions, but this is compounded by the sheer lack of real management skills by most supervisors, and their inability to understand the basics of what they need to do to get an employee fired.
 
2011-07-06 11:22:14 AM

PanicMan: brigid_fitch: Did I read that right? If you work at an information-sensitive job, find random CDs & USB drives lying around the parking lot, and decide to use your work computer to see what's on them, it's NOT your fault if a virus was on them? It's the fault of the company for allowing the system to be compromised like that? What kind of BS is that? What moron doesn't know not to plug an unknown storage device into a work computer? My job's hardly a matter of national security but if one of my guys did that, I'd fire him!

It still amazes me how unaware the average person is of basic computer security practices. My boss recently asked a group of us to put all our personal contact information in a spreadsheet on a public drive accessible to hundreds of people. Phone numbers, home address, work schedule, etc. I wrote mine down and handed it to him in person.


I'll come at it from the other side (and I guess pretty much restate the main point of this article). I work with defense-related data all the time, but I'm one of the guys who's actually producing the data. I don't have advanced training in protecting it, just as the IT guy doesn't have advanced training in not touching or breathing in the fumes of the stuff I'm making. Instead, we keep the door locked and don't let him in. Problem solved. If I can do something detrimental by being careless, why doesn't the IT guy just prevent me from having the opportunity to be careless in the first place?

/Understand what you're saying about personal data, though.
//No, you don't need my SSN to issue me a parking pass.
 
2011-07-06 11:22:46 AM

Accolade: Who promptly handed it to his secretary to enter into the unsecured spreadsheet.


Probably. It's like I'm speaking a foreign language here. It's incredibly frustrating. It doesn't help that there's a few people below 30, but the majority are 40s and 50s or older.
 
2011-07-06 11:27:02 AM

incrdbil: Government IT /security workers are jerks. Every practice they put into place is user hostile, and negatively impacts the ability to get the job done..then the morons dare act all surprised when users short circuit security.

Seriously..the only way we can move files about our office now is burning to CD. We can't have USB drives, and the one shared network drive we are allowed to have access to (we can't share anything on our computer) is full..because they allocated less than 100G to a large office with intense document sharing needs.

The card we have to use to log into our computers is an annoying pain; our ever evolving more secure email is less and less useful with every version.

My deepest scorn and disrespect to every individual who works in Information Assurance and security within the Department of Defense; you fail at security, and only succeed in harming users' ability to get their job done. You suck in every way government work can suck. You waste time, and money with procedures that don't work, and are obviously inferior to the practices carried out by private firms.


You fail in understanding that every time an assclown like you can't follow rules because waaaaaa it's easier not to, we in IA have to put in place harder rules. I should be allowed to fire someone as lazy as you.
 
2011-07-06 11:29:26 AM
I'm really curious as to the reputable source for this. If anyone has a different link that doesn't wax ecstatic about the brilliance of Apple in a DoD noncompliance article, that would be awesome to the max.

Step 1) Protocol in a facility that handles any level of classified information is to submit to the proper media custodian any media that is not properly labeled for destruction. This is the same when it's Unclassified.

Step 2) there is no step 2. it's just that simple.

There's absolutely nothing to gain from "finding out what classified stuff might be on it."
 
2011-07-06 11:33:55 AM
Apple has grown prosperous by not thinking of their customers as clueless users

Now THAT is FUNNY.
 
2011-07-06 11:37:23 AM

An-Unnecessarily-Long-Name: incrdbil: Government IT /security workers are jerks. Every practice they put into place is user hostile, and negatively impacts the ability to get the job done..then the morons dare act all surprised when users short circuit security.

Seriously..the only way we can move files about our office now is burning to CD. We can't have USB drives, and the one shared network drive we are allowed to have access to (we can't share anything on our computer) is full..because they allocated less than 100G to a large office with intense document sharing needs.

The card we have to use to log into our computers is an annoying pain; our ever evolving more secure email is less and less useful with every version.

My deepest scorn and disrespect to every individual who works in Information Assurance and security within the Department of Defense; you fail at security, and only succeed in harming users' ability to get their job done. You suck in every way government work can suck. You waste time, and money with procedures that don't work, and are obviously inferior to the practices carried out by private firms.

You fail in understanding that every time an assclown like you can't follow rules because waaaaaa it's easier not to, we in IA have to put in place harder rules. I should be allowed to fire someone as lazy as you.


IT guys are the worst. I'm not sure if it's because they all have assburger's or if it's because they realize that they're a dime a dozen.

If I were so negligent in my job that people were able to injure themselves or the company I'd be fired. That's why I restrict access to dangerous areas. The IA department should be required to do the same thing.
 
2011-07-06 11:38:17 AM

THE_JESUS_PANTS: I'm really curious as to the reputable source for this. If anyone has a different link that doesn't wax ecstatic about the brilliance of Apple in a DoD noncompliance article, that would be awesome to the max.

Step 1) Protocol in a facility that handles any level of classified information is to submit to the proper media custodian any media that is not properly labeled for destruction. This is the same when it's Unclassified.

Step 2) there is no step 2. it's just that simple.

There's absolutely nothing to gain from "finding out what classified stuff might be on it."


Bloomberg Article (supposedly more reliable)
 
2011-07-06 11:40:12 AM

tricycleracer: UberDave: "gummed" USB ports

Savages in this town.


I read that in Hunter S. Thompson's voice...
 
2011-07-06 11:46:43 AM

THE_JESUS_PANTS:
There's absolutely nothing to gain from "finding out what classified stuff might be on it."


Except for the whole finding out who/how is copying classified information onto portable storage then carelessly losing it in the parking lot thing.
 
2011-07-06 11:47:18 AM

32oz High Life: I'll come at it from the other side (and I guess pretty much restate the main point of this article). I work with defense-related data all the time, but I'm one of the guys who's actually producing the data. I don't have advanced training in protecting it, just as the IT guy doesn't have advanced training in not touching or breathing in the fumes of the stuff I'm making. Instead, we keep the door locked and don't let him in. Problem solved. If I can do something detrimental by being careless, why doesn't the IT guy just prevent me from having the opportunity to be careless in the first place?


That's an unreasonably large demand to put on your IT staff, particularly because for a lot of people they have the opportunity to be careless as soon as they sit down at a computer.

Security is always a trade off between usability and protection. Strong security causes people to jump through hoops for the sake of security, and they don't like it. What really needs to happen is a management decision detailing how they deal with this trade off and what their acceptable level of risk is, rather than pushing IT to simultaneously have perfect security and perfect usability.

You can lock your door, but then you need a key to get in. You, the user of the door, need to be an active participant in the security process for that to work out. There are no door solutions that will allow you and only you through the door but not require a key or other identifying component.
 
2011-07-06 11:49:34 AM

shogun: THE_JESUS_PANTS:
There's absolutely nothing to gain from "finding out what classified stuff might be on it."

Except for the whole finding out who/how is copying classified information onto portable storage then carelessly losing it in the parking lot thing.


Yeah, but unless that's your job description you're just being a gossip. Secure installations always have someone in charge of "crap left lying around". It's his job to figure out what to do with it, not yours.
 
2011-07-06 11:56:47 AM

Fubini: 32oz High Life: I'll come at it from the other side (and I guess pretty much restate the main point of this article). I work with defense-related data all the time, but I'm one of the guys who's actually producing the data. I don't have advanced training in protecting it, just as the IT guy doesn't have advanced training in not touching or breathing in the fumes of the stuff I'm making. Instead, we keep the door locked and don't let him in. Problem solved. If I can do something detrimental by being careless, why doesn't the IT guy just prevent me from having the opportunity to be careless in the first place?

That's an unreasonably large demand to put on your IT staff, particularly because for a lot of people they have the opportunity to be careless as soon as they sit down at a computer.

Security is always a trade off between usability and protection. Strong security causes people to jump through hoops for the sake of security, and they don't like it. What really needs to happen is a management decision detailing how they deal with this trade off and what their acceptable level of risk is, rather than pushing IT to simultaneously have perfect security and perfect usability.

You can lock your door, but then you need a key to get in. You, the user of the door, need to be an active participant in the security process for that to work out. There are no door solutions that will allow you and only you through the door but not require a key or other identifying component.


That's a good point -- the door tends to be enough to keep people out, but I have no real way of preventing someone from opening the door for someone else.

The fear of death or disfigurement is usually enough to keep people out. Maybe the IT guy could figure out a way to attach a capsule that would release a small amount of poisonous gas anytime someone inserted a non-secure USB drive.
 
2011-07-06 11:59:40 AM

32oz High Life: If I were so negligent in my job that people were able to injure themselves or the company I'd be fired. That's why I restrict access to dangerous areas. The IA department should be required to do the same thing.


Sometimes people need access to dangerous areas to do their job.

When you're a safety engineer you can tell your co-workers "do this or you'll suffer grievous bodily harm or death" and they'll sit up and listen because no one wants to suffer horrific industrial accidents. The people who get hurt from not following safety procedures are either them or people in their immediate area.

When you're in IT you tell your co-workers "do this or we open ourselves to potential security breaches". People get tired of the regulations because they seem arbitrary and there's no immediate consequence for when they violate the regulation. The other problem (though this is common to safety engineers too) is that sometimes people think they're above the rules, e.g. "I don't have to listen to the regulations about removable media because I'm not stupid enough to forget that CD someplace".

The management at these installations need to clearly define the expectation of security and the penalties for breaches of that security. Some places people can be fired on the spot for risky computer behavior, while other places people laugh it off and treat it like a slap on the wrist. Unsurprisingly, that attitude affects the overall security of the installation.
 
2011-07-06 12:00:24 PM

An-Unnecessarily-Long-Name:
You fail in understanding that every time an assclown like you can't follow rules because waaaaaa it's easier not to, we in IA have to put in place harder rules. I should be allowed to fire someone as lazy as you.


Typical IA stupidity. "They won't follow our rules..we'll make the rules even more annoying, that should make them compliant!"

Most workers want to follow the rules, but at the end of the day, when your boss says "Do this"..Joe Worker is going to do it, and tell IA to go blow themselves. Sure, some users are violating security because they are lazy and morons, but others are doing it because the person who evaluates them, their boss, is telling them to do so. This is a direct consequence of lazy thinking when it comes to devising policies and the general arrogant mindset of Government IA workers, who view users as contemptible peasants..and not the people they should be concerned about. Work with users, you'll get more compliance. Keep the typical IA attitude, and you'll keep having security violations.

Of course, the easiest way for the managers of IA departments to justify more money for their departments is tied to the perception of dire security issues. hmm.....

Oh, off topic here: I think I'm justified in saying someone's PST has grown a tad excessive when I have to break it down and spread it over 8 DVDs. If only there were some form of portable mass storage device that could handle the entire file. Maybe it'll be done by this afternoon
 
2011-07-06 12:00:33 PM

32oz High Life: Fubini: 32oz High Life: I'll come at it from the other side (and I guess pretty much restate the main point of this article). I work with defense-related data all the time, but I'm one of the guys who's actually producing the data. I don't have advanced training in protecting it, just as the IT guy doesn't have advanced training in not touching or breathing in the fumes of the stuff I'm making. Instead, we keep the door locked and don't let him in. Problem solved. If I can do something detrimental by being careless, why doesn't the IT guy just prevent me from having the opportunity to be careless in the first place?

That's an unreasonably large demand to put on your IT staff, particularly because for a lot of people they have the opportunity to be careless as soon as they sit down at a computer.

Security is always a trade off between usability and protection. Strong security causes people to jump through hoops for the sake of security, and they don't like it. What really needs to happen is a management decision detailing how they deal with this trade off and what their acceptable level of risk is, rather than pushing IT to simultaneously have perfect security and perfect usability.

You can lock your door, but then you need a key to get in. You, the user of the door, need to be an active participant in the security process for that to work out. There are no door solutions that will allow you and only you through the door but not require a key or other identifying component.

That's a good point -- the door tends to be enough to keep people out, but I have no real way of preventing someone from opening the door for someone else.

The fear of death or disfigurement is usually enough to keep people out. Maybe the IT guy could figure out a way to attach a capsule that would release a small amount of poisonous gas anytime someone inserted a non-secure USB drive.


Or maybe an ink-bomb. Public shame really puts people in line.
 
2011-07-06 12:01:19 PM

Fubini: 32oz High Life: I'll come at it from the other side (and I guess pretty much restate the main point of this article). I work with defense-related data all the time, but I'm one of the guys who's actually producing the data. I don't have advanced training in protecting it, just as the IT guy doesn't have advanced training in not touching or breathing in the fumes of the stuff I'm making. Instead, we keep the door locked and don't let him in. Problem solved. If I can do something detrimental by being careless, why doesn't the IT guy just prevent me from having the opportunity to be careless in the first place?

That's an unreasonably large demand to put on your IT staff, particularly because for a lot of people they have the opportunity to be careless as soon as they sit down at a computer.

Security is always a trade off between usability and protection. Strong security causes people to jump through hoops for the sake of security, and they don't like it. What really needs to happen is a management decision detailing how they deal with this trade off and what their acceptable level of risk is, rather than pushing IT to simultaneously have perfect security and perfect usability.

You can lock your door, but then you need a key to get in. You, the user of the door, need to be an active participant in the security process for that to work out. There are no door solutions that will allow you and only you through the door but not require a key or other identifying component.


Actually, we ran into that exact situation a few years back. Had a locked door, employees had a key card. After ten too many weekend "hey VP I left my card at home come open this so I can work", we put in fingerprint readers. I'm sure someone will lose a finger on the way in to work one day.
 
2011-07-06 12:01:51 PM
Disable auto-run via GPO
Disable thumb drive access in the OS
Disable CD access

Problem solved?

In a large enterprise Auto-run should be off no matter what. In a government facility with classified data, thumb drives should be heavily restricted anyway along with CD access.

Anything that needs to be installed via CD should be ripped from the master and put into whatever package/software delivery solution your company uses. No real need for either.

Thin clients help a little bit too.
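
The three settings listed in the post above, as an added read-only audit that is not part of the original thread: it reads the standard Windows registry values behind the AutoRun policy, the USB mass-storage and CD-ROM drivers, and the removable-storage deny-all policy. The control names and pass criteria are this example's assumptions.

```powershell
# Added example: read-only audit of the controls named in the post
# (AutoRun off, thumb drive access off, CD access off). Nothing is modified.
# Pass criteria below are assumptions of this example, not a published baseline.

$checks = @(
    [pscustomobject]@{
        Control = 'AutoRun off for every drive type'
        Path    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
        Name    = 'NoDriveTypeAutoRun'
        # Bitmask per drive type (0x04 removable, 0x20 CD-ROM); 0xFF covers all types.
        Pass    = { param($v) ($v -band 0xFF) -eq 0xFF }
    },
    [pscustomobject]@{
        Control = 'USB mass-storage driver disabled'
        Path    = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
        Name    = 'Start'
        # Service start type 4 = disabled.
        Pass    = { param($v) $v -eq 4 }
    },
    [pscustomobject]@{
        Control = 'CD/DVD driver disabled'
        Path    = 'HKLM:\SYSTEM\CurrentControlSet\Services\cdrom'
        Name    = 'Start'
        Pass    = { param($v) $v -eq 4 }
    },
    [pscustomobject]@{
        Control = 'Removable storage: deny all access (Group Policy)'
        Path    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
        Name    = 'Deny_All'
        Pass    = { param($v) $v -eq 1 }
    }
)

function Get-RegistryValue {
    param([string]$Path, [string]$Name)
    # A missing key or value returns $null instead of raising an error.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$results = foreach ($c in $checks) {
    $value = Get-RegistryValue -Path $c.Path -Name $c.Name
    # An unset value counts as non-compliant: the control was never applied.
    $ok    = ($null -ne $value) -and (& $c.Pass $value)
    $shown = if ($null -eq $value) { '(not set)' } else { '0x{0:X}' -f $value }

    [pscustomobject]@{
        Control   = $c.Control
        Value     = $shown
        Compliant = [bool]$ok
    }
}

$results | Format-Table -AutoSize

$failed = @($results | Where-Object { -not $_.Compliant })
Write-Output ("{0} of {1} controls not in place" -f $failed.Count, $checks.Count)
```

Running it from a scheduled task on each workstation and collecting the last line gives a quick view of which machines drifted from the policy.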
 
2011-07-06 12:10:23 PM

incrdbil: An-Unnecessarily-Long-Name:
You fail in understanding that every time an assclown like you can't follow rules because waaaaaa it's easier not to, we in IA have to put in place harder rules. I should be allowed to fire someone as lazy as you.

Typical IA stupidity. "They won't follow our rules..we'll make the rules even more annoying, that should make them compliant!"

Most workers want to follow the rules, but at the end of the day, when your boss says "Do this"..Joe Worker is going to do it, and tell IA to go blow themselves. Sure, some users are violating security because they are lazy and morons, but others are doing it because the person who evaluates them, their boss, is telling them to do so. This is a direct consequence of lazy thinking when it comes to devising policies and the general arrogant mindset of Government IA workers, who view users as contemptible peasants..and not the people they should be concerned about. Work with users, you'll get more compliance. Keep the typical IA attitude, and you'll keep having security violations.

Of course, the easiest way for the managers of IA departments to justify more money for their departments is tied to the perception of dire security issues. hmm.....

Oh, off topic here: I think I'm justified in saying someone's PST has grown a tad excessive when I have to break it down and spread it over 8 DVDs. If only there were some form of portable mass storage device that could handle the entire file. Maybe it'll be done by this afternoon


Again, the typical attitude of "work" before security. IA depts are massively underfunded, over worked and under appreciated. I hope when you get your identity stolen or you compromise a classified program because you violated a simple rule you think about that from the unemployment line.

Large PST is really your best argument? You simply have no idea what goes into attempting to keep a network secure and useable when your biggest security flaw is lazy employees.
 
2011-07-06 12:13:00 PM

Geeves00: Disable auto-run via GPO
Disable thumb drive access in the OS
Disable CD access

Problem solved?

In a large enterprise Auto-run should be off no matter what. In a government facility with classified data, thumb drives should be heavily restricted anyway along with CD access.
.


Those restrictions on USB storage devices apply to non-classified systems, at least here.
No one should have an issue with USB restrictions on a classified system.
 
2011-07-06 12:13:13 PM

GBB: Step 2: Stick it in the slot.

/duh


...and that's the way you dooooo it!
 
2011-07-06 12:14:24 PM
"It just works" = "Apple users are stupid."
 
2011-07-06 12:14:55 PM
Anybody who picks up a found USB thumb drive and puts it in their computer is asking for it.

/I wonder how much flash powder can fit in a USB thumb drive?
 
2011-07-06 12:16:48 PM

Credy:
Step 1: Don't be a moron and learn something about the equipment you use daily. This also goes for people who don't know the basics of car maintenance. You don't have to be a computer geek or grease monkey to troubleshoot the damn thing and fix common problems.


I've gotten the argument that I need to remember that not everyone is as good with computers as me, and I need to be more understanding and sensitive about that.

I tell them if their job required use of a car and they didn't know how to fill the tank or notice that a tire is flat, they can't whine and say "I'm not a mechanic".

The job has requirements, and most jobs these days require computers or other electronic devices. This is not new news. Viruses, social engineering are topics that often hit mainstream media.

Really? You didn't know you shouldn't fark around on your work computer because you're not a CCNP? This is the answer you're giving me?

Also, (not) plugging in a USB stick is not a question of technical competency. It's a matter of basic listening skills, using your brain, and following directions. The reason you shouldn't plug in an unknown device into your machine isn't because "computers are scary and I don't know how to write a shell script". It's because your boss, HR, and the IT department all said "for God's sake, don't plug outside crap into your computer!"

It's the requirements of the job, people. Learn 'em, and take responsibility.
 
2011-07-06 12:17:34 PM
In graduate school a few years ago we were tasked with doing a red team analysis of the easiest way to gain unauthorized access to government computers. My report said drop a bunch of infected USB drives on keychains with random keys around the parking lot and local lunch spots. My teacher, who worked for DHS, said it was just simple enough to work. Glad to see I was right.

/CSB
 
2011-07-06 12:26:11 PM

WayToBlue: Day_Old_Dutchie

With the secure cloud computing systems out there, coupled with high-bandwidth internet access and VPN tunneling, most corporate/govt computer workstations should not be able to read/write to ANY removable media.

The words "secure" and "cloud" are diametrically opposed to each other.


You aren't too bright are you.
 
2011-07-06 12:26:54 PM

Carth: In graduate school a few years ago we were tasked with doing a red team analysis of the easiest way to gain unauthorized access to government computers. My report said drop a bunch of infected USB drives on keychains with random keys around the parking lot and local lunch spots. My teacher, who worked for DHS, said it was just simple enough to work. Glad to see I was right.

/CSB


Where did you learn that trick from? That's been around since the days of the floppy drives.
 
2011-07-06 12:31:08 PM

An-Unnecessarily-Long-Name: .

Large PST is really your best argument? You simply have no idea what goes into attempting to keep a network secure and useable when your biggest security flaw is lazy employees.


Not really an argument..more of a complaint about someone so OCD they want to keep that much old email. Would be nice if they had a useful data back up source though, other than the DVD option.

Our biggest security flaw is poor IA policies that encourage users to violate them. No policy can eliminate all security violators, but current IA policies push users to do that who would prefer not to do so.
 
2011-07-06 12:34:41 PM

32oz High Life: An-Unnecessarily-Long-Name: incrdbil: Government IT /security workers are jerks. Every practice they put into place is user hostile, and negatively impacts the ability to get the job done..then the morons dare act all surprised when users short circuit security.

Seriously..the only way we can move files about our office now is burning to CD. We can't have USB drives, and the one shared network drive we are allowed to have access to (we can't share anything on our computer) is full..because they allocated less than 100G to a large office with intense document sharing needs.

The card we have to use to log into our computers is an annoying pain; our ever evolving more secure email is less and less useful with every version.

My deepest scorn and disrespect to every individual who works in Information Assurance and security within the Department of Defense; you fail at security, and only succeed in harming users' ability to get their job done. You suck in every way government work can suck. You waste time, and money with procedures that don't work, and are obviously inferior to the practices carried out by private firms.

You fail in understanding that every time an assclown like you can't follow rules because waaaaaa it's easier not to, we in IA have to put in place harder rules. I should be allowed to fire someone as lazy as you.

IT guys are the worst. I'm not sure if it's because they all have assburger's or if it's because they realize that they're a dime a dozen.

If I were so negligent in my job that people were able to injure themselves or the company I'd be fired. That's why I restrict access to dangerous areas. The IA department should be required to do the same thing.


I work for a major fitness company in their IT dept. While it's not chemical weapons manufacturing or anything like that, one of our perks is the ability to fire users that cause network problems. No going to management. We can do it from here.

Granted, we are kind and just in our use of this power, but if a user completely screws the pooch, we can shiatcan them.
 
2011-07-06 12:36:32 PM

Geeves00: Problem solved?


If you really believe that, you have absolutely no business being near anything that requires any knowledge of information and operational security at all.

You can "fix" stupid people doing things like this that way, but they're still stupid, they still lack even a basic awareness of the nature of their own tools, and they still have, apparently, virtually no respect for the sensitivity of the information they've been granted access to. That's the underlying problem, and there is no technical fix for it short of completely removing their access to everything they need to do their job.

You cannot write a fix for any of that into group policy. I can not fix management and hiring problems no matter how much computing power we buy. At some point somebody needs to be accountable for hiring morons who don't know how to use the basic tools required to do their jobs or it's inevitable that some moron will misuse their access to expose something that shouldn't be exposed. You cannot simultaneously give people access to sensitive systems required to do their jobs and completely absolve them of the responsibility of protecting those systems. It's not possible. If an idiot has been hired, that idiot becomes the security problem and you can't program a patch for every possible bit of stupidity they'll undertake no matter how hard you try.

If you lay out thumb drives in the parking lot of a secure organization, every last person who picks one up and does anything short of turning it over to the appropriate technical authority should be immediately terminated because there is no fix out there, short of genetic engineering, for their profound lack of ability to perform their job correctly.
 
2011-07-06 12:37:05 PM

incrdbil: An-Unnecessarily-Long-Name: .

Large PST is really your best argument? You simply have no idea what goes into attempting to keep a network secure and useable when your biggest security flaw is lazy employees.

Not really an argument..more of a complaint, someone so OCD they want to keep that much old email. Would be nice if they had a useful data backup source though, other than the DVD option.

Our biggest security flaw is poor IA policies that encourage users to violate them. No policy can eliminate all security violators, but current IA policies push users to do that who would prefer not to do so.


Problem is that poor (all) IA policies come from Management. I, as an IA guy, have no ability to dictate those policies. Just have to try to educate users who could give a damn less and put out fires from those same lazy slobs.
 
2011-07-06 12:39:28 PM

Izunbacol: I can almost see the rationale - find CDRs and flash memory devices in the parking lot, wonder "Why are these here? Is there classified info on here? I should get it inside and check it out give it to security before this stuff gets compromised."

 
2011-07-06 01:01:41 PM

An-Unnecessarily-Long-Name: Carth: In graduate school a few years ago we were tasked with doing a red team analysis of the easiest way to gain unauthorized access to government computers. My report said drop a bunch of infected USB drives on keychains with random keys around the parking lot and local lunch spots. My teacher, who worked for DHS, said it was just simple enough to work. Glad to see I was right.

/CSB

Where did you learn that trick from? That's been around since the days of the floppy drives.


AOL perfected it.
 
2011-07-06 01:03:01 PM

olapbill: virtualization is your friend


Exactly what I came in to say.

Step 1 Virtualize your desktops
Step 2 Install zero clients
Step 3 GPO and lock down Zero client to turn off USB devices except keyboards and mice
Step 4 Sit back and watch episodes of the IT Crowd

If anyone needs help virtualizing, I work for a great company! Virtuon-inc.com

/Sr. Sys Admin
 
2011-07-06 01:04:01 PM

An-Unnecessarily-Long-Name: Carth: In graduate school a few years ago we were tasked with doing a red team analysis of the easiest way to gain unauthorized access to government computers. My report said drop a bunch of infected USB drives on keychains with random keys around the parking lot and local lunch spots. My teacher, who worked for DHS, said it was just simple enough to work. Glad to see I was right.

/CSB

Where did you learn that trick from? That's been around since the days of the floppy drives.


Floppy drives? You young kids. You know how hard it was to code bots on punch cards?
 
2011-07-06 01:05:18 PM

brigid_fitch: PATRIO


I worked at "Secured information government facility". It wasn't that bad.

The obvious:
no internet access on classified computers
no CD or USB read/write privileges
in fact USB drives and CDs were strictly controlled
no personal business (resume, your next novel) on a classified computer

Less obvious:
list of cleared .exe's; a Stuxnet-type exe would not have installation authority
and I'm pretty sure they grab the OS from a read-only image every time you boot.
All work files were saved in networked areas.
All programs were remote installed
Patches were rolled out quickly, I don't know how we managed but usually the vendors ended up just giving us the source code and we would fix the problems ourselves.
 
2011-07-06 01:08:27 PM

Splinshints: Geeves00: Problem solved?

If you really believe that, you have absolutely no business being near anything that requires any knowledge of information and operational security at all.


It was meant to be a slightly sarcastic way of preventing the average idiot from falling to this type of ploy. Remove their access for these devices within the OS/GPO and it can go a long way with keeping systems safe. Foolproof? Of course not. But it can help weed out those that aren't too determined.

As you said, there's no fix for stupid.
 
2011-07-06 01:19:39 PM

dapsychous: 32oz High Life: An-Unnecessarily-Long-Name: incrdbil: Government IT/security workers are jerks. Every practice they put into place is user hostile, and negatively impacts the ability to get the job done..then the morons dare act all surprised when users short circuit security.

Seriously..the only way we can move files about our office now is burning to CD. We can't have USB drives, and the one shared network drive we are allowed to have access to (we can't share anything on our computer) is full..because they allocated less than 100G to a large office with intense document sharing needs.

The card we have to use to log into our computers is an annoying pain; our ever evolving more secure email is less and less useful with every version.

My deepest scorn and disrespect to every individual who works in Information Assurance and security within the Department of Defense; you fail at security, and only succeed in harming users' ability to get their job done. You suck in every way government work can suck. You waste time, and money with procedures that don't work, and are obviously inferior to the practices carried out by private firms.

You fail in understanding that every time an assclown like you can't follow rules because waaaaaa it's easier not to, we in IA have to put in place harder rules. I should be allowed to fire someone as lazy as you.

IT guys are the worst. I'm not sure if it's because they all have assburger's or if it's because they realize that they're a dime a dozen.

If I were so negligent in my job that people were able to injure themselves or the company I'd be fired. That's why I restrict access to dangerous areas. The IA department should be required to do the same thing.

I work for a major fitness company in their IT dept. While it's not chemical weapons manufacturing or anything like that, one of our perks is the ability to fire users that cause network problems. No going to management. We can do it from here.

Granted, we are kind and just in our use of this power, but if a user completely screws the pooch, we can shiatcan them.



That just seems so odd to me (and it's similar to other arguments other farkers are making.) The point of IA should be preventing bad things from happening in the first place, not handing out blame after bad things have already happened. Why not just restrict access from the get go?

Granted, I'm just a simple physicist, but is it really that hard to prevent users from accessing files they shouldn't? Isn't there some kind of firewall doohickey that can keep a user's disk isolated from the rest of the network and only let files that are known to be safe through? In my case, I can put as many warning labels and have as many safety seminars as I please about chemical safety, but I know if I leave a can of toxic material in the lunchroom some doofus is eventually going to open it. I doubt the boss would accept a defense of "but I told them not to."

Aside from nuking from orbit, restricting access is the only way to be sure. If the user disables the safeties to cause problems then fire him/her because it was clearly malicious or utterly moronic.
 
2011-07-06 01:24:31 PM

incrdbil: An-Unnecessarily-Long-Name: .

Large PST is really your best argument? You simply have no idea what goes into attempting to keep a network secure and useable when your biggest security flaw is lazy employees.

Not really an argument..more of a complaint, someone so OCD they want to keep that much old email. Would be nice if they had a useful data backup source though, other than the DVD option.

Our biggest security flaw is poor IA policies that encourage users to violate them. No policy can eliminate all security violators, but current IA policies push users to do that who would prefer not to do so.


It's certainly possible to make secure access easier for users, and IT departments love to make the user experience more streamlined and intuitive. But, if you have users violating security policies then those users have zero respect for the sensitivity of their data and shouldn't be working with it anyway.

These rules aren't arbitrary. If you're not willing to do what it takes to use your access responsibly then you should not have access, period. The hallmark of a professional is that they do what it takes to get the job done right, each and every time. If you're going to half-ass your security procedures then you're not a professional and you don't deserve that access.

A few years ago I got my CDL so I could drive a school bus in the course of my duties as a teacher at an after school program. The school district had their own bus barn and team of mechanics taking care of the fleet, but each and every driver (including myself) was required to know the ins and outs of all the hardware on the bus in order to drive them. Let me repeat myself: to drive a school bus you're expected to know and monitor hundreds of pieces of bus equipment, including the visible parts of the engine, transmission, and drive train. It's not rocket science, and it isn't asking too much for an office drone to know the bare-basics of computer security when they're working with sensitive data.

You can either be professional, or you can half-ass it. The choice is yours.
 
2011-07-06 01:25:04 PM

TheyCallThisWork: vartian: Again, if I can disable your system with a USB flash drive, you haven't done your job.

You've got that all wrong. It should be "If you've given a top-secret clearance to someone who has no common sense, you haven't done your job."


And, again, those people will always exist. If you have designed your security system with the assumption that everyone using it is responsible and competent, then you have failed miserably at your job.
 
2011-07-06 01:32:28 PM

32oz High Life: Granted, I'm just a simple physicist, but is it really that hard to prevent users from accessing files they shouldn't? Isn't there some kind of firewall doohickey that can keep a user's disk isolated from the rest of the network and only let files that are known to be safe through? In my case, I can put as many warning labels and have as many safety seminars as I please about chemical safety, but I know if I leave a can of toxic material in the lunchroom some doofus is eventually going to open it. I doubt the boss would accept a defense of "but I told them not to."


The main problem isn't preventing access to unauthorized users... that's actually pretty easy. The hard part is preventing the authorized users from doing something dangerous. The bulk of the problems in this thread are of the second variety.

Giving a user access inherently makes them a security risk.
 
2011-07-06 01:33:32 PM

THE_JESUS_PANTS: Step 1) Protocol in a facility that handles any level of classified information is to submit to the proper media custodian any media that is not properly labeled for destruction. This is the same when it's Unclassified.

Step 2) There is no step 2. It's just that simple.

There's absolutely nothing to gain from "finding out what classified stuff might be on it."


Out of curiosity, I have a sandboxed, non-networked system for checking that kind of thing. And I have a copy of its OS on an unmounted drive in the same system, so if shiat hits the fan, I can reboot in recovery and ghost the good copy back on.
 
2011-07-06 01:36:43 PM

An-Unnecessarily-Long-Name: Carth: In graduate school a few years ago we were tasked with doing a red team analysis of the easiest way to gain unauthorized access to government computers. My report said drop a bunch of infected USB drives on keychains with random keys around the parking lot and local lunch spots. My teacher, who worked for DHS, said it was just simple enough to work. Glad to see I was right.

/CSB

Where did you learn that trick from? That's been around since the days of the floppy drives.


The fact it wasn't a trick was my point. It is a well known, easy and inexpensive attack that the government was doing almost nothing to prevent.
 
2011-07-06 01:42:56 PM

Fubini: 32oz High Life: Granted, I'm just a simple physicist, but is it really that hard to prevent users from accessing files they shouldn't? Isn't there some kind of firewall doohickey that can keep a user's disk isolated from the rest of the network and only let files that are known to be safe through? In my case, I can put as many warning labels and have as many safety seminars as I please about chemical safety, but I know if I leave a can of toxic material in the lunchroom some doofus is eventually going to open it. I doubt the boss would accept a defense of "but I told them not to."

The main problem isn't preventing access to unauthorized users... that's actually pretty easy. The hard part is preventing the authorized users from doing something dangerous. The bulk of the problems in this thread are of the second variety.

Giving a user access inherently makes them a security risk.


I think vartian summed up my feelings pretty well: If you have designed your security system with the assumption that everyone using it is responsible and competent, then you have failed miserably at your job. Joe Officeworker shouldn't be able to harm your network by plugging in a hard drive he found in the parking lot. Yes, he should know not to do it in the first place, but we both know he will eventually.
 