
Frustrations as an SA

kiki162 Member Posts: 635
I'm in a bit of a frustrating situation. Part of my job duties is to take care of network security along with my SA/web developer duties. I made a bid to my higher-ups about recommendations to change security-wise (remove local admin access for all users, block streaming video, music, changing passwords every 90 days, etc.). Basically we need a LOT of stuff done. We have an IT audit coming up and my higher-ups said they wanted to see the report before any changes are made. Grrrrrrrr!!!

When I got hired I did the sane thing and was told to keep things the way they are and not to change anything. WTF. Having a 5 char min is asking for trouble, letting temp employees download and stream iTunes hogs the network, I could go on.....


Anyways, I have no clue if anything is going to be done, basically because the people at the "top of my food chain" don't like change and most of the time have no clue as to what's really going on.

It hasn't gotten to the point where "s*** hits the fan" but it's only a matter of time, and I would be in the direct line of fire on that. Makes me wonder if I need to switch to something a little bit more security-oriented that has some sort of structure.

Can anyone relate?????

Comments

  • docrice Member Posts: 1,706
    Most security admins will relate as it's a very common issue. Change tends to involve the thought of "cost" and since senior management generally don't have the same visibility on the low level details that you see, psychologically they tend to be removed from foresight and perceived consequences. If you can't prove to them in business terms the need for better security, I'd say it might be time to move elsewhere or deal with it.

    On the other hand, maybe they're actually aware of the issues but are making a business decision to accept the risks, but from what you're saying it doesn't sound like it.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • NetworkVeteran Member Posts: 2,338
    > When I got hired I.. was told to keep things the way they are and not to change anything.
    > Basically we need a LOT of stuff done.
    > the ppl at the "top of my food chain" don't like change

    You are getting frustrated because you're putting your own desires over those of your employer. If they've given you a clear mandate that they don't want major changes, you need to respect, and work within that mandate.

    > remove local admin access for all users

    I imagine it's not only higher-ups opposed to that change. Eliminating local admin access could impact employee productivity. I know I have successfully fought off or won exceptions vs. IT departments on this point before. If you were to engage in a dialogue and understand where they're coming from, it might help you find changes employees would support.

    > letting temp employees download and stream iTunes hogs the network

    This has little to do with creating a more secure workplace to benefit your employers.

    > and most of the time have no clue as to what's really going on.
    > its only a matter of time, and I would be in the direct line of fire

    And rightly so, if your employer has no idea what's going on with respect to security. There are many ways to address this, for example a color-coded (red/yellow/green) depiction of your preparedness for seven key types of attack. You also could have accompanied this with an "aggressive" (change 7 items) and "conservative" plan of action (change 3 items). That way, even if you only partially got what you want, your network would be more secure. Also, if a breach happened due to them preferring the conservative approach, you'd be somewhat protected if TSHTF.
  • kiki162 Member Posts: 635
    I guess a lot of my issue stems from where I've come from job-wise, where anything and everything is locked down and there were high restrictions. I'm not looking to enable and lock down everything, but if we get down to the basics, then that's fine. There's always a trade-off.

    I've done pretty much all I can trying to explain to middle mgmt on how and why things need to change. We have problems with users installing various software and their activities during work hours. We get e-mails from our "in between network" about high bandwidth usage, yet we can't do anything about it because there's nothing to back it up. I've made suggestions to the current IT policy (which is 7 years old), and that it really needs to be updated.

    I would agree with the idea that management tends to be removed unless something happens to them. I totally get that, and respect it, but somewhere in my head, I'm trying to mitigate any issues. Guess I have to wait till this IT audit happens, then figure out the next steps.
  • Bundiman Member Posts: 201
    It's great you made those suggestions, but you should write it up as a proposal and submit it to your management. That way when the S*** does hit the fan you have an electronic trail of your efforts.
    Bachelor of Science, IT - Security Emphasis (Start Date: Apr 1st, 2013)
    Bachelor of Science, IT - Security Emphasis (Completed: Apr 25th, 2014)
  • kiki162 Member Posts: 635
    Good point, hopefully something will get across. Paper trail always helps!
  • bigdogz Member Posts: 881
    kiki,
    Look at this as an opportunity where you can shine. The audit may drive the need for change. If the audit is for their customer they may change their mind.
    Show them best practices for your environment. You may have to do a great deal of work/research to make your points valid.
    OWASP for passwords: https://www.owasp.org/index.php/Password_length_%26_complexity
    SANS is another resource.
    Show how fast passwords can be broken and name your resources.
    Showing a couple of articles on companies losing their IP or information similar to that of your company/industry when they were hacked could assist.
    As far as the temps on iTunes, this is a business decision. You may want to run a report ONLY for the temps of their online activity for the last 6 months, which may show a lack of productivity. You don't want to get everyone mad at you. The reasons for a change in culture are when they actually get attacked, or some auditor tells them to do it, or some new employee (agreed by management) is brought in to get the job done.
    This may change the culture for temps. Just remember that management must approve everything so the new policies can be implemented; otherwise it could get ugly. Keep a physical copy of your email in a secure location and don't take this personally.

    Good Luck!!!
  • ChooseLife Member Posts: 941
    Great discussion so far and many insightful comments...

    Some of the most important points have been already brought up...
    You are getting frustrated because you're putting your own desires over those of your employer.
    docrice wrote: »
    ...maybe they're actually aware of the issues but are making a business decision to accept the risks...
    This is probably the most important point and one that us technical security folks tend to miss. (I know I'm guilty of it at times.) We want to eliminate security issues, and the idea that business/management decides to simply accept the risk makes us uncomfortable. What we must remember is that the choice is theirs, and in this war (against malicious threats, not management :)) our role is not necessarily in making the system perfectly secure but rather in providing the information enabling the management to make an educated decision. This is an uncomfortable idea, but a very important one.
    As security professionals, we may fail to identify a risk/threat/vulnerability, assess it, or communicate this information to the management. However, if a risk/threat/vulnerability has been properly identified and reported, responding to it becomes the responsibility of the business.

    Bundiman wrote: »
    It's great you made those suggestions, but you should write it up as a proposal and submit it to your management. That way when the S*** does hit the fan you have an electronic trail of your efforts.
    Second great point. Correctly and carefully written reports sent to the right people make the difference between a "yes" and a "no". They also increase our job security.

    And finally:
    bigdogz wrote: »
    Look at this as an opportunity where you can shine.
    Your company infosec culture is obviously very different from your own. The way I see it, you have three options:
    1) Look for another company with a culture that better suits you. A very sensible solution
    2) Accept the culture of this company and adjust yourself to it. Whether you can do this depends on your personality, but from what I've read so far this does not look like a path you prefer.
    3) Take up the challenge and try to change the company culture. This path may be some or all of the following: dangerous (for job security), exhausting (office politics), rewarding (personal growth and satisfaction).

    In any case, best of luck!
    “You don’t become great by trying to be great. You become great by wanting to do something, and then doing it so hard that you become great in the process.” (c) xkcd #896

    GetCertified4Less
    - discounted vouchers for certs
  • SteveLord Member Posts: 1,717
    I am dealing with some of this myself. Starting with shredding and disposal of sensitive materials. You'd be surprised how just locking the shred bins annoyed some. Wait until I put out and enforce clear desks. Then I have a few more issues to make official policy. Our security folks assess us every year and there is always plenty to keep me busy.
    WGU B.S.IT - 9/1/2015 >>> ???
  • dover Member Posts: 184
    Everyone has made great points. The audit is going to be replete with 'findings' that will at least be brought to executive management's attention by an objective third party. But like others have already said, it is up to the execs to determine what level of risk they are willing to accept as an organization. The audit may change some minds, which would give you the chance to implement some of the common-sense security measures the business could likely benefit from. Like others have said, make sure you have your bases covered. If you've had discussions about the current security posture of the organization, and management's responses, document them. You aren't out to point the finger; you just want to show that you have attempted to perform due care and diligence - which is your responsibility to perform. You can definitely use the audit findings to strengthen your arguments. In the end though, it is up to executive management to set the tone for security in the organization. If they have dismissed your arguments and they dismiss the audit findings, just do the best you can in the situation you have. Some organizations take pride in the 'openness' of their culture even if it results in significant exposure. I think we all feel your pain and frustration though.
  • kiki162 Member Posts: 635
    bigdogz wrote: »
    kiki,
    Look at this as an opportunity where you can shine. The audit may drive the need for change. If the audit is for their customer they may change their mind.
    Show them best practices for your environment. You may have to do a great deal of work/research to make your points valid.
    OWASP for passwords: https://www.owasp.org/index.php/Password_length_%26_complexity
    SANS is another resource.
    Show how fast passwords can be broken and name your resources.
    Showing a couple of articles on companies losing their IP or information similar to that of your company/industry when they were hacked could assist.
    As far as the temps on iTunes, this is a business decision. You may want to run a report ONLY for the temps of their online activity for the last 6 months, which may show a lack of productivity. You don't want to get everyone mad at you. The reasons for a change in culture are when they actually get attacked, or some auditor tells them to do it, or some new employee (agreed by management) is brought in to get the job done.
    This may change the culture for temps. Just remember that management must approve everything so the new policies can be implemented; otherwise it could get ugly. Keep a physical copy of your email in a secure location and don't take this personally.


    Good Luck!!!

    That's what I'm thinking. Audits are the best excuse to get things done or changed. I know that once the audit is completed, they will give me a list of things that need to be changed or modified. And on top of that, I'll have to come up with valid reasons why...just like the passwords.

    I do agree that there are some trade-offs in anything, like the iTunes or websites not being blocked. You do have to step lightly on these things.
  • kiki162 Member Posts: 635
    dover wrote: »
    In the end though, it is up to executive management to set the tone for security in the organization. If they have dismissed your arguments and they dismiss the audit findings, just do the best you can in the situation you have. Some organizations take pride in the 'openness' of their culture even if it results in significant exposure. I think we all feel your pain and frustration though.

    Yeah, having a paper trail, especially where I work, is the best backup policy. With the type of people I work with around here, if there's no e-mail trail to back it up you are screwed. True, it's always up to management to determine what they want to present to the higher-ups (who are the ultimate deciding factor). I'm just hoping that I can implement something.
  • cmitchell_00 Member Posts: 251
    I know iTunes or any shareware streaming media can be a problem for the network or security. However, I find management don't understand unless they're impacted directly. I would stick with the company mandate/policy, but sometimes you can perform subtle changes where there's no impact. You do want to keep your paper trail for all your work done so, if you need it to revert back or even CYA, it will be there. Food for thought.
  • Nemowolf Member Posts: 319
    Bundiman wrote: »
    It's great you made those suggestions, but you should write it up as a proposal and submit it to your management. That way when the S*** does hit the fan you have an electronic trail of your efforts.

    On the note of doing a formal proposal, one of the things I have not seen mentioned is the consideration of ROI. Everything has an ROI, even security. You could do a quick estimation of the bandwidth being used for non-work-related online activities and build a cost analysis of how the people are "wasting" the company's money with excessive bandwidth use. If the users are all admins, try to evaluate with a test case volunteer how much it REALLY impacts and equate that to man-hours lost or gained. Many times the business just needs to see the dollars and sense of things before making changes.
  • NetworkVeteran Member Posts: 2,338
    Nemowolf wrote: »
    You could do a quick estimation of the bandwidth being used for non-work-related online activities and build a cost analysis of how the people are "wasting" the company's money with excessive bandwidth use.

    I like it. It encourages the OP to assess the real impact of the issue on the company and educate his management--e.g., by measuring the average bandwidth used for music/video, and identifying how much the company could save by switching to a lower-cost Internet plan that does not guarantee its delivery. Of course, make those numbers as real and accurate as possible, as you may be asked to deliver on them if they're big.. or to ignore them if they're small and negligible.

    PS - There are less Draconian approaches than total blockage to achieve the same cost savings.