
Re: [LUG] which is better? (more secure)

 

On 21/08/13 23:05, Simon Avery wrote:
> Bah. Gmail client annoys me sometimes. Sorry for the blank reply.
>
> You make some good points there, but actually that reinforces my base
> point. The stereotypical risk factor here is the office cleaner
> reading passwords off the monitor where they've been post-it'd. (Is
> that a word?) I don't doubt it happens, and anyone doing that really
> is being more than a bit silly, but in many situations the human
> traffic to a server room, or a comms cupboard, is negligible. Writing
> a password on something there (perhaps underneath!) is not really so
> risky imo. I know others disagree with that, and perhaps they're right
> to. My view on security is one that is somewhat more pragmatic than
> others because I work in a relatively low-risk environment handling
> files that have little corporate value. I also work with people who
> are mostly not specialists with IT equipment and anything that gets in
> the way of them doing their job (and I've had some that I've
> considered were doing well if they ended up facing the right way on
> the chair), means zero productivity. Sometimes they're too embarrassed
> to ask about stuff and will sit there doing nothing until they get
> shouted at. Hence my attitude which probably raises the hackles on
> die-hard secrecy fetishists. Usability first. And also, I kinda like
> that every sysadmin has a different approach. Security through
> obscurity, cryptography, daily-changing passwords (don't get me
> started on *those* ) and every permutation of password strength and
> complexity is GREAT. As long as that sysadmin has actually sat down
> and thought about their system, their users and their unique
> situation, I think that the inevitable compromise they arrive at is
> sufficiently different that it may not be immediately guessable by mr
> bad guy. (I know this is simplistic, and that the ex or current
> employee scenario can null your individuality) But seriously, you
> physically tie down every machine? I have never seen that before.
>

Next time you're in a bank or a hospital (or nearly any public sector
office - NHS, Jobcentre, etc), keep a beady eye out for any public
access terminals, or even just staff computers that are in areas
potentially accessible by the public (receptionist station, bank lobby,
office desks with public access). If you look closely, nearly all of
them will not only be cabled down but will have integrated keycard
access on the thin client box or the keyboard. Staff tend to keep them
on lanyards around their neck and use them for two factor auth - the
second they stand up and walk away, leaving you at the desk with the PC
- the card will pop out and the machine will lock. They will also be
configured as 'hardened', as I mentioned before - if you could hop over
the desk with your hacker hat on and mess with them for 30 minutes,
you'd normally find the BIOS is locked down, USB/CD non-bootable, etc.
GPO on windows will lock you out of attempted local admin logons, etc.
You'll literally have to rip open the case or steal it before you can
start playing in depth.

My longest single job being hospital sysadmin kind of drilled this into
me - sure, all the theoretically staff-only areas didn't have
(physically) tied down PCs but even though office areas, lecture rooms,
analysis labs and so on were behind key coded doors, inevitably we'd
still get a good few nicked every quarter. Any PC on a trolley for ward
use or in direct reach of a patient/visitor was cabled down though. You
just get used to it after a while. We even sniffed SNMP traps for
network cables getting unplugged in some areas, as it was considered to
be a potential sign of end user tampering (i.e., disconnecting from the
network before attempting to live boot and swipe the SAM).

At home my machines are tethered down because I have to practice what I
preach and I don't see why I wouldn't, quite frankly. The whole lot are
worth a fortune and even with secured off-premises full backups ready,
I'd cry for months if someone stole them all! General random bench top
boxes with the sides hanging off for testing disks, etc, obviously
aren't secured - I don't care if they get nicked. Considering the
top-of-rack quad-socket in the garage cost considerably more than our
car (missus has still not fully forgiven me for that) I really want to
make it as tamper-proof and as hard-to-nick as possible.

These days I'll admit that it's not common for me to be dictating
company policy like this - I'll often advise particularly smaller
clients with insecure home offices in their garages, or small companies
with rented workshops in industrial estates with no security, etc that
the couple of hundred quid required to sink ringbolts into the sturdiest
bit of concrete they can find and tether their handful of machines down
is money well spent (plus security tagging and registration). Only a few
months ago an old client from London was broken into and although the
little gits swiped every fancy laptop and 27" monitor in the place
(small but successful graphics shop in a rented office), they did call me
to say thanks. Said little gits hadn't brought bolt cutters so every Mac
Pro and their two servers + NAS were still there, albeit a bit battered.
If you're responsible for insurance as well, secure tagging + tether
should help out your rates too.

I do try hard to make stuff as user friendly as possible though - just
like you say, if you go too far the users will rebel and then all your
preparations come to naught. I *have* seen so many post-its with login
data stuck to monitors (and underneath keyboards is the most common)
that we had to make it an official part of the IT usage policy given to
all new employees (you'd get 1 of 3 official warnings if caught). We
fired several people for this every year, although sadly not the repeat
offenders: professors were the worst of all. They'd leave a public
access terminal signed in as them with full access to the patient
database or the blood sample results queue and wander away somewhere.
Obviously us IT guys weren't allowed to fire them though.

Daily rotation of passwords is so evil, even I wouldn't force that onto
users! That way definitely lies post-it hell :]

Regards

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
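The SNMP linkDown tripwire described in the post above (cable unplugged on a public-area PC as a possible sign of tampering), as an added detection example that is not from the original post or list: it reads constructed snmptrapd-style lines, ignores ports absent from a constructed inventory of public-area switch ports, suppresses brief flaps, and alerts on sustained disconnects. The line format, port inventory, switch names and the 30-second grace window are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed inventory (not from the post): switch ports feeding PCs that
# sit within reach of patients or visitors. Other ports are ignored.
PUBLIC_PORTS = {("sw-ward3", 12): "ward 3 trolley PC",
                ("sw-recep", 4): "reception desk PC"}

# Constructed, simplified snmptrapd-style line: time, agent, trap, ifIndex.
TRAP_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<agent>\S+) "
                     r"(?P<trap>linkDown|linkUp) ifIndex=(?P<ifindex>\d+)$")

def parse_trap(line):
    """Return a dict for a linkDown/linkUp line, None for anything else."""
    m = TRAP_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "agent": m["agent"], "trap": m["trap"], "ifindex": int(m["ifindex"])}

def tamper_alerts(lines, grace=timedelta(seconds=30)):
    """Alert on a public-area port that stays down longer than `grace` or is
    still down at the end of the log; a brief down/up flap (a knocked cable)
    is ignored. Each alert: (location, (agent, ifIndex), seconds_down|None)."""
    down_since, alerts = {}, []
    for line in lines:
        ev = parse_trap(line)
        if ev is None or (ev["agent"], ev["ifindex"]) not in PUBLIC_PORTS:
            continue
        key = (ev["agent"], ev["ifindex"])
        if ev["trap"] == "linkDown":
            down_since.setdefault(key, ev["ts"])  # keep the first down time
        elif key in down_since:
            outage = ev["ts"] - down_since.pop(key)
            if outage > grace:
                alerts.append((PUBLIC_PORTS[key], key, int(outage.total_seconds())))
    for key in down_since:  # never came back up within this log
        alerts.append((PUBLIC_PORTS[key], key, None))
    return alerts

# Constructed sample log: a 4 s flap, a 5 min outage, an unmonitored office
# port, and a public port that stays down.
SAMPLE_LOG = """\
2013-08-22 09:00:01 sw-ward3 linkDown ifIndex=12
2013-08-22 09:00:05 sw-ward3 linkUp ifIndex=12
2013-08-22 09:10:00 sw-recep linkDown ifIndex=4
2013-08-22 09:15:00 sw-recep linkUp ifIndex=4
2013-08-22 09:20:00 sw-office linkDown ifIndex=7
2013-08-22 09:30:00 sw-ward3 linkDown ifIndex=12
""".splitlines()
```

Running `tamper_alerts(SAMPLE_LOG)` yields two alerts (the reception desk port down for 300 s, and the ward 3 trolley port still down); the 4-second flap and the office port produce nothing.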