Security 2.0

Published: 2007-11-21
Last Updated: 2007-11-21 14:56:01 UTC
by Joel Esler (Version: 3)
4 comment(s)

Been thinking lately about some of the restrictive policies that corporations, .mil, .gov, and some others have when it comes to security.

Does it work?

Where are we at?  

Are all the extremely restrictive policies in your corporate work environment working?  

What can be relaxed?  Why? 

Do firewalls work?  Network based ones?  Host-Based ones?

Does Web filtering work?  Why?  Why are you filtering the web?  Is it because companies don't want people surfing?   Or is it because companies are afraid of the employee going to "hate" sites.  Or, who knows what they are going to bring back into the network from hackerz.com?

Example: Why in some environments, is Instant Messaging banned?  Is it because of the security risk of people transferring files in and out of the network?  The vulnerabilities in the client?  Or, the inability to limit what people are saying and doing?

Example:  I recently ran across an example where iTunes was not allowed on the network because it was considered P2P.  Is iTunes P2P?  Of course not, but here is an example of where reeducation for the "experts" and the loss of "policy for policy's sake" may be helpful.

We'd like to hear your feedback.  What does Security 2.0 mean to you?  We all have our own opinions, we'd like to hear yours!

 Update:  Thank you all for your feedback, please keep it coming.  We've had some feedback from users that have very restrictive environments (I've chosen not to note anyone's name on this diary entry, to protect the innocent), where even higher-ups in the company watch the desktops of all their employees remotely.  Just to see if they are doing something "they" wouldn't want them to.  What is wrong with a little "me" time while at work?  Is it a security risk to allow me to read cnn.com?  What about those people that work from home?  Are they held to the same standard?  Which could bring me to another point... why don't we have more people telecommuting...  but I digress.

We've had some people write in with some very legitamate concerns.  Now, mind you, I am not advocating that you all run out and install whatever you want, and surf wherever you want, I am saying "why do you have these restrictions?"  If you have restrictions for a legit reason (don't want people going to webmail because viruses can possibly get in via that vector), then fine.  If you don't want people to IM at work because you work for a bank (thank you reader for writing in about this), and the SEC doesn't like "unmonitored communications".  There are companies that make programs/software to monitor IM!  Heck, I use Snort/Sourcefire products to do it!  <okay, that was a semi shameless plug>

I get frustrated when I hear a "rule" or a "policy" that is basically in place for policies sake.  (It's like having a post meeting meeting. Or a pre meeting meeting.  Do you really need to have a meeting about the meeting?  Sorry, pet peeve.)

Keep your emails coming!

Joel Esler

http://handlers.sans.org/jesler

Keywords:
4 comment(s)

Comments

While I'll admit, iTunes is not P2P, we are blocking access to it to reduce the amount of bandwidth used for non-business applications. For this same reason, we have blocked access to most sites hosting any sort of streaming media.
Okay, I can see that. We had another user write in to tell us that they didn't allow iTunes because it would cause alot of issues with having to backup several gigs of music files, per person.
iTunes can quickly cross the line to P2P "like" app. All it takes is for some users to hit edit --> preferences --> sharing and there you go 2 check boxes. Look for shared libraries and share my library. If a user doesn't password their library anyone on the network can now listen and download songs from each other... pretty close to P2P in my book.
But it's not P2P. Just because you can listen to someone else's music does not mean you can GET someone else's music. You are not trading the file, it is no different from streaming radio.

Diary Archives