back to article Polite, helpful? Stop it at once in the name of security

In this article I'm going to talk about the second most important aspect of being an IT manager or engineer. “The second?” I hear you cry. Yes, the second, because the most important aspect is terribly dull and doesn't take 800 words to describe: safety. (And if you think I'm mad, ask yourself whether you'd break down the door …

  1. Graham Marsden
    Meh

    Security helpful...?

    Yes, of course Security has to be given due prominence, especially in these days of the IoT etc, but it should not be so incredibly frustrating when you have to create a password with an upper case letter, a lower case letter, a number, a punctuation symbol, a Norse rune, a colour, a Haiku and a DNA sample and then get told three months later that it needs updating but you can't use *any* of the aforementioned in the new one...

    PS "ask yourself whether you'd break down the door of your secure data store to rescue the guy inside in the event of a fire"

    Or ask the BofH...

    1. Paul Crawford Silver badge
      Trollface

      Re: Security helpful...?

      "ask yourself whether you'd break down the door of your secure data store to rescue the guy inside in the event of a fire"

      Depends, did you set the fire?

      1. Anonymous Coward
        Anonymous Coward

        Re: Security helpful...?

        Dave must be new here. Welcome to El Reg, Dave. Take a browse over to the BOFH section to get up to speed on the health and safety rules.

        Answer to the original question: No, keep the door locked securely and the Halon will take care of the fire... and the original problem.

        1. Triggerfish

          Re: Security helpful...?

          Surely breaking down the door depends on who is actually on the other side.

          1. Steven Raith

            Re: Security helpful...?

            It depends who is on the other side, have I had lunch yet, and are there any more cat videos left on Youtube?

            Those videos won't watch themselves, you know.

            Steven "Just kidding. It's car videos" R

        2. Doctor Syntax Silver badge

          Re: Security helpful...?

          "Dave must be new here."

          No he isn't. Maybe you are.

        3. JerseyDaveC

          Re: Security helpful...?

          Ah, I've been a student of BOFH from the start - even back in the Usenet days, before Simon started writing it for us on Network Week in the 1990s :-)

      2. szielins

        Re: Security helpful...?

        Yeah, some of those simple questions turn out to be kinda tricky. Is the question: (A) would I break down the door, (B) is it company policy for someone to break down the door, or (C) is it documented, subpoenable, and auditable that we throw the security process out the window in the event of a fire?

    2. tfewster
      Facepalm

      Re: Security helpful...?

      I feel your pain, but security tools CAN be helpful - e.g. login management/SSO to manage your userid across all the systems you need access to. InfoSec can grant/revoke access from a central point and you only have one password to change rather than waste a day every month going round all the servers. And InfoSec will get a budget to buy such tools, whereas the existing sysadmins won't, even if they write a business case for improved productivity.

      I'm also quite happy for InfoSec to be able to audit my actions. So they can see it wasn't my properly planned change that broke the system, it was the dork who pushed a "quick fix" out an hour later.

    3. Dan Wilkie

      Re: Security helpful...?

      Correcthorsebatterystaple?

    4. Anonymous Coward
      WTF?

      Re: Security helpful...?

      PS "ask yourself whether you'd break down the door of your secure data store to rescue the guy inside in the event of a fire"

      No, because the door would unlock in the event of a fire alarm, otherwise someone is going to find themselves in court when that person burns to death.

      1. SImon Hobson Bronze badge

        Re: Security helpful...?

        > No, because the door would unlock in the event of a fire alarm

        Well perhaps it should do ...

        >otherwise someone is going to find themselves in court when that person burns to death.

        but that won't help the chap behind the locked door !

  2. Tom Chiverton 1

    TalkTalk

    I'm fairly sure nothing happened to TalkTalk. Some bad press for a time, no real consequences.

    1. Anonymous Coward
      Anonymous Coward

      Re: TalkTalk

      I'm fairly sure nothing happened to TalkTalk.

      You mean "nothing happened to the board of TalkTalk". The company itself estimated the trading impact at £15m and the exceptional costs around £40m. It's interesting to note that ITSec is regarded as an "exceptional" item by the board of TalkTalk, but that mindset is how they got themselves in the crud in the first place. Luckily there's a group of patsies happy to take the losses, and they are called "investors", as a result of which the traded share price for TalkTalk dropped 30% in response to the breach and hasn't recovered those losses yet. In that respect the carelessness of TalkTalk management has cost investors around half a billion quid, a figure that will be realised in cold hard cash over time unless they can restore the share price relative to other stock market investments.

      Now, because most of us are only exposed to the stock market via insurers, pension funds and banks we don't see these losses directly but they're still there, and you're still paying for them in the long term. So, "no real consequences"? I'd say vapourising half a billion quid of investor value was a fairly significant consequence, just not inflicted upon those responsible.

      I'd like to be a director of TalkTalk. All that money, no accountability.

  3. David Nash Silver badge

    Holding the door open

    The only good answer to this is turnstyles or gates that let only one person through at a time. Expecting people to shut the door on colleagues is unrealistic, and even on strangers it's fairly unlikely.

    1. A K Stiles

      Re: Holding the door open

      Yup - used to work in an office like that - smallish, revolving door on a swipe access that would only rotate 180° to allow 1 person through at a time, in or out. If you tried tailgating you'd get caught in the closed off section when the rotation locked again. Always entertaining (?) when some joker would spin the door from the other side when you swiped it, causing you to have to swipe again, and then also explain to the local security audit why you had swiped in twice in rapid succession, without swiping out again. Also entertaining after a fire alarm where you'd have ~100 people trying to re-enter the building simultaneously (They did, sometimes, have the fire-exit door open with a security guard checking id badges, just to speed up the process).

    2. Anonymous Coward
      Unhappy

      Re: Holding the door open

      Our chairman and Directors tend not to wear their door passes.

      I guess I slam the door in their face and then pick up my P45 later on when my role suddenly becomes redundant?

      There's the ideal world and the real world.

      1. Oengus
        Unhappy

        Re: Holding the door open

        "The only good answer to this is turnstyles or gates that let only one person through at a time. "

        I remember one site I worked at that had turnstiles. The security system "knew" whether you were inside or outside and would allow access appropriately; if you were inside it would let you out and vice versa. On occassion, the turnstiles would "click" and block you. Invariably you would be looking to go home on Friday afternoon and the system would have a problem and you couldn't get out. You would have to give your access card to someone outside to "click" you back in and then they would pass your card back through the turnstile before you could get out of the building.

      2. 0laf

        Re: Holding the door open

        ^ That's true that is. They're also the ones that want to use Dropbox (free personal) in the office to move personal files, they want to work on Ipads except when they don't.

        They want security to tick every box except when it means their internet id filtered or they can use the toy of choice.

        And lets just avoid the demands of teacher which are a whole other league.

        Deep breaths and repeat after me, "security is an enabler, security is an enabler, security is an enabler....."

    3. Intractable Potsherd

      Re: Holding the door open

      Following a recent reshuffle, I now have an office on a corridor with a card-based security system (no-one knows why a) I am down that corridor, or b) why it has a security door). The corridor is heavily used for various reasons, and the door is on a very slow closing mechanism (about a minute from open to closed), with no pull handle on the inside. The card reader is buggy as hell, hence unreliable. The practical upshot of all this is that the door is effectively open to all and sundry, because there is no effective way to pull the door closed after going through it, and the buggy card reader means that if anyone did, and the person after them could not get in, the atmosphere would be somewhat fraught. Combined with the apparent lack of need for the security door, it is all very silly, because the default position is to be as nice to people as possible and hold the door open if anyone is within 10 yards of it.

    4. JerseyDaveC

      Re: Holding the door open

      I agree it's hard ... but visit (for example) IBM's office at Hursley and you'll see proof that it can be done.

  4. Anonymous Coward
    Anonymous Coward

    Catch-22

    Used to keep my PC with customer sensitive data air-gapped from the company network. AV updates were installed via hand media.

    Then IT Security told me it MUST be connected to the network to get the new company AV package's updates every few days. Otherwise the new AV would lock me out of using the PC off-line.

  5. Yet Another Anonymous coward Silver badge

    Did that once at HP

    Visited their lab in Bristol. I was late and busting for a pee - didn't see the reception desk so followed somebody through the big sliding glass doors toward the cafe I spied in the distance.

    5min and a bit relieved later I tried to find reception to sign in.

    It was the other side of the big glass doors

    Which wouldn't open from the inside (?)

    And which reception wouldn't open to let me out

    So had to wait for security to come and ask what I was doing in there.

    Fortunately their ideas about how to do cloud was so laughably incompetent (you FTP your data to a server ad then telnet in to run a java app) that I never had to go back.

  6. ciaran

    Surely Ergonomy is more important than Security?!

    Bad ergonomy, everyone has an excuse for going around it.

    Great ergnomy with appropriate security, you teach the right way and everyone helps convince the newbies that its the easiest way.

    Also you can get compliments about how you're making everything work easily.

  7. Anonymous Coward
    Devil

    Easily turned around...

    "Politeness is your enemy."

    No, its not. Lack of education and instructions is. Making people fully aware why keeping the door open even for a colleague could be a bad thing. Many IT guys keep up an unhealthy attitude regarding their policies and users and would easily answer questions about them like: "Because we say so!". Yeah, that's a sure way to motivate your users to help you do your job. Not!

    If you keep creating an "us vs. them" environment then it's in my opinion inevitable that there will be plenty of users who won't take you seriously or would rather ignore you than pay any attention to what you say to them (because all you'd say is that you know best anyway).

    On top of that: weakest link anyone? If opening the door for someone else could indeed be that big of a disaster then I think you have a serious issue with single point of failure.

    Helpfulness is also your enemy.

    Depends. In the above scenario I'd say trying to help your users to understand instead of creating an environment as "We know best" could actually have some good results. Here's not saying that it would apply all the time, but usually these bigger issues start small.

    And you're also ignoring other underlying issues here. When people feel the need to be extra helpful towards their users then isn't it possible that they realize that some procedures are actually doing more harm than good?

    For example: requiring that people use an 8 digit password with all sorts of extra's to make sure it's hard to crack. Yeah, obviously some won't be able to remember that and will write it down. And sure it gets taped to the computer so that they don't risk of loosing it.

    As an IT guy I can see the horror in that scenario. But as someone who can also place themselves in the role of the end user I understand perfectly well why someone would do that.

    Here's another question for you: how likely is it that people would try to crack user passwords from their own terminals, especially considering that there's often a lock out threshold? Also: if the password is easy to remember then there's less chance that the user would write it down. The main area where this could become a problem is if the data got intercepted somehow or if people tried to bruteforce the actual password database. Yet that part often doesn't get as much attention than the user passwords.

    I'm not making this up... plenty of organizations, where Sony is the most obvious example, had very specific polities for user passwords to make sure things were safe. Only to end up getting stored in a plain text file.

    Translated: users need to remember a 10 digit password, while the servers are all open and permanently logged onto as root or administrator, simply because the server room door is locked and only a select few have the key. Sure. So basically the single point of failure has now become 1 simple, yet physical, door. Some call that security, I call that false hope and, as mentioned, a severe single point of failure.

    Of course it's the users who get the most blame.

    1. auburnman

      Re: Easily turned around...

      I would say most people already know that holding a door for someone could be a bad thing, but it is so astronomically unlikely in most workplaces that they will do it anyway because a) it's polite, and b) being the only one to shut the door on strangers or colleagues is a one way ticket to being labelled as a tinfoil hatted nutter and openly mocked.

      If the company really cares about this, they will have secure entry gates like other posters have mentioned. If they haven't, they don't care and are just paying lip service to this threat vector so they can scapegoat an employee if someone does get in this way ("We train all our employees on security matters, unfortunately proper procedure was not observed")

    2. Vic

      Re: Easily turned around...

      plenty of organizations, where Sony is the most obvious example, had very specific polities for user passwords to make sure things were safe

      I used to have a very simple rule for password complexity.

      I would run john against the shadow file overnight. Any accounts that got cracked in less than an hour would be locked...

      It was surprisingly effective - especially as you found out which accounts weren't being used at all[1].

      Vic.

      [1] I had inherited the userset, amongst which were many remote workers. It was quite clear that some of the accounts were dormant, as no-one ever asked me to unlock them.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like