Network Security - UTM
-
@Dashrender said:
Do people really need to be connected to FB, twitter, etc while doing a job that does not include those things?
Need to, no. Should we block it? Why? It takes time, money and introduces risks to block it.
Unless you take away their cell phones, pagers, and such when they walk in the door, I'd say this makes no sense. Don't single out services we have a personal feeling about. It undermines IT and management's authority.
There are jobs that need isolation, and they REALLY take those things away and lock you in and have Faraday cages around the office. I've actually worked there. It really happens.
Unless you are doing that, you are not blocking access, you are just making things adversarial in the office.
-
@Dashrender said:
Ummm... Frankly I do. They are the enemy of security. End users are almost always the weakest link in a companies security.
Then every one should be fired. If you have enemies in the company, whoever hired them and retains them is a sabatour. Call the police.
If the owners of the company don't agree, that makes IT the enemy.
-
I care less about blocking access to FB, etc because of productivity, that's not an IT concern (in this case), instead I'm concerned with keeping my network safe. Blocking them from anything not specifically business related seems like a prudent thing to do.
Removing external email (or access to their personal email on company machines) seems like a great start in the battle against baddies getting into our network.
-
@Dashrender said:
I care less about blocking access to FB, etc because of productivity, that's not an IT concern (in this case), instead I'm concerned with keeping my network safe. Blocking them from anything not specifically business related seems like a prudent thing to do.
Only seems. Isn't really. FB is not a big infection vector. Making people upset and do weird things and disrespect IT and management, is a huge vector.
-
@Dashrender said:
Removing external email (or access to their personal email on company machines) seems like a great start in the battle against baddies getting into our network.
How do you do that, though? How do you do it without sending them to a different email option? Users will always work around you. Trying to block them is hubris and hubris is the enemy of security.
If you really need to secure people, give them broad access AND an isolated network. Find ways to make things easier for them, not harder.
Being secure means working as partners. The moment the company itself is seen as the enemy, security is no longer a possibility. You are into the realm of everyone acting against one another. You need to get people on the same team. Seeing them as the enemy makes that impossible.
-
@scottalanmiller said:
@Dashrender said:
Ummm... Frankly I do. They are the enemy of security. End users are almost always the weakest link in a companies security.
Then every one should be fired. If you have enemies in the company, whoever hired them and retains them is a sabatour. Call the police.
If the owners of the company don't agree, that makes IT the enemy.
I understand why you're saying this, but the fact that users get scammed by phishing attaches and bad websites - are we just suppose to say "f it - we can't stop those things, there is nothing we can do to protect ourselves from them" and just always react to the problems they cause.
-
@Dashrender said:
@scottalanmiller said:
@Dashrender said:
Ummm... Frankly I do. They are the enemy of security. End users are almost always the weakest link in a companies security.
Then every one should be fired. If you have enemies in the company, whoever hired them and retains them is a sabatour. Call the police.
If the owners of the company don't agree, that makes IT the enemy.
I understand why you're saying this, but the fact that users get scammed by phishing attaches and bad websites - are we just suppose to say "f it - we can't stop those things, there is nothing we can do to protect ourselves from them" and just always react to the problems they cause.
No, we actually address fixing the problem rather than implementing placebos.
Things that we can't do...
- Not have users
- Not have computers
- Not have people with risks
So given that any attempt to stop one of those three things will ultimately fail, we don't look to those things for security.
Instead we change how we think of security. For example... you are concerned with securing your network. Why the network? What is the risk to "the network?"
Let's say User A does something bad. How are they putting User B or the company in general, or the network, at risk? What are the vectors that are a concern? Start there.
-
getting away from the LAN concept is definitely a plus in this situation. Treating the network connection as untrusted seems to be the only real solution, but not a great one at that.
While Crypto viruii today can't infect Owncloud, tomorrow they will find a way through locally running scripts using the logged on user's access. Granted it will never be as good as they have it now with file shares
-
@Dashrender said:
getting away from the LAN concept is definitely a plus in this situation. Treating the network connection as untrusted seems to be the only real solution, but not a great one at that.
Why not great?
-
@Dashrender said:
While Crypto viruii today can't infect Owncloud, tomorrow they will find a way through locally running scripts using the logged on user's access. Granted it will never be as good as they have it now with file shares
Once they do that, they are past the point of there being anything we can do. That means that we will be infected, without us being involved, from the Internet and none of the security or blocks that you put in place matter.
So not a situation to be concerned about.
-
@scottalanmiller said:
@Dashrender said:
While Crypto viruii today can't infect Owncloud, tomorrow they will find a way through locally running scripts using the logged on user's access. Granted it will never be as good as they have it now with file shares
Once they do that, they are past the point of there being anything we can do. That means that we will be infected, without us being involved, from the Internet and none of the security or blocks that you put in place matter.
So not a situation to be concerned about.
This is why not great - because it's not a full on solution. That was all I was getting at - it's not a full solution, as there can't be as long as users have access.
So you're right, from that point - OwnCloud, SharePoint, etc all we can do it restore from that point.
-
@Dashrender said:
This is why not great - because it's not a full on solution. That was all I was getting at - it's not a full solution, as there can't be as long as users have access.
Great and perfect are not synonymous. It seems like a pretty great solution to me... make everything as secure as the outside connection. It's as full of a solution as there can be. Nothing is perfect, but many things are great.
-
OK what abut from a PCI/Data protection standpoint.
Shouldn't we be doing everything we can to secure all ways into the network no matter how remote the chance a hacker will try is?
-
@scottalanmiller said:
@Dashrender said:
This is why not great - because it's not a full on solution. That was all I was getting at - it's not a full solution, as there can't be as long as users have access.
Great and perfect are not synonymous. It seems like a pretty great solution to me... make everything as secure as the outside connection. It's as full of a solution as there can be. Nothing is perfect, but many things are great.
I give ya that
-
@hobbit666 said:
OK what abut from a PCI/Data protection standpoint.
Shouldn't we be doing everything we can to secure all ways into the network no matter how remote the chance a hacker will try is?
Then the best security would be the best, right? The best is always the best.
-
@hobbit666 said:
Shouldn't we be doing everything we can to secure all ways into the network no matter how remote the chance a hacker will try is?
That depends, does "securing" that resource make the security better or worse? Often it makes it worse.
-
@hobbit666 said:
OK what abut from a PCI/Data protection standpoint.
Shouldn't we be doing everything we can to secure all ways into the network no matter how remote the chance a hacker will try is?
You can, by not trusting the local network at all.. not making it important in any way.
What I mean is no more file shares that are just open, logons for anything that is accessed.
Basically treat your local network as if it's the internet, and then you don't have to worry about it as much.
I think you can still use Active Directory in a setup like this.
-
@hobbit666 Did someone say PCI? Hold everything!
What level of PCI compliance are you working towards? Or has the goal not been set yet?
-
ownCloud does not protect you from Crypto, because the file will be encrypted locally and then synced up to the server and back down to everyone that has access to it.
-
@JaredBusch said:
ownCloud does not protect you from Crypto, because the file will be encrypted locally and then synced up to the server and back down to everyone that has access to it.
One huge reason why offline sync clients are a bad thing.
Perhaps a needed thing, but still a bad solution.
It might be better if the files could be saved in a webapp instead through a sync client just dumped into the filesystem.
