Warning, this is a long one. I was asked by a reader to consolidate all of the feedback I got from the Security 2.0 posts and put them into one post. Sure! No problem. However, I got a lot. No names though. If you want your name mentioned, email me, and I'll edit the post to include your name (if you have a blog or something, and you want me to link to you, provide that info too). Let me just say exactly what I said on PaulDotCom: just because you don't understand the technology isn't a reason to restrict it. You need to understand the technology, then make a risk assessment of what kind of impact it can have on your network.
To the commentary --
"iTunes is P2P by default on the local subnet, and possibly further with Wide Area Bonjour. ie. out of the box it will search for shared music, and it is one click for a user to share, no selection, their entire iTunes Library. In our University environment we have no shortage of bandwidth, and all protocols are permitted. iTunes is a useful teaching/learning tool. But the Authorities lean heavily on departmental IT admins to lean heavily on users to keep those Sharing buttons clicked OFF. The bogeyman is Copyright."
I disagree. iTunes, IMO, is not P2P. You can't trade music with it, you can, however, stream music from another person's iTunes list on the local network. But there isn't a way that you can trade music via this medium.
"I think one reason we have a restrictive policy set at work is because the default is 'fail'. That is, just because bittorrent is blocked here doesn't mean they've decided to block bittorrent; rather, it means that they haven't decided to open up bittorrent. Another similar reason is the security appliance -- rather than think about some security issues, we appear to simply go with whatever the Cisco box thinks is a reasonable thing to filter, including web pages. Many are blocked, many aren't, but no local thought has been put into most of it. It's a convenient excuse for management -- "justify why we as a business should allow IM" is easier for them than deciding whether or not IM is useful. This way, it actually costs someone's time to open up the hole, and therefore you need a business purpose to justify it. Does it "work"? To answer that I'd have to know what they're really trying to accomplish, and upper management is really trying to accomplish making the business make money -- more specifically? I don't know what they have in mind. Apparently, they don't think I need to know what they have in mind...or I could make a business case for them taking the time to tell me. :)"
Okay, so your organization isn't really against the use of these tools, but you have to have a legit reason to open it. Okay, I can understand that one. No problems there.
"The equipment I monitor is paid for with tax dollars. The public expects County employees to be processing their paperwork, not using tax money to download iTunes or play Internet Poker. By policy, County-related business purposes only."
This one obviously came from a county employee. I can also understand this one. This is more of a business restriction, not so much a "we are disallowing it because we don't understand the security of the technology".
"Web filtering: used to stop malware, legal liability from sexual harrasment (a porn site on a monitor makes an employer liable for creating a "hostile working environment"). Also, filtering logs are used when an employee's productivity is lacking, and they seem to be on web sites instead of working. iTunes, et. al.: Actually, all personal electronic devices were just banned at my company, because one person became annoyed when she tried to get the attention of an employee who was listening to their iPod. This is NOT a small company - it's a $2B multi-national manufacturing firm. This was NOT a security decision. IM: IM is banned because of SOX and IP concerns, along with past incidents of employees using IM and clearly losing productivity. Management does not consider spending any money (or time) for IM monitoring to be a priorpty."
Web filtering -- No porn because of harassment. Okay, I can understand that one. However, let's take a look at another side of that. One of the places where I have worked didn't allow us to go to porn sites. However, where I worked, we had to get exploits, and other random nastyness, to be able to write IDS signatures against them. Most of those sites have some explicit pictures on them. Because of the bureaucracy where I worked, getting a person "unblocked" was an act of God. Even though we had a legit reason. iTunes -- Now that's just stupid. IM -- Okay, that's a legit reason. Insider information. However, I'd rather allow people to do it, and monitor it, then to disallow it totally.
"I can tell you what my Draconian company does from a security standpoint. In terms of actual security, sure we have firewalls, A/V, spyware tools and the like, but that isn't what upper managment cares about. Hell, they're the last people to run they're spyware removal tools or not install unapproved software. No, they like using technology to either monitor us, or limit us in any way possible. According to the president of the company you need to be working every minute of the day and if you can't do something as if he were looking over your shoulder then you shouldn't do it at all (he has said this many times), namely it needs to be work related. All external email is blocked. Corporate email is not allowed for personal use. IM is not allowed, not for any of the reasons you mention, but rather to prevent us from chatting all day. Many websites are blocked. He randomly monitors throughout the day what we are doing via Network Lookout Pro, which shows all of our monitors tiles across his computer screen. If he sees something he doesn't like he zooms in to verify and then will take disciplinary action. He is old fashioned military and thinks you need to constantly keep "the troops" in check. As if allowing them to surf the web a bit or use personal email or IM will hamper their work. Granted excessive use could, but as long as they get their work done who cares!"
I discussed this on PaulDotCom as well. This is just insane! Apparently there is absolutely no reasonable expectation of privacy
"A few examples why we filter web access: Webmail - we block webmail because we can't monitor it properly for exfiltration of PII. In the past we used to block it because we AV scanned email, but not web traffic. Besides running your business out of your yahoo.com email address isn't fitting for an organization our size. Calendar sites - yes, we block google calendar. Why? Because some jackass was syncing his PDA to it and set it as public access. So a journalist was able to see that we had conference calls on the security issues in our SANs and what the conference participation code was. File storage sites - you don't want to know the number of spreadsheets holding customer data we found on these sites. Pr0n - people sue us if they work in a hostile work environment. Gambling - we do business in countries where they're behead you for doing stuff like that, but more importantly, they'll take away our license to operate. I don't mind losing a few employees in a Turkish prison, but I can't give up all of that oil money. Why we filter IM: In a word, regulators. SEC really frowns on traders having unmonitored communications. That, and a week doesn't go by that there isn't an IM worm. Also, I have enough cases open with email harassment, I don't need IM cases as well. iTunes: We don't block this one yet, but I'm working on it. Mainly because I don't have an iPod and I'm jealous. Actually it's because we've been working really hard on information control, encrypting our laptops, adding USB controls. So I really don't want to encourage them to plug a hard drive into my laptops."
Okay. I received another email that said that they don't allow iTunes because the company is not going to pay to have your songs backedup to the local backup server. I had another one write in saying that the company was concerned about Copyright issues. Maybe someone from Apple can talk about this. I know there are Apple employees that read this blog.
"Let security people implement policy instead of people whose eyes roll when you talk about mitigating a risk and think that they should implement every security control possible "because it's there"."
"I would say that, having worked in DoD for the last 10+ years, many times sites/services are blocked for bandwidth conservation or to prevent timewasting by unit members. These include sites such as Pandora, MySpace, Blogspot.com and Itunes. I'm not sure how effective some of these blocks are. For instance, Pandora is blocked but there are dozens of other sites that are easy to find and access. MySpace and Blogspot.com and their ilk were blocked I believe because people spent WAY too much time updating their blogs rather than working. (I overheard conversations regarding how people would spend 6+ hours a day updating their MySpace) Also, I believe information was put on these sites that shouldn't be on the web. But again, is that the best way to moderate this? Blocking the sites addresses the first concern, but not the second as again their are dozens of other social networking/blogging sites to use. Your question about how effective all the regulations and policies are is another matter entirely. Like I said, I've worked in DoD for 10+ years, doing IA for most of that time. Have things gotten better over that time period? Yes and no. DoD is a LOT smarter about IA, but as we all know, it only takes one hole for the bad guys to get in while we have to defend every wall, door, window, nook and cranny. And DoD is not immune to similar demands that occur in the commercial world; namely that the General and/or his staff (CEO equivalents) want to do X and that want to do it now and this app is mission critical and IA doesn't have the power, and isn't included in the planning... you know the story and how hard it is to secure all that. Add to that how fast technology is moving and how hard it is to be REALLY sure that the neat new app you just installed doesn't have a security hole that allows remote access to your domain. 
And then there are home grown apps and did your developers (contractors or government) really follow best practices (or did they even know about them)? And finally, how can you stop users? Even smart users (see the recent break-ins at the labs in Tennessee and Los Alamos which I believe were attained through spear phishing)? Like I said, it only takes one hole. DoD is a lot smarter, but then so are the bad guys and at the moment, they outnumber us. I don't believe they are smarter than us, but we have limitations they don't. So, the final question is: Is it harder for the bad guys to get into DoD networks with all the current regulations as compared to 5 or 10 years ago? I think so, but without an objective external verification, it's hard to say for sure."
Excellent post. I used to work for DoD too. I think the "fear" of something happening is greater than the emphasis on the actual something happening.
Thank you all for posting your thoughts. If this prompted some more ideas, please feel free to leave them in the comments. If you don't want to post under your name, please feel free to post anonymously.