My work's IS policies have rendered my iPad useless

On this… someone I trust/respect for security advice says both of the following things:

  1. Security has to be baked in from the start, not just bolted on afterwards.
  2. I love modern Microsoft software.

Every time I have to use MFA for Microsoft Teams on my Mac, I wince at the message “There seems to be a problem reconnecting”. It is very clear to me that the MFA has been bolted on and the core software has no idea of this fact. Other apps do this, too, but Teams is the one I see every day.

My one word epithet for the Microsoft software I have to use every (work) day: sloppy.

I work for a large company in New Zealand. We do not have customers outside of New Zealand. We adhere to these standards. I know this because we get to do recurrent training every year.

1 Like

This is where most IT depts I have come across fall down - they DO NOT COMMUNICATE properly about upcoming changes that will affect the way people have been working for years and years.

For changes like this, I would love to see concise information on

  • what are the current and new threats the organization is facing?
  • how can this negatively affect our customers, partners, suppliers and other legal or contractual obligations?
  • an emphasis on the technology being inherently exploitable over blaming users (even if that is indeed a major vector for breaches)
  • an overview of the decisions taken, linked to each of the threats it aims to protect against
  • a “what does it mean for you” section, informing on how to perform tasks in new ways now that common usage scenarios become impossible and blocked by policy
  • training on the new resources and ways-of-working that have changed

The main reason I blow my top is that major changes just turn up on a fine Monday morning, with zero explanation or information. With some background, I would probably be less grumpy and more understanding of at least some such changes. Not a good feeling to have zero trust in your IS team, is it :slight_smile:

3 Likes

I completely understand what you’re asking for @airwhale, and I don’t think what you’re asking is unreasonable.

From the other side of the fence, I’ve done this and for a single change (Removal of local admin) so few people will read anything of more than a few sentences anymore, that it becomes a waste of time preparing the information. People don’t read it and when the change comes, people still moan and no amount of “we told you this was coming” helps.

I’m not saying everyone is like that, but it’s in the 90+%.

3 Likes

The title basically says it all: your iPad. Not a device provided by your employer.

If you want complete freedom, start your own company.

I’ve dealt with corporate IT for my whole professional life (25 years). Never ever had much choice on the soft- and hardware I could use. If any at all. And that’s about it. If they want me to work that way, that’s what I’ll do. Was that ideal? Certainly not! But it’s the way (large) organizations work.

Right now, the only ‘tools’ I have are Word, Excel, Notepad (not Notepad++, mind you) and Microsoft Edge. And I’m supposed to have an IT role. So I build my tools with VBA in Excel. No kiddin’. :rofl:

2 Likes

That sounds awful; there are better ways to work. I work for a small company and we are pretty lenient with choice of toolset. Big corporations just sound like terrible places to work.

1 Like

And seem to be getting worse every day. I started back in the early days when obscurity really could pass for security. As one of a few programmer/installer/support guys in a small company that got bought by a series of ever larger companies, I always had the “keys to the kingdom” for my little corner of the corporate world. But the threat environment has clearly gotten out of hand today.

1 Like

It really has. In the ’90s, a few people would have internet access, and/or there would be a computer in the IT area which had it. Antivirus was updated monthly, patching also was monthly, via CDs.

In the 2000s, internet was available, but computers were slow and external interfaces to the internet (i.e. attack vectors) were limited, not everyone had laptops, free wifi wasn’t a thing.

Now, everyone has devices, many of which are connected to the internet all of the time, and perimeter security is dead. Zero day vulnerabilities are a real thing and 18 year old kids can penetrate the networks of companies which spend many, many millions on security.

The threat is very real. Many organisations fail every year due to security incidents.

1 Like

We measure the number of attacks that our security appliances detect at a medium or higher level in events per second (somewhere around 10 these days). It’s relentless, and that’s just the firehose of (reasonably good/dangerous) network based attacks. Those aren’t even the scary ones.

1 Like

It doesn’t help them, but it makes it easier for me, as the instigator of the change, to sleep soundly.

Just today I was working a fairly serious problem with a business partner and, although feeling a bit of (self) pressure to get it sorted, being my area of ‘expertise’, I wound the pressure back a bunch when I proved to myself that we had warned them this day was coming 6 months ago. Funnily enough, they had their own internal warning a month ago, too. Then I felt way less pressure and just got on with the fun part of the troubleshooting and communicating.

2 Likes

Long post, sorry, feel free to skip, this should probably be a blog, mea culpa.

I have a lot of mixed feelings about the entire security industry. Not because I’m “against security”, but because I worked in it 20 years ago. I got my start building and managing firewalls, IDSs, and even a honeypot or two. Then I worked in a PCI environment for years and saw how corrupt a system could get. We used to have to send screenshots of our servers showing that they met standards, but not all servers, just the ones that were “in scope”. And “in scope” could mean whatever we wanted it to mean, so if we knew there were systems that wouldn’t pass muster, those were conspicuously not in scope. I discovered that what passes for corporate security was actually a lot of meaningless busy work. (Cataloging threats, documenting mitigation steps, etc… doing that for every threat that comes out is a full time job! Wait a minute…)

On the consumer side I’ve spent years watching security systems like antivirus, anti-malware, etc. screw up people’s machines while providing little to no tangible value. Security is an industry that thrives on fear. Watch out! Bad guys everywhere! Never been worse! Better buy my tool! Better hire me or your whole company will fail. Fear and ignorance push the security industry, and I find it hard to trust anyone selling me something by trying to scare me into it.

The other side of that coin is that some of the security industry’s shenanigans are based in fact. There are serious threats out there, and if you leave doors open where they shouldn’t be you put yourself and your company at risk. I can tail the logs of a public file server and see people trying to get in all day, mostly script-kiddies, automated systems knocking at every door they find, testing for known vulnerabilities. But, if you take security seriously from the start and build systems secure by default using current best practices you can sleep soundly at night.

Stay up to date, stay patched, don’t download anything when you don’t know what it is. Stay away from sketchy websites. Be extremely careful opening any kind of attachment in an email or message. Know for sure who you are talking to. The rules aren’t that hard to follow. The main threat you have to watch out for is if software you are running that is publicly accessible has a remotely exploitable vulnerability allowing unauthorized execution of arbitrary code.

Also, my memory says it was way worse in the late ’90s and early 2000s when Windows 95 or XP was on everything and viruses and worms actually were everywhere and a real problem for everyday folks. We’ve learned a lot since then.

6 Likes
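The post above mentions tailing the logs of a public file server and watching automated login attempts all day. As an added example (not code from anyone in this thread), here is a small Python script that does the defender-side version of that: it parses OpenSSH-style "Failed password" lines, counts attempts per source address, and flags sources that cross a threshold. The log lines are constructed samples in the auth.log format, using documentation IP ranges, and the threshold of 3 is an arbitrary assumption for illustration.

```python
"""Summarise failed SSH login attempts per source address from auth.log-style lines."""
import re
from collections import Counter, defaultdict

# Constructed sample lines in the style of OpenSSH auth.log entries (not real data).
SAMPLE_LOG = """\
Mar  3 10:01:12 files sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  3 10:01:14 files sshd[2203]: Failed password for invalid user test from 203.0.113.7 port 51130 ssh2
Mar  3 10:01:15 files sshd[2205]: Failed password for root from 203.0.113.7 port 51140 ssh2
Mar  3 10:01:18 files sshd[2207]: Failed password for invalid user oracle from 203.0.113.7 port 51150 ssh2
Mar  3 10:02:01 files sshd[2210]: Accepted publickey for deploy from 198.51.100.4 port 40012 ssh2
Mar  3 10:02:40 files sshd[2212]: Failed password for invalid user pi from 192.0.2.9 port 60001 ssh2
Mar  3 10:03:05 files sshd[2215]: Invalid user ubnt from 203.0.113.7 port 51160
"""

# Matches both "Failed password for <user> from <ip>" and the "invalid user" variant.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def parse_failed_logins(log_text):
    """Return a list of (source_ip, username) pairs, one per failed-password event.

    Only "Failed password" events are counted; bare "Invalid user" probes and
    successful logins are ignored so the summary reflects actual credential guesses.
    """
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            events.append((m.group("ip"), m.group("user")))
    return events


def count_by_source(log_text):
    """Count failed-password events per source address."""
    return Counter(ip for ip, _ in parse_failed_logins(log_text))


def flag_sources(log_text, threshold=3):
    """Return {ip: {"attempts": n, "users": [...]}} for sources at or above threshold.

    The threshold is an assumed value for illustration; tune it to the host's normal
    failure rate before using the output to drive alerting or rate limiting.
    """
    attempts = Counter()
    users = defaultdict(set)
    for ip, user in parse_failed_logins(log_text):
        attempts[ip] += 1
        users[ip].add(user)
    return {
        ip: {"attempts": n, "users": sorted(users[ip])}
        for ip, n in attempts.items()
        if n >= threshold
    }


if __name__ == "__main__":
    for ip, info in flag_sources(SAMPLE_LOG).items():
        print(f"{ip}: {info['attempts']} failed logins, usernames tried: {', '.join(info['users'])}")
```

On a real host you would feed this the output of the auth log (or journalctl for sshd) instead of the embedded sample; the per-source username list is the useful part, since a single address cycling through admin, root, test and oracle is the signature of the automated guessing the post describes rather than a user mistyping a password.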

One of the main security problems back then is still, IMO, the ordinary user. Kevin Mitnick, probably the best known hacker of the ’90s, frequently gained access to his target by conning people into giving it to him. Or by leaving a USB stick (containing malware) labeled “salaries.xls” lying around where someone could find it. (He was later held in solitary confinement without a trial for something like five years for his efforts).

You are correct that “The rules aren’t that hard to follow”. But there are always people who think they know more than they actually do, or that the rules don’t apply to them. And that can lead to policies that can “render an iPad useless”. :cry:

3 Likes

Yes! Yes! Yes! I find this is worst among the “high profile hackers gone good” crowd. One of the most difficult parts of working in security is trying to keep people focussed on the basics that matter with an appropriate sense of urgency, as opposed to being freaked out over the hack-du-jour and the currently fashionable solution being peddled.

I find that people like Bruce Schneier, Alex Stamos, Johannes Ullrich, and the hosts of the Risky Business podcast offer much more balanced perspectives, but they aren’t after my money either :slight_smile:

3 Likes

It’s far from ideal. No doubt about it. But I get paid for this job. And I like a challenge. To be honest, it gives me a lot of satisfaction when I can create a full ‘application’ including remote api calls with limited means. It helps that I love old technology (think VB(A)) as much as the latest and greatest. It’s the result that counts. Both for me and my client(s).

2 Likes