LITTLEBLACKDOG.COM
Pakiii
Tail-Wagger
Joined: 22 Jul 2002 Posts: 2055
Location: KS, USA
Posted: Tue Mar 04, 2008 6:38 am Post subject: Stupid Security Rules
Looking to see if people have some suggestions for stupid computer security rules that people have run across as examples. I've been asked to speak at a local university about computer security and business (the Technical Administration department). I am approaching this from the angle that business people and technical people need to talk before making security rules, i.e. don't let computer geeks randomly make business-impacting changes, and don't let managers dictate computer policy without everybody having a clear understanding of what will really happen.
What originally got me roped into this, and where I am starting off from, was a discussion on password rules. The Department of Homeland Security has a rule that passwords will be at least 9 characters, one upper case, one lower case, one special character, not be any word forwards or backwards, not be any name forwards or backwards, and not begin or end with any year or month value (i.e. the first or last 2 characters cannot be a number). By the way, this must be enforced through technology, not just a policy. If a system cannot force compliance for all of these rules, then it fails.
If the password is too complicated, in an attempt to make the system more secure, then the users will write down the password, and make the system drastically less secure. Combine this with a system failing security if it cannot enforce those rules, and you get a rule that technically would be good, but when reality is brought in is stupid.
I'm going to talk about that, and stupid 2-factor authentication rules as well, i.e. a USB key or card that requires a 15-character password, which gets written down on the device.
Also a bit on SPAM filtering, i.e. don't block the word VIAGRA if working for a pharmaceutical company (I did that one myself). Challenge response for corporate email, i.e. a 2-person challenge-response loop.
I could speak all day on TSA and their rules, but I am focusing on computer rules specifically, and wanted to see if any others had some thoughts.
_________________ "Because men know that the conquest of one's own weakness is a far, far, more difficult task than any other, they tend to believe that he who can conquer himself can also conquer whatever problem is at hand" - Rear Admiral Harley Cope
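The password rule set described in the opening post, written out as a checker so the cost of "must be enforced through technology" is concrete. This is an added example, not code from the thread or from any agency: the word and name lists are constructed stand-ins for real dictionary and name files, and reading "not be any word forwards or backwards" as a substring match on words of four or more letters (forwards and reversed) is an assumption, since the mandatory special character already rules out an exact match.

```python
# Constructed sample lists standing in for a full dictionary and name file.
DICTIONARY_WORDS = {"password", "welcome", "summer", "monkey", "dragon"}
KNOWN_NAMES = {"michael", "jennifer", "sherlock", "harley"}

SPECIAL_CHARS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")

# Assumption: only words of this length or longer are searched for as
# substrings; shorter words would reject almost every candidate.
MIN_WORD_LEN = 4


def contains_word(lowered_pw, wordlist):
    """True if any listed word appears in the password forwards or reversed."""
    for word in wordlist:
        if len(word) < MIN_WORD_LEN:
            continue
        if word in lowered_pw or word[::-1] in lowered_pw:
            return True
    return False


def check_password(pw, words=DICTIONARY_WORDS, names=KNOWN_NAMES):
    """Return the names of the rules a candidate password violates.

    An empty list means the candidate passes every rule from the post:
    length >= 9, one upper, one lower, one special, no dictionary word
    or name forwards/backwards, and no two-digit prefix or suffix
    (the "year or month value" rule).
    """
    violations = []
    if len(pw) < 9:
        violations.append("min_length_9")
    if not any(c.isupper() for c in pw):
        violations.append("needs_upper")
    if not any(c.islower() for c in pw):
        violations.append("needs_lower")
    if not any(c in SPECIAL_CHARS for c in pw):
        violations.append("needs_special")

    lowered = pw.lower()
    if contains_word(lowered, words):
        violations.append("contains_dictionary_word")
    if contains_word(lowered, names):
        violations.append("contains_name")

    # str.isdigit() on a two-character slice is True only if both are digits.
    if len(pw) >= 2 and (pw[:2].isdigit() or pw[-2:].isdigit()):
        violations.append("starts_or_ends_with_two_digits")
    return violations


def passes_policy(pw):
    """Convenience wrapper: True only when no rule is violated."""
    return check_password(pw) == []


if __name__ == "__main__":
    # Constructed candidates; the last three each trip exactly one rule.
    for candidate in ("Tr0ub4dor&3", "Password!1x", "Xq!yelrah9z", "Zq!mvkxw2008"):
        print(repr(candidate), check_password(candidate))
```

Running it shows why the rule is hard to live with: a candidate that satisfies the four character-class rules still fails on an embedded word, a reversed name, or a trailing year, and the checker gives no hint which of the 9+ characters to change.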
squashman
Big Dog
Joined: 08 Oct 2001 Posts: 3429
Location: 1265 Lombardi Ave.
Posted: Tue Mar 04, 2008 8:13 am
|
Not necessarily a stupid security rule but something stupid. Our corporation outsources the helpdesk to Accenture, who then outsources to a company in India. Takes you about an hour to get your password reset. They don't know what a mainframe is or even what Novell Netware is. They ask you if a file server being down is a high priority problem. Hmm, let me see here, no shit Sherlock. Then they will ask you how high of a priority it is. Hmm, let's see here, everybody has been sitting on their ass for an hour not doing their job.
Do we really think we should even trust our network security to some idiots in India! That should be a good topic to cover in your speech.
ThunderDawg
Alpha Dog
Joined: 14 Apr 2002 Posts: 16270
Location: In a Godda da Vita, Honey
Posted: Tue Mar 04, 2008 9:31 am
|
The stupidest security rule I can think of immediately was one that dictated screen savers must launch after 60 seconds of non-use, and be password-protected. That meant that in real life you had to type your password about 200 times a day. It cut productivity in half.
_________________ The ONE thing EVERYONE has in Common is that they think they are Above Average Drivers.
CMTG
Leg Humper
Joined: 23 Feb 2002 Posts: 4822
Location: On average, Cheltenham.
Posted: Tue Mar 04, 2008 11:18 am
|
It was once proposed at our place to write down all passwords for every machine to be placed inside an envelope in the safe, in case the worst should happen. Considering we have customer machines permanently on site that we don't have access to and Internal Support have access to all business critical things anyway, it seemed a bit pointless. We shot that fucker right down in the most surprisingly civilised fashion at the quarterly team brief.
_________________ Pie. I wish I could
constrain my hungry greed but...
Sadly, defeated.
So I'm cruising in my '91 Daihatsu blasting Vanessa Carlton's rockin' smash hit "A Thousand Miles," when it suddenly occurs to me:
"Am I too gangsta? Am I too hardcore and menacing for this world?" I just might be.
- Tatsuya Ishida
Pakiii
Tail-Wagger
Joined: 22 Jul 2002 Posts: 2055
Location: KS, USA
Posted: Thu Mar 06, 2008 12:45 pm
|
Good stuff everyone, thank you. I know there has got to be more stupid security tricks out there than just this though. Security people tend to do some stupid things.
_________________ "Because men know that the conquest of one's own weakness is a far, far, more difficult task than any other, they tend to believe that he who can conquer himself can also conquer whatever problem is at hand" - Rear Admiral Harley Cope
GibsonSG
Tail-Wagger
Joined: 26 Aug 2003 Age: 27 Posts: 2858
Location: Lubbock, TX
Posted: Thu Mar 06, 2008 1:20 pm
|
Pakiii wrote: "Good stuff everyone, thank you. I know there has got to be more stupid security tricks out there than just this though. Security people tend to do some stupid things."
When I was working for Cox Communications (now Suddenlink) and went through training for their technical support department I ran into this one. I don't remember exactly what the exercise was, but it involved a Windows 2000 test machine and needing an administrator password, which was given to us.
You see, IT used Norton Ghost to ghost new machines to a standard OS image. We had test machines, so they had one for Windows 95, 98, ME, 2k, and XP.
At the time, the computers on the call center floor were running Windows 98, and as you can imagine, security was pretty much non-existent on them. A few months after I started they built a new call center and we each got new computers, running Windows 2000. All we heard from IT staff was how they were going to lock down these machines, and we wouldn't be able to play games and do the other stuff we were used to doing on them due to group policies and whatnot.
So moving day comes, we roll into the new call center, everybody gets on their new computers... and sure enough they're locked down pretty tight. So I'm sitting there thinking about the situation... and something occurs to me.... "Surely not," I say to myself. Then I proceed to log off the computer, change the login to local machine instead of the domain.... put in Administrator for the user name, and then put in the password that was given to us for the Win2k machine in training those many months ago. Badda bing, badda boom.... logged in as Admin locally. They used the same Ghost image.
Surprisingly enough... it took them a good month to figure out what we were doing to accomplish this before it was changed.
_________________ This pan will kill your whole family, dig them up and eat them, and then vomit them back into their graves! Ctrl-Alt-Del
Sparrow
Tail-Wagger
Joined: 28 Sep 2004 Age: 32 Posts: 2547
Location: I could tell you but you would hate me.
Posted: Sun Jun 29, 2008 4:14 am
|
Well, I was told to change my password at first login and I did, like a good security person (ex), and locked myself out of everything for 2 days.
No one in the entire company, 5 years old, has tried to change their password at first login, and they have discovered through me that it doesn't work.
Also they have a password policy but no one knows what it is, so everyone has a standard password.
_________________ "A fine example of the kind of negotiating approach you should take can be found in the excellent corporate training film The Godfather."