Security Blues

  • V Vasudevan Deepak Kumar

    MehGerbil wrote:

    A simple case in point is users sharing login ids. My systems log changes to records but if people are going to pass around user ids then the whole logging mechanism is a waste of time.

    How about blocking logons from different IPs in a short period of time? That will discourage people from sharing ids, right?

    Vasudevan Deepak Kumar Personal Homepage
    Tech Gossips
    The woods are lovely, dark and deep, But I have promises to keep, And miles to go before I sleep, And miles to go before I sleep!

    Pualee
    wrote on last edited by
    #5

    It'll stop people from using the labs as well.

    • L Lost User

      The thing that irritates me the most about IT security is that my efforts to protect people's jobs are often opposed by the people whose jobs I'm protecting. Because I work with student data there are a whole host of regulations - serious regulations - about what I can do with the data and how it must be managed. A simple case in point is users sharing login ids. My systems log changes to records but if people are going to pass around user ids then the whole logging mechanism is a waste of time. I should think a person wouldn't want to get smeared with someone else's fraud, but I guess I'm all backwards on that issue. Maybe people like to lose their jobs over other people's malfeasance. I've had people high in management say that the rules aren't important and that if there is any blowback it will fall on their shoulders. Yeah, that's a nice story and all but I'm guessing I'd be crushed like a grape long before any poo-storm hit management. I'm supposed to believe a director wouldn't throw me under the bus to save his own arse? Right. This is why people have to keep email archives. :-D

      Espen Harlinn
      wrote on last edited by
      #6

      MehGerbil wrote:

      I'm supposed to believe a director wouldn't throw me under the bus to save his own arse?

      Not a religious type, are you? Well, you're probably right ...

      Espen Harlinn Principal Architect, Software - Goodtech Projects & Services AS Projects promoting programming in "natural language" are intrinsically doomed to fail. Edsger W.Dijkstra

      • M Mike Hankey

        Get everything in writing; it's called CYA.

        VS2010/Atmel Studio 6.0 ToDo Manager Extension
        Version 3.0 now available. There is no place like 127.0.0.1

        Espen Harlinn
        wrote on last edited by
        #7

        :thumbsup: It's common sense, but then ... “It is the obvious which is so difficult to see most of the time. People say 'It's as plain as the nose on your face.' But how much of the nose on your face can you see, unless someone holds a mirror up to you?” ― Isaac Asimov

        Espen Harlinn Principal Architect, Software - Goodtech Projects & Services AS Projects promoting programming in "natural language" are intrinsically doomed to fail. Edsger W.Dijkstra

          Vasudevan Deepak Kumar
          wrote on last edited by
          #8

          I mean you can apply a bit of heuristics like frequent and concurrent IP logons. May not be a full-fledged foolproof at first shot. You can try rolling out a logon policy for a closed set of (trusted) users and start rolling out for others after gaining a bit of maturity.

          Vasudevan Deepak Kumar Personal Homepage
          Tech Gossips
          The woods are lovely, dark and deep, But I have promises to keep, And miles to go before I sleep, And miles to go before I sleep!

            Mike Hankey
            wrote on last edited by
            #9

            Espen Harlinn wrote:

            “It is the obvious which is so difficult to see most of the time. People say 'It's as plain as the nose on your face.' But how much of the nose on your face can you see, unless someone holds a mirror up to you?”

            True enough and until it happened to me I didn't think it would be necessary.

            VS2010/Atmel Studio 6.0 ToDo Manager Extension
            Version 3.0 now available. There is no place like 127.0.0.1

              wizardzz
              wrote on last edited by
              #10

              MehGerbil wrote:

              A simple case in point is users sharing login ids. My systems log changes to records but if people are going to pass around user ids then the whole logging mechanism is a waste of time. I should think a person wouldn't want to get smeared with someone else's fraud, but I guess I'm all backwards on that issue.

              Every time I have a party, I bring out my guns, pass them around. You know, to get some more prints on them.

                JimmyRopes
                wrote on last edited by
                #11

                MehGerbil wrote:

                This is why people have to keep email archives.

                You won't be there to defend yourself when you are blamed. :~

                The report of my death was an exaggeration - Mark Twain
                Simply Elegant Designs JimmyRopes Designs
                Think inside the box! ProActive Secure Systems
                I'm on-line therefore I am. JimmyRopes

                  jschell
                  wrote on last edited by
                  #12

                  MehGerbil wrote:

                  and that if there is any blowback it will fall on their shoulders.

                  You can ask them to put that in writing. That protects you mostly as long as the regulations are not laws. If they are laws then still get it in writing, present that to law enforcement and get a record that you gave it to law enforcement (and did so promptly.)

                    jschell
                    wrote on last edited by
                    #13

                    Pualee wrote:

                    It'll stop people from using the labs as well.

                    How so? Logging out the first session when a second logs in is a common business idiom.

                    1 Reply Last reply
                    0
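
Added example, not part of any post in this thread: a sketch of the heuristic discussed above (logons to one id from different addresses, concurrently or within a short period), run over constructed log events. The event format, the 15-minute window and the lab subnet counted as a single origin are assumptions; findings are returned for review rather than used to block a logon.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample events: (ISO timestamp, user id, source IP, action).
EVENTS = [
    ("2024-03-04T09:00:00", "registrar1", "10.20.1.15", "login"),
    ("2024-03-04T09:05:00", "registrar1", "10.20.1.22", "login"),   # same lab subnet
    ("2024-03-04T09:10:00", "registrar1", "192.0.2.44", "login"),   # concurrent, elsewhere
    ("2024-03-04T10:00:00", "advisor7", "10.30.5.9", "login"),
    ("2024-03-04T10:20:00", "advisor7", "10.30.5.9", "logout"),
    ("2024-03-04T10:22:00", "advisor7", "198.51.100.7", "login"),   # 2 min after logout
    ("2024-03-04T11:00:00", "clerk3", "10.30.5.40", "login"),
    ("2024-03-04T15:00:00", "clerk3", "10.30.5.40", "logout"),
    ("2024-03-04T19:00:00", "clerk3", "203.0.113.8", "login"),      # hours later: not flagged
]

# Hypothetical lab subnet: every address inside it counts as one origin.
LAB_NETWORKS = [ip_network("10.20.1.0/24")]

def origin(ip, networks=LAB_NETWORKS):
    # Assumption: machines in one listed network are the same physical site.
    addr = ip_address(ip)
    for net in networks:
        if addr in net:
            return str(net)
    return ip

def find_shared_id_indicators(events, window=timedelta(minutes=15)):
    active = {}      # user -> {origin: number of open sessions}
    last_seen = {}   # user -> (origin, time) of the most recent event
    findings = []
    for ts, user, ip, action in sorted(events):
        when, src = datetime.fromisoformat(ts), origin(ip)
        sessions = active.setdefault(user, {})
        if action == "logout":
            if sessions.get(src, 0) > 0:
                sessions[src] -= 1
        else:
            others = [o for o, n in sessions.items() if n > 0 and o != src]
            prev = last_seen.get(user)
            if others:      # a session from another origin is still open
                findings.append((user, "concurrent", src, ts))
            elif prev and prev[0] != src and when - prev[1] <= window:
                findings.append((user, "rapid_switch", src, ts))
            sessions[src] = sessions.get(src, 0) + 1
        last_seen[user] = (src, when)
    return findings
```
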
                      p51dfltln
                      wrote on last edited by
                      #14

                      and quite possibly why some companies have instituted an 'email age limit' policy..
