chin up everything sucks
Jan 29, 2012

So our InfoSec department is only 2 years old, with all but two of the staff being hired in the past 8 months.

We were told that IT manages all of our Sophos licenses for servers and endpoints. Alright, cool, fine. We are in the middle of figuring out a better solution to Sophos, and planned to have it in place before our Sophos licenses expired later this year.

Suddenly a week ago our CISO gets a flood of emails saying that our linux servers have failed to update Sophos. Why? Because the licenses had expired.

A week of trying to figure out what is going on, with both Sophos and our CDW rep being very confused and IT going "we don't see any servers on our console", we finally get the Infrastructure team to admit that they had their own Sophos account that they had set up. The very people who told us "Oh, IT is managing them" had an account that IT had no access to, on a different license schedule, and they IGNORED EVERY SINGLE EMAIL ABOUT THEIR LICENSES EXPIRING.

Holy loving poo poo. WHY. Yes, I know that InfoSec should have had more information but getting ANYTHING out of our Infrastructure team is so god drat hard. We still can't even get them to tell us how many servers they have in each environment, because they are so siloed that nobody actually knows anything outside of the little bit that they directly support.


FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams
Wait does the "infrastructure" team exist outside of "IT"?

Eminent DNS
May 28, 2007

You can tell a lot about a place based on how completely randomly they name their technical teams

GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

We have one team named MIS.

cheque_some
Dec 6, 2006
The Wizard of Menlo Park

GreenNight posted:

We have one team named MIS.

More like MIStake :dadjoke:

Blinkz0rz
May 27, 2001

MY CONTEMPT FOR MY OWN EMPLOYEES IS ONLY MATCHED BY MY LOVE FOR TOM BRADY'S SWEATY MAGA BALLS

scott zoloft posted:

Just install that poo poo baby gotta get to codin!

Ultimately you have the choice of allowing devs to install the tools they need to do their job or having to deal with constant tickets and escalations because you’re being a blocker.

All “no” does is build an environment that’s rife with shadow IT and has a reputation as being hostile to work activities that drive the business. IT and security do NOT want to be in that place.

Sickening
Jul 16, 2007

Black summer was the best summer.
Devs are the worst at defining need vs want. If the requirement is “install any software on a whim” I will happily be a blocker on this until I retire.

Diqnol
May 10, 2010

Devs apparently need to frequently download new libraries/tools tho and may not know what they’ll need until they dive in. If the IT department is slow and you have a block-until-ask posture, that’s gonna gently caress up productivity a lot.

I’m amenable to the model of block-until-ask until the dev escalates to their manager and you can get it in writing that they asked, you didn’t give. Thoughts on that?

Blinkz0rz
May 27, 2001

MY CONTEMPT FOR MY OWN EMPLOYEES IS ONLY MATCHED BY MY LOVE FOR TOM BRADY'S SWEATY MAGA BALLS

Sickening posted:

Devs are the worst at defining need vs want. If the requirement is “install any software on a whim” I will happily be a blocker on this until I retire.

Listen if you want to keep a list of all possible dev software someone might need and evaluate a request based on that list, go for it but I’m gonna guess you’re more interested in saying “if you want an IDE then you can install Eclipse” and call it a day.

The Fool
Oct 16, 2003


Sorry, but the choices aren’t “give devs the ability to do whatever they want” and “say no to everything”

Especially in tyol 2022 when we have all kinds of tooling to allow us to be more flexible

scott zoloft
Dec 7, 2015

yeah same
You won't know what you need until you install it? Lol good poo poo fire when rdy sir

CLAM DOWN
Feb 13, 2007




Blinkz0rz posted:

Listen if you want to keep a list of all possible dev software someone might need and evaluate a request based on that list,

Uh you absolutely must do this in a real enterprise environment if you remotely give two shits about security.

Bob Morales
Aug 18, 2006


Just wear the fucking mask, Bob

I don't care how many people I probably infected with COVID-19 while refusing to wear a mask, my comfort is far more important than the health and safety of everyone around me!

Isn't the IT answer to have a developer image or set of apps that they predetermine (you want all your devs using the same shut) and you just deploy their crap like any other office drone?

The Iron Rose
May 12, 2012

:minnie: Cat Army :minnie:
I love the Lens tool for visualizing my kubernetes clusters. Sure, kubectl works, and is what I use for anything serious or complex, but for basic poo poo lens is a great visualization tool for understanding my cluster at a glance.*

I heard about it when a coworker on my team said “hey I really like this tool!” and showed it off. His ability to do that, and the gains it realized, would be compromised by “hey IT can you please review this app”, when IT doesn’t know poo poo about kubernetes or poo poo about our environment. Unless the time it takes to approve is very very quick (1 day or less, which just isn’t going to happen), a non-local admin policy heavily constrains development’s ability to innovate and experiment. There are thousands of apps just like Lens that exist to make everyone’s jobs easier. Empowering people to use the tools they want to use buys goodwill, and absolutely improves the ability of every worker to be creative and innovative in the pursuit of solving their problems. The tradeoff is you need to have other robust automated security tooling to minimize the risk of untrusted apps. Allowing someone to use a tool to visualize your cluster is very different than arbitrarily adding a new library or using a new CI/CD tool. There is value in flexibility and value in strict control of development environments. Recognize there is a tradeoff and centralization of authority here consumes time, effort, energy, and money.

That’s a tradeoff that may be worth making in larger organizations with more strict security requirements. I acknowledge this brings some security benefits. I don’t think those benefits are without costs, I don’t think they are worth it in many situations for small/medium businesses, and I worry that we are forgetting that everyone’s fundamental and most important job - regardless of department or title - is to make the business money.


E: *and yes this should be solved by better monitoring and observability tooling, but that takes time and effort too and sometimes you are focused on other initiatives. Again! There’s an ideal solution here - but one that only works if the organization sufficiently values it to commit the resources to achieve it rather than other things.

The Iron Rose fucked around with this message at 20:39 on Jan 23, 2022

Defenestrategy
Oct 24, 2010

Bob Morales posted:

Isn't the IT answer to have a developer image or set of apps that they predetermine (you want all your devs using the same shut) and you just deploy their crap like any other office drone?

Yes and same for libraries, if a new library needs to be admitted there's a bunch of automated stuff to generate vuln scans and security scores without intervention from security dudes.


edit: It's a tight rope for sure, security's job should be to accommodate developers so they can accomplish whatever, but on the flip side, security can't just say yes to everything without looking because supply chain attacks can and do happen.

Defenestrategy fucked around with this message at 20:48 on Jan 23, 2022

Blinkz0rz
May 27, 2001

MY CONTEMPT FOR MY OWN EMPLOYEES IS ONLY MATCHED BY MY LOVE FOR TOM BRADY'S SWEATY MAGA BALLS

CLAM DOWN posted:

Uh you absolutely must do this in a real enterprise environment if you remotely give two shits about security.

100% disagree but I think this is fundamentally the difference between places where software is a byproduct of the lines of business vs those where the business is software.

The Fool
Oct 16, 2003


Blinkz0rz posted:

100% disagree but I think this is fundamentally the difference between places where software is a byproduct of the lines of business vs those where the business is software.

It’s actually the difference between places that show up on shodan and those that don’t.

Sepist
Dec 26, 2005

FUCK BITCHES, ROUTE PACKETS

Gravy Boat 2k
We whitelist what devs can install, which doesn't cause a ton of friction as Corp IT is quick to approve new software. For libraries, all of our builds are done through gitlab pipelines and we leverage shiftleft to detect any shenanigans instead of whitelisting python and go libraries. I think our director of security would like more control but we run the risk of slowing down developer agility and our internal CA has already caused enough strife with them.
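The two posts above (Defenestrategy's "automated stuff to generate vuln scans" when a library is admitted, and Sepist's pipeline-side checks instead of a library allowlist) describe the same control: a build job that evaluates pinned dependencies against an advisory feed and fails the build on a match. The script below is an added illustration of that gate, not code from either poster or from any tool named in the thread. The lockfile, the package names and the advisory entries are all constructed; real jobs would pull advisories from a feed such as OSV or the GitHub Advisory Database.

```python
"""Added example: a dependency-admission gate for a CI job.
Illustrative code only; the lockfile, package names and advisory
entries below are constructed, not real packages or real advisories."""
import re
import sys
from dataclasses import dataclass

# Constructed sample: a pinned requirements file as the CI job would see it.
SAMPLE_LOCKFILE = """\
# requirements.txt (constructed)
netclient==2.25.1
yamlish==5.3.1
cryptolib==38.0.4
-e git+https://example.invalid/acme/internal-lib.git#egg=internal-lib
"""

# Constructed advisory feed: (package, first affected, first fixed, id).
# Real feeds expose the same shape; the ids here are placeholders.
SAMPLE_ADVISORIES = [
    ("yamlish",   "0",     "5.4",    "ADV-PLACEHOLDER-1"),
    ("netclient", "2.3.0", "2.31.0", "ADV-PLACEHOLDER-2"),
    ("cryptolib", "0",     "3.3",    "ADV-PLACEHOLDER-3"),
]


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    advisory: str
    fixed_in: str


def parse_version(v: str) -> tuple:
    """Numeric version key: '2.25.1' -> (2, 25, 1). Trailing zeros are dropped
    so '5.4' == '5.4.0'. Pre-release tags are not modelled (assumption: pinned
    builds use release versions)."""
    parts = [int(p) for p in re.findall(r"\d+", v)]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def parse_lockfile(text: str) -> dict:
    """Return {'pins': {package: version}, 'unpinned': [lines]}. Anything that
    is not an exact '==' pin (VCS URLs, ranges) is reported separately because
    a gate cannot evaluate it."""
    pins, unpinned = {}, []
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()  # strip pip-style comments
        if not line:
            continue
        m = re.fullmatch(r"([A-Za-z0-9_.\-]+)\s*==\s*([0-9][0-9A-Za-z.\-]*)", line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
        else:
            unpinned.append(line)
    return {"pins": pins, "unpinned": unpinned}


def check(pins: dict, advisories) -> list:
    """Match each pin against [introduced, fixed) ranges from the feed."""
    findings = []
    for pkg, introduced, fixed, adv in advisories:
        ver = pins.get(pkg.lower())
        if ver is None:
            continue
        if parse_version(introduced) <= parse_version(ver) < parse_version(fixed):
            findings.append(Finding(pkg, ver, adv, fixed))
    return findings


def gate(lockfile_text: str, advisories) -> tuple:
    """Return (ok, findings, unpinned). ok is False when any pin is in an
    affected range or any requirement could not be evaluated."""
    parsed = parse_lockfile(lockfile_text)
    findings = check(parsed["pins"], advisories)
    ok = not findings and not parsed["unpinned"]
    return ok, findings, parsed["unpinned"]


if __name__ == "__main__":
    ok, findings, unpinned = gate(SAMPLE_LOCKFILE, SAMPLE_ADVISORIES)
    for f in findings:
        print(f"BLOCK {f.package}=={f.version}: {f.advisory} (fixed in {f.fixed_in})")
    for line in unpinned:
        print(f"BLOCK cannot evaluate unpinned/VCS requirement: {line}")
    sys.exit(0 if ok else 1)
```

Run as a pipeline step, the non-zero exit is what blocks the merge; treating unpinned and VCS requirements as failures rather than skipping them is deliberate, since a gate that silently ignores what it cannot evaluate is the kind of "yes without looking" the posts warn about.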

CLAM DOWN
Feb 13, 2007




The Fool posted:

It’s actually the difference between places that show up on shodan and those that don’t.

It's this. Devs cannot be trusted, simple as that.

Blinkz0rz
May 27, 2001

MY CONTEMPT FOR MY OWN EMPLOYEES IS ONLY MATCHED BY MY LOVE FOR TOM BRADY'S SWEATY MAGA BALLS

CLAM DOWN posted:

It's this. Devs cannot be trusted, simple as that.

Don’t you work for a government agency? Refer to my previous post about devs being a byproduct of line-of-business vs being the business.

Despite what a lot of folks in this thread seem to think, IT and security are cost centers and building petty fiefdoms that hinder or completely block revenue drivers never ends up well, either in terms of shadow IT or leadership overriding policies by force.

Sickening
Jul 16, 2007

Black summer was the best summer.
Keep shouting it, maybe this time it will be convincing.

CLAM DOWN
Feb 13, 2007




Blinkz0rz posted:

Don’t you work for a government agency? Refer to my previous post about devs being a byproduct of line-of-business vs being the business.

Despite what a lot of folks in this thread seem to think, IT and security are cost centers and building petty fiefdoms that hinder or completely block revenue drivers never ends up well, either in terms of shadow IT or leadership overriding policies by force.

I work in the public sector. Not for the government. I'm not comfortable being any more specific than that due to doxxing concerns. Not trusting devs with local admin or total freedom to install whatever they want is not "blocking a revenue driver" nor asserting a "petty fiefdom". It's fundamental security, safety, and privacy concerns that are essential to prioritize in any enterprise environment no matter what your "product" may be.

The Fool
Oct 16, 2003


Blinkz0rz posted:

Despite what a lot of folks in this thread seem to think, IT and security are cost centers and building petty fiefdoms that hinder or completely block revenue drivers never ends up well, either in terms of shadow IT or leadership overriding policies by force.

I’m sorry that you only work with IT departments that haven’t adapted in the last 20 years.

Gucci Loafers
May 20, 2006

Ask yourself, do you really want to talk to pair of really nice gaudy shoes?


Gonna throw this out here, I'm dumb. Really dumb. Why is it again giving users local admin to their own workstation a bad idea? I thought this was a much bigger deal in the 90s and 2000s due to worms and all of that or am I mistaken?

Dick Trauma
Nov 30, 2007

God damn it, you've got to be kind.
I don't dev or op and am happier for it.

Blinkz0rz
May 27, 2001

MY CONTEMPT FOR MY OWN EMPLOYEES IS ONLY MATCHED BY MY LOVE FOR TOM BRADY'S SWEATY MAGA BALLS

The Fool posted:

I’m sorry that you only work with IT departments that haven’t adapted in the last 20 years.

I say this as an outsider but from all observations our IT and InfoSec departments are pretty modernized. Everything is authenticated via SSO including VPN, only authorized devices are allowed access to internal systems, patch management and vulnerability detection is automated, all endpoints are monitored (to my detriment sometimes, ask me about what happens with SentinelOne when you check out a git commit that contains changes in more than 10 files), and suspicious activity notifies users and asks them to verify what they’re doing and prove their identity via MFA that’s tied to our SSO profile. I’m sure there’s more I’m forgetting but this is off the top of my head and only the stuff I’ve seen.

If that’s outdated I’d be sincerely curious what modern IT looks like.

22 Eargesplitten
Oct 10, 2010



How do you evaluate some dev tool / library / whatever if you don't know the language/environment? Genuine question. I have no expectation/desire to know as much about C# libraries or JS frameworks as a developer needs to, what can you do aside from google search for "$library vulnerabilities"?

I feel like there's a valid point in terms of playing politics and picking your battles on security so you don't just get bulldozed constantly, but thankfully I'm not at a point in my career where I have to worry about that. If something seems like a bad idea in terms of security I forward the request to the head of infosec with my concerns and if he ever says to do it (he hasn't yet) I'd save that as CYA material and do it. I don't get paid enough to fight about how to protect/maximize profit for a company that I have no ownership stake in.

scott zoloft
Dec 7, 2015

yeah same

Crosby B. Alfred posted:

Gonna throw this out here, I'm dumb. Really dumb. Why is it again giving users local admin to their own workstation a bad idea? I thought this was a much bigger deal in the 90s and 2000s due to worms and all of that or am I mistaken?

A user with admin will

Run poo poo they think they need from unknown sources

Leave ad and spyware boxes checked in installers

"Know enough to be dangerous"

Be vulnerable to any html attachment attack chaining to MS office or Adobe extensions after being prompted to hit OK

Forgo updates indefinitely on office applications and remain being vulnerable to whatever exploit

jaegerx
Sep 10, 2012

Maybe this post will get me on your ignore list!


Do your devs have access to download things? Do they have access to a compiler as devs should have. Congrats. Devs can install whatever they want.

Gimme my 30 day probe IE. I loving swear this thread.

(USER WAS PUT ON PROBATION FOR THIS POST)

Diqnol
May 10, 2010

Lmao god bless Jaeger

22 Eargesplitten
Oct 10, 2010



jaegerx posted:

Do your devs have access to download things? Do they have access to a compiler as devs should have. Congrats. Devs can install whatever they want.

Gimme my 30 day probe IE. I loving swear this thread.

RIP, but also a viewpoint I hadn't thought of.

The Fool
Oct 16, 2003


22 Eargesplitten posted:

RIP, but also a viewpoint I hadn't thought of.

It’s a bad take and he should know better.

Yes, it’s possible to download and compile stuff, yes it’s difficult to white list things.

It’s about providing guard rails with minimal friction.

If your devs are installing whatever they want with no oversight, you’re doing it wrong.

If it’s easier for your devs to compile from source than follow procedure, you’re also doing it wrong

rujasu
Dec 19, 2013

Crosby B. Alfred posted:

Gonna throw this out here, I'm dumb. Really dumb. Why is it again giving users local admin to their own workstation a bad idea? I thought this was a much bigger deal in the 90s and 2000s due to worms and all of that or am I mistaken?

If you think the worms of the 90's and 00's were bad, let me tell you about this thing called "ransomware"

KillHour
Oct 28, 2007


This discussion is why when someone asks "What software do we have that is vulnerable to the log4j thing and how many places is it installed on?" most IT departments just go all deer in headlights while quietly panicking. If you don't even know what you have running where, you have no hope of surviving in a world where holding your source code hostage for crypto is big business.

This is no different from sales guys whinging about "Why do I have to input my customer's information in the CRM when I have their cell number and daughter's birthday written on a little scrap of paper I keep in my wallet!? You're getting in the way of me making you money!"

Source: My company makes literally all their money off execs who realize "Oh poo poo we've been doing [core business activity] with no standardization for our entire existence and now we can't do [really important thing] because we have no idea how to quantify any of it!"

jaegerx posted:

Do your devs have access to download things? Do they have access to a compiler as devs should have. Congrats. Devs can install whatever they want.

Gimme my 30 day probe IE. I loving swear this thread.

You broke him. Are you happy now?

If your devs are installing their builds to test on the same machines they're developing on, you have problems

KillHour fucked around with this message at 04:31 on Jan 24, 2022
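KillHour's log4j question is hard to answer precisely because log4j-core is usually not an installed package but a library buried inside application archives, often nested inside other archives. The script below is an added example of how an inventory can be built anyway, by walking a deployment tree and reading the Maven `pom.properties` that log4j-core jars carry, recursing into archives embedded in archives. It is illustrative code, not from the thread or any vendor; the sample tree is constructed in a temporary directory, and the "minimum safe version" passed in the demo is a placeholder that a real run would take from the relevant advisory.

```python
"""Added example: inventory of log4j-core versions embedded in application
archives (jars inside jars included). Illustrative code; the sample
deployment tree is constructed below, not taken from any real system."""
import io
import os
import re
import tempfile
import zipfile

# Maven-built log4j-core jars carry this properties file with a version= line.
POM_RE = re.compile(r"^META-INF/maven/org\.apache\.logging\.log4j/log4j-core/pom\.properties$")
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def parse_version(v: str) -> tuple:
    """Numeric version key ('2.14.1' -> (2, 14, 1)); pre-release tags are not modelled."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def scan_archive(data: bytes, label: str, depth: int = 0, max_depth: int = 5):
    """Yield (label, version) for every log4j-core pom.properties in the archive
    or in archives nested inside it (fat jars, wars with WEB-INF/lib, ...)."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        for name in zf.namelist():
            if POM_RE.match(name):
                props = zf.read(name).decode("utf-8", "replace")
                m = re.search(r"^version=(\S+)", props, re.M)
                if m:
                    yield label, m.group(1)
            elif name.lower().endswith(ARCHIVE_SUFFIXES) and depth < max_depth:
                yield from scan_archive(zf.read(name), f"{label}!{name}", depth + 1, max_depth)


def scan_tree(root: str) -> list:
    """Walk a directory tree and scan every archive found in it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    findings.extend(scan_archive(fh.read(), os.path.relpath(path, root)))
    return findings


def below(findings: list, min_safe: str) -> list:
    """Findings whose bundled version is older than min_safe. The threshold is
    an input: take it from the advisory you are acting on."""
    return [(lbl, v) for lbl, v in findings if parse_version(v) < parse_version(min_safe)]


def build_sample_tree() -> str:
    """Construct a fake deployment tree: one app shipping log4j-core as a plain
    jar, one fat jar embedding it, and one archive with no log4j at all."""
    def jar(entries: dict) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            for n, b in entries.items():
                z.writestr(n, b)
        return buf.getvalue()

    def log4j(ver: str) -> bytes:
        pom = f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={ver}\n"
        return jar({"META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties": pom})

    root = tempfile.mkdtemp(prefix="jarscan-")
    for sub in ("billing/lib", "portal", "static-site"):
        os.makedirs(os.path.join(root, sub))
    with open(os.path.join(root, "billing", "lib", "log4j-core-2.14.1.jar"), "wb") as f:
        f.write(log4j("2.14.1"))
    with open(os.path.join(root, "portal", "portal-all.jar"), "wb") as f:  # fat jar
        f.write(jar({"BOOT-INF/lib/log4j-core-2.17.1.jar": log4j("2.17.1"), "app/Main.class": b""}))
    with open(os.path.join(root, "static-site", "site.jar"), "wb") as f:
        f.write(jar({"index.html": b"<html></html>"}))
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    found = scan_tree(root)
    for label, ver in sorted(found):
        print(f"{label}: log4j-core {ver}")
    # Placeholder threshold for the demo; use the fixed version from the real advisory.
    for label, ver in below(found, "2.17.0"):
        print(f"NEEDS ATTENTION: {label} ({ver})")
```

Two caveats for a real run: some builds strip `pom.properties`, so production scanners also match on class file names inside the archive, and the count of hits is per deployment path, which is exactly the "how many places" number the post says most shops cannot produce.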

CLAM DOWN
Feb 13, 2007




The Fool posted:

It’s a bad take and he should know better.

Yes, it’s possible to download and compile stuff, yes it’s difficult to white list things.

It’s about providing guard rails with minimal friction.

If your devs are installing whatever they want with no oversight, you’re doing it wrong.

If it’s easier for your devs to compile from source than follow procedure, you’re also doing it wrong

Exactly loving this. It's about creating a way to whitelist and put guardrails in place so the devs do not risk your entire loving environment with recklessness. You put policies in this, you communicate them. If they don't like them, they can discuss it or work somewhere else. If they circumvent that and compile their own poo poo like jaegerx said, they get disciplined. It's an HR problem as much as a security problem at that point. It's also really not that hard. No one has carte blanche to do whatever they want at work. It's work. It's not your own home PC.

jaegerx
Sep 10, 2012

Maybe this post will get me on your ignore list!


CLAM DOWN posted:

Exactly loving this. It's about creating a way to whitelist and put guardrails in place so the devs do not risk your entire loving environment with recklessness. You put policies in this, you communicate them. If they don't like them, they can discuss it or work somewhere else. If they circumvent that and compile their own poo poo like jaegerx said, they get disciplined. It's an HR problem as much as a security problem at that point. It's also really not that hard. No one has carte blanche to do whatever they want at work. It's work. It's not your own home PC.

So we agree that it's a policy problem, not an IT problem. You cannot lock down a PC unless they're an idiot. I've dealt with a locked down windows surface book, you know what I did, I just remote desktop'd into it while developing on my mac. Security is a joke, smart people will always find a way.


E: add another 30 IE

E: so I don’t eat another 30. Wait till y’all learn what a reverse ssh tunnel is to beat your vpn.

jaegerx fucked around with this message at 05:08 on Jan 24, 2022

KillHour
Oct 28, 2007


I can't believe you ate another 30 just to tell us that we can't stop you from breaking corporate policy if you really want to.

We can fire you, though.


Edit: I actually can believe it because it's something someone who thinks "I am physically able to" is the same thing as "I'm entitled to" would do. Security controls exist to keep honest people honest and remove any pretense of deniability when you jump through hoops to break the rules.

KillHour fucked around with this message at 05:23 on Jan 24, 2022

Sickening
Jul 16, 2007

Black summer was the best summer.

jaegerx posted:

So we agree that it's a policy problem, not an IT problem. You cannot lock down a PC unless they're an idiot. I've dealt with a locked down windows surface book, you know what i did, i just remote desktop'd into it while developing on my mac. Security is a joke, smart people will always find a way.


E: add another 30 IE

E: so I don’t eat another 30. Wait till y’all learn what a reverse ssh tunnel is to beat your vpn.

Locking down remote desktop into workstations is a pretty basic thing. I would recommend it for any org, doubly so for those with a big work from home crowd. While there are other ways, the point is to not make it that easy at least.
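A lockdown like the one Sickening recommends is only trustworthy if something checks that it holds. The script below is an added example of that check, not code from the thread or from any vendor: it runs over constructed Windows Security log records (event 4624 with logon type 10 is a successful RDP session; 4625 with type 10 is a failed one) and alerts on RDP sessions reaching workstations from anywhere other than the approved sources, plus bursts of failed RDP attempts against a workstation. The record shape, the "WS-" naming convention for workstations and the approved-source list are assumptions for the demo.

```python
"""Added example: detection logic for RDP reaching workstations.
Runs over constructed event records; the JSON-lines shape, the host
naming convention and the approved source list are assumptions."""
import json
from collections import defaultdict

# Constructed sample records in the shape a log forwarder might emit.
SAMPLE_EVENTS = """\
{"EventID": 4624, "LogonType": 10, "TargetUserName": "alice", "Computer": "WS-0142", "IpAddress": "10.20.5.7", "TimeCreated": "2022-01-24T04:31:00Z"}
{"EventID": 4624, "LogonType": 10, "TargetUserName": "bob", "Computer": "WS-0077", "IpAddress": "10.0.9.9", "TimeCreated": "2022-01-24T04:32:10Z"}
{"EventID": 4624, "LogonType": 2, "TargetUserName": "bob", "Computer": "WS-0077", "IpAddress": "127.0.0.1", "TimeCreated": "2022-01-24T04:33:00Z"}
{"EventID": 4624, "LogonType": 10, "TargetUserName": "svc-build", "Computer": "JUMP-01", "IpAddress": "10.0.9.9", "TimeCreated": "2022-01-24T04:34:00Z"}
{"EventID": 4625, "LogonType": 10, "TargetUserName": "alice", "Computer": "WS-0142", "IpAddress": "203.0.113.5", "TimeCreated": "2022-01-24T04:35:00Z"}
{"EventID": 4625, "LogonType": 10, "TargetUserName": "alice", "Computer": "WS-0142", "IpAddress": "203.0.113.5", "TimeCreated": "2022-01-24T04:35:01Z"}
{"EventID": 4625, "LogonType": 10, "TargetUserName": "alice", "Computer": "WS-0142", "IpAddress": "203.0.113.5", "TimeCreated": "2022-01-24T04:35:02Z"}
"""

APPROVED_RDP_SOURCES = {"10.0.9.9"}  # e.g. the jump host or VDI broker (assumption)
REMOTE_INTERACTIVE = 10              # Windows LogonType 10 = RemoteInteractive (RDP)
LOGON_SUCCESS, LOGON_FAILURE = 4624, 4625


def is_workstation(computer: str) -> bool:
    """Naming-convention classifier (assumption); a CMDB lookup is the real-world source."""
    return computer.upper().startswith("WS-")


def parse_events(text: str) -> list:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events: list, approved=APPROVED_RDP_SOURCES, fail_threshold: int = 3) -> list:
    """Return alerts, in order:
      rdp_to_workstation_from_unapproved_source: successful RDP logon to a
        workstation from a source outside the approved set;
      rdp_failed_burst: at least fail_threshold failed RDP attempts against
        one workstation from one source."""
    alerts = []
    failures = defaultdict(int)
    for e in events:
        if e.get("LogonType") != REMOTE_INTERACTIVE or not is_workstation(e.get("Computer", "")):
            continue  # not RDP, or not a workstation: out of scope for this rule
        src = e.get("IpAddress")
        if e.get("EventID") == LOGON_SUCCESS and src not in approved:
            alerts.append({
                "rule": "rdp_to_workstation_from_unapproved_source",
                "computer": e["Computer"], "user": e.get("TargetUserName"),
                "source": src, "time": e.get("TimeCreated"),
            })
        elif e.get("EventID") == LOGON_FAILURE:
            failures[(e["Computer"], src)] += 1
    for (computer, src), n in failures.items():
        if n >= fail_threshold:
            alerts.append({"rule": "rdp_failed_burst", "computer": computer,
                           "source": src, "count": n})
    return alerts


if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_EVENTS)):
        print(a)
```

The approved-source set is the policy encoded as data: when RDP to workstations is allowed only through a jump host or broker, every other successful session is a finding to triage, and the failed-attempt count gives a cheap signal that the port is reachable from somewhere it should not be.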

KillHour
Oct 28, 2007


Sickening posted:

Locking down remote desktop into workstations is a pretty basic thing. I would recommend it for any org, doubly so for those with a big work from home crowd. While there are other ways, the point is to not make it that easy at least.

I use remote desktop because I have to juggle multiple work laptops and my desk is crowded enough as it is, but I'm actually allowed to do so. In fact, it's the only option for our offshore team because my customer refuses to ship them a laptop (RIP). But in any case, the IT departments made that determination, as is their job.

Edit: The one annoying thing is I'm required to be connected to VPN before I connect RDP since they want me to prove I'm physically in front of my laptop. But I understand why they do it so whatever. Also, they're nice enough to not time out my VPN connection for as long as I have an RDP session open (and the RDP session has no timeout either). I would not be that nice.

KillHour fucked around with this message at 05:35 on Jan 24, 2022


Dandywalken
Feb 11, 2014

port 3389 is mighty fine, but if you're lookin for me? I'll be on 23 :smug:
