this post was submitted on 18 Dec 2025
61 points (95.5% liked)

Ask Lemmy

Every industry is full of technical hills that people plant their flag on. What is yours?

[–] unknownuserunknownlocation@kbin.earth 13 points 18 hours ago (4 children)

IT restrictions should be much more conservatively applied (at least in comparison to what's happening in my neck of the woods). Hear me out.

Of course, if you restrict something in IT, you have a theoretical increase in security. You're reducing the attack surface in some way, shape or form. Usually at the cost of productivity. But also at the cost of the employees' good will towards the IT department and IT security. Which is an important aspect, since you will never be able to eliminate your attack surface, and employees with good will can be your eyes and ears on the ground.

At my company I've watched restrictions getting tighter and tighter. And yes, it's reduced the attack surface in theory, but holy shit has it ruined my colleagues' attitude towards IT security. "They're constantly finding things to make our job harder." "Honestly, I'm so sick of this shit, let's not bother reporting this, it's not my job anyway." "It will be fine, IT security is taking care of it anyway." "What can go wrong when our computers are so nailed shut?" It didn't used to be this way.

I'm not saying all restrictions are wrong, some definitely do make sense. But many of them have just pissed off my colleagues so much that I worry about their cooperation when shit ends up hitting the fan. "WTF were all these restrictions for that castrated our work then? Fix your shit yourself!"

[–] myfunnyaccountname@lemmy.zip 5 points 17 hours ago (2 children)

You pay me to admin 400 servers on a couple million dollars worth of hardware. Let me install a fucking app on my own machine without 4 levels of bullshit.

[–] neidu3@sh.itjust.works 2 points 15 hours ago

The IT admin in my previous job and I had this understanding, as I dealt with field hardware, and he dealt with the "normal" IT stuff.

Once a merger caused the corporate requirement of only allowing whitelisted apps to run, my laptop was simply disappeared from the requirement list. It made it easier for both of us. I could be on the other side of the world in sudden need of running some proprietary BS software that had to be whitelisted, and nobody wanted me to have to wake someone up to whitelist stuff.

When you deal with network hardware that costs more than most PCs, and server clusters that cost more than a house, some leeway should be allowed.

[–] slazer2au@lemmy.world 1 points 16 hours ago

Until you install SolarWinds between 2015 and 2020...

[–] Tar_alcaran@sh.itjust.works 5 points 17 hours ago

you will never be able to eliminate your attack surface, and employees with good will can be your eyes and ears on the ground.

All the good will in the world won't make up for ignorance. Most people know basically next to nothing about IT security, and will just randomly click shit to make the annoying box go away and/or get to where they think they want to go. And if that involves installing a random virus they'll happily do it, and be annoyed that it requires their password.

[–] tal@lemmy.today 3 points 17 hours ago

A major part of that is, I think, that desktop OSes are "by default insecure" against local software. Like, you install a program on the system, and it immediately has access to all of your data.

That wasn't an unreasonable model in the era when computers weren't all persistently connected to a network, but now, all it takes is someone getting one piece of malware on the computer, and it's trivial to exfiltrate all your data. Yes, there are technologies that let you stick software in a sandbox, on desktop OSes, but it's hard and requires technology knowledge. It's not a general solution for everyone.

Mobile OSes are better about this in that they have a concept of limiting access that an app has to only some data, but it's still got a lot of problems; I think that a lot of software shouldn't have network access at all, some information shouldn't be readily available, and there should be defense-in-depth, so that a single failure doesn't compromise everything. I really don't think that we've "solved" this yet, even on mobile OSes.

[–] Lemming421@lemmy.world 1 points 10 hours ago

Sure, but the reason isn’t always just security.

We have government contracts and want more. But to get those, they insist on us doing a bunch of security things.

So it sucks for the users, but if we don’t implement the restrictions, we lose the contracts and thus the income.

And as a side benefit, holy shit we are pretty secure. Next annual pentest soon and I’m expecting good things from it!