Do you think IT security controls impede your workflow?

One of our clients uses KnowBe4. They had a user that failed several phishing tests. She is now very good at spotting real phishing attempts, which is good, but I get all of the tickets, which is annoying.

On the other hand, I try to track down the source of the email. I’ve received thank you emails from several people who did not know that their email accounts were compromised. They didn’t know because their IT department was not monitoring, and did not implement simple controls such as multi-factor authentication.

The guy who demanded… DEMANDED… that I give him access to everyone’s email passwords, and DEMANDED that we prevent users from changing their email passwords, and DEMANDED that we do not implement multi-factor authentication just got his email hacked for the second time in two weeks.

I logged him out of all instances, blocked login, changed his password, enforced MFA, sent an email to his boss.

That might impede his workflow.

nm…

Because of the work my coworker does, he has SW tools which are also used by people who are trying to illegally access networks.

IT got upset and there was a big kerfuffle. Nothing came of it, as it was necessary to his work. Now he informs IT and management when he uses new tools before he installs them and is entirely transparent.

Makes IT happy and then they can spend their time going after the people who install bittorrent (um, no, there’s no business need for that) and/or stream the UK Open (guess what, you’re temporary, good-bye).

On the other hand, when people first got work laptops, many people took them home and that was the primary family laptop. That was more than 20 years ago, and many people have to be told that they cannot do that.

Our standard practice when we set a client up from scratch for Office 365 and Azure is to enable MFA. We will only disable MFA based on a signed request that they acknowledge the risks and we disclaim all liability.

I’ve even blocked SMS MFA tokens and insisted on App based authentication to prevent SIM hijacking.

The one that pissed me off the most wasn’t exactly an IT issue, but was enforced by the IT department. IT didn’t let me download and install random software (reasonable). The software I wanted was a printer driver. And IT wanted me to provide proof that I’d purchased the printer before they would install it for me. And no, I didn’t have proof of purchase of the printer we’d had for years. (Nor was there any legal need for that, they give away drivers for a reason.)

I bumped that up several levels of management and eventually got permission to use my printer when working from home. Probably couldn’t today (haven’t tried) because they are much fussier about printing now, but back then it was essentially for doing my job. And the pushback I received was so stupid. Not, “document this is a real driver that is safe and compatible for your laptop”, but, “prove you didn’t steal the printer.”

I guess the other was when I was collaborating with people outside my organization to write a paper. The paper was going to be published publicly, and would (of course) include no trade secrets or private information. We set up a Google drive folder to share. Months later, IT blocked all access to Google drive with little warning. Yes, there was some official solution, but getting everyone set up with permissions, etc., was far from trivial, and the approved solution didn’t work as cleanly. We gave up, and ended up emailing a gazillion files around, instead of just using a shared drive.

Wtf? Was his goal to compromise the company?

When I worked as a software engineer in telecom 15+ years ago the company created a new, company wide, IT safety policy that all employees were directed to sign. It said, among other things, that users were not allowed to install any software on their computers that had not gone through IT approval. This of course would have made our jobs impossible, so most of us refused to sign and told our supervisors why.

Some programmers went the “I’ll just sign it and ignore it”-route, and some managers thought that was the way to go, but a majority of us just didn’t sign the policy. I can’t remember now whether they added exceptions for developers or whether we were just allowed never to sign on to the policy.

My employer isn’t that stupid. We have exceptions for developers. In fact, the mechanism by which I eventually got to use my printer was that a help desk person temporarily gave me developer privileges.

Funny story. It turns out he was using a VPN on his home PC to get some content that wasn’t available in the US. He then logged into his work email.

In the logs it looked like he traveled from Ohio to Great Britain in under an hour.

But, he now has MFA set up :slight_smile: :innocent:
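The “Ohio to Great Britain in under an hour” signal in the post above is what identity-protection tooling calls impossible travel, and the same anecdote shows its main false positive: a VPN exit node. As an added illustration (not the poster’s tooling or log data), the Python below flags consecutive logins for one account whose implied speed exceeds an airliner’s, run over constructed sample events; the coordinates, user names and the 900 km/h threshold are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample login events (not from the thread): time, user, place, lat, lon.
SAMPLE_LOGINS = [
    ("2023-03-01T22:05:00", "bob", "Columbus, OH", 39.96, -82.99),
    ("2023-03-01T22:50:00", "bob", "London, UK", 51.51, -0.13),
    ("2023-03-01T08:00:00", "alice", "Columbus, OH", 39.96, -82.99),
    ("2023-03-01T10:00:00", "alice", "Cincinnati, OH", 39.10, -84.51),
]

# Assumed threshold: roughly airliner cruise speed; faster implies two different networks.
MAX_PLAUSIBLE_KMH = 900.0


@dataclass
class Login:
    when: datetime
    user: str
    place: str
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    r = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * r * asin(sqrt(a))


def impossible_travel(rows, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, from_place, to_place, implied_kmh) for consecutive logins
    by the same user whose implied travel speed exceeds max_kmh.
    A hit is a triage lead (VPNs trip it too), not proof of compromise."""
    logins = [Login(datetime.fromisoformat(t), u, p, la, lo) for t, u, p, la, lo in rows]
    by_user = {}
    for ev in sorted(logins, key=lambda e: (e.user, e.when)):
        by_user.setdefault(ev.user, []).append(ev)
    alerts = []
    for user, events in by_user.items():
        for prev, cur in zip(events, events[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if km < 1.0:
                continue  # same place (geo-IP jitter), nothing to flag
            hours = (cur.when - prev.when).total_seconds() / 3600
            speed = float("inf") if hours <= 0 else km / hours
            if speed > max_kmh:
                alerts.append((user, prev.place, cur.place, round(speed)))
    return alerts
```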

I understand the need for things like spam filters, data loss prevention (DLP) agents to make sure you’re not mishandling sensitive information, etc., but I sometimes wonder how much thought is put into the implementation of these tools. When I get a notification that I have an email in my spambox, and it turns out to be something from corporate, but actual spam still managed to get through, I have to wonder what idiot set up the spam filter.

For one of the projects I used to work on, once a year we would send out about 35-40,000 letters that had to be custom generated. I had a process set up with an MS Word letter template that I would use to do a mail merge with an Excel spreadsheet of data and output PDF files to send to our print vendor for printing and mailing. I had a window of about two days from being given the OK to start running the letters to having them completed and sent to the printer. Usually it only took me about three hours to get all of the letters generated.

One year, I started running the letters and the process just bogged down within minutes. And the longer it ran, the more it slowed down. It took me half an hour or more just to run 1000 letters. There was no way I was going to get 40K done in two days. We eventually got all the letters created and sent out but it was a very stressful few days. After the deadline passed, I did some investigating and discovered that the bottleneck was one of the DLP agents running on my PC, which was analyzing the PDF output as it was being created and slowing the entire process to a crawl.

(This was confirmed a couple years later when another company took over the project. The guy I was training for the transition had absolutely no trouble running the letters on his company’s network.)

Oh, that reminds me of the time I was doing some industry volunteer work, and our corporate scanners decided one of the files contained social security numbers, and wouldn’t let me email it to my home computer.

It didn’t contain social security numbers, of course.

I finally gave up and asked the person who sent it to me to send a second copy to my home email. Sigh.

Now I get all my industry volunteer stuff sent to both addresses up front. Saves problems.

My only complaint is having to change my password for six or so different applications every six months. I’m running out of animals over here.

I generally have found that it doesn’t (and shouldn’t). Good security IT controls should be seamless and invisible if you have proper authentication.

The one exception is when I work with banks and financial services companies as clients. They generally have their systems locked down so you can’t access external web mail or a lot of non-business sites or transfer files via USB ports.

Make sure you use a random combination of 27 case-sensitive letters, numbers, and symbols. They can’t be proper names, actual words, sequences, variations of your last 30 passwords, or combinations of any two letters that sit next to each other on a standard keyboard!

Reminds me of way back when, the first time I had remote access to fix nighttime production problems. Prior to this, if you were on call and got a production problem that you couldn’t tell them how to fix, you had to get up, get dressed, and physically travel in to the office.

But they got a couple suitcase-sized remote terminals with dial-up modems. When you were on call, you could take one of these home with you. (Weighed about 25-30 pounds – quite a load to carry on public transit.)

Then if you got notified of a production problem (via beeper!), you could call in, put your phone handset into the acoustic coupler, and logon via that terminal. Worked at 30 characters per second.

We had an interesting security setup for that. You dialed in to the phone that sat next to the operator’s console of the IBM 370/168 mainframe. It was answered by the night operator, he recognized your voice, so then he put his receiver into the acoustic coupler alongside the console. Usually he was expecting your call, since he was the one that beeped you in the first place.

That security process was simple & easy to use, and quite secure – never an instance of an intruder gaining access. But not always efficient – night operators are sometimes lonely, and want to spend some time talking.

Yep, changing passwords every month or every three months. This has been conclusively shown to decrease password security.

Our front desk computers are heavily locked down - we can only get to websites they’ve pre-approved. It drives me crazy that I have to go to a separate computer in the back area every night to do two essential things.

On the other hand, considering how often we get the scammers calling us up trying to get access so they can steal guest credit cards and thinking of how some past co-workers would do it without thinking twice, maybe it’s a good idea.

Our IT insists that our computers be on overnight so they can perform maintenance, and then runs security scans in the middle of the workday. During these scans, which take about an hour or so, our computers slow to a crawl. Doesn’t help that we have 5400rpm drives on our laptops. Oh, and they just cut their budget so they can’t install the new SSDs we bought specifically for this issue.

My work has the most draconian password policy where for your company email account you have to have a password with more than 8 characters, include both upper case and lower case, must have at least one number and one symbol, your password must be manually reset every six months, and your current password cannot be the same as any of your previous 5 passwords after finally changing it.

Only six? And 6 months as opposed to 90 days? Consider yourself lucky.

~Max