Our "security" is so good, nothing fucking works anymore

8-10 years ago - a couple years back the agency actually listened to scientists and greenlighted/contracted some cloud services (shocker I know)

That’s good. Because now, I can think of several Federally mandated policies and security controls that make running a rogue cable between buildings a very bad idea :slight_smile:

As an aside, the good security folks should work with the people involved to determine a safe and secure method to do what they want to do.

The bad ones just say “Nope!”

I hate the bad ones too. US Army, I’m looking at you!

So it’s everyone’s fault except the people who do security. Got it.

My best friend (now deceased) was a computer security expert, a specialist in cryptography. He used to complain about “users” too. He and I had an ongoing argument about users vs. systems, and my point was that if the system continually induces the same kinds of problems for multiple people, then there’s something wrong with the system.

Yeah. There’s a policy that everyone is supposed to follow but nobody knew it. How’s that security’s fault?

Of course I agree that if a system is hampering a significant amount of people, then yes, it needs to be looked at.

But every user thinks they are “significant” :slight_smile:

I sure as hell wouldn’t have done it without that CYA email from headquarters, that’s for damn sure! I thought at the time “are you suuure it doesn’t violate something” but it was their call. (also, there were existing telephony conduits so it wasn’t like we were stringing cables in trees).

They (DC IT) actually worked earnestly to try to get the “through HQ” routing working and we were never sure where in the chain it was timing out. I got the impression that someone above them was preventing them from setting up a direct pipe and there were HQ politics involved - the cable solution may have been a bit of malicious compliance towards their own bosses.

You might be surprised. Automated hacking systems are always running, scanning the internet for exposed services and exploiting bad passwords, known backdoors, etc.

I have a web server that’s run a few no-stakes services over the years: a webforum that was never used, a WordPress blog site, a simple photo album. All of them were hacked. They were filled with spam, probably the password DBs harvested, and the scripts were changed to themselves send out spam.

Fortunately, these sites were never very important, so it was no loss just to delete them and move on. The automated systems that hack them don’t care about that, though.

If your work services have any public-facing aspect at all, then there will be hack attempts. That’s not to say that IT is doing the right thing here, but assuming that you’ll never be hacked because you’re unimportant is false.
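The scanning and password-guessing traffic this post describes leaves a very recognisable trace in authentication logs, and that trace is what a defender watches for. The following is an added example, not code from anyone in the thread: it parses constructed OpenSSH-style auth.log lines (the lines, hosts, addresses and thresholds are all made up) and flags any source that produces a burst of failed logins, separating a scanner spraying many usernames from one account being hammered.

```python
"""Added example: spotting automated password guessing in sshd-style log lines.

The sample log, the one-minute window and the threshold of four failures are
constructed for the demonstration; tune them to your own environment.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample shaped like OpenSSH auth.log entries (not a real capture).
SAMPLE_LOG = """\
Mar 12 03:14:01 web sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Mar 12 03:14:03 web sshd[2102]: Failed password for invalid user oracle from 198.51.100.7 port 51236 ssh2
Mar 12 03:14:04 web sshd[2103]: Failed password for root from 198.51.100.7 port 51240 ssh2
Mar 12 03:14:06 web sshd[2104]: Failed password for invalid user test from 198.51.100.7 port 51244 ssh2
Mar 12 03:14:09 web sshd[2105]: Failed password for invalid user ubuntu from 198.51.100.7 port 51250 ssh2
Mar 12 03:15:30 web sshd[2110]: Failed password for alice from 203.0.113.9 port 40002 ssh2
Mar 12 03:15:41 web sshd[2111]: Accepted password for alice from 203.0.113.9 port 40002 ssh2
Mar 12 07:02:11 web sshd[2300]: Failed password for root from 192.0.2.33 port 33001 ssh2
Mar 12 07:02:12 web sshd[2301]: Failed password for root from 192.0.2.33 port 33003 ssh2
Mar 12 07:02:13 web sshd[2302]: Failed password for root from 192.0.2.33 port 33005 ssh2
Mar 12 07:02:14 web sshd[2303]: Failed password for root from 192.0.2.33 port 33007 ssh2
"""

# Matches the "Failed password" line shape; "invalid user" marks a name that
# does not even exist on the host, which is typical of blind scanning.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_ts(ts: str, year: int = 2024) -> datetime:
    """Syslog timestamps carry no year, so one is supplied (assumed here)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def failed_logins(text: str) -> list[tuple[datetime, str, str]]:
    """Return (timestamp, source ip, username) for every failed login line."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            events.append((parse_ts(m["ts"]), m["ip"], m["user"]))
    return events


def flag_sources(text: str, window: timedelta = timedelta(minutes=1),
                 threshold: int = 4) -> dict[str, dict[str, int]]:
    """Flag sources with >= threshold failures inside any sliding window.

    The result maps ip -> {"failures": total, "distinct_users": k}; a high
    distinct_users count is the signature of a scanner spraying usernames,
    while a count of 1 is a single account under a brute-force attempt.
    """
    by_ip: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    for ts, ip, user in failed_logins(text):
        by_ip[ip].append((ts, user))

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        times = [t for t, _ in evs]
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits inside `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = {"failures": len(evs),
                               "distinct_users": len({u for _, u in evs})}
                break
    return flagged


if __name__ == "__main__":
    for ip, info in flag_sources(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} failures, {info['distinct_users']} usernames")
```

A single failed login followed by success (alice above) is normal and is not flagged; the two scanners are. On a real host the same logic feeds a block list or an alert, and the "invalid user" names are worth keeping as a list of what the scanners expect to find.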

There was one app I used where it sent username and password as a combined (hopefully encrypted but I dunno) string to the server like this: username@domain/password.

When you set the password, you were allowed to use the @ in the password (and of course you were encouraged to include at least one special character). Unfortunately when the system then parsed the combined string, the @ would read as the domain separator and you could never log on.
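The bug in this post is a classic in-band delimiter problem: the password is carried in the same string as the username and domain, and the characters used as separators are exactly the ones the password policy asks for. The following is an added example, not the app's code; the thread does not say how the server actually parsed the string, so the broken parser is assumed to split at the last '@' (any parser that lets password characters reach the separator logic fails the same way). It shows that breakage, a best-effort parse of the delimited format, and the structured encoding that makes the problem go away.

```python
"""Added example: why "username@domain/password" breaks on passwords with '@' or '/'.

The delimited format, the field names and the parsers are hypothetical, built to
mirror the behaviour described in the post.
"""
from __future__ import annotations

import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Credential:
    username: str
    domain: str
    password: str


def encode_delimited(cred: Credential) -> str:
    """The legacy wire format from the post (transport encryption aside)."""
    return f"{cred.username}@{cred.domain}/{cred.password}"


def naive_parse(blob: str) -> Credential:
    """Assumed broken parser: splits at the LAST '@', so an '@' in the password
    is mistaken for the domain separator and the login never matches."""
    username, _, rest = blob.rpartition("@")
    domain, _, password = rest.partition("/")
    return Credential(username, domain, password)


def careful_parse(blob: str) -> Credential:
    """Best effort for the delimited format: the password is everything after the
    FIRST '/', and the domain is after the LAST '@' of what precedes it. This is
    still ambiguous if a username contains '@' or a domain contains '/'."""
    principal, sep, password = blob.partition("/")
    if not sep:
        raise ValueError("missing password separator")
    username, sep2, domain = principal.rpartition("@")
    if not sep2:
        raise ValueError("missing domain separator")
    return Credential(username, domain, password)


def encode_structured(cred: Credential) -> str:
    """Carry each field separately (JSON here) so no password byte is special."""
    return json.dumps({"username": cred.username,
                       "domain": cred.domain,
                       "password": cred.password})


def decode_structured(payload: str) -> Credential:
    d = json.loads(payload)
    return Credential(d["username"], d["domain"], d["password"])


def round_trips(cred: Credential, encode, decode) -> bool:
    """True if the credential survives encode -> decode unchanged."""
    return decode(encode(cred)) == cred


if __name__ == "__main__":
    tricky = Credential("alice", "corp.example", "p@ss/w0rd")  # policy-compliant password
    print("naive   :", round_trips(tricky, encode_delimited, naive_parse))
    print("careful :", round_trips(tricky, encode_delimited, careful_parse))
    print("json    :", round_trips(tricky, encode_structured, decode_structured))
```

The point for anyone designing a login flow: either the set of characters a password may contain must exclude every delimiter of the wire format, or (far better) the wire format must not use in-band delimiters at all. The structured encoding is the only one of the three that accepts whatever the password policy accepts.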

That would depend on whether security has actually made the instructions available. From what he’s saying, security hasn’t even made them available for security personnel.

I have been having the same problem when we changed our health insurance. My beloved husband didn’t put any middle initials (or his own Jr.) on the form, and now it is impossible for me to log in to the new insurance site unless I nuke all of the old information first. Since a bunch of medical providers are still billing the wrong insurance, I’m not willing to do that until we have it all straightened out. It is driving me batshit.

Sorry, but the help desk is not “security personnel”. And they DID have them, or else they wouldn’t have been able to relate the instructions on who to call.

People blaming “security” for lack of operational policies, training, or inconsistent help desk direction is a pet peeve of mine.

Isn’t it security’s job to disseminate security practices?

Who to call to get your username is not a “security practice”.

Similarly, who to call to get your password reset is not a “security practice”.

How to verify a caller is the user they say they are IS a “security practice”.

So it’s not the job of security to determine who has permission to access sensitive information like a person’s username or who can reset a password?

Your definition of “security” is a bit fucked up.

Depends on what you mean by “determine who has permission”.

Let’s say I am the CIO of a business. I determine that the help desk, and ONLY the help desk can reset passwords. I send out a memo to this effect including the number of the help desk.

Neither of those is a “security practice”.

“Security” does a review of permissions and determines the exact permissions people at the help desk need in order to reset passwords. This is a “security practice”. Operations changes the permissions of anyone working at the help desk so they can do their job.

Now, if you call the wrong number? Not a security issue.

The help desk person doesn’t know how to change the password? Not a security issue.

The help desk person doesn’t have the right permissions? Not a security issue.

If the help desk person doesn’t know he/she is supposed to be resetting passwords? Not a security issue.

Does that help?