Security Basics mailing list archives

Previous By Date Next
Previous By Thread Next

RE: New workplace security measures. Are they usual?

From: "Murda" <murdamcloud () bigpond com>
Date: Tue, 20 Jul 2010 12:03:43 +1000
Employees do have to trust that the information security folks and

support folks with access to such tools on your workstation lack the time or
inclination to go about forging emails as you.


I have found this to be true, on the whole. However, a recent Cyber-Ark
survey shows that snooping by IT staff is 'on the rise'.(As ever, I take
huge doses of NaCl when interpreting the results of surveys-especially ones
in which 'experts found that blah')
http://www.cyber-ark.com/news-events/pr_20100707.asp

I know that it is slightly off-topic but I do think we need to be aware that
humans can be worthy of our trust and paradoxically not worthy of it. Which
may mean that you need to operate under an attitude of 'assume that the
least trustworthy have access'. The rest is up to individual users, I guess.

I have worked in jobs where management/legal have asked me to delete a
user's email or to investigate without a user's knowledge in order to fire
them. This caused a palpable disconnect between what I think I am and what I
had been asked to do. The systems do indeed belong to the employer but I
have an innate sense that someone's email is 'private'(even work email). The
reality, is different from the idea or the principle, however. I can still
debate the point with myself, to be honest. If anyone has ever read Asimov's
'I, Robot' series, you may get some inkling of the moral/ethical dilemmas
that IT staff can face when working on behalf of 'the Man'. Rules
superseding rules within rules.

To answer the OP; the measures are now normal. It feels weird, but it is
normal in most workplaces. Making workers aware is a good step, though.
Greater surveillance and monitoring is now the order of the day. However,
what also needs to be raised is the idea that someone should 'watch the
watchmen'. Make sure that admins can be audited and that they are aware of
that, too. I personally think that we are all corruptible and or incompetent
at one time or another, to a greater or lesser degree. No-one can be
perpetually vigilant and this means that errors and malicious damage can
occur.
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Todd Haverkos
Sent: Tuesday, July 20, 2010 6:31 AM
To: securityfocus () aldomedina com
Cc: security-basics () securityfocus com
Subject: Re: New workplace security measures. Are they usual?

<securityfocus () aldomedina com> writes:


In my new workplace, they recently implemented severe security measures:
security guards, video cams in every hall, they changed all the BIOS and
administrator passwords, protected the computers from case-opening,

limited

all the Windows accounts. I assume this is fine (I don't know the Mexican
law about this).

However, they also installed a VNC server in every computer, and I'm
concerned because I believe they can fake any file, document or even email
as if I had wrote them. They should also be able to see everyone of my

files

and communications, even the private ones. Am I alright? Is this usual in

a

work environment? Is this legal in US or in Mexico?


It's probably safest to assume that any communication on an
employer-owned pc is NOT private.

I don't see anything there that strikes me as unusual for a US
workplace that has adequate security controls.  The choice of VNC
raises my eybrows a little from a technology selection standpoint, but
some form of remote control is quite common to facilitate support.

"Recently implemented" strikes my ear as a place that's either
recently had an incident, audit, or security review whereby they had
to get religion about security, or a new CISO or equivalent has been
hired to tame the beast.

Employees do have to trust that the information security folks and
support folks with access to such tools on your workstation lack the
time or inclination to go about forging emails as you.

You only have any real worries if you are doing things on (or have
files on) your work computer that you wouldn't want your boss and
boss's boss to know about.  Assume that everything you do can be
monitored at any moment.  I have no experience or knowledge of the
situation in Mexico, but in the US -- and I'll be quick to make clear
that I am not a lawyer -- I've read that there are limits what an
employer can log/record/monitor[1], but as a general rule, the "they
bought it, they own it, you work for them, they can monitor it" is the
thought process. Details vary by state, and the employment agreement
as well.


[1]
http://darkreading.com/insiderthreat/security/privacy/showArticle.jhtml?arti
cleID=224201355


--
Todd Haverkos, LPT MsCompE
http://haverkos.com/

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL
certificate.  We look at how SSL works, how it benefits your company and how
your customers can tell if a site is secure. You will find out how to test,
purchase, install and use a thawte Digital Certificate on your Apache web
server. Throughout, best practices for set-up are highlighted to help you
ensure efficient ongoing management of your encryption keys and digital
certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727
d1
------------------------------------------------------------------------


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: