Security Basics mailing list archives
RE: New workplace security measures. Are they usual?
From: "Murda" <murdamcloud () bigpond com>
Date: Tue, 20 Jul 2010 12:03:43 +1000
> Employees do have to trust that the information security folks and
> support folks with access to such tools on your workstation lack the
> time or inclination to go about forging emails as you.

I have found this to be true, on the whole. However, a recent Cyber-Ark survey shows that snooping by IT staff is 'on the rise'. (As ever, I take huge doses of NaCl when interpreting the results of surveys - especially ones in which 'experts found that blah'.)

http://www.cyber-ark.com/news-events/pr_20100707.asp

I know that it is slightly off-topic but I do think we need to be aware that humans can be worthy of our trust and paradoxically not worthy of it. Which may mean that you need to operate under an attitude of 'assume that the least trustworthy have access'. The rest is up to individual users, I guess.

I have worked in jobs where management/legal have asked me to delete a user's email or to investigate without a user's knowledge in order to fire them. This caused a palpable disconnect between what I think I am and what I had been asked to do. The systems do indeed belong to the employer but I have an innate sense that someone's email is 'private' (even work email). The reality is different from the idea or the principle, however. I can still debate the point with myself, to be honest. If anyone has ever read Asimov's 'I, Robot' series, you may get some inkling of the moral/ethical dilemmas that IT staff can face when working on behalf of 'the Man'. Rules superseding rules within rules.

To answer the OP; the measures are now normal. It feels weird, but it is normal in most workplaces. Making workers aware is a good step, though. Greater surveillance and monitoring is now the order of the day. However, what also needs to be raised is the idea that someone should 'watch the watchmen'. Make sure that admins can be audited and that they are aware of that, too. I personally think that we are all corruptible and/or incompetent at one time or another, to a greater or lesser degree. No-one can be perpetually vigilant and this means that errors and malicious damage can occur.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Todd Haverkos
Sent: Tuesday, July 20, 2010 6:31 AM
To: securityfocus () aldomedina com
Cc: security-basics () securityfocus com
Subject: Re: New workplace security measures. Are they usual?

<securityfocus () aldomedina com> writes:
> In my new workplace, they recently implemented severe security measures:
> security guards, video cams in every hall, they changed all the BIOS and
> administrator passwords, protected the computers from case-opening, limited
> all the Windows accounts. I assume this is fine (I don't know the Mexican
> law about this). However, they also installed a VNC server in every
> computer, and I'm concerned because I believe they can fake any file,
> document or even email as if I had written them. They should also be able
> to see every one of my files and communications, even the private ones.
> Am I alright? Is this usual in a work environment? Is this legal in US or
> in Mexico?

It's probably safest to assume that any communication on an employer-owned pc is NOT private.

I don't see anything there that strikes me as unusual for a US workplace that has adequate security controls. The choice of VNC raises my eyebrows a little from a technology selection standpoint, but some form of remote control is quite common to facilitate support.

"Recently implemented" strikes my ear as a place that's either recently had an incident, audit, or security review whereby they had to get religion about security, or a new CISO or equivalent has been hired to tame the beast.

Employees do have to trust that the information security folks and support folks with access to such tools on your workstation lack the time or inclination to go about forging emails as you.

You only have any real worries if you are doing things on (or have files on) your work computer that you wouldn't want your boss and boss's boss to know about. Assume that everything you do can be monitored at any moment.

I have no experience or knowledge of the situation in Mexico, but in the US -- and I'll be quick to make clear that I am not a lawyer -- I've read that there are limits on what an employer can log/record/monitor[1], but as a general rule, the "they bought it, they own it, you work for them, they can monitor it" is the thought process. Details vary by state, and the employment agreement as well.

[1] http://darkreading.com/insiderthreat/security/privacy/showArticle.jhtml?articleID=224201355

--
Todd Haverkos, LPT MsCompE
http://haverkos.com/