Please help me convince my company this is a bad idea...

Joemonkey

Diamond Member
Mar 3, 2001
8,862
2
0
I work in IT at my company, but not on any management level. However, my opinion is held in high regard (or at least I think it is). Today, my boss tells me that my company is talking about installing this bit9 software on all of our PCs and whitelisting all programs allowed to be run. Also, they are wanting to maintain an internet whitelist for all web access, FTP, email, and other protocols. Let me repeat that. They want to maintain a whitelist of who we are allowed to send email to.

I'm trying to come up with some good thoughts to the contrary. Besides the initial administrative nightmare of creating these whitelists to begin with, maintaining it will be a nightmare for our helpdesk guys. Also, I think employee morale will go through the toilet. I know my list is very short, but I just found out about this <1hr ago. What else should be brought up that we may not have thought of?
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
What brought them to the point that they're considering taking that step? Are they experiencing unwanted behavior by the employees, concerned about data leakage, or what's the big picture?

I could understand wanting only "IT-approved" software to run, in this day & age, but my first step in that direction would be to reduce everyone to a low-rights user account and set up disallowed-by-default Software Restriction Policy. Those don't have to be re-licensed year after year and are pretty effective, as long as you're starting with a clean PC.

If that's their main goal, you might put it to them as "hey, well what about this alternative, we've already got it right here and it's paid for. How about if I test it and report on it."

If they're also trying to mitigate the risk of people (or infected computers) sending their valuable information out to Russia via FTP or email, such as a copy of their customer database or whatever, that's sort of understandable. But as you say, it appears that it would require constant upkeep.
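As an added example (not mechBgon's or anyone else's code in this thread), here is what the "disallowed-by-default Software Restriction Policy" suggested above looks like on a single machine when written directly to the registry locations the Local Security Policy editor uses. In a domain the same values come from a GPO; the path rules and the list of re-denied folders are an assumed minimal starting set, not something the thread specifies.

```powershell
# Added example, not from any poster: bootstrap a disallowed-by-default Software
# Restriction Policy on ONE machine by writing the registry values that the
# Local Security Policy / Group Policy editor writes. Run in an elevated session
# on a lab VM first; the path rules below are an assumed minimal starting set.

$Safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function Set-SrpDefaultDisallowed {
    New-Item -Path $Safer -Force | Out-Null
    # DefaultLevel: 0 = Disallowed, 0x20000 = Basic User, 0x40000 = Unrestricted
    Set-ItemProperty -Path $Safer -Name DefaultLevel -Value 0 -Type DWord
    # TransparentEnabled: 1 = enforce for executables only, 2 = also check DLLs
    Set-ItemProperty -Path $Safer -Name TransparentEnabled -Value 1 -Type DWord
    # PolicyScope: 0 = all users (including admins), 1 = all users except local administrators
    Set-ItemProperty -Path $Safer -Name PolicyScope -Value 0 -Type DWord
    # AuthenticodeEnabled: 0 = no certificate rules, so no CRL lookups on every launch
    Set-ItemProperty -Path $Safer -Name AuthenticodeEnabled -Value 0 -Type DWord
    # File types SRP treats as executable (the editor's default list)
    Set-ItemProperty -Path $Safer -Name ExecutableTypes -Type MultiString -Value @(
        'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF','INS','ISP',
        'LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG','SCR','SHS','URL','VB','WSC')
}

function Add-SrpPathRule {
    param(
        [Parameter(Mandatory)][string]$Path,
        [ValidateSet('Unrestricted', 'Disallowed')][string]$Level = 'Unrestricted'
    )
    # Rules live under CodeIdentifiers\<level>\Paths\{GUID}; 262144 (0x40000) = Unrestricted, 0 = Disallowed
    $levelKey = if ($Level -eq 'Unrestricted') { '262144' } else { '0' }
    $ruleKey  = "$Safer\$levelKey\Paths\{$([guid]::NewGuid())}"
    New-Item -Path $ruleKey -Force | Out-Null
    Set-ItemProperty -Path $ruleKey -Name ItemData    -Value $Path -Type ExpandString
    Set-ItemProperty -Path $ruleKey -Name SaferFlags  -Value 0 -Type DWord
    Set-ItemProperty -Path $ruleKey -Name Description -Value 'Added by SRP bootstrap (example script)' -Type String
}

Set-SrpDefaultDisallowed

# Allow the OS and installed programs: locations a standard user cannot write to
Add-SrpPathRule -Path '%SystemRoot%'
Add-SrpPathRule -Path '%ProgramFiles%'
Add-SrpPathRule -Path '%ProgramFiles(x86)%'

# Re-deny the user-writable folders inside %SystemRoot% (well-known gaps; list is not exhaustive)
foreach ($hole in '%SystemRoot%\Temp', '%SystemRoot%\Tasks', '%SystemRoot%\Debug\WIA',
                  '%SystemRoot%\Registration\CRMLog', '%SystemRoot%\System32\spool\drivers\color') {
    Add-SrpPathRule -Path $hole -Level Disallowed
}

Write-Output 'SRP written: default level Disallowed. Log off and on (or reboot) before testing.'
Write-Output 'Verify as a standard user: copying notepad.exe to the Desktop and launching it should be blocked.'
```

The point of the Disallowed rules at the end is the caveat mechBgon's "as long as you're starting with a clean PC" hints at: a default-deny policy is only as good as the Unrestricted paths, and %SystemRoot% contains a few folders a standard user can write to, so those are explicitly denied again. Pair this with the low-rights user account he mentions; with local admin rights a user can simply edit these keys.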
 

Joemonkey

Diamond Member
Mar 3, 2001
8,862
2
0
It is a Japanese company related to the automotive industry. Without getting into too much detail, we had a Japanese user at another facility utilizing a Japanese file sharing program. Another Japanese user, luckily an employee of our company, utilizing the same program at home saw company sensitive data on this program and traced it back to the first user. Company seized that user's PCs from their house and their PCs from work and they now sit in my cube waiting to be scoured by our Japanese IT advisor.

So, our director is now tasked with preventing this from happening again, and the Japanese portion of our company is pressuring us to show the steps we are taking to prevent it in the future. I'm hoping they are just talking in extremes and after a period of time they will see how silly whitelisting everything is. I mean, we'd probably have to hire an intern just to keep up the email whitelist alone...

Software restriction policies would be great, and like you said may be a free alternative, but the only MCSEs at our company with any sort of extensive experience in Group Policy are me and one other IT guy. So, explaining how it works to the point where our managers would be comfortable managing it may not be as easy as flashy marketing from a 3rd party source, with maintenance and support options.

We currently allow Domain Users to be in the Power Users group, and all our engineers, IT users, and laptop users to be local administrators. That too could change via a GPO, and we have recently been told to put Domain Users only in the Users group with no individual accounts in the local Administrators group on all future computers we give out.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
We currently allow Domain Users to be in the Power Users group, and all our engineers, IT users, and laptop users to be local administrators.

Why not apply least-privilege principles to those accounts, since they probably could do the most damage if they were compromised? If I worked somewhere and they tried to stick me with local Admin powers, I'd request a non-Admin account to use for daily-driver stuff, then elevate to the Admin account when absolutely unavoidable. Best to keep the Admin powers stashed away for when they're actually needed, IMO.
 

Joemonkey

Diamond Member
Mar 3, 2001
8,862
2
0
Originally posted by: mechBgon
We currently allow Domain Users to be in the Power Users group, and all our engineers, IT users, and laptop users to be local administrators.

Why not apply least-privilege principles to those accounts, since they probably could do the most damage if they were compromised? If I worked somewhere and they tried to stick me with local Admin powers, I'd request a non-Admin account to use for daily-driver stuff, then elevate to the Admin account when absolutely unavoidable. Best to keep the Admin powers stashed away for when they're actually needed, IMO.

I only wish we used least-privilege principles, would make our environment more secure even if we were inconvenienced a little. Would be a great idea, but none of us use this now (even though I do understand the importance of it) and it would be very difficult to get this approved by management, especially when afaik they don't do it either.

Also, since the initial problem was related to someone forwarding an email w/ an attachment to a home address, then that file ending up on their home computer, and subsequently on the file sharing program, I doubt this would be looked at as a first option, even though it should have been implemented the day they switched from Novell to AD.

Like I said before, this IT department daily uses a local and/or even Domain Admin account to log in for regular job duties. Even though we haven't been burned before, and the fact we are having to lock down so tight over an issue that isn't even directly related to not using least-privilege principles, we're being pushed that way due to audits from our parent Japanese company and SOX as well. I just don't want it to be a total 180 all at once.
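As an added example (not code from anyone in this thread), here is a check for the two things Joemonkey describes: Domain Users sitting in Power Users, and individual accounts (or unexpected groups) sitting in local Administrators. It assumes PowerShell 5.1+ for Get-LocalGroupMember and PowerShell remoting for the collection step; CORP and the approved admin group names are placeholders, and the sample rows are constructed so the check can be run without touching any machine.

```powershell
# Added example, not from any poster: report the two conditions described above
# (Domain Users in Power Users; individual accounts in local Administrators) across
# a list of machines. Assumes PowerShell 5.1+ (Get-LocalGroupMember) and PowerShell
# remoting; 'CORP' and the allowed admin group names are placeholders.

function Get-LocalGroupReport {
    param([string[]]$ComputerName = $env:COMPUTERNAME)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        foreach ($grp in 'Administrators', 'Power Users') {
            Get-LocalGroupMember -Group $grp -ErrorAction SilentlyContinue | ForEach-Object {
                [pscustomobject]@{
                    Computer = $env:COMPUTERNAME
                    Group    = $grp
                    Member   = $_.Name          # e.g. CORP\Domain Users, PC01\Administrator
                    Class    = $_.ObjectClass   # User or Group
                }
            }
        }
    }
}

function Test-LeastPrivilege {
    param(
        [Parameter(Mandatory)][object[]]$Report,
        [string[]]$AllowedAdminGroups = @('CORP\Domain Admins', 'CORP\Workstation Admins')  # placeholders
    )
    foreach ($row in $Report) {
        $finding = $null
        if ($row.Group -eq 'Power Users' -and $row.Member -like '*\Domain Users') {
            $finding = 'Every domain user is a Power User (close to admin on XP/2003-era systems)'
        }
        elseif ($row.Group -eq 'Administrators' -and $row.Class -eq 'User' -and $row.Member -notlike '*\Administrator') {
            $finding = 'Individual user account holds local Administrators membership'
        }
        elseif ($row.Group -eq 'Administrators' -and $row.Class -eq 'Group' -and $row.Member -notin $AllowedAdminGroups) {
            $finding = 'Group in local Administrators that is not on the approved list'
        }
        if ($finding) {
            [pscustomobject]@{ Computer = $row.Computer; Group = $row.Group; Member = $row.Member; Finding = $finding }
        }
    }
}

# Constructed sample (not real data) so the check runs without remoting:
$sample = @(
    [pscustomobject]@{ Computer = 'PC01'; Group = 'Power Users';    Member = 'CORP\Domain Users';  Class = 'Group' }
    [pscustomobject]@{ Computer = 'PC01'; Group = 'Administrators'; Member = 'PC01\Administrator'; Class = 'User'  }
    [pscustomobject]@{ Computer = 'PC01'; Group = 'Administrators'; Member = 'CORP\Domain Admins'; Class = 'Group' }
    [pscustomobject]@{ Computer = 'PC02'; Group = 'Administrators'; Member = 'CORP\jdoe';          Class = 'User'  }
)
Test-LeastPrivilege -Report $sample | Format-Table -AutoSize
# Real run: Test-LeastPrivilege -Report (Get-LocalGroupReport -ComputerName 'PC01', 'PC02')
```

A report like this is also the kind of artifact the parent-company and SOX audits Joemonkey mentions will ask for: it shows the current state, and re-running it after the "Domain Users only in Users" change lands shows the drift back to zero.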
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Sorry I got sidetracked onto my pet subject there. Maybe some of the actual security pros will drop in with some advice on how to handle management.
 

rasczak

Lifer
Jan 29, 2005
10,453
22
81
if company is dead set on purchasing this, then your best bet is to ride it out. plus it's just more job security
 

Joemonkey

Diamond Member
Mar 3, 2001
8,862
2
0
Originally posted by: jpbelauskas
if company is dead set on purchasing this, then your best bet is to ride it out. plus it's just more job security

I think it is currently an over-reaction to the situation. Hopefully people can calm down. However, if Japan says "buy this" then there is really nothing we can do.
 

Homerboy

Lifer
Mar 1, 2000
30,856
4,974
126
To me it seems odd that it would be hard to get them to employ the least-privilege principles process versus paying and deploying the bit9 software... when in turn the results are pretty much the same, are they not? Limiting the users as to what they can and cannot run. Honestly I think your best bet is to at least present them with limiting user rights, ESPECIALLY selling them on the $$ saving side of it. That will perk their interest and get some attention.

Other than that you may be in trouble. Make sure you whitelist IM in your bit9, buddy.
 

Homerboy

Lifer
Mar 1, 2000
30,856
4,974
126
what I was going to say too was as far as selling it in house, limit one of the managers. Have them try to install applications, run disallowed programs and such. Have them TRY to break it. Proof is in the pudding my friend.
 

Joemonkey

Diamond Member
Mar 3, 2001
8,862
2
0
I did suggest least-privilege + software restriction policy to my direct manager, his response:

I was looking at the software restriction policies yesterday and will present that as an alternative to bit9, or any other lockdown software. I believe the bit9 software and management console gives administrators much greater flexibility than a Software Restriction Policy, as well as reporting against software that has been installed and approved. If that is not a requirement, then we certainly don't need to spend the money.

I'll let (the other higher ups) make that decision.

Thanks for the info. I'll be sure and raise that as a question in the bit9 parity demo as to what their software can do that a Software Restriction Policy cannot. Surely they have been asked that question before.

and my response:

I would say it is more attractive due to the support options they supply. Messing with Software Restriction Policy in Group Policy requires quite a bit of experience and knowledge with it, vs just being able to set up a webmeeting or call for help. Nothing like fancy marketing and support options!
 

Joemonkey

Diamond Member
Mar 3, 2001
8,862
2
0
Oh, and Homer, I am 99.99% sure all IM will be blocked when this stuff goes into effect. It is supposed to be blocked now, I just *happen* to be on a VLAN that does not require me to go through the proxy for my connection to the internet
 

Homerboy

Lifer
Mar 1, 2000
30,856
4,974
126
I would say it is more attractive due to the support options they supply. Messing with Software Restriction Policy in Group Policy requires quite a bit of experience and knowledge with it, vs just being able to set up a webmeeting or call for help. Nothing like fancy marketing and support options!

Well you hit that one on the head. In the long run it's likely doing NOTHING more than what you can do in GPO (granted with more sweat and "work" versus clicking some radio buttons I'm sure). People like pretty interfaces and ease of use, even if they aren't the ones that are going to be using it.

Reporting? Oh lord. In big business anything that can spit out an excel spreadsheet or something to Crystal Reports... that sells itself.
 

Red Squirrel

No Lifer
May 24, 2003
67,905
12,375
126
www.anyf.ca
Only really need ports 21 (even then, can probably get away without it), 80, 443 outbound, rest should be blocked (I may have missed a few others that are essential). Email should be handled by the email server (exchange, I'm guessing), and only the email server should be allowed to go outbound on port 25 to send email. The email server could also do the filtering to where it is allowed to send to, so it's in a central location rather than scattered among PCs. So really p2p apps should not even work as every port is pretty much blocked outbound, and of course inbound. (NAT)

Locking down PCs to prevent these installs is a good step too, but need to secure the network itself as if people could do what they want on their PCs. So by locking down the PCs its simply a 2nd layer of security, but never depend on that.
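As an added example (not Red Squirrel's or anyone else's code), here is the same default-deny egress model applied on a Windows host with the built-in firewall, which is the "2nd layer" version of what he describes at the perimeter, plus a parser for the firewall's own log so you can see what was trying to get out before and after. It assumes the NetSecurity module (Windows 8 / Server 2012 and later); all addresses are placeholders, and the "essentials" he says he may have missed are filled in as DNS and traffic to the domain controllers. Port 21 is deliberately left closed, as the post suggests.

```powershell
# Added example, not from any poster: the default-deny egress model above, applied
# on a Windows host with the built-in firewall (NetSecurity module, Windows 8/2012+),
# plus a parser for the firewall log to see what is being dropped. All addresses
# are placeholders. Port 21 is intentionally left closed, as the post suggests.

$DomainControllers = @('10.0.0.10', '10.0.0.11')  # placeholder DC / DNS addresses
$MailServer        = '10.0.0.25'                   # placeholder internal mail server

function Set-EgressBaseline {
    param([switch]$ThisHostIsMailServer)

    # Default deny in both directions, and log what gets dropped so the rules can be tuned
    Set-NetFirewallProfile -Profile Domain, Private, Public `
        -DefaultInboundAction Block -DefaultOutboundAction Block `
        -LogBlocked True -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

    # Essentials the post says it "may have missed": name resolution and domain traffic
    New-NetFirewallRule -DisplayName 'Egress: DNS' -Direction Outbound -Protocol UDP -RemotePort 53 `
        -RemoteAddress $DomainControllers -Action Allow | Out-Null
    New-NetFirewallRule -DisplayName 'Egress: Active Directory' -Direction Outbound `
        -RemoteAddress $DomainControllers -Action Allow | Out-Null

    # Web: 80 and 443 only (route through the proxy if you have one; that gives the central URL allowlist)
    New-NetFirewallRule -DisplayName 'Egress: HTTP/HTTPS' -Direction Outbound -Protocol TCP `
        -RemotePort 80, 443 -Action Allow | Out-Null

    # SMTP 25 to the Internet only from the mail server; workstations talk only to that server
    if ($ThisHostIsMailServer) {
        New-NetFirewallRule -DisplayName 'Egress: SMTP from mail server' -Direction Outbound -Protocol TCP `
            -RemotePort 25 -Action Allow | Out-Null
    } else {
        New-NetFirewallRule -DisplayName 'Egress: mail client to internal server' -Direction Outbound -Protocol TCP `
            -RemotePort 25, 587, 993, 443 -RemoteAddress $MailServer -Action Allow | Out-Null
    }
}

function Get-BlockedOutbound {
    # Summarise DROP/SEND entries in the W3C-style firewall log: which process destinations keep hitting the wall
    param([string]$LogPath = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log")
    Get-Content -Path $LogPath | Where-Object { $_ -match '^\d{4}-\d{2}-\d{2} ' } | ForEach-Object {
        $f = $_ -split ' '
        # fields: date time action protocol src-ip dst-ip src-port dst-port size ... path
        if ($f[2] -eq 'DROP' -and $f[-1] -eq 'SEND') {
            [pscustomobject]@{ Protocol = $f[3]; Destination = $f[5]; Port = $f[7] }
        }
    } | Group-Object Protocol, Destination, Port | Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Usage (elevated): Set-EgressBaseline    # or Set-EgressBaseline -ThisHostIsMailServer
#                   Get-BlockedOutbound | Select-Object -First 20
```

Run Get-BlockedOutbound for a week with the profile in log-only mode (leave DefaultOutboundAction at Allow but set LogBlocked) before flipping to Block; the top entries are usually the "essentials" nobody listed, such as the update server, the time source and the print server, and they belong in explicit rules rather than in a helpdesk ticket.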
 

narzy

Elite Member
Feb 26, 2000
7,007
1
81
Cisco CSA is irritatingly effective and works at the network level allowing you to dictate exactly what a computer is and is not allowed to do. Its logging capabilities are insanely in-depth and can be parsed rather easily. If they are dead set on doing this, then that is the approach I would take.
 

Joemonkey

Diamond Member
Mar 3, 2001
8,862
2
0
I'll have to suggest CSA to my manager. The email goes out tomorrow that pretty much says we are whitelisting all programs, websites, and outbound email and will be implementing these changes within the next 30-90 days; also all company PCs are not to be used for any personal activities, so don't be surprised if you log in one day and everything non-work related doesn't work.

However, I had lunch w/ some of the higher ups and squeezed out some info out of them that points in the direction of "this is a reactionary measure that may last for a short time only and we are making it as expensive as possible using 3rd party tools so they will balk at implementing it and come down to a more reasonable level" so maybe it all won't be so bad after all

It seems we all agree that taking everything away in one fell swoop isn't all that bad so long as the IT department is in charge when we start giving privileges back out.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Thanks for the info. I'll be sure and raise that as a question in the bit9 parity demo as to what their software can do that a Software Restriction Policy cannot. Surely they have been asked that question before.

I don't really view it as an either-or thing. If they want to harden the systems and establish full control of what can & cannot run, I think that should start with Windows itself (non-Admin + SRP + removal of all non-work-related software/features/services). I have difficulty comprehending I.T. people not wanting it, but evidently I'm narrow-minded :evil:

If they want reporting and control of what's actually still allowed to run after that, THEN they should look at Bit9 or whatever.

If you need further ammo to support the need for best-practices behavior, I have a growing Favorites list titled "Interesting malware" and could also suggest some concrete reasons you don't want to be using Admin or Power-User accounts if you don't have to. A couple to start with:

Infected USB devices, including flash drives, HDDs, digital picture frames, MP3 players. Plug it in, AutoPlay, Admin account, pwned. Some of these are pre-infected at the factory. A lot of malware spreads itself in that fashion nowadays, as you can see if you read malware descriptions at Symantec's threat explorer every day.

Infected burned CDs and DVDs people brought in. ditto.

Malware which gets onto one system, then infects other systems' network traffic on-the-fly, injecting malware into Web pages other systems are viewing. No, I'm not making that up.

Malware built into banner advertisements on perfectly-legit websites, or perfectly-legit sites which get hacked (my own employer's site was hacked, and guess what I'd used as the default homepage...?), or even employees Googling for dangerous stuff like "blueberry jam." Believe it!

/shuts up again
 

Joemonkey

Diamond Member
Mar 3, 2001
8,862
2
0
We are looking at some other software that locks down access to all external ports, USB, Firewire, cdroms, even com and lpt. It has a lot of options for logging as well, if you do want to allow someone to use a USB drive you can set limits on how much they can copy per day or per session, and log filenames or even copies of files themselves to see what they are copying.

Going from a "sure, go ahead and use your stuff for personal purposes, we don't care!" to pulling everything away will be interesting.
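As an added example (not the product Joemonkey is evaluating, nor anyone's code from the thread), here is the native-tools version of two things a device-control product does: an inventory of every USB storage device this host has ever mounted, read from the USBSTOR enumeration keys Windows maintains, and a switch for the built-in "deny all removable storage" policy. The registry locations are Windows' own; the choice of which hosts to apply it to, and whether to also disable the USBSTOR driver, is an assumption.

```powershell
# Added example, not from any poster: a native-tools version of two things the
# device-control product above would do: inventory every USB storage device Windows
# has ever seen on this host (from the USBSTOR enumeration keys) and deny removable
# storage through the built-in policy setting. Run elevated.

function Get-UsbStorageHistory {
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    if (-not (Test-Path $root)) { return }
    Get-ChildItem -Path $root | ForEach-Object {
        $model = $_.PSChildName                       # e.g. Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00
        Get-ChildItem -Path $_.PSPath | ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{
                Model        = $model
                SerialOrId   = $_.PSChildName         # device serial number (or a generated instance id)
                FriendlyName = $props.FriendlyName
                ContainerId  = $props.ContainerID
            }
        }
    }
}

function Set-RemovableStorageAccess {
    param([Parameter(Mandatory)][ValidateSet('Deny', 'Allow')][string]$Mode)
    # Same registry value the GPO "All Removable Storage classes: Deny all access" sets
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    New-Item -Path $policy -Force | Out-Null
    Set-ItemProperty -Path $policy -Name Deny_All -Value ([int]($Mode -eq 'Deny')) -Type DWord
    # Belt and braces for older systems: Start = 4 disables the USB mass-storage driver outright,
    # 3 restores it to on-demand start
    $usbstor = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    Set-ItemProperty -Path $usbstor -Name Start -Value $(if ($Mode -eq 'Deny') { 4 } else { 3 }) -Type DWord
}

# Usage (elevated):
#   Get-UsbStorageHistory | Format-Table -AutoSize     # baseline before the lockdown, evidence after
#   Set-RemovableStorageAccess -Mode Deny              # takes effect after reboot / policy refresh
```

The inventory is worth running once on every machine before the lockdown: it tells you which devices have already been used, which is exactly the question the seized PCs in Joemonkey's cube are being scoured to answer. What the native approach does not give you is the per-session copy limits and file logging he describes; that is the part a product adds.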
 

Joemonkey

Diamond Member
Mar 3, 2001
8,862
2
0
Originally posted by: narzy
http://dms.cisco.com/rmc/dms/v...7801BB230F7E_video.xml sounds exactly what you need...

And it's also very expensive

After passing around the original "whitelist" policy from IT to the president to administration/HR, it got VERY watered down, pretty much comes down to this:

1. Storing company info on external/non company computers, storage devices (ie. USB, flash drives, etc.) is strictly prohibited.

2. Downloading personal information at work on company computers is strictly prohibited.

3. Sending company information, including attachments in emails, to any non company business related email addresses is prohibited, with the exception of email communication that is critical to our normal business operations such as customers, suppliers, service providers & key stake holders.

4. All software on company equipment must be approved and installed by company IT staff.

Employees should be mindful that company computer equipment is intended for business use. We realize that sometimes there is incidental and brief personal use of company equipment, including internet surfing and email communication with non business contacts. Employees should refer to the employee handbook and the IT security policy to be reminded of the company policy and potential formal disciplinary action (up to and including termination) that is associated with abuse of email and internet privileges. As you may know, our company monitors email traffic and internet usage on company equipment to prevent potential abuses of this policy.

Additional measures may be implemented over the next few months as needed to further strengthen our IT security.

The purpose of this letter is to remind everyone of specific actions that need to take place to prevent future information security issues. Your support and understanding are necessary to help keep our company's work environment secure.
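As an added example (not from the company memo or anyone in the thread), here is a gateway-style check for policy item 3 above, of the kind Red Squirrel suggested running centrally on the mail server rather than on each PC: mail to internal or approved business-partner domains passes, mail with an attachment to anything else is blocked, and text-only mail to an unknown domain is held for review rather than silently dropped. The domain names and messages are constructed placeholders, and the three-way verdict (rather than a flat block) is this example's own choice.

```powershell
# Added example, not from the company memo or any poster: a mail-gateway style check
# for policy item 3 (business-critical external domains allowed, everything else not),
# run centrally rather than on each PC. Domain names and messages are constructed.

$InternalDomain  = 'example.com'
$ApprovedDomains = @('customer-example.com', 'supplier-example.co.jp', 'service-provider-example.net')

function Get-MailDomain {
    param([string]$Address)
    ($Address.Trim() -split '@')[-1].ToLowerInvariant()
}

function Test-OutboundMessage {
    param(
        [Parameter(Mandatory)][string]$Sender,
        [Parameter(Mandatory)][string[]]$Recipients,
        [bool]$HasAttachment = $false,
        [string[]]$Approved = $ApprovedDomains
    )
    $unapproved = foreach ($rcpt in $Recipients) {
        $d = Get-MailDomain $rcpt
        if ($d -eq $InternalDomain) { continue }                            # internal mail is always fine
        $ok = $Approved | Where-Object { $d -eq $_ -or $d.EndsWith(".$_") }  # exact domain or a subdomain of it
        if (-not $ok) { $rcpt }
    }
    $verdict = if (-not $unapproved) { 'Allow' }
               elseif ($HasAttachment) { 'Block' }   # the forward-a-file-to-a-home-address case that started this thread
               else { 'Hold' }                        # text-only mail to an unknown domain: review, not silent drop
    [pscustomobject]@{
        Sender     = $Sender
        Verdict    = $verdict
        Unapproved = ($unapproved -join ', ')
    }
}

# Constructed sample traffic
$messages = @(
    @{ Sender = 'eng@example.com';   Recipients = 'buyer@customer-example.com';                  HasAttachment = $true  }
    @{ Sender = 'eng@example.com';   Recipients = 'po@parts.supplier-example.co.jp';             HasAttachment = $true  }
    @{ Sender = 'eng@example.com';   Recipients = 'me.at.home@webmail-example.org';              HasAttachment = $true  }
    @{ Sender = 'sales@example.com'; Recipients = 'lead@unknown-example.com', 'hr@example.com';  HasAttachment = $false }
)
$messages | ForEach-Object {
    $m = $_
    Test-OutboundMessage -Sender $m.Sender -Recipients $m.Recipients -HasAttachment $m.HasAttachment
} | Format-Table -AutoSize
```

Keeping the approved-domain list in one place on the mail server is what makes this workable: the "intern just to keep up the email whitelist" problem from earlier in the thread is a list of partner domains, not a list of individual addresses, and the Hold verdict turns the misses into a review queue instead of a flood of helpdesk calls.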

 

elcamino74ss

Senior member
Jun 6, 2005
215
0
0
sounds more like they are trying to scare people into complying and may not really do anything to prevent. security has to be in layers. I agree the least privilege method is a good start. You might also look at Data Loss Prevention products, while they aren't the silver bullet they are another layer
 

gsellis

Diamond Member
Dec 4, 2003
6,061
0
0
Originally posted by: elcamino74ss
sounds more like they are trying to scare people into complying and may not really do anything to prevent. security has to be in layers. I agree the least privilege method is a good start. You might also look at Data Loss Prevention products, while they aren't the silver bullet they are another layer
Sometimes, it really is a HR policy thing that we can spend millions on to solve with IT. Most companies have policies just like the above.

As for CSA being expensive, maybe. CSA can prevent day zero exploits including all of the worms to date if configured correctly. For some companies, that down cost is more expensive than 2-5 years of software, hardware, and FTE costs to run it. It all is about cost vs benefit/gain.

 