Comment Re:I'm seeing a lot of lazy Admins in this discuss (Score 0) 242
Bah!
I come from the same ideology as you, but after doing this type of work for 10 years plus, I am afraid I have changed my stance.
It is not the amount of years which has jaded me from my previously much more open policy, but rather the out-and-out war being waged for control of end users' PCs and the change from more of a naughty-boy type of hacking to one where real crime is more and more often the motivation.
On my current network with 4500+ end users, we lock everything down real tight. No local admin privs, a default deny policy, and if you feel you have a reason to need a port opened, you had better be willing to pitch your cause all the way up the chain of command (I have no problem with granting such things, but it is my ass that gets chewed out/looks bad when an incident occurs which I am being paid to prevent, so I want everyone in the chain to sign off as well).
And it is not just the overt things occurring; I think the rootkits are perhaps the most frightening. If they are well written, they could tunnel through an HTTP proxy no problem, and likely transmit data through already open channels, and if not abused, they could go undetected for quite a long time (maybe years). I think it is incumbent on any security professional to be as vigilant as possible, as it is not just the end users we are protecting, it is the customer's and partners' data, and they deserve to have their personal data not be stolen.