Rant about corporate information security practices

gourav

Innovator
I don't know where to go with this, but I just want to rant somewhere.

I work for a finance company and my company takes information security very seriously. I guess most people working in large organisations would be familiar with this paradigm.

Here's my problem though. My company wants to run three anti-virus programs, multiple network and activity monitoring tools, more firewalls etc., but refuses to give anything but the most entry-level i5 laptops. As a result, the laptops struggle with even basic tasks and often get stuck on mundane everyday tasks.

Coming to security practices. They use Zscaler. So all our https traffic is decrypted and visible to the admins, including our passwords entered during login on any website. They use an Active Directory where they have opted for symmetric encryption of our passwords. So they can check our passwords. I understand the need to monitor network traffic, but what are they going to achieve by monitoring our passwords? They are just increasing the attack surface by opting for symmetric encryption. One leak and everyone's password will be out in the open.

Recently for some reason they decided to disable password saving on our enterprise-managed Chrome installations. They also don't allow extensions like password managers. In theory this prevents passwords being stored on laptops. In practice we all know that this means people will use the same password everywhere or write it down in an unsecured text file. While we anyway only need the AD password within the organisation, we still have many accounts with vendors etc. which we need to manage. Right now I'm getting around this by using the portable version of KeePass.

They have also started taking 2FA seriously. But they are completely clueless about it. For every application where they enable 2FA, they use some proprietary algo and have us install a new 2FA app on our phones. Right now I have three 2FA apps on my phone, each catering to just one application.

I never imagined we'd have such frustratingly clueless people heading the information security department. It's infuriating. And I can't do anything about it except rant here about the luddites in our tech department.

Thanks for reading, rant over.
 
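An added audit script, not from any post in this thread: if what the OP calls "symmetric encryption" of AD passwords is the "store password using reversible encryption" option (an assumption here), this is how a defender would find every place it is switched on. It assumes the ActiveDirectory PowerShell module and read access to the domain.

```powershell
# Added audit script (not from the thread). Assumes the ActiveDirectory RSAT module
# and read access to the domain; an ordinary domain user can run it.
Import-Module ActiveDirectory

function Find-ReversiblePasswordStorage {
    # 1. Domain-wide setting from the Default Domain Policy.
    $dom = Get-ADDefaultDomainPasswordPolicy
    [PSCustomObject]@{
        Scope   = 'DefaultDomainPolicy'
        Name    = $dom.DistinguishedName
        Enabled = $dom.ReversibleEncryptionEnabled
    }

    # 2. Fine-grained password policies (PSOs) can switch it on for specific
    #    groups even when the domain default has it off.
    foreach ($pso in Get-ADFineGrainedPasswordPolicy -Filter *) {
        [PSCustomObject]@{
            Scope   = 'FineGrainedPolicy'
            Name    = $pso.Name
            Enabled = $pso.ReversibleEncryptionEnabled
        }
    }

    # 3. Per-account flag: userAccountControl bit 0x80 (ENCRYPTED_TEXT_PWD_ALLOWED).
    #    The LDAP bitwise-AND matching rule (1.2.840.113556.1.4.803) lets the DC
    #    do the filtering instead of pulling every user object.
    $flagged = Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=128)' `
                          -Properties AllowReversiblePasswordEncryption
    foreach ($u in $flagged) {
        [PSCustomObject]@{
            Scope   = 'Account'
            Name    = $u.SamAccountName
            Enabled = $u.AllowReversiblePasswordEncryption
        }
    }
}

# Only rows where the option is on matter; a clean domain prints nothing.
Find-ReversiblePasswordStorage | Where-Object Enabled | Format-Table -AutoSize
```

Switching the option off does not rewrite what is already stored; an account flagged here still holds a reversible copy until its password is next changed.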
finance company and my company takes information security very seriously
Finance company and information security? The Holy Grail!
Hmm.. from what I read, it looks like they threw common sense aside. I would be surprised if this is not impacting productivity and they are fine with that?
 
I never imagined we'd have such frustratingly clueless people heading the information security department. It's infuriating. And I can't do anything about it except rant here about the luddites in our tech department.

Thanks for reading, rant over.
Can't you talk to someone in that department and make yourself heard? You'd need to have alternative solutions ready in case they actually take you seriously :)

 
I don't know where to go with this, but I just want to rant somewhere.

r/shittysysadmin would be best.

I work for a finance company and my company takes information security very seriously. I guess most people working in large organisations would be familiar with this paradigm.

Very much.

Here's my problem though. My company wants to run 3 anti-virus software, multiple network and activity monitoring softwares, more firewalls etc., but refuses to give anything but the most entry level i5 laptops. As a result, the laptops struggle with even basic tasks and often gets stuck on mundane everyday tasks.

So all three AVs fight amongst themselves for blocking access to a particular file and cripple the system? How great.

BTW, are the AVs proper ones from good companies or from the likes of Quickheal/Seqrite/Net Protect?

Coming to security practices. They use Zscaler. So all our https traffic is decrypted and visible to the admins, including our passwords entered during login on any website. They use an Active Directory where they have opted for symmetric encryption of our passwords. So they can check our passwords. I understand the need to monitor network traffic, but what are they going to achieve by monitoring our passwords? They are just increasing the attack surface by opting for symmetric encryption. One leak and everyone's password will be out in the open.

Well, Zscaler is that only. Evil, but understandable.

Symmetric means one successful AD attack and you guys are ****ed. I think this was supposed to be deprecated in some

Monitoring your passwords - voyeur sysadmins. They are going to check if your passwords are leaked in the open :p


Recently for some reason they decided to disable password saving on our enterprise managed Chrome installations. They also don't allow extensions like password managers. In theory this prevents passwords being stored on laptops. In practice we all know that this means people will use the same password everywhere or write it down in an unsecured text file. While we anyway only need the AD password within the organisation, we still have many accounts with vendors etc. which we need to manage. Right now I'm getting around this by using portable version of keepass.

Why not use the AD password everywhere?

They have also started taking 2FAs seriously. But they are completely clueless about it. For every application where they enable 2FA, they use some proprietory algo and have us install a new 2FA app on our phones. Right now I have 3 2FA apps on my phone, each catering to just one application.

Just ask for a phone for 2FA, keep it unlocked on your desk with the passwords! Easy.

I never imagined we'd have such frustratingly clueless people heading the information security department. It's infuriating. And I can't do anything about it except rant here about the luddites in our tech department.

Welcome to the new age of idiots taking over

Thanks for reading, rant over.

I'll start with my rant once I finish writing it.
Can't you talk to someone in that department and make yourself heard? You'd need to have alternative solutions ready in case they actually take you seriously :)


More likely he will be categorized as a threat and shadowbanned :woot:
 
would be surprised if this is not impacting productivity and they are fine with that ?
It does. An Excel file which opens instantly on my personal system (exact same config) takes approximately 10 seconds to open on my office laptop. Boot-up time of the laptop is about 5 minutes, same as my 10-year-old laptop.
Can't you talk to someone in that department and make yourself heard?
I've dropped several emails, never received a reply.
So all three AVs fight amongst themselves for blocking access to a particular file and cripple the system? How great.
Yes, always. Git commit takes about 2 minutes, an action which is instant on my personal system.
BTW, are the AVs proper ones from good companies or from the likes of Quickheal/Seqrite/Net Protect?
McAfee is proper? Dunno. One is Windows Defender. The last one is also from a major company, not able to recall the name immediately.
Symmetric means one successful AD attack and you guys are ****ed.
Exactly. Why is this even a thing!
Just ask for a phone for 2FA
Will have to start doing that. One more app and I'm gonna tell them these apps are impacting my phone's battery life.
Or maybe I'll purposely reset my phone and lose my 2FA apps. Then I'll pretend to be dumb and tell them I didn't know I was supposed to take a backup of those apps. That will give them a lesson on the pitfalls of making people use their personal devices in the office.
 
McAfee is proper? Dunno. One is Windows Defender. The last one is also from a major company, not able to recall the name immediately.
Lol McAfee of all AVs? :shifty:

Also, doesn't Defender automatically turn itself off when it detects another AV installed? You have the option of allowing Defender to periodically check for threats at the same time, but it's not full-blown at that point.
 
I've dropped several emails, never received a reply.
Not receiving a reply does not mean it wasn't noticed. It's likely they might have received similar from other employees or shortly will.

Make friends with people in that department and you might get more insight.
 
You can't do anything. The IT head/VP/AVP who takes such decisions is taking side money from vendors to install their services.
Coming to security practices. They use Zscaler. So all our https traffic is decrypted and visible to the admins, including our passwords entered during login on any website. They use an Active Directory where they have opted for symmetric encryption of our passwords. So they can check our passwords. I understand the need to monitor network traffic, but what are they going to achieve by monitoring our passwords? They are just increasing the attack surface by opting for symmetric encryption. One leak and everyone's password will be out in the open.
Just means: do not open any personal emails, banking or any such sites in the office. Open them on your phone in their respective apps on a mobile data connection only, not on Wi-Fi. It's common sense if you value your privacy and security. Let the company go to shit if they don't care. No need to take responsibility that is not yours.
 
Just means: do not open any personal emails, banking or any such sites in the office.
Yes, I don't. I never enter personal passwords on my office laptop. And I have hybrid work model, so half the days I'm at home and have my personal PC right by the side anyway.
 
Having worked for over 10 years with two of the 'Big 4' and a large semiconductor company, I can say information security is taken super seriously. I spend 6 months in a year getting my apps certified by Infosec and report critical vulnerabilities to vendors. I can totally understand your frustration, but these organizations have no choice but to protect themselves from data leaks, phishing and hacking attempts.

Here's my problem though. My company wants to run 3 anti-virus software, multiple network and activity monitoring softwares, more firewalls etc., but refuses to give anything but the most entry level i5 laptops.

They probably have one legacy-type AV to scan your files, one endpoint protection AV to monitor the devices you insert like phones, USB drives, etc. (I once attempted to copy an APK file to smart glasses; within 10 minutes it was reported and escalated to the CSO and my boss), and one more AV to monitor sus activity (example: notepad.exe trying to read through your files). This is how it was for me; my laptop would show 100% usage for hours, slowing down productivity.


They have also started taking 2FAs seriously. But they are completely clueless about it. For every application where they enable 2FA, they use some proprietory algo and have us install a new 2FA app on our phones. Right now I have 3 2FA apps on my phone, each catering to just one application.

That's terrible implementation. Do you deal with DoD or GCC or some government customer?
I had Cisco Duo, PingID and Authenticator; sense will prevail only when the costs of running these force them to rethink and implement the same 2FA broker across different applications.

I never imagined we'd have such frustratingly clueless people heading the information security department. It's infuriating. And I can't do anything about it except rant here about the luddites in our tech department.

I used to rant about this until I started working closely with them. They face these issues themselves and often make an effort to make things easier. However, as with any large organization, everything moves at a snail's pace and different tech teams often lock horns over not turning off a feature or relaxing some of the security rules. At the end of the day, it's a question of accountability: if there is a data leak, infosec is questioned first, therefore they go to great lengths implementing multiple solutions so they have someone to blame (vendors).
 
They probably have one legacy-type AV to scan your files, one endpoint protection AV to monitor the devices you insert like phones, USB drives, etc. (I once attempted to copy an APK file to smart glasses; within 10 minutes it was reported and escalated to the CSO and my boss), and one more AV to monitor sus activity
Yes, you're right. That's exactly what we have. Except, USB ports are disabled on our laptops for data transfer. They can only be used for peripherals like keyboard and mouse.
That's terrible implementation. Do you deal with DoD or GCC or some government customer?
I had Cisco Duo, PingID and Authenticator; sense will prevail only when the costs of running these force them to rethink and implement the same 2FA
Yes, I am myself an advocate for 2FA, so I wouldn't mind it at all if they had a single app with separate tokens for each website. One of the 2FA apps is Microsoft Authenticator. Another application we use supports Microsoft Authenticator, but they also have their own proprietary 2FA app. Needless to say my company chose to go with the proprietary app.

We don't deal with government organisations, at least, not in my area of work within the company.
 
It does. An Excel file which opens instantly on my personal system (exact same config) takes approximately 10 seconds to open on my office laptop. Boot-up time of the laptop is about 5 minutes, same as my 10-year-old laptop.

Ah. I can understand this, the file is being scanned - or maybe even multiple times!

I've dropped several emails, never received a reply.

Don't bother and don't open your mouth, you might get the responsibility and it's not easy.

Yes, always. Git commit takes about 2 minutes, an action which is instant on my personal system.

Well, MITM does take time and effort

McAfee is proper? Dunno. One is Windows Defender. The last one is also from a major company, not able to recall the name immediately.

Considering the alternatives of Quickheal and Seqrite and other crapware, McAfee is pretty decent.

Loads of commission (up to 60%) is being paid by Quickheal to get their AV installed. And it's BS.

Exactly. Why is this even a thing!

Sysadmins with control personalities. Don't ask, I have seen these jokers; two of them are working at my ex-company as an MSP and have mostly sold them on Quickheal, along with my idiotic IT director who was also sold on Quickheal because it was recommended by that business MLM.

Will have to start doing that. One more app and I'm gonna tell them these apps are impacting my phone's battery life.
Or maybe I'll purposely reset my phone and lose my 2FA apps. Then I'll pretend to be dumb and tell them I didn't know I was supposed to take a backup of those apps. That will give them a lesson on the pitfalls of making people use their personal devices in the office.

You go do that
Lol McAfee of all AVs? :shifty:

Also, doesn't Defender automatically turn itself off when it detects another AV installed? You have the option of allowing Defender to periodically check for threats at the same time, but it's not full-blown at that point.

Dude, McAfee vs Quickheal, just think which is better.

Will the antivirus be less effective because you have a made-in-India antivirus? Sadly this BS has been seen.

Or Russians are "fraands" with India so they won't attack - total BS.

And rather than AV, EDR is the need of the day.
You can't do anything. The IT head/VP/AVP who takes such decisions is taking side money from vendors to install their services.

Just means: do not open any personal emails, banking or any such sites in the office. Open them on your phone in their respective apps on a mobile data connection only, not on Wi-Fi. It's common sense if you value your privacy and security. Let the company go to shit if they don't care. No need to take responsibility that is not yours.

100% correct. Kickbacks. The MSP tried selling something worth 50K for 1L because no competent IT person to check.

Even better, they disabled 2FA and got some or all of the board of directors' email IDs hacked.
 
Dude, McAfee vs Quickheal, just think which is better.

Will the antivirus be less effective because you have a made-in-India antivirus? Sadly this BS has been seen.

Or Russians are "fraands" with India so they won't attack - total BS.

And rather than AV, EDR is the need of the day.
Quickheal is garbage, and McAfee is a definite step up.

My point was that a company that's supposedly pulling out all the stops towards security would have gone a step further in choosing an AV. Maybe Bitdefender? I'm not a systems specialist so I could be wrong.
 
Quickheal is garbage, and McAfee is a definite step up.

My point was that a company that's supposedly pulling out all the stops towards security would have gone a step further in choosing an AV. Maybe Bitdefender? I'm not a systems specialist so I could be wrong.

Does that company look like it's pulling out all the stops towards security OR trying to only do it on paper? You can be a judge of that.

BTW, Quickheal uses the Bitdefender engine but that's heuristics-based so it won't work as EDR. Hence why free Defender is far better than Quickheal and the Seqrite bullshit that they are pandering about.
 
Does that company look like it's pulling out all the stops towards security OR trying to only do it on paper? You can be a judge of that.

BTW, Quickheal uses the Bitdefender engine but that's heuristics-based so it won't work as EDR. Hence why free Defender is far better than Quickheal and the Seqrite bullshit that they are pandering about.
Judging by the current scenario described by the OP, it's pretty obvious.

I agree, free Defender definitely outshines in that regard.
 
The thing about disabling password managers is baffling to me. Bitwarden allows you to self host a server (simple docker image, so not the hardest to configure). You just do a domain login instead of signing in through Bitwarden. It can even do basic 2fa if you get the premium/enterprise license, but for basic password management you can self host without paying the company. Since you’re hosting, the only price would be for the compute and what little storage Bitwarden needs. Or just pay and use their service.
 
Another company in Mumbai has an equally puzzling directive: if you are a guest, before you connect to their Wi-Fi, they will check your computer for antivirus. If you have a free one like Defender, they won't allow it. Puzzlingly, Quickheal is allowed, but not MS Defender.

I found it stupid that they didn't have a separate guest network set up instead. They have business equipment btw, not consumer equipment like mine!

While at the place I worked at earlier, I would check any guest systems for pirated software - just a quick cursory glance at the installed programs or apps, as we were using a static IP and getting traced back to that IP would be a disaster. In fact, at all our factory locations we used to do this, till our esteemed leader decided that this was infringing on the time of the client. Nor could we deploy guest networks, because we were always cut down on budget, so instead of proper business Wi-Fi equipment we had to make do with consumer equipment. Oh, and the company got sucker-punched last year because of not following this rule (I had resigned a couple of months back).

Fun fact, in the initial days I would repurpose 740N routers into APs for Wi-Fi. Would be a pain to set up, but it worked. And we used pfSense (Realtek NIC and Sempron machines or C2D, then an Intel NIC and dedicated hardware, and then virtualised) for a very, very long time and recently moved to Sophos (finally). The one plus point of doing pfSense was I became extremely good at networks (CCNA helped too) and we had deployed it alongside Airtel MPLS with proper dual routing pathways.