Who Is Minding The Minders? (Don’t Worry About. . .)
RansomWare has recently been in the news. That’s where a hacker takes over your computers, encrypts the hard drive and then asks you to pay a ransom to unlock them. It’s a global problem. The US FBI director just likened it to the threat on 9/11.
You have people in your IT department who spend their entire day worrying about RansomWare (and MalWare and viruses and Trojans, and worms, phishing, and spear phishing, and whaling, and lots of other threats that you probably have never even heard of.) Thy spend their time working on it so that you don’t have to. (But, don’t click the links. NEVER click on links in an email.)
Have you ever wondered about those faceless IT guys who spend their days and nights defending your network? They have a lot of access to network resource. I mean, they are the guys you call when you are locked out of your system. So clearly they can get around network protections that stop us mere mortals.
Should you be worried about them?
In a word, No. You should do background checks when you hire them. You should certainly hold them accountable, but you should not try to build systems to try to keep them out.
It won’t work. And, it will prevent your teams from being able to do the work they need to do. I worked in an IT org one time where it was decided that local desktop engineers could no longer change permissions for users.
That probably seemed like a reasonable precaution. After all, elevation of privilege is a threat vector that hackers often use. In fact, it so common it’s actually called “elevation of privilege.” Yeah, let’s bump that ability up to the desktop leads.
Oh, except now my local DEs cannot get into some of the services they need. They have to ask a Lead to allow them in. The Leads are now spending part of their time granting access to the engineers who are supposed to be doing the work.
Later the same company made a change to the local firewalls. They decided they didn’t want to allow uses to access personal email, (gmail, Microsoft mail, etc.) So, they changed the firewall. Now if you tried to get to live.com, you got an error.
That’s more secure right?
Not so much. Remember the guys who guard the network also know the network, better than any of the executives. So, simply using your computer on the local network wouldn’t allow access to personal email sites.
But, if you use the corporate VPN, you connect to a system in India and the local network limits don’t apply. Personal email is accessible just fine.
You might think that the network engineers, and informed users would let management know that they missed a spot.
No. Because your IT guys like to be trusted and if you don’t trust them, they are going to do their jobs anyway, but not put up with your silly security restrictions.
But, you should still never click the links. Seriously, don’t click the links in emails.
Stay safe
Rodney M Bliss is an author, columnist and IT Consultant. His blog updates every weekday. He lives in Pleasant Grove, UT with his lovely wife, thirteen children and grandchildren.
Follow him on
Twitter (@rodneymbliss)
Facebook (www.facebook.com/rbliss)
LinkedIn (www.LinkedIn.com/in/rbliss)
or email him at rbliss at msn dot com(c) 2021 Rodney M Bliss, all rights reserved