I have always been interested in the balance of “risk and profitability” within the framework of public safety: what level of risk is acceptable for maintaining efficiency and productivity?
Examples are everywhere. One day, at an intersection in some city, an accident occurs: a car knocks down a child.
The public is outraged, city officials call a meeting, and here is the result: $60,000 is spent on installing speed bumps, fences and traffic lights at this intersection - even though it was obvious that the accident was caused by a drunk driver and had nothing to do with the intersection itself.
I understand why this is happening. People want to do something to ease the pain. However, what is the point in equipping one particular intersection with redundant security measures, ignoring all other intersections in the country?
These thoughts came to mind when I talked with a friend who works at a small company. He complained about a new IT specialist who had recently joined them.
The first thing this guy did in his new workplace was declare that their network was unsafe, and he introduced new, completely draconian protection measures. Employees can no longer choose their own passwords; a password is assigned automatically and consists of 12 interspersed letters and numbers that are impossible to remember. And this password has to be changed every month.
He also blocked messengers and the ability to open email attachments, as well as YouTube and many other popular sites. That company, by the way, produces video content, which means that watching video clips on the web is an integral part of their work. With all these changes, this IT specialist made work at the company uncomfortable, confusing and much less pleasant.
Do you think this small video production company has had any intrusions in all the time it has existed? No, never.
The same story happened at the elementary school my daughter attends. Using the school website, students can check what homework they have been set, download various documents, etc. Recent changes have significantly complicated this process: the password must be no shorter than 8 characters, consist of numbers and letters, and not contain dictionary words.
And this is in junior school!
The Times newspaper also recently strengthened its defenses. Previously, to log in to my page and accept or reject my readers' comments, it was enough to enter my login and password. Now I need to find the SecurID key given to me; open a program to connect via VPN, which works through my Mac; enter the password displayed on the key within 60 seconds, before it expires; enter my ID; connect; go to a secure page and enter another login and password.
I think everyone understands that I moderate comments on my articles much less often now! Do not think that I am complaining about my superiors (hello, boss!) - they have plenty of reasons to worry about the safety of working on the Internet - I just had to say something.
I once read that air travel can be made 100% safe. Yes, technically it is possible. But it would take so many security measures, redundant checks, precautions and security policies that a plane ticket would cost $50,000 and no more than 20 flights would be made per day.
Everything needs a balance. Anything can be made almost absolutely safe - by paying a huge price and, in the process, wiping out all convenience. Air transport today strikes a good balance - in 2007-2008 there was not a single crash in the United States - and at the same time airplanes fly all the time, and a ticket costs significantly less than $50,000.
I understand the motives of IT professionals: “I was hired to provide security. If I can't do it, they'll fire me. Convenience and speed of work are secondary for me.”
It may be worthwhile for companies to consider hiring, in addition, OT specialists (to optimize technologies) who will restrain the impulses of the IT specialists. Someone who will say: "Come on, is it really necessary?"