Looking back over my 20 years of doing IT support, some of the top security issues that I have encountered have been compatibility, convenience and yes, you guessed it, toys.
Sometimes it can be hard to get employees with all their differences, likes and dislikes, to get along. Sometimes it can be downright impossible to get software to get along with the server. On more than one occasion I have seen where software wouldn’t play nice with the server unless the directory it used was given the security settings of “Everyone” and “Full Control”. Everyone means every authenticated user (it used to include even unauthenticated users!) and Full Control means, well, you get the picture.
For example, the application team of a company was trying to get a new web application installed for some executives. The data in the directory was not updating properly. The team had tried everything and the only thing that worked was allowing “everyone – full control” security rights to the directory. Of course this was against corporate policy for a web app, and the server team would not allow it. The software had to be up and running by a certain date. A mini power struggle ensued. The server team called in their people, the application team called in, well, the executives. Guess who won that battle?
Companies will run old versions of software because it is too costly, time-consuming or difficult to upgrade. These programs can be full of security issues, especially software 10 or even 15 years old, from when security was not a top concern.
It seems that the more authority an employee has, the more toys they have. When dealing with top executives and company decision makers, many times you run into the magical four-word phrase, “But, I want it”. This means, “I understand that this peer-to-peer software sharing service is an open door for malware and hackers, and even though we jumped through hoops to secure our system, I want it.” Of course that attitude lasts until their network is compromised, and their toy costs them.
It is amazing what I have been asked to do for executives and business owners over the years. One of the funniest by far was for a utility company CEO. He was one of the most technically competent executives that I had ever met. He was an engineer before he became an executive and was probably the top engineer in the company. I had installed a new workstation for him. It was a two-day process.
Many of the utilities that he used were no longer being made and were not network aware. They were going to be replaced “someday”, but processes still relied on them. It was a minor miracle to get them to work with the newer OS. He only wanted certain data copied over from his old computer. It was checked and double-checked. When I left we had verified that everything had worked at least twice, sometimes more. When I went in to work the next morning I received a call from a very angry CEO. As I was taking the call, I couldn’t fathom what I had missed or what ancient program decided to crash on his new system. Or what company process was being held up because his software wasn’t working. When I picked up the phone all I heard him say was, “WHERE ARE MY BIKINI BABE PICTURES???”