Friday, February 02, 2007
I Have Failed
"It is natural for the immature to harm others. Getting angry with them is like resenting a fire for burning." Shantideva
"Anger is the most impotent of passions. It effects nothing it goes about, and hurts the one who is possessed by it more than the one against whom it is directed." Carl Sandburg
A few weeks ago, I had a flicker of anger. I had received an email that said I had submitted a "weak" ticket where I had flagged at least two severely bad security practices. When I talked to my immediate supervisor about it several days later I lost it entirely when talking to him, although the outburst wasn't directed at him but at the more senior managers. I look upon my job as protecting my company from exploitation and theft. At its heart, security is about loss prevention, IT Security doubly so. But my company isn't interested in protecting systems and assets from online theft or protecting employees from themselves; it's interested in using IT Security to increase productivity by making an example of people not complying with the Acceptable Use Policy. It doesn't matter that some of the rules aren't really enforceable as they stand currently. Employees aren't allowed to shop, view porn, or use company computers to listen to music while at work, but the proxy servers which should be blocking access to these sites aren't. Then there's the question of buying a book related to your job at Amazon.com when you are at work. Is that within the AUP policy? As for porn, well, sex is hardwired into people's brains. You might as well ask people to stop breathing. If porn went away, Internet Commerce would wither and practically die, it's that profitable an industry. And it doesn't have to be a porn site; dating sites with "Intimate" sections exist.
So, management has decreed that we monitor Internet usage throughout the company and submit "sexy" tickets, cases where the violator is doing something very bad, such as viewing adult material, shopping for firearms, etc. The problem here is that we will have a few false positives, especially with firearms. This is a hunting state. You can drive 50 miles in any direction and likely find a place to hunt. I was hoping that we'd be allowed to submit tickets showing weaknesses in our security, but that is not to be. It doesn't even matter that someone who's smart can circumvent our surveillance just by using Terminal Services and surf from his home system remotely from work provided the network lets him. The system we use can't decrypt encrypted traffic. It will only catch "low hanging fruit". The people who will do the most harm it will not catch. Don't even ask about child porn. There's a Catch-22 there. If we see images of child porn while investigating a violator, technically we are violating the law as well and can be arrested. Our management is "working" on that procedure.
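The evasion described above (remote-desktop out to a home machine, then surf from there) never touches the web proxy, so a proxy-based filter is blind to it; the firewall, however, still sees the connection. The following is an added example, not code from the original post, showing the kind of check that would catch it: it walks a constructed, key=value style firewall log (the field names, addresses and sample lines are all made up for illustration) and flags allowed outbound RDP or SSH sessions from internal workstation addresses to hosts outside the corporate address space. The internal ranges and the port list are assumptions to be replaced with the real ones.

```python
"""Flag outbound remote-access sessions (RDP, SSH) from internal hosts to external ones.

Added example; the log format, field names and sample lines are constructed, not real.
"""
import ipaddress

# Assumption: the RFC 1918 ranges stand in for the corporate LAN.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Ports a web proxy never sees: RDP (Terminal Services) plus SSH, which is
# commonly used the same way.  Assumption: neither is needed outbound by policy.
REMOTE_ACCESS_PORTS = {3389: "rdp", 22: "ssh"}

# Constructed sample firewall log (not real data).  One line per connection,
# closed-session byte counts included.  Only lines 1 and 5 should be flagged:
# line 2 is ordinary HTTPS, line 3 is RDP to an internal server, line 4 was denied.
SAMPLE_LOG = """\
2007-01-29T09:14:02 action=allow proto=tcp src=10.20.5.17 spt=51233 dst=203.0.113.45 dpt=3389 bytes_out=184220 bytes_in=9210554
2007-01-29T09:14:05 action=allow proto=tcp src=10.20.5.17 spt=51240 dst=198.51.100.7 dpt=443 bytes_out=2210 bytes_in=40213
2007-01-29T09:15:11 action=allow proto=tcp src=10.20.7.3 spt=49152 dst=10.20.1.10 dpt=3389 bytes_out=33000 bytes_in=600120
2007-01-29T09:16:40 action=deny proto=tcp src=10.20.9.88 spt=50011 dst=203.0.113.99 dpt=3389 bytes_out=0 bytes_in=0
2007-01-29T09:17:02 action=allow proto=tcp src=10.20.9.88 spt=50012 dst=192.0.2.200 dpt=22 bytes_out=1200 bytes_in=1900
"""


def parse_line(line: str) -> dict:
    """Split 'timestamp key=value key=value ...' into a dict with integer port/byte fields."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    for key in ("spt", "dpt", "bytes_out", "bytes_in"):
        rec[key] = int(rec[key])
    return rec


def is_internal(addr: str) -> bool:
    """True if the address falls inside one of the assumed corporate ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def find_external_remote_access(log_text: str) -> list:
    """Return allowed internal->external connections on a remote-access port."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["action"] != "allow":
            continue                      # a denied attempt is the control working
        if rec["dpt"] not in REMOTE_ACCESS_PORTS:
            continue
        if not is_internal(rec["src"]) or is_internal(rec["dst"]):
            continue                      # inbound or purely internal RDP is out of scope here
        hits.append({
            "ts": rec["ts"],
            "src": rec["src"],
            "dst": rec["dst"],
            "service": REMOTE_ACCESS_PORTS[rec["dpt"]],
            "bytes_in": rec["bytes_in"],  # screen traffic coming back is large and opaque
        })
    return hits


if __name__ == "__main__":
    for hit in find_external_remote_access(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["src"]} -> {hit["dst"]} ({hit["service"]}, '
              f'{hit["bytes_in"]} bytes in)')
```

Two things worth noting about what this does and does not give you. The content of the flagged session is encrypted, so this only tells you that a workstation held an interactive remote-desktop session to an outside host and roughly how much screen data came back; it cannot say what was browsed. And the denied line in the sample is the actual fix: if the firewall already blocks egress RDP and SSH from workstations, the monitoring becomes a check on the rule rather than a substitute for it.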
But I have failed - spiritually and in my duty to protect the company. I lost my temper when I discovered that even though I followed guidelines and procedure and did the right thing, it wasn't what management wanted. What really angered me is that they are changing what they want from us again. They want stories, a nice written analysis with pictures of what we find, kind of like an intelligence write-up or dossier, or the kind of research report a private investigator might write for a client. But we aren't given any useful training on discerning a real from a false case. We are supposed to "know" what management wants, as vague as that is. They want dirt. They want scandal. They want sex. Meanwhile, you can steal our billing software code from our development group, steal trade secrets, and whatnot, probably without anyone noticing, because we are too busy looking at employees' surfing habits instead of doing what we were hired to do.