28 comments

[ 2.8 ms ] story [ 63.2 ms ] thread
How do security specialists think about this sort of risk assessment? Not just for pandemics but anything that would make key people have to access these systems remotely.
Security guy here. I work in finance, but the calculus around how you look at risk doesn’t change much from industry to industry, what changes is risk tolerance.

Fact of the matter is that some things you don’t ever want remotely accessible. No security is perfect, and if your worst case scenario costs human lives, you simply cannot tolerate any level of risk.

That being said, there are probably companies out there with security that poses more of a barrier to employees than it does protection to the organization. In those cases it’s important for orgs to do their own disaster planning (there are many scenarios where office become unavailable) and make appropriate plans to deal with that.

Some orgs will not be able to function without an office depending on the nature of the work. Many can if they take the time to set up secure ways for people to work remotely beforehand.

I've done assessment work for utilities, exchanges, large health providers and similarly regulated/sensitive organizations.

The risk decisions (implied or explicit) being made here are sensible. These organizations simply aren't set up to operate in anything like a "BeyondCorp" all-remote model.

The middle of a national crisis is the absolute worst time at which to try to make sweeping changes to facilitate new models of work. In a very plausible worst case, you end up with IT disasters that not only force people to work on site, but force everyone to come in and work extra hours using paper and ad hoc spreadsheet processes, while essential services are compromised for customers.

The concern that "opening up" these organizations would pose security threats isn't just sensible, it's obvious: most large enterprises are set up in the same perimeterized model we used in the 1990s, line-of-business internal applications are almost never hardened against attacks, and most internal segmentation is handwaving; internal site-wide pentests never fail against big companies.

Exactly, IBM consultants will still wrap an engagement today with unencrypted telnet listening on all interfaces of your "AS400".

"It's not open to the world" is quite often justification for some really poor security decisions.

These types of orgs just need to staff for this type of thing and have work rules and facilities to manage.
I was going to say "a Bond movie where he the biggest threat to his life is not being able to work remotely", but then that is generally the biggest threat to his life all the time. I guess these problems here are the actual ones that should be addressed in the Sam Altman investing in covid-19 startups thread.
Most companies that I worked for and which had troublesome remote work setup used the "security by obscurity" approach. The IT there were completely incompetent and the only way they knew to make systems "secure" is to limit outside access. And most of those crippled infrastructures were windows-based. As usually there were exceptions though.
At my employer the issue is the opposite. They don't value security so they disable all firewalls, encryption, 2FA and everything else in favor of ease-of-use. My concern isn't that people will have a hard time working from home, my concern is that whatever malware they have at home is now also roaming the company network.
Let's dig a huge gaping hole into that infrastructure with a VPN and BYOD. And when it doesn't work, blame IT support for not properly supporting my dusty old Windows XP installation. Sure.

What you want is separation, though for real work it quickly becomes impractical. So there are special rules for something, and suddenly, everybody are running on those not-so-special rules anymore.

IT security is still mostly about people and awareness at this point.

Limiting outside access is not "security through obscurity". That would be something more like "we have a VPN server that gives you full internal access that doesn't even have a password, but no one is going to figure out that we are running it on a non-default port".
This is correct. I was super confused for a minute when I read the original comment.
> Staffers at power grids, intelligence agencies, and more often don’t have the option to work from home

Yeah I'm good with that.

I'd like the power grid staffers to keep doing their jobs thanks very much
They can keep doing their jobs... at the office.
I thought zero trust is the only reasonable approach.
This is a thing that people say because it's ideally true and an article of faith among cool-kid practitioners†, but it is absolutely not the reality in major enterprises, and wanting it to be the case doesn't make it so.

I agree with the cool kids that it's a good thing!

> This is a thing that people say because it's ideally true and an article of faith among cool-kid practitioners†, but it is absolutely not the reality in major enterprises, and wanting it to be the case doesn't make it so.

As someone who deals with large enterprises with regards to network architecture, you couldn't be more wrong if you tried.

If you aren't adopting a zero-trust like security model, you are retarded, to use less-than professional speak.

It's a reasonable approach if you're ready for this, but there are many organizations which would need lots and lots of work on infrastructure to be prepared to anything close to zero trust, and "simply" switching to a zero trust model would be a disaster.
It's interesting that preventing a cyber virus and a real world virus is mutually exclusive. Some things require connectivity, when it's virtual connectivity you're exposed to virtual viruses and when it's physical connectivity you're exposed to real viruses.
The only real network computer security is achieved by unplugging the network. And even then...
Most of the issue here is not features or limitations of VPN architecture, it's the decision to completely air-gap certain systems, which is a common practice in both government and industry with critical systems. Just e.g. "doing BeyondCorp" does not address the problem that workers cannot interact with an air-gapped system without being in the special room in the special building.
I think it’s completely sensible for critical infrastructure to be air gapped and for people maintaining it to go into the office. This should be in the same category of jobs that cannot do remote work as doctors, nurses, etc that just have to be on site.

This is not the time to do sweeping IT architecture changes.

That being said, I think lots of normal companies have horrible IT security infrastructures that focus on compliance and covering peoples asses in case things go wrong as opposed to actual security. Those usually also make it hard for remote workers (vs BeyondCorp), which is now coming back to bite them.

right now healthcare should really be considered critical infra too.
I didn’t mean to imply it’s not (now or ever). I doubt that most healthcare systems need to air gapped though (actual medical equipment should be).
I didn't say you were :) my comment was just an additional complementary point to yours
Availability is actually also a part of security, complementing privacy and confidentiality...
I wonder how many affected organizations have begun to turn non-office space into office space and shift work around? Imagine working at the NSA, you won't want a few thousand people coming through security and stuff every day, so you shift the work to be 24/7 and make people come in smaller shifts, then you can put people in closets with good desks and lights and stuff to separate them. If hospitals can turn non-ICU rooms into ICUs (I have seen them turn some doctor's offices into ICUs recently, even) then why couldn't a utility or secure organization do the same?
Back in the day this was done with a bunch of paired encrypted modems, and a multiple serial port, getty, and ISDN-PRI are all probably still a thing...