
Very sensitive subject but what would IT security be like in government bodies

  • 27-03-2014 10:09am
    Registered Users Posts: 1,977 ✭✭✭


    In particular the garda....and their sensitive information....

    In particular due to the concept of corporate espionage as opposed to some script kiddie.

    Thanks.


Comments

  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Why?


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    Government bodies take this stuff very seriously.


  • Registered Users, Registered Users 2 Posts: 6,393 ✭✭✭AnCatDubh


    euser1984 wrote: »
    In particular the garda....and their sensitive information....

    In particular due to the concept of corporate espionage as opposed to some script kiddie.

    Thanks.

    I think the IT Security may be the least of their worries at the present time, though this is the organisation where email is only a recent (ok, a few years now) phenomenon - this, I believe, due to risk aversion. I'm not knocking it btw, in fact it may have been the entirely right thing for them to do at the time given the setup of their operations.

    The bigger threat for them as is in the public domain at the moment is obviously the enemy within, and even if it's not an 'enemy' within, a friend within may cause significant collateral damage - reputational or otherwise. On a deeper level in an open and democratic society we should be able to embrace such exposures. We should also have a mature media industry. um....

    I gather they will take this stuff really seriously. I also believe that no system is infallible so potential there, probably; but I'd expect that you'd want to be throwing some serious resource to achieve it.


  • Registered Users Posts: 8,038 ✭✭✭Hitchens


    euser1984 wrote: »
    In particular the garda....and their sensitive information....

    In particular due to the concept of corporate espionage as opposed to some script kiddie.

    Thanks.

    this is Ireland.................'nuff said! ;)


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Hitchens wrote: »
    this is Ireland.................'nuff said! ;)

    You'd be surprised.

    As AnCatDubh said, large parts of the Gardai are behind the fore in many ways from a technological point of view, the upshot of which is they are less vulnerable to many forms of attack than their private sector counterparts.

    Other government departments I have worked with took IT Security very seriously, dedicating large amounts of budget and manpower to it.

    Of the security reviews/audits I have done in the past year, if I were to compare government organisations over private sector organisations, it was better in the government departments 90% of the time. I'm not at liberty to say which organisations of course.


  • Registered Users Posts: 8,038 ✭✭✭Hitchens


    syklops wrote: »
    I'm not at liberty to say which organisations of course.

    of course, .........hush, hush, National Security etc.........say no more! :cool:


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    Hitchens wrote: »
    of course, .........hush, hush, National Security etc.........say no more! :cool:

    NDAs are standard fare.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Hitchens wrote: »
    of course, .........hush, hush, National Security etc.........say no more! :cool:

    It's called a non-disclosure agreement. I can't talk about either the government or private sector organisations.


  • Registered Users Posts: 8,038 ✭✭✭Hitchens


    syklops wrote: »
    It's called a non-disclosure agreement. I can't talk about either the government or private sector organisations.

    I onnit yo! :pac:


  • Closed Accounts Posts: 6,925 ✭✭✭RainyDay


    I know of one Government department (a fairly sensitive one) which only recently forced password expiration, but still has no password complexity rules, so passwords are normally changed from 'Newpassword1' to 'Newpassword2' or maybe even 'Newpassword3' before being written down on a yellow sticky note and stuck on the monitor.

    They might as well leave the keys under the mat.
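    The failure mode described above (expiration with no complexity rule, so users go from 'Newpassword1' to 'Newpassword2') is easy to catch at change time. The following is an added example, not code from the thread or from any department mentioned in it; the thresholds (12 characters, 3 character classes, 0.8 similarity) are assumptions chosen for illustration.

    ```python
    import re
    from difflib import SequenceMatcher

    # Policy thresholds: assumed values for this example, not any real department's policy.
    MIN_LENGTH = 12
    MIN_CLASSES = 3        # of: lowercase, uppercase, digit, symbol
    MAX_SIMILARITY = 0.8   # difflib ratio above which the new password is "the old one, tweaked"


    def char_classes(pw: str) -> int:
        """Count how many of the four character classes the password draws on."""
        patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
        return sum(bool(re.search(p, pw)) for p in patterns)


    def strip_counter(pw: str) -> str:
        """Drop a trailing run of digits/symbols so 'Newpassword2' and 'Newpassword3!'
        both reduce to 'Newpassword' and can be compared against the previous password."""
        return re.sub(r"[0-9!@#$%^&*]+$", "", pw)


    def check_password_change(old: str, new: str) -> list[str]:
        """Return the policy violations for a proposed change; an empty list means accepted."""
        problems = []
        if len(new) < MIN_LENGTH:
            problems.append(f"shorter than {MIN_LENGTH} characters")
        if char_classes(new) < MIN_CLASSES:
            problems.append(f"uses fewer than {MIN_CLASSES} character classes")

        old_core = strip_counter(old.lower())
        new_core = strip_counter(new.lower())
        # Catches the 'Newpassword1' -> 'Newpassword2' pattern, and prefix/suffix padding of the old one.
        if new_core and (old_core in new_core or new_core in old_core):
            problems.append("reuses the old password with only a counter, prefix or suffix changed")
        elif SequenceMatcher(None, old.lower(), new.lower()).ratio() > MAX_SIMILARITY:
            # Catches small edits (swapped letters, one character changed) that the core check misses.
            problems.append("too similar to the old password")
        return problems


    if __name__ == "__main__":
        # Constructed sample changes, including the one from the post above.
        for old, new in [("Newpassword1", "Newpassword2"), ("Newpassword1", "Tram-Beacon-42-River")]:
            print(f"{old!r} -> {new!r}: {check_password_change(old, new) or 'accepted'}")
    ```
    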


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    Password expiration is (IMO) a waste of time pain in the arse. The idea behind it is fine (if the password is compromised, limit the damage by limiting the duration). There are a few flaws with that though which I won't go into, but anyway. Yeah, people should be given guidelines on what constitutes a good, memorable password that won't need expiration. I also think everyone should use keepass, personally.


  • Registered Users, Registered Users 2 Posts: 155 ✭✭eddiehen


    Khannie wrote: »
    Password expiration is (IMO) a waste of time pain in the arse. The idea behind it is fine (if the password is compromised, limit the damage by limiting the duration). There are a few flaws with that though which I won't go into, but anyway. Yeah, people should be given guidelines on what constitutes a good, memorable password that won't need expiration. I also think everyone should use keepass, personally.


    I would totally agree. Password complexity over password expiration time all day long. The overhead of password resets (which would essentially force the user to change the password to something they would remember and therefore something more obvious and therefore more hackable by a dictionary crack) is just counterproductive.

    Installing keepass would require local admin rights too (or at least access to SourceForge - blocked by some transparent proxies), as an aside. If you cannot trust a user to set a complex password and let them remember that for 90 days, then you should not give them access to programs which could make registry changes (sorry, Windows hat on here).


  • Registered Users, Registered Users 2 Posts: 11,205 ✭✭✭✭hmmm


    Government departments vary, some are good, some are not. Budgets can be large, but oftentimes it's wasted buying shiny boxes as a "tick the box" exercise - in particular there used to be an end of year rush to buy equipment to ensure that budget was not lost for the year after. You'll often find a very good and knowledgeable security head, but staff who have transferred into security from completely unrelated roles (because of public sector rules) - it's obviously not ideal to have firewall admins who were office clerks the year before. Most of the people I meet are pretty diligent and hard working, but you need more than diligence to be effective at security.


  • Closed Accounts Posts: 6,925 ✭✭✭RainyDay


    Khannie wrote: »
    Password expiration is (IMO) a waste of time pain in the arse. The idea behind it is fine (if the password is compromised, limit the damage by limiting the duration). There are a few flaws with that though which I won't go into, but anyway.
    I disagree. The idea works - by changing the password, you explicitly cut off any access by others. Also, when passwords get shared from time to time (which of course shouldn't happen, but does happen), it limits the time period that others have access.
    Khannie wrote: »
    Yeah, people should be given guidelines on what constitutes a good, memorable password that won't need expiration.
    I agree with all except the 'no expiration' bit. There are a few good sites that have examples of how to create memorable yet strong passwords.
    Khannie wrote: »
    I also think everyone should use keepass, personally.
    It's unlikely to be a realistic option in a corporate environment, where the organisation would need to do a full security review of keepass before handing over the keys to the business to them. Better to work towards single-sign-on, strong passwords and expiration every 60 days or so.

