Ask HN: How to deal with a cybersecurity org that has jumped the shark?
3 by darksaints | 2 comments on Hacker News.
I'll start out by saying I'm not a security expert, but I know the basics that every engineer should know well, and I've previously worked at high-threat-environment companies with practically perfect track records, so I've seen what an effective security org does well. That being said, if what I'm saying is wrong, please point it out to me. I'd actually love to be wrong about this.

Background: Our security team has been nothing more than a fail factory for at least two decades now, with several high-profile breaches. We could probably have our own dedicated section on `haveibeenpwned.com`. There was a recent shakeup, the old team got fired en masse, and a new team has taken their place. I will gladly admit that the old team needed to be fired, and the new team treats security as a top priority... it's just that it seems like they're doing it all wrong.

Examples:

1) We have gone through 3 network security systems in 2 years. First a standard VPN, then an SDP. The most recent was some newer technology from a company I had never heard of, which only seems to be used at companies several times smaller than ours. Nobody can seem to explain how this software works or how it secures our network, but it has had several extreme unintended consequences, such as breaking local development environments with its custom MITM certificates, breaking automated security scanning software, occupying between 1-2 cores at 100% on our laptops, and, worst of all, a whitelist-only access policy. The process for whitelisting a single site involves filling out a survey and writing an essay as to why we need to access it. In the past, when I have done this for things like access to documentation sites for open source software that we use in production, I have gotten blanket denials that have had to be escalated to the VP level. The people reviewing the requests don't seem to know anything about software or telecom at all, and yet they have very strong opinions on what is business critical or not. All to stop phishing, which is really strange because they have treated hardware MFA like an afterthought.

2) Our laptops have been locked down, and all admin privileges have been removed. We are to install all software via a software installer app. When we need new software, we have to request that it be added. This can take anywhere from several weeks to several months. If we request that software be updated to a newer version, it will take weeks, even if the reason for the update is security vulnerabilities.

3) We have a new team dedicated to tracking PII. The way they've implemented this is by having contractors contact database owners on Slack and ask them for completely uninhibited permissions to scan our databases. When I pressed them for more information about how they store the credentials, they showed me how they collect and store them. I watched as they copied the credentials to their OneNote, then tested them out manually in DBeaver, then added them to a secure vault. There is probably a OneNote notebook floating around where one of these contractors has unrestricted database credentials to every database in the company.

This is just a sample due to the 4000 char limit. On top of making our day-to-day jobs a total nightmare, I feel bad for our customers. These policies have broken customer-facing software, and most of them appear to me to be a step backward in actual security. And any time that criticism happens, we get an extremely hostile and childish response, ranging from "You don't know anything about security" to "If people would stop clicking on phishing links, we wouldn't have to do this". There is no forum for discussion of security policies; you either accept them or you are framed as part of the problem.

Have any of you ever dealt with this before? Is there a professional way to effect meaningful change without risking getting fired? Or do I have to accept that I have no control over the situation?