InsideTech

Odd forum to post this in,

Security should ALWAYS be a main priority. If those who plan/approve budgets are halfway intelligent, there will never be a conflict.

 IMAO Security isn't only a "Data" matters, it should extend to non-IT, or physical security and vigilence should extand to IT.

Nothing can stop anyone to run a live CD on a PC and get informations on local machine and nothing can stop a guy to directly pull off a PC of a desk, then what stop this ? Not an IT guy, especially not a slim IT guy.

LarrythecableGuy says ...

 IMAO Security isn't only a "Data" matters, it should extend to non-IT, or physical security and vigilence should extand to IT.

Nothing can stop anyone to run a live CD on a PC and get informations on local machine and nothing can stop a guy to directly pull off a PC of a desk, then what stop this ? Not an IT guy, especially not a slim IT guy.

your correct to some extent.  I can lock down the bios and remove the ability for you to boot off of removable storage.  But that is my point.  Why does a board have final say on what can and can't be done to secure a network.  When all they are looking at is money and the colleges image?  In my opinion the image will drop if the newspapers print your college has had a huge network security breach, and IT people recodmended all the necessary things to stop this but the board wouldn't go through with this because they didn't want allocate more money toward that department.  Especially when that same commitee grants the approval for 3 labs of 30 pcs to get upgraded with brand new 19 inch imacs for a department that the college could do without.

-Animuso

animuso says ...

LarrythecableGuy says ...

 IMAO Security isn't only a "Data" matters, it should extend to non-IT, or physical security and vigilence should extand to IT.

Nothing can stop anyone to run a live CD on a PC and get informations on local machine and nothing can stop a guy to directly pull off a PC of a desk, then what stop this ? Not an IT guy, especially not a slim IT guy.

your correct to some extent.  I can lock down the bios and remove the ability for you to boot off of removable storage.  But that is my point.  Why does a board have final say on what can and can't be done to secure a network.  When all they are looking at is money and the colleges image?  In my opinion the image will drop if the newspapers print your college has had a huge network security breach, and IT people recodmended all the necessary things to stop this but the board wouldn't go through with this because they didn't want allocate more money toward that department.  Especially when that same commitee grants the approval for 3 labs of 30 pcs to get upgraded with brand new 19 inch imacs for a department that the college could do without.

 

-Animuso

I can always unlock the bios by taking off the battery on the board (you know, the barbarian way) ;-) there is always something.

I don't know why a chairmen board got to say what need to be done with security, especially without consulting the chief security officer or the chief information security officer.

It's all politics, wI had an issue that I brought up many times that our main domain/file server's OS partition was running low on space, but I needed to purchase a new OS disk to rebuild. The company who we needed the $30 disk from put our account on hold because the CFO (also incharge of IT) didn't want to pay these late fees, so I couldnt get my disks, TWO months later, the whole system crashed because someone queued a print job that took all the resources left of the server and crashed it, the whole company went down. then when the CFO asked how this happened, I told him I warned him, but you didn't listen. Lets just say after that the bills where paid so I could get my disks.

Having said that, maybe you should wait until a breach then you can do the whole "I told you so"

JeffEmon says ...

It's all politics, wI had an issue that I brought up many times that our main domain/file server's OS partition was running low on space, but I needed to purchase a new OS disk to rebuild. The company who we needed the $30 disk from put our account on hold because the CFO (also incharge of IT) didn't want to pay these late fees, so I couldnt get my disks, TWO months later, the whole system crashed because someone queued a print job that took all the resources left of the server and crashed it, the whole company went down. then when the CFO asked how this happened, I told him I warned him, but you didn't listen. Lets just say after that the bills where paid so I could get my disks.

Having said that, maybe you should wait until a breach then you can do the whole "I told you so"

But the sad thing is I can perform the breach myselft.  Let alone my club would just dominate it.  I already bailed out a club member for sniffing the network and capturing the wrong password.

Ok you have here a club...that you don't "have" pay that is willing to help cause most of them just want expierience and you turn them away because your insecure about your network???? yet you would pay someone to do what we would have done for FREE!!!!! or even a signature.

"The DC/DNS and the FS " Domain Controller, and File Server?  is that what those abr. mean larry?

Phreadd says ...

Security should ALWAYS be a main priority. If those who plan/approve budgets are halfway intelligent, there will never be a conflict.

Like anything else to which a budget applies, some sort of analysis is required.  In the case of security and its relative priority, there should be a risk/benefit analysis.  It is always possible to spend more on security than is necessary or appropriate.  And in the case of an educational institution, security could be prioritized over delivering education, but that might not make sense.  Security effort and spending should be commensurate with the value of the assets being protected and the primary goals of the organization.

So, if the OP notices certain shortcomings in the network security as compared to the ideals taught in the classroom, the first question should be, why?  It could be negligence, or it could be that the network segment examined didn't have much in the way of practical vulnerabilities.