Security Precautions are for you, not me!
This seems to be the hardest task in my job, yet a major portion of my job seems to be protecting the systems from the people who run them. Supposed security people and other technical people always claim to want security, yet they use backdoors or ways around any security measures we put in place. This is because they know the systems and the environment. I am guilty of this as well.
For example, we have a content filter system at work; however, our policies are based on group policies that we control, so we can just put our user into a group that is not filtered. While this seems innocent, it is still going around a policy that we are supposed to enforce. We, as technically savvy users or security professionals, seem to believe that the protections we put in place are only for the technically ignorant, so we find ways around them.
I have also found people installing certificates to allow them to log in to administrator-level accounts without a password. While in laziness it is nice, when that server contains sensitive data it's a very bad practice. Your normal users are not generally going to implement these types of workarounds like a technical user will.
Technically intelligent does not mean security-wise, and I would be willing to bet your technical users are far more risky to your sensitive systems than a non-privileged user.
So how do we protect ourselves from ourselves? Implementing policy does not appear to work as it should, as someone who has privileges to change the policy will find a way to exempt himself or herself. If we are responsible for the audit, will we fix these types of concerns? We do not want to raise one person to be the Network Nazi or Group Policy Cop, and if we do, who enforces the policy on them?
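As an added example (not code from the original post), one way to make the "who enforces the policy on them" question answerable is to review group-membership changes after the fact and flag exactly the case described above: an administrator adding their own account, or any account, to a group the content filter exempts. The audit records and group names below are constructed; the field names follow those of the Windows security events for a member being added to a group (4728/4732/4756).

```python
import json

# Constructed sample records, modelled on the fields of Windows security
# events 4728/4732/4756 (member added to a global/local/universal group).
SAMPLE_EVENTS = [
    {"EventID": 4728, "SubjectUserName": "jdoe",
     "MemberName": "CN=jdoe,OU=IT,DC=corp,DC=example",
     "TargetUserName": "WebFilter-Exempt"},
    {"EventID": 4728, "SubjectUserName": "asmith",
     "MemberName": "CN=bjones,OU=Sales,DC=corp,DC=example",
     "TargetUserName": "Sales-Users"},
    {"EventID": 4728, "SubjectUserName": "asmith",
     "MemberName": "CN=jdoe,OU=IT,DC=corp,DC=example",
     "TargetUserName": "WebFilter-Exempt"},
    {"EventID": 4732, "SubjectUserName": "jdoe",
     "MemberName": "CN=jdoe,OU=IT,DC=corp,DC=example",
     "TargetUserName": "Administrators"},
]

EXEMPT_GROUPS = {"WebFilter-Exempt"}   # constructed: groups the filter skips
MEMBER_ADDED_EVENTS = {4728, 4732, 4756}


def member_sam(member_dn):
    """Return the account name from the leading CN= part of a DN."""
    first = member_dn.split(",", 1)[0]
    return first[3:] if first.upper().startswith("CN=") else first


def review_group_changes(events, exempt_groups=EXEMPT_GROUPS):
    """Flag membership adds where the actor added themself (self-added)
    or where the target group is one the content filter exempts."""
    findings = []
    for e in events:
        if e.get("EventID") not in MEMBER_ADDED_EVENTS:
            continue
        actor, group = e["SubjectUserName"], e["TargetUserName"]
        member = member_sam(e["MemberName"])
        reasons = []
        if member.lower() == actor.lower():
            reasons.append("self-added")
        if group in exempt_groups:
            reasons.append("exempt-group")
        if reasons:
            findings.append({"actor": actor, "member": member,
                             "group": group, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in review_group_changes(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

The point is that the reviewer of these findings should be someone other than the administrators who can change group membership, otherwise the same gap the post describes reappears one level up.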
I started my life as an ASP classic developer and have since written code in ASP, ColdFusion, C, C++, PHP, Perl, Ruby, Python and others.
