Sunday, February 25, 2007

Security: you've got to want it 

Via Stupid Security, the comments section of The Daily WTF describes some real-life incidents at hospitals and military bases.

Hospitals are regulated to protect confidential health information. But what do you think happened to the morale of employees who wanted to protect privacy and security when, as "Calli Arcale" wrote,
My brother-in-law got fired from one security job (at a hospital, no less) for upholding policy and verifying an unbadged person's identity before letting them in.

That discussion triggered a flood of horror stories, including plenty from the military:
Re: The Direct Approach
2007-02-05 13:08 • by Jethris (unregistered)

116399 in reply to 116393
The military is good for these.

I worked in a classified data center. We had duress words to use to signal whomever we talked to that we were under duress. One of them was Scrabble.

We then had our security police come in through the building and see how many offices they could get into. They faked a pass (had a picture of a bunny on it), and then went to each workcenter.

"Hello, my name is Mr. Scrabble. I have a new employee, and we're going around to each office for the newcomer's tour."

3/4 of the offices let him in, gave him the tour (which was probably classified as well). At our shop, we actually called the security police and then were given kudos for actually following the rules.

Elaborate features don't keep you safe, what you need is to think things through:
Re: The Direct Approach
2007-02-05 14:57 • by muttonchop (unregistered)

116444 in reply to 116440
I used to work for a large research facility. The building I worked in had two sets of doors at the main entrance, an inner door and an outer door. The inner door was locked at all times, and employees had to enter a code into a keypad to gain entry. The outer door was left unlocked during the week. Between the two doors was a window looking into the receptionist's office and a telephone, so any guests arriving could either ask the receptionist to open the inner door, or phone someone to come and let them in.

About a month after I started working there, it was decided that the keypad system wasn't secure enough and that it should be replaced with a badge reader instead. We were all issued new access badges, and the reader was installed. On the outer door. Now that it was no longer needed, the keypad on the inner door was removed, so it remained unlocked at all times.

However, we had a problem. Guests still needed to be able to gain entry to the building, so to accommodate them the outer door was left unlocked during the week. To sum up, we went from an unlocked outer door and a locked inner door to two sets of unlocked doors, because the old system was not secure enough.


See also How to break into a high security data center.

If you hire someone like me, I'll emphasize choosing a security policy that will actually get followed. It may not be the cheapest and it may not be the most impressive, but the security measures you can live with day by day are the only ones that will do you any good.
