The ability to react
During a recent conversation I found myself debating the difference between reacting and overreacting. Someone was telling me a story about work: after a certain security incident, they reacted by putting users on “complete lockdown”. They used this incident to push through all the security measures they had been trying to implement (and then some) but had not been able to get approved otherwise. This person was touting how great it was and how screwed the users are with the new policies in place. I like to shake the cage, so I simply said that you don’t often hear people bragging about when they overreact to a situation. This raised some eyebrows (as intended) and opened the door for discussion to get my point across.
All the snow we have received lately reminded me of an incident many years ago where the difference between reacting and overreacting would have yielded very different outcomes. I was about 17 or 18 at the time and had my younger brother riding shotgun. The roads were covered in snow and it was damn cold, so ice was a factor. Being young and dumb, I was traveling a bit too fast on this particular road given the conditions, but that is a topic for another day. Anyway, we came to a bend in the road and I lost control of the car (FWD with all-seasons, so not too difficult). I wanted to go left and the car wanted to continue on its path straight into the trees, a classic understeer situation. Almost as smooth as James Bond himself, I used the brake to control the back end and the gas to regain traction while keeping the steering wheel pointed where I wanted to go. It wasn’t long before all was well again. Why? Because I didn’t panic. In that situation many people would have overreacted and either sent the car spinning uncontrollably or just plowed into the trees. I reacted to the situation quickly and appropriately. I still remember my brother’s reaction during and after this little incident. He thought I was the most amazing driver, and most certainly thought those trees were going to have company.
I think the ability to react to any type of situation, in a quick and timely manner, is extremely important. Let’s not forget, however, that reacting APPROPRIATELY is probably the most important aspect. Forcing users into “lockdown”, as he put it, was not the appropriate reaction. They had a small issue that, had they spent 2 minutes to think about the situation, could have been dealt with quietly and without interruption to the business. Instead they overreacted. There were memos with jargon that no one could understand sent out to all users, forced password changes for all users – without notification, shutdown of all VPN access, heavy content and protocol filtering enabled, changes to access lists (improperly, I might add), and last but not least… removal of admin rights on all users’ local machines via Group Policy. There were some other smaller, yet still annoying, things; I just can’t remember what they are at the moment.
Some of the items they implemented should have been in place already. Some aren’t bad ideas if you can get buy-in. Some are just dumb. So you must be wondering what the incident was. Well, I am going to tell you. Apparently ONE user was password protecting MS Office documents with the same password he used for his network account. He then sent one of these documents off site to a group of people collaborating on a project and followed up with the password to everyone. To the user’s credit, he realized at this moment that there are many issues with what he did and quickly approached the IT Department to ask how to change his password. Rather than helping this guy, looking back at logs, and reminding users about password policies, they panicked. They sold the story up the ladder that accounts had been compromised and that immediate action needed to be taken to ensure the company would be secure. At first I thought they embellished to management just to get approval for their security measures. This is not the case though, as this person tried justifying all of their measures. He honestly thought it was the best course of action.
Going live with security measures just because you can, without understanding the ramifications, is not going to cast you in a positive light. You are going to piss off an awful lot of employees, disrupt business, and look like the crazy IT department. Now, there are certain situations where “lockdown” is necessary; hopefully you do not encounter many of these. In this situation, however, they simply overreacted to an issue.