Wednesday, March 11, 2009

How is that not compromised?

How confusing. According to the Ministry of Justice, Jack Straw in particular:
Central records show that, for this period, 41 staff have been subject to disciplinary action for breaches of IT security policy. The types of incidents involved would have included, but not exclusively, mis-use of email, internet browsing, incorrect use of passwords and login details. None of the incidents compromised the integrity of the Department's systems.
I put that bit in bold because it seems a tad contradictory. If someone has been disciplined for incorrectly using login details and passwords to a system, how exactly can it follow that the integrity of the systems was not compromised?

It has though just occurred to me that this response is from Jack Straw, whose own constituency email was hacked, compromised and royally rooted in an epic fail.


Anonymous said...

"Disciplinary action" can mean anything from a verbal ticking off to sacking.
I don't know the details of what was announced or done but I can imagine scenarios that fit the Department's description quite easily:

Imagine someone sharing a username/password with someone else for convenience one day, e.g. giving it to a new joiner who had yet to be set up, or someone who had locked their account and needed to do something urgently before it could be unlocked. Imagine the other person was suitably authorised to have access to the material they went on to use - at the same level of authorisation as the account they borrowed. All of that means that no actual material damage took place - no one saw or did anything once logged in they couldn't have done. The misdemeanor is to share an account/password.

It's exactly the kind of thing that happens from time to time in organisations - and which gets dealt with like this when discovered.

Before trying to create heat around announcements like this, a bit of light is needed first from something other than flames.

I don't work in the Dept - or indeed in the civil service.

dizzy said...

A perfect display of knowing nothing about information security principles and data integrity.

dizzy said...

Let me add to that: if Person A uses Person B's credentials then Person A will, as far as the system is concerned, be Person B, and thus any act will be catalogued by the system as those of Person B. Even if Person A has the same access level as Person B, the system's integrity is compromised by that fact of personation.

Chris Paul said...

Cos it's something like logging in a colleague you've known for like five years with your pw 'cos they've temporarily forgotten the piece of paper they have it scribbled on - backwards natch - and you don't want to wake up the grumpy IT support man/disturb the IT support man from his blogging/porn/tweeting.

When will you learn to trust again?

Sam Duncan said...

I think it's probably another case of civil service language. To you as a professional or me as an amateur geek, if a password is "misused" it follows that security has obviously been compromised. It hasn't necessarily been breached, but the likelihood of that happening has been increased. However I suspect that to the civil service, "compromised" == "breached".

Call it lying if you like. I would.

Anonymous said...

Probably a manager demanding an employee's log in details to check an email because they can't be bothered to go through the proper procedure.

Last sentence is bollox after what they have written in the rest of the paragraph.

Infosec should be left to professionals. Never mind elected members, even IT folk can talk a load of balls about security.

dizzy said...

Chris Paul has excelled himself here. In one reply he's shown first that he knows bugger all about infosec and secondly knows bugger all about what I do as a job.

Anonymous said...

Quite agree Dizzy, in the world of IT security - trust no-one. Just because Chris Paul is apt to trust colleagues that he has known for 5 or more years, that doesn't mean said colleague may/may not have malicious intent when asking to be logged in.

As a former SWIFT admin person, wild horses wouldn't have dragged my SWIFT key out of me to allow someone else to login.

Chris, did you apply for the job at Twycross?