BYO computer at Suncorp

Discussion in 'Business & Enterprise Computing' started by WRC, Mar 29, 2011.

  1. one4spl

    one4spl Member

    Joined:
    Dec 9, 2005
    Messages:
    428
    Location:
    Jamboree Hts, Brisbane
    I know, I've worked in both - along with police, utilities and government, all are special in their own kind of way, too.

    That doesn't mean that something that has been tested out and proven in the easy-win world of education will never make it into other areas.

    Like I said, pick and choose. It's not as if finance companies (or anyone) can carry zero security risk - they just know their risks and manage it.
     
  2. Disco_Stu

    Disco_Stu Member

    Joined:
    Apr 10, 2002
    Messages:
    580
    Location:
    Ipswich, Qld
    Riddle me this mr Suncorp-headline generator?

    Rather than set up a strong corporate AV/firewall solution and have a standardised, easy-to-support network, you will allow SOME users to bring in their own machines...

    So little miss pink laptop rolls in at 8.30 ready for work. Sits down. Connects to the network, starts working... Firewall locks her out because of the million viruses on her machine from Facebook.

    She puts her hand up, calls IT. They see what's going on...

    Do the IT support then try and troubleshoot/FIX her home PC? Do they charge for this? Do they have to lickety-split get down there with a spare machine for her to use?

    I can see the paper benefits of this. But then I see how it would go down in practice, and it falls to pieces.
     
  3. dave_dave_dave

    dave_dave_dave Member

    Joined:
    Mar 17, 2004
    Messages:
    2,867
    Location:
    Gold Coast
    So I spoke to my little brother about what's happening at Suncorp.

    It's a big drama internally and they are not prepared for it in any way at all. The reason they brought this in is because some of the higher-ups are Mac fanatics and want to be able to use their Macs and iPads on the corporate network. The people in charge of the network refused to allow Apple products to connect to the network due to security concerns and having to train / employ a lot of new staff to deal with it, so they pushed through this policy under the guise of "saving money" when all they really wanted to do is be able to use Macs on the network.

    He said it's a huge fuckup in progress.
     
  4. Annihilator69

    Annihilator69 Member

    Joined:
    Feb 17, 2003
    Messages:
    6,082
    Location:
    Perth
    If you use a Mac and then you log in to your Citrix terminal, how is that any different compared to using a PC, except for I guess using a Mac keyboard and mouse?
     
  5. lavi

    lavi Member

    Joined:
    Dec 20, 2002
    Messages:
    4,004
    Location:
    Brisbane
    because Macs are evil; anything that a self-centred MCSE-certified grad doesn't understand is evil

    and yup, I'm typing this post on a Mac

    humour me this:

    the only way to access Suncorp systems is via a Citrix gateway
    the only way to log in is with user/pass and token (two-factor authentication)
    every network port is in security mode, as in every port can only talk to two servers: DHCP (which would be DNS as well) and the Citrix gateway

    now how is this not secure? I'm pretty sure they will want every machine to have the latest antivirus installed with the latest definitions, and that can easily be enforced

    yes it would be cheaper to give everyone thin clients BUT those clients cost money and need to be refreshed; the way I see it they will make money with this, as most users will bring in laptops which use fuck all power compared to a desktop, and most users are not quite as dumb as one thinks; yes there are some really retarded users out there but most are OK

    this also means the end users will look at their laptops as a tool, not as a random item they use for Facebook, hence they will be a little more careful with it and what they install on it, as if you don't have it working you might not work that day and not get paid

    on the flip side, with all those Mac users ... gee, even better, they don't need to take a charger with them as most MacBook Pros last a full day on battery (mine does), so less money on power.

    they will end up being more productive overall, as you work better on what you're used to; yes they will have the dumbshits but there is always a thin client terminal for them

    Like I said ... I see this working just fine for Suncorp; most support admins and shit are worried they will lose their jobs and make a big fuss over it, toughen up princess
     
  6. lavi

    lavi Member

    Joined:
    Dec 20, 2002
    Messages:
    4,004
    Location:
    Brisbane
    my point exactly, let users bring their own laptops = low power bill
    their network can support security right now, so what's the problem? I'm pretty sure most of their shit is way above PCI standards, and with each user using two-factor auth then really it's not a bad option
     
  7. GiantGuineaPig

    GiantGuineaPig Member

    Joined:
    Oct 23, 2006
    Messages:
    4,027
    Location:
    Adelaide
    I think you might have gotten confused on the last bit; I actually said it above in response to gords' comments above that, but also, re-reading it, it wouldn't stop the capture of whatever gets typed out while someone has malware.

    Anyway, as always I agree with all your comments IACSecurity, including that companies' *legal* don't have high security :)

    Lavi - I agree that Macs don't matter for this example, but I don't see how bring-your-own-computer would be more productive, when all you're doing is connecting to a Citrix environment.
     
  8. Phido

    Phido Member

    Joined:
    Jun 20, 2003
    Messages:
    7,377
    Location:
    Dark City
    This is what happens when IT does not care about users' requirements.

    Maybe there is some specific Mac-based financial software, or graphic design software. Or the fact that Apple does make some compelling products (laptops etc) that, due to the blanket "we do not buy", is ignored.

    I don't know why IT people think they are at the top of the food chain. Yes, your area is IT, but if you're a dick, at some point you will get squashed. IT is a tool, it's not the most important aspect of a business.

    The days of being Bastard System Operator from Hell are over. I'm sure there are plenty of people outside of the IT depts in corporations that know a great deal about IT. IT is now a commodity; if you're not doing your job well, then firings, outsourcing, open computer policies etc are all possible.
     
  9. Mac

    Mac Member

    Joined:
    Aug 1, 2001
    Messages:
    762
    IT needs to make decisions primarily on the business requirements, not what the users want.

    The objections to the system Suncorp wish to put in place aren't because IT guys are being tools, it's because unmanaged end points can't be effectively secured.

    In this instance, end points really must be secured. They must be secured because we're talking about a billion dollar Insurance and Financial Services company...
     
  10. GiantGuineaPig

    GiantGuineaPig Member

    Joined:
    Oct 23, 2006
    Messages:
    4,027
    Location:
    Adelaide
    I am not a fan of anyone who calls themselves a BOFH, it's very unprofessional and they shouldn't have a job.

    Mac-based financial software? I'd be very surprised if any enterprise solution existed that was Mac only.

    Also, there's nothing wrong with Mac hardware (apart from the pricing). There's no risk in having the hardware, it's the OS. Get a Mac and put Windows on it, all good - it's as manageable as any other PC in the company.
     
  11. Lukenet

    Lukenet Member

    Joined:
    Oct 4, 2002
    Messages:
    535
    Location:
    Brisbane
    Give me access to a client "BYO PC or Mac" with a keylog tool and a packet sniffer app and I will show you how insecure your little Citrix world is. PS. I am also typing this on a Mac, but I am not deluded into thinking it is secure..
     
  12. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    43,112
    Location:
    Brisbane
    So let's play hypothetical, and say that the end user bringing the laptop in from home has no idea about the basics of practical security (not difficult to imagine, as it's true for most end users regardless of their platform of choice).

    Now say that same end user has picked up a simple trojan keylogger. Say that every single keystroke they're typing is being picked up and logged. Then, hours later when they get back home and log on to their totally unsecured home network, the whole thing is packaged up and sent to some foreign botnet.

    The end result is this: nobody gives a shit how secure the Citrix setup is. It can be the most well patched, up to date amazing thing you've ever seen. They can employ all of the most whiz-bang 802.1X network level security, DLP and application level security inside their network. As soon as outside devices are brought into the picture, risk is added.

    Keyloggers are getting more and more sophisticated. There are even ones now that capture screenshots per mouse click (in a bid to get around visual security systems - like many banks that require a visual keyboard to enter a PIN).

    The end result is always the same - if you only secure half of the "end to end" system, then you've still got a security risk.

    All this chatter about securing up Citrix and ensuring the internal network is secure is all well and good. But the moment a client device gets owned, you face the very real risk of someone, somewhere knowing something about the internals of your network.

    Take the latest RSA breach, for instance. How did the attackers get in? Did they breach RSA's two factor auth? No. Did they attack some web-facing application? No. Did they break in through a firewall or other externally facing network point? No.

    So how did they do it? They sent an email to RSA employees that contained an XLS file, and inside that an infected flash file. That owned a handful of machines, and gained them access inside the network.

    One would argue that of all the companies in the world, RSA should be the pinnacle of security. What it did show was that they had some very obvious weaknesses in their "end to end" security design - most notably the fact that their client machines weren't patched.

    This new Suncorp idea is adding huge amounts of risk. They're essentially asking anyone to bring anything from outside with no guarantee that they've met any level of patching or security compliance. And again, who gives two shits if they are only accessing things through Citrix - a simple keylogger/screengrabber app is all it takes to siphon information from critical systems. Whether that information is primary (customers' private details - TFN, address, date of birth, etc - enough to start basic identity fraud), or secondary (usernames/passwords to internal systems, which can then be fed to people working inside the network).

    Suncorp is a huge target for organised crime. Anyone who doesn't think so is deluding themselves. When their systems access both banking and insurance information, the wealth of information they have inside those systems is insanely valuable to the right people. Any system that invites people to attach devices to their network (even via Citrix) is posing great risk to the overall security of the company.

    I've worked for far smaller financial companies that wouldn't risk Citrix access due to even smaller risks. I've said it before and I'll say it again: Suncorp's IT executives are idiots, and I sure as hell wouldn't have either my banking nor insurance with that company after reading some of the things I have in the last 5 years.

    I also know some people who are at the top of their game when it comes to sysadmin and technical security positions. Those people have had the misfortune to work for Suncorp, and have since left. Their advice to me is the same: avoid the place like the plague, no matter how good the money. I have been offered roles at Suncorp, and my response has always been the same: "thanks, but no thanks". If pushed by recruiters as to why I reject their offers, I inform them politely of their terrible reputation for technical best practices and security, and leave it at that. What's interesting is the response from recruiters: "yeah, we hear that a lot".
     
  13. chopstick9558

    chopstick9558 Member

    Joined:
    Nov 8, 2004
    Messages:
    50
    Maybe they should think about hiring a consultancy firm to do some internal pen testing, just to show how 'secure' their BYO environment will be :thumbup:
     
  14. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    43,112
    Location:
    Brisbane
    Those are the people whom it does happen to. And generally they're the ones who have signed off on some shitty security system, taken their pay check and buggered off to leave some other poor sap to clean up.
     
  15. bcann

    bcann Member

    Joined:
    Feb 26, 2006
    Messages:
    6,008
    Location:
    NSW
    Having not read the previous 7 pages, why would they care about refreshing their fleet if they are enforcing a virtualised environment anyway? You could pretty much connect with a Pentium 1 and it wouldn't matter.

    Then there is the heartache of some fucknut bringing in a box with ICS on it and the associated support costs of that crap.
     
  16. lavi

    lavi Member

    Joined:
    Dec 20, 2002
    Messages:
    4,004
    Location:
    Brisbane
    so how is a keylogger helping you with two-factor authentication?
    if you run Win7 as a non-admin user, how much safer is the SOE from Suncorp?

    let's be serious

    an average Suncorp monkey gets all his keystrokes recorded ... whoopty do! All his keystrokes get sent to some cracker, whoopty do! What's the cracker going to get? Lots of info? Maybe! His user and pass? Maybe, but without the two-factor auth what can he really do?

    let's look at this realistically :) you all imagine a clapped-out Acer notebook full of viruses on the Suncorp network ... this is not the case; they will most likely ask every user to have, say, McAfee installed, and when they plug it into the network there will be some NAC rules in place where McAfee goes and does an update etc... once McAfee is happy the switch will hop the user onto a different VLAN so he can open up a Citrix session

    who was the moron who said Macs are expensive? You must really think McDonald's is fine cuisine, right?

    Macs are the cheapest high quality tools for your computing environment when you look at the features you get for your dosh ... yeah, you can buy a clapped-out Acer for $700 with an i5, but then the battery only lasts 2.5 hours, the screen suffers from massive light bleeding, it's heavy, looks cheap, need I go on? I said it on this forum before ... for a portable computer, take the MacBook Pro/Air, write down their features and go find something that is better feature for feature and cheaper; there is nothing ... PERIOD

    BOFH?!? Please! Wake up to yourself; don't compare a Nazi sysadmin with a retard system admin ... here is something you should know about Suncorp

    my younger sis works for Suncorp (until last week, as she moved to a competing bank), so here is a little story about their "support and admin team"

    she had to have her Dell replaced as it died; truth is her profile was screwed, but the support gave her a new Dell as they could not be bothered doing anything else. Whoopty do, it failed as the profile had to be rebuilt; they did that, then a duplicate IP came up, so she called them and told them the issue. At the same time her boss said she was using his IP (probably the same thing came up on his PC as well), so now the support was worried as she shares the same IP as her boss and she can see and have access to everything her boss has on his PC .... she told them she can just do an ipconfig /refresh as she had to do it at home sometimes, but they assured her to take the day off as she is a security risk because her PC is now sharing the same IP as her boss's PC. She had 2 days off as they could not fix it on Friday nor on Monday, so she got a new office on Wednesday! And by Friday she had her office back as they fixed the issue

    so yeah .... it would have taken one of us probably 10 min to fix it, not 7 days; the system admins/support there are retards. Now if you're that stupid then fuck! This will not work for Suncorp, but if they actually employ someone who is a little switched on it might work very well.

    It comes down to your support staff and system admins ... they should see this as a good thing, not as a nightmare, as in the end there will be less work for them; unfortunately most are quite dumb and worried they will have to work more or will not be needed, so they all revolt, clinging with their teeth to their job. You're only worried about your job when you feel you're not good enough to do your job ... if you know you can do your job then fuck! Look on Seek and go for it!

    To be honest, NAC and two-factor auth work very, very well. I have done this with Symantec and someone competing with RSA and it worked very, very well: as long as the end user has up-to-date Symantec antivirus and has performed a scan after the last definition update, they are allowed on the public VLAN where they can have some internet access and access to the Citrix gateway. This worked very well; sure, some were complaining it takes 20 min to do a scan, but the other workstations that were not BYO had the same NAC rules

    come to work, turn the PC on, go have a coffee and chat, come back 15 min later and you're sweet! The bonus is when you go home you have a virus-clean system as well (relatively)
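    The admission flow described in the two lavi posts above (the per-port restriction to DHCP/DNS and the Citrix gateway in post 5, and the NAC posture check that moves a device onto the Citrix VLAN only after its antivirus is current and has scanned, in post 16) can be sketched as a small policy engine. The following is an added illustration and is not code from the thread, from Suncorp, or from any NAC product; the posture fields, VLAN names, server addresses and sample endpoints are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Hypothetical posture report a NAC agent would hand the switch on link-up.
@dataclass
class Posture:
    hostname: str
    av_installed: bool
    definitions_updated: Optional[datetime]  # when AV signatures were last refreshed
    last_scan: Optional[datetime]            # when the last full scan finished

# Constructed infrastructure addresses (not Suncorp's).
DHCP_DNS_SERVER = "10.0.0.2"
AV_UPDATE_SERVER = "10.0.0.10"
CITRIX_GATEWAY = "10.0.0.20"

# Reachability per VLAN as (dst_ip, proto, dst_port); anything not listed is dropped.
# "quarantine" is the pre-auth state: enough to get an address and fetch signatures.
# "public" is the post-auth state: the same plus the Citrix gateway.
ACL = {
    "quarantine": {
        (DHCP_DNS_SERVER, "udp", 67),    # DHCP
        (DHCP_DNS_SERVER, "udp", 53),    # DNS
        (AV_UPDATE_SERVER, "tcp", 443),  # signature updates only
    },
    "public": {
        (DHCP_DNS_SERVER, "udp", 67),
        (DHCP_DNS_SERVER, "udp", 53),
        (AV_UPDATE_SERVER, "tcp", 443),
        (CITRIX_GATEWAY, "tcp", 443),    # reachable only after posture passes
    },
}


def evaluate_posture(p: Posture, now: datetime,
                     max_definition_age: timedelta = timedelta(hours=24)) -> Tuple[str, List[str]]:
    """Return (vlan, reasons). The checks are the three from the post: AV present,
    definitions current, and a scan completed after those definitions arrived."""
    reasons: List[str] = []
    if not p.av_installed:
        reasons.append("antivirus not installed")
    else:
        if p.definitions_updated is None or now - p.definitions_updated > max_definition_age:
            reasons.append("definitions older than %s" % max_definition_age)
        if p.last_scan is None or (p.definitions_updated is not None
                                   and p.last_scan < p.definitions_updated):
            reasons.append("no scan since last definition update")
    return ("public" if not reasons else "quarantine", reasons)


def flow_allowed(vlan: str, dst_ip: str, proto: str, dst_port: int) -> bool:
    """ACL lookup for the VLAN the port was placed in; default deny."""
    return (dst_ip, proto, dst_port) in ACL[vlan]


# Constructed sample endpoints, evaluated against a fixed clock.
NOW = datetime(2011, 4, 4, 8, 30)
HEALTHY = Posture("alice-macbook", True, NOW - timedelta(hours=2), NOW - timedelta(hours=1))
STALE_DEFS = Posture("bob-acer", True, NOW - timedelta(days=3), NOW - timedelta(days=2))
NO_SCAN = Posture("carol-dell", True, NOW - timedelta(hours=2), NOW - timedelta(hours=5))
NO_AV = Posture("dave-netbook", False, None, None)


def admit(p: Posture, now: datetime = NOW) -> dict:
    """Full admission decision for one endpoint: VLAN, why, and what it can reach."""
    vlan, reasons = evaluate_posture(p, now)
    return {
        "host": p.hostname,
        "vlan": vlan,
        "reasons": reasons,
        "citrix_reachable": flow_allowed(vlan, CITRIX_GATEWAY, "tcp", 443),
        "av_update_reachable": flow_allowed(vlan, AV_UPDATE_SERVER, "tcp", 443),
    }


if __name__ == "__main__":
    for endpoint in (HEALTHY, STALE_DEFS, NO_SCAN, NO_AV):
        print(admit(endpoint))
```

    Note what this does and does not cover: a device in quarantine can still reach the update server, so it can remediate itself and re-run the check, which is the "go have a coffee and come back" loop lavi describes. What the posture gate cannot see is the point elvis makes: a device that passes all three checks and then has its keystrokes or screen captured is admitted to the public VLAN like any other, so the check reduces the population of obviously unhealthy endpoints rather than proving a device is clean.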
     
  17. lavi

    lavi Member

    Joined:
    Dec 20, 2002
    Messages:
    4,004
    Location:
    Brisbane
    that takes too long .... 3 hours of social engineering and you can do much much better! hell it's amazing what a well dressed size 8 woman with C cups can do to senior management and she only costs a grand a day! no need to wait 6 months, what you said can be done in 2 weeks with some planning then 3 hours of her time.
     
  18. Mac

    Mac Member

    Joined:
    Aug 1, 2001
    Messages:
    762
    where's my popcorn... :D
     
  19. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    43,112
    Location:
    Brisbane
    Suncorp IT management aren't after business benefits. They're after PR and more articles on ZDNet.

    It's clear announcements like these are not made for the good of their staff. They're made entirely to get attention from outside.
     
  20. Zardoz

    Zardoz Member

    Joined:
    Jun 28, 2001
    Messages:
    2,174
    Location:
    Melbourne
    Many organisations are looking at moving in the direction where BYO PC and services hosted in the DC ("the cloud" in this case) are the methodology used. The idea here is to also reduce the cost of the network, which at present is usually a very high operating cost to the company, especially wired ports to every desk. The network will start to transition to wireless; let's face it, a decent 802.11n wireless LAN is sufficient for most corporate use these days.

    The network will start to look like an ISP again - open access everywhere, or at the very least, a private VLAN where you can only talk upstream. It's simple, because all your security (ACLs etc) resides in the DC.

    Want to know where this model is already working? Look at a university... students access the network via wireless, typically a secured 802.1X authentication, then they access their applications via a web browser (typically an intranet, Google Docs etc). Support is no different to an ISP - they support how to connect these devices to the network and that's that.

    I'm told that while Cisco do not support Macs on their corporate infrastructure, the penetration of their fleet is about 50/50. Apple equipment is peer supported, via a very large and active wiki, where I'm told questions are answered in seconds. This level of support may even exceed the official channels for their Windows SOE...

    Edit: Most of us use the same banks with the same username and password login (and sometimes, two-factor auth such as SMS tokens or RSA tokens). These are the same banks that CEOs use who have millions of dollars of resources to manage. So please, can we put the security argument to bed?
     
    Last edited: Apr 4, 2011
