Been thinking lately about some of the restrictive policies that corporations, .mil, .gov, and some others have when it comes to security.

Does it work?

Where are we at?  

Are all the extremely restrictive policies in your corporate work environment working?  

What can be relaxed?  Why? 

Do firewalls work?  Network based ones?  Host-Based ones?

Does Web filtering work?  Why?  Why are you filtering the web?  Is it because companies don't want people surfing?   Or is it because companies are afraid of the employee going to "hate" sites.  Or, who knows what they are going to bring back into the network from hackerz.com?

Example: Why in some environments, is Instant Messaging banned?  Is it because of the security risk of people transferring files in and out of the network?  The vulnerabilities in the client?  Or, the inability to limit what people are saying and doing?

Example:  I recently ran across an example where iTunes was not allowed on the network because it was considered P2P.  Is iTunes P2P?  Of course not, but here is an example of where reeducation for the "experts" and the loss of "policy for policy's sake" may be helpful.

We'd like to hear your feedback.  What does Security 2.0 mean to you?  We all have our own opinions, we'd like to hear yours!

 Update:  Thank you all for your feedback, please keep it coming.  We've had some feedback from users that have very restrictive environments (I've chosen not to note anyone's name on this diary entry, to protect the innocent), where even higher-ups in the company watch the desktops of all their employees remotely.  Just to see if they are doing something "they" wouldn't want them to.  What is wrong with a little "me" time while at work?  Is it a security risk to allow me to read cnn.com?  What about those people that work from home?  Are they held to the same standard?  Which could bring me to another point... why don't we have more people telecommuting...  but I digress.

We've had some people write in with some very legitamate concerns.  Now, mind you, I am not advocating that you all run out and install whatever you want, and surf wherever you want, I am saying "why do you have these restrictions?"  If you have restrictions for a legit reason (don't want people going to webmail because viruses can possibly get in via that vector), then fine.  If you don't want people to IM at work because you work for a bank (thank you reader for writing in about this), and the SEC doesn't like "unmonitored communications".  There are companies that make programs/software to monitor IM!  Heck, I use Snort/Sourcefire products to do it!  <okay, that was a semi shameless plug>

I get frustrated when I hear a "rule" or a "policy" that is basically in place for policies sake.  (It's like having a post meeting meeting. Or a pre meeting meeting.  Do you really need to have a meeting about the meeting?  Sorry, pet peeve.)

Keep your emails coming!

Joel Esler

http://handlers.sans.org/jesler