One of my first “real” jobs in security back in the ’90s was working as an IT security engineer for a government contractor and internet backbone provider. One of our tasks was finding people who bridged the internal network with the internet. We found one guy who had been running his own ecommerce business on our external network. He showed up on our scans because he had two network interfaces on his machine, one connected to the external network and one connected to our internal network. He didn’t seem to understand that if there was a network vulnerability on his machine, he was compromising our internal network by bridging the firewall.
When he requested an external network connection, he had signed a form acknowledging that he knew the risks and that he would not bridge the internal network. The penalty for such an egregious policy violation was termination. But HR refused to terminate him. We disconnected the network and shook our heads, saying, “Policy without enforcement means he or someone else will just break the policy, knowing there is no recourse.” About six months later we detected him bridging the network again. Again, HR refused to enforce the security policy with termination. I left the company, but I would place a bet that there is a nice bridge in their internal network right now.
We also found a contractor with a home ISDN line connected to our internal network on a machine that also had a DSL line connected to the internet. That contractor was quickly removed from the contract because the contracting company didn’t want to lose their contract. This fact was well publicized through the company grapevine so people could see there were consequences, well, at least for contractors.
The sign at the top of this page has the text “Please” and no consequences for violations. Guess what? The sign is ignored.
Written by: Chris Wysopal