HomicidalHushPuppy t1_ja9mvwi wrote

Why are government employees putting apps like this on government phones in the first place???

61

No-Setting9690 t1_ja9q8fe wrote

Real question is, wtf is it not locked down by IT? If a user can do that, so can a malicious hacker. Seems like zero security is in place.

42

ItsjustJim621 t1_jaa9gcy wrote

I’m one of 7 IT people in my company… if someone wants to even download something as mundane as MS Paint, they need us to remote in and temporarily give them privileges to do so

9

Zenith2017 t1_jad3agv wrote

Your question is on point and well directed. The county should have more controls in place to begin with, 100%. But security always has an inherent trade off.

My only answer is that it takes a lot of manpower, money, and red tape to effectively control devices like that. Remember, while Lancaster County IT and security folks are taking directives passed by CISA as well as the state, they're pretty much on their own for actually implementing and controlling stuff like that. It's not like they get some PA or fed sponsored software that does what they need; as I understand it, it's on the county to contract with vendors and implement their tech.

Yes, it's very simple and not too staggeringly expensive to lock down these devices with JAMF or whichever solution. But, that also comes with a ton of downside. You now have tickets and calls and ornery users and delays resulting from needing your help desk folks to go resolve app install requests. You're worried about where these packages are sourced from, so you're either maintaining your own repos which is a ton of work, or trusting the app store. You might be manually maintaining a whitelist of apps users can install without further authorization, and you still need to have a mechanism to actually stop them from breaking the rules.

Security comes from a simple idea, but the reality of making it happen is WAY more complex, especially in a government environment where change will take years or decades. I mean, look at the timing of this announcement, versus the exposés published ages ago showing how TikTok aggressively harvests metadata and could previously even see the contents of your clipboard. It took all that time for a decision to be made and a control to be implemented.

1

No-Setting9690 t1_jad4y2j wrote

Been in IT almost 30 years. Locking down a cell phone is quite easily managed with the correct software. What you stated is correct on why they usually don't do it, but it's not an excuse they should ever make.

It's not an if, but a when they will be hit. It only takes one user to make you have a very bad day.

2

Zenith2017 t1_jad7wmq wrote

Oh I'm painfully aware of that last part...

1

No-Setting9690 t1_jad8ng1 wrote

Same here. Way too many 8-second calls that should have happened turn into an IT nightmare.

2

Zenith2017 t1_jad9y77 wrote

I toil day after day to make and implement effective security detections, and then the customer gets pwned because a fricken domain admin just says "yeah whatever go ahead" to getting spammed with 100 MFA pushes they didn't initiate. 😭🙃🥺🫠

2
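The "100 MFA pushes they didn't initiate" scenario above is commonly called MFA push fatigue, and it is detectable from the authentication log alone. The script below is an added example written for this thread, not code from anyone in the discussion or from any vendor; the four-field log layout (timestamp, user, event, result) and the sample lines are constructed for illustration. It keeps a sliding window of push events per user, raises a medium alert when the count in that window reaches a threshold, and escalates to high when an approval arrives while a burst is open, since that is the moment a defender most needs to revoke the session.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample MFA log (hypothetical format: ISO timestamp, user, event, result).
# Not real data; the field layout is an assumption made for this example.
SAMPLE_LOG = """\
2023-02-28T08:00:01Z alice push_sent pending
2023-02-28T08:00:20Z alice push_result approved
2023-02-28T22:10:00Z dadmin push_sent pending
2023-02-28T22:10:05Z dadmin push_result denied
2023-02-28T22:10:09Z dadmin push_sent pending
2023-02-28T22:10:14Z dadmin push_sent pending
2023-02-28T22:10:20Z dadmin push_result denied
2023-02-28T22:10:31Z dadmin push_sent pending
2023-02-28T22:10:45Z dadmin push_sent pending
2023-02-28T22:11:02Z dadmin push_sent pending
2023-02-28T22:11:30Z dadmin push_result approved
2023-02-28T09:15:00Z bob push_sent pending
2023-02-28T09:15:40Z bob push_result timeout
"""


def parse_line(line):
    """Split one constructed log line into a dict with a parsed timestamp."""
    ts, user, event, result = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user,
        "event": event,
        "result": result,
    }


def detect_push_fatigue(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per user burst of >= threshold pushes inside `window`.

    An approval that lands while a burst is open marks the alert
    approved_after_burst=True and raises severity to "high": the user has
    most likely accepted a prompt they did not initiate.
    """
    events = sorted(
        (parse_line(l) for l in log_text.splitlines() if l.strip()),
        key=lambda e: e["ts"],
    )
    recent = defaultdict(deque)  # user -> timestamps of pushes inside the window
    burst_open = {}              # user -> alert dict for a burst still in progress
    alerts = []

    for ev in events:
        user = ev["user"]
        if ev["event"] == "push_sent":
            q = recent[user]
            q.append(ev["ts"])
            # Drop pushes that have aged out of the sliding window.
            while q and ev["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                if user not in burst_open:
                    burst_open[user] = {
                        "user": user,
                        "first_push": q[0],
                        "pushes": len(q),
                        "approved_after_burst": False,
                        "severity": "medium",
                    }
                    alerts.append(burst_open[user])
                else:
                    burst_open[user]["pushes"] = max(burst_open[user]["pushes"], len(q))
        elif ev["event"] == "push_result" and ev["result"] == "approved":
            if user in burst_open:
                # Approval during a burst is the high-severity signal.
                burst_open[user]["approved_after_burst"] = True
                burst_open[user]["severity"] = "high"
            # An approval ends the current run of prompts; start counting afresh.
            recent[user].clear()
            burst_open.pop(user, None)
        # Denials and timeouts are left in place on purpose: repeated denials
        # followed by a late approval are exactly the pattern being hunted.

    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOG):
        print(alert)
```

On the constructed log this yields a single high-severity alert for `dadmin` (six pushes in the window, then an approval), while `alice` and `bob` produce nothing. In practice the alert would feed a response action such as revoking the freshly minted session and forcing re-enrollment, and the threshold and window would be tuned against the organisation's own baseline of legitimate re-prompts.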

No-Setting9690 t1_jadaj1z wrote

That's very sad and funny at the same time. Quality of admins today is not the same. Too much Googling, not enough effective knowledge.

2

xeio87 t1_jaayb4u wrote

So the one reason I could see is social media outreach. Many agencies keep a Facebook/Twitter/etc profile for announcements and other stuff. That's about it.

3

Jiveturkwy158 t1_jadgz6o wrote

They don’t have to have the capability to do so for the legal team of the county to make a specific rule to make it abundantly clear that, in case a piece of tech can download (somehow got a permission missed by IT setup), that doesn’t imply the user has permission to.

This is a CYA by the legal team, not a directive from IT.

1