Zenith2017 t1_jad3agv wrote

Your question is on point and well directed. The county should have more controls in place to begin with, 100%. But security always has an inherent trade-off.

My only answer is that it takes a lot of manpower, money, and red tape to effectively control devices like that. Remember, while Lancaster County IT and security folks are taking directives passed by CISA as well as the state, they're pretty much on their own for actually implementing and controlling stuff like that. It's not like they get some PA or fed-sponsored software that does what they need; as I understand it's on the county to contract with vendors and implement their tech.

Yes, it's very simple and not too staggeringly expensive to lock down these devices with JAMF or whichever solution. But, that also comes with a ton of downside. You now have tickets and calls and ornery users and delays resulting from needing your help desk folks to go resolve app install requests. You're worried about where these packages are sourced from, so you're either maintaining your own repos which is a ton of work, or trusting the app store. You might be manually maintaining a whitelist of apps users can install without further authorization, and you still need to have a mechanism to actually stop them from breaking the rules.

Security comes from a simple idea, but the reality of making it happen is WAY more complex, especially in a government environment where change will take years or decades. I mean, look at the timing of this announcement, versus the exposés published ages ago showing how TikTok aggressively harvests metadata and could previously even see the contents of your clipboard. It took all that time for a decision to be made and a control to be implemented.

1

No-Setting9690 t1_jad4y2j wrote

Been in IT almost 30 years. Locking down a cell phone is quite easily managed with the correct software. What you stated is correct on why they usually don't do it, but it's not an excuse they should ever make.

It's not an if, but a when they will be hit. It only takes one user to make you have a very bad day.

2

Zenith2017 t1_jad7wmq wrote

Oh I'm painfully aware of that last part...

1

No-Setting9690 t1_jad8ng1 wrote

Same here. Way too many 8-second calls that should have happened turn into an IT nightmare.

2

Zenith2017 t1_jad9y77 wrote

I toil day after day to make and implement effective security detections, and then customer gets pwned because a fricken domain admin just says yeah whatever go ahead to getting spammed with 100 MFA pushes they didn't initiate. 😭🙃🥺🫠

2

No-Setting9690 t1_jadaj1z wrote

That's very sad and funny at the same time. Quality of admins today is not the same. Too much Googling, not enough effective knowledge.

2