If it *Ain't* turned on, then......

[GlennSprigg]

It always gets me these days, with the number of recent 'incursions' into secure systems.
So many companies/departments have many permanently open 'lines' opened to their Routers.
Accessed either with passwords, or brute-force attacks etc.  I understand why this must be so
at times, for say certain Universities & many departments/companies needing 24-hr access....

I used to work as a Tech for a certain world-wide company, and virtually all my 'customer' base
involved many high security establishments, (including govt. depts), that did NOT need (and deliberately
disabled!) 'constant' real-world access !!  If I needed to 'remotely' connect, when not there in person,
for diagnostics/faults/modifications etc, then LOCAL Security Personnel would be contacted by Phone
first, identification & codewords (& more ) given, and they would Physically turn on the Power to the
Routers/Modems. A time frame was given, and re-contacted when finished!!  Without re-contact, the
power was turned off again.  As my Subject description said......
If it *Ain't* turned on, then NO-ONE can access ANYTHING 

[Rerouter]

1. Design brief built involving carefully thought out segregation
2. System Designer designs it secure and airdropped where possible
3. Begins Construction, Local managers start poking and prodding for extra functionality that require things not be air gapped and begin pushing it up the chain
4. HR and upper management read those things in half context, and want to have a nice dashboard that lets them see everything
5. new hobbled design brief pushed down and some air gapped things end up plugged in for "convenience"
6. IT finds out about the changes too late to stop them and has to fight the next few months / years to get things back closer to the original spec

Ends up being charged 5 times the original brief from inter-office politics.

even found this in automotive incident cameras, you would not believe the level ears perk up at the thought of being able to pull a live stream of a driver they don't like to look for faults, despite said system being built specifically to only talk to a secure storage server and using a heavily locked down interface to pull after the fact clips by authorized users.. Every month a feature request pops up wanting the ability to start a real time video stream on any unit to a web dashboard and to share that stream by a link anyone can watch with no time or data constraints.... 

[soldar]

I posted this story before.

One day I walked from the street into the office and my boss started ranting that his computer had got a virus from my computer located in a different room. He was furious and went on and on and was even more furious when I tried to interrupt. When he was done I told him my computer was not on and had not been on for several days I had been away. Could he explain how it could have transmitted a virus to his machine while it was turned off? He couldn't but somehow someone else must be at fault.

[GlennSprigg]

1. Design brief built involving carefully thought out segregation
2. System Designer designs it secure and airdropped where possible
3. Begins Construction, Local managers start poking and prodding for extra functionality that require things not be air gapped and begin pushing it up the chain
4. HR and upper management read those things in half context, and want to have a nice dashboard that lets them see everything
5. new hobbled design brief pushed down and some air gapped things end up plugged in for "convenience"
6. IT finds out about the changes too late to stop them and has to fight the next few months / years to get things back closer to the original spec

Ends up being charged 5 times the original brief from inter-office politics.

even found this in automotive incident cameras, you would not believe the level ears perk up at the thought of being able to pull a live stream of a driver they don't like to look for faults, despite said system being built specifically to only talk to a secure storage server and using a heavily locked down interface to pull after the fact clips by authorized users.. Every month a feature request pops up wanting the ability to start a real time video stream on any unit to a web dashboard and to share that stream by a link anyone can watch with no time or data constraints.... 

O-K-A-A-Y....  I'll remember that next time I contemplate leaving a router/Modem turned on !!