06.12.07
Can We Have Security Without Idiocy?
One thing that we often see in the IT field is someone starting to obsess about network security. They then want to layer firewall on top of firewall, anti-virus on top of anti-spyware, with plenty of pop-ups warning about pings and other network traffic directed toward the user’s computer.
I certainly do not advocate that someone allow their systems to go unprotected. There is a place for automated defenses–anywhere that human intervention would be ineffective, such as rapid-response situations or frequent but minor events–but the truth is, motivated humans acting upon knowledge are the best defense against malicious activities against the system and network.
I talked about this somewhat on my personal advocacy blog. We have to take reasonable precautions, but at some point, we need to accept some responsibility for our choices.
Already we have people who advocate going to extreme lengths to prevent even the most unlikely scenarios from occurring. Personally, I believe that we can never achieve perfect safety. At some point, we have to give up too much–in terms of freedom, in terms of happiness, in terms of concentrating power in the hands of our defenders–with only minimal improvements coming as a result.
You can tell that you’ve gone too far when your users willingly give their passwords to the I.T. guy, because he’s the hero. Your I.T. guy’s job is very simple: he must enable the rest of your employees to do their jobs productively. He’s a servant to the others. (Yes, I know that your “I.T. guy” may be female.)
As far as I.T. security goes, your I.T. staffers are just like any other employees. In many organizations, I.T. security is permission based. I am not talking about automated permissions granted through network roles. I am talking about “you cannot print to the plotter without getting approvals from this list of people first.” That describes a permission-based network, which means you cannot do anything that you are not explicitly authorized to do. In such a network, you must be careful not to treat your I.T. staff members as though they are special and exempt from some of the restrictions that everyone else faces.
Beware of making certain people ultra-trusted and powerful, while others (just as vital to your organization) are looked at with suspicion and have their system rights restricted as though they are malicious. Does the CEO have a computer he takes home that can get through the VPN to access data on your main file server? Then consider the rest of your staff: although you want most of your employees to relax and enjoy their time off, they will occasionally have an idea that they wish to work on before they forget it.
“But what if they log in and steal data?”
A wrongly-motivated employee can steal data with flash drives, floppies, CDs, printouts, e-mail, FTP servers, or even old-fashioned methods like rote memorization. You can never prevent a wrongly-motivated insider from finding a way to leak information. Once again, if you distrust your rank and file that much, you should also distrust your executives–after all, the CxOs are the ones most likely to commit the kind of large-scale fraud that brings regulators after the company itself.
So you see, it is sheer idiocy to arbitrarily label some employees as trusted and others as untrusted. Does it improve security? Of course not, because the trusted ones now have far greater leeway and access, enabling a wrongly-motivated employee to cause much more damage.
As on my personal blog, this is going to be a series of articles (blog postings).
Next time, I hope to look at the idea that computer and network security is completely different from physical security.
MANDATORY DISCLAIMER:
Let me note that I am not a security guru or security consultant. I read news and articles about I.T. security, but this does not give me the background to offer a substitute for a real security guru’s advice. I recommend that your business, at some point, look into ways to make your network more secure.
Working @ WebConnectConsulting.com » Security Without Idiocy, Part 2 said,
July 14, 2007 at 21:21
[...] For the first part of this series, check out “Can We Have Security Without Idiocy?”. [...]