Protecting Users Against Themselves
As an IT administrator, security advisor, and computer professional, there are very few items higher on your list in today's networking environment than security. Millions of dollars, thousands of man hours, and a great deal of configuration time are spent fighting the security issues that plague our networks. Unfortunately, there is nothing like a shot of reality to make you question how well a solution is actually working. Recent studies have shown that although security has become a key issue for the IT staff, users are still finding ways to keep things insecure. There are solutions to most of these issues; have you implemented them?
How Your Users View Security
RSA conducted research in late 2007. The survey was carried out by technology professionals on the streets of both Boston and Washington. Typical corporate America users were polled, with routine questions asked about security and the users' own security practices at the office. With Boston and Washington both being large cities full of enormous corporations and more than their fair share of government agencies, the study had more than enough users to poll. The study focused primarily on how users access and use corporate data and how they approach physical access to computers and company assets. The results of the study are shown in Table 1.
Columns: Percentage of Enterprise Employees; Percentage of Governmental Employees
Access work e-mail via a public wireless hot spot
Lost a laptop, smart phone or USB flash
Send work documents to a personal e-mail address so as to access from home
Internal wireless network for use in conference rooms and guest offices left open for use without login
Have held a secured door open for someone at work whom they didn't recognize
Have forgotten access card/key and been let into the building by someone that didn't know them
Have noticed an unfamiliar person working in an empty office in their area of the building
Have asked for identification or otherwise reported the unknown person
Have switched jobs internally and still had access to accounts or resources that they no longer needed
Have stumbled into an area of the corporate network to which they believed they should not have had access
Table 1: Results of how employees answered questions about security at their office
As you can see from these results, the money, time, and effort spent on training employees in the security of technology and assets is not paying off all that well. However, with the correct physical, logical, and written policies, many of these issues can be mitigated even when the user decides to ignore the proper security procedures.
Every IT professional understands that if the physical security of the company is compromised, the assets that are being protected can be jeopardized much faster. Based on the questions that were asked in the study, here are some solutions that can help negate issues related to physical security.
Have held a secured door open for someone at work whom they didn't recognize?
Have forgotten access card/key and been let into the building by someone that didn't know them?
- Implement employee ID cards.
- Have a written policy that forces employees to wear and show ID cards at all times.
- Install ID card readers at every entrance to the building, as well as key egresses inside the building.
- Place a security guard at the main entrance to the building to check ID cards.
- Install cameras at all exterior doors and to key egress points inside the building.
Have noticed an unfamiliar person working in an empty office in their area of the building?
Have asked for identification or otherwise reported the unknown person?
- Like employees, all visitors should be forced to wear Visitor ID badges at all times when in the building.
- With both employees and visitors wearing ID cards, it is easy to spot intruders that should not be in the building.
- Employees should have incentives to report unfamiliar people and enforce ID badges.
- Signs, reminders, memos, etc. should be continually posted to remind everyone to wear ID cards.
Even with the influx of spam, adware, viruses, Trojans, etc. that arrive through e-mail, employees are still not paying attention to the consequences of abusing e-mail. Enforcing a more stringent security environment around e-mail and other network access can help defend against users who do not follow good security practices.
Access work e-mail via a public wireless hot spot?
- Do not provide any access to e-mail outside of the company, unless it is using a VPN or secured connection.
- Configure the mail server to accept and enforce authentication from the local network only.
- Do not allow users to connect to their desktop remotely, unless they first make a connection to the VPN.
Send work documents to a personal e-mail address so as to access from home?
- Enable encryption on all outgoing e-mail.
- Configure attachment-level filters for all outgoing e-mail. These can block specific file types as well as attachment content.
- Configure corporate firewalls to block POP3, IMAP, and other protocols used to retrieve mail from externally hosted personal e-mail services.
- Implement a written policy that prohibits users from accessing personal e-mail while at work.
- Provide education and demos on how outside hosted e-mail sites can be dangerous to the company.
Internal wireless network for use in conference rooms and guest offices left open for use without login?
- Configure all wireless access points to perform one, if not all, of the following:
  - Do not broadcast the SSID.
  - Enable MAC address filtering.
  - Configure higher-level security such as WPA and WPA2.
  - Implement a RADIUS server for authentication; Figure 1 shows this as an example of just one access point option.
- Implement Smart Cards for all wireless network access.
Figure 1: Wireless security can use pre-shared keys and RADIUS servers for authentication
Have switched jobs internally and still had access to accounts or resources that they no longer needed?
- Implement procedures for new hires and job changes that require resource owners to provide a summary of the level of access each employee needs.
- Implement Restricted Groups and Local Users and Groups within Group Policy to control membership in groups, as shown in Figure 2.
- Implement delegation of administration within Active Directory to limit group membership administration.
- Perform regular audits on security group membership.
Figure 2: Local Group membership can be managed using PolicyMaker, Windows Server 2008, or Windows Vista SP1
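The audit of security group membership described above, as an added example that is not part of the original article: it compares each user's security groups against the groups a resource owner has documented for that job title, so access that survived an internal job change is surfaced for review. It assumes the RSAT ActiveDirectory module; the role-to-group mapping, group names and OU path are constructed placeholders.

```powershell
# Added example (not from the article): report security group memberships
# that the user's current job title does not call for.
# Assumes the RSAT ActiveDirectory module. The mapping, group names and
# search base below are constructed placeholders for illustration.
Import-Module ActiveDirectory

# Constructed mapping: job title -> groups the role legitimately needs,
# as documented by the resource owners during hiring / job-change procedures.
$RoleGroups = @{
    'Accounts Payable Clerk' = @('GG-Finance-AP-Users', 'GG-All-Staff')
    'Sales Representative'   = @('GG-Sales-Users', 'GG-All-Staff')
}

function Get-StaleGroupMembership {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][hashtable]$RoleMap
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties Title, MemberOf
    $expected = $RoleMap[$user.Title]
    if (-not $expected) {
        # No documented role: every group is reported so an owner can sign off.
        Write-Warning "No role mapping for title '$($user.Title)' ($SamAccountName); reviewing every group."
        $expected = @()
    }
    foreach ($dn in $user.MemberOf) {
        $group = Get-ADGroup -Identity $dn
        # Only security groups grant access; distribution groups are out of scope here.
        if ($group.GroupCategory -ne 'Security') { continue }
        if ($expected -notcontains $group.Name) {
            [pscustomobject]@{
                User   = $user.SamAccountName
                Title  = $user.Title
                Group  = $group.Name
                Status = 'Not required by current role - review with resource owner'
            }
        }
    }
}

# Run the review over every enabled account in the staff OU and keep a record.
Get-ADUser -Filter 'Enabled -eq $true' -SearchBase 'OU=Staff,DC=example,DC=com' |
    ForEach-Object { Get-StaleGroupMembership -SamAccountName $_.SamAccountName -RoleMap $RoleGroups } |
    Export-Csv -Path .\stale-access-review.csv -NoTypeInformation
```

The CSV is the artifact to hand to resource owners; memberships they do not confirm within the review period are the ones to remove.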
Have stumbled into an area of the corporate network to which they believed they should not have had access?
- Implement an incentive program to promote good security practices, such as rewarding employees who report areas of the network that are incorrectly configured.
- Ensure that NTFS permissions on all network resources include only the proper security groups.
- Implement good user and group practices within Active Directory. Typically, user accounts are placed into groups in Active Directory that are named and used to collect similar user types. Those groups are in turn placed into groups that are named and used to assign permissions, which reside either in Active Directory or as Local Groups on the server that holds the resource. Finally, the resource is configured with the permission-assigning groups.
- Implement Access Based Enumeration for all Windows Server 2003 servers that store data.
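A check for the two practices just listed, as an added example that is not from the article: it walks the NTFS ACL on the root of each share, flags permissions granted directly to user accounts or to overly broad principals instead of through groups, and reports shares that are not using Access Based Enumeration. It assumes a Windows Server 2012 or later file server with the SmbShare and RSAT ActiveDirectory modules, which is newer than the Windows Server 2003 systems the article mentions; the list of broad principals is a constructed starting point.

```powershell
# Added example (not from the article): audit share ACLs for permissions
# that bypass the "assign permissions via groups" practice, and shares
# without Access Based Enumeration. Assumes Windows Server 2012+ with the
# SmbShare and RSAT ActiveDirectory modules.
Import-Module ActiveDirectory

# Constructed list of principals that should not appear on data folders at all.
$OverlyBroad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

function Test-IsUserPrincipal {
    param([System.Security.Principal.IdentityReference]$Identity)
    try {
        $sid = $Identity.Translate([System.Security.Principal.SecurityIdentifier])
        # Get-ADUser fails for groups and well-known SIDs, so success means "user account".
        $null = Get-ADUser -Identity $sid.Value -ErrorAction Stop
        return $true
    } catch { return $false }
}

function Find-AclViolations {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who   = $ace.IdentityReference.Value
        $issue = $null
        if ($OverlyBroad -contains $who) { $issue = 'Broad principal granted access' }
        elseif (Test-IsUserPrincipal -Identity $ace.IdentityReference) { $issue = 'Permission assigned directly to a user account' }
        if ($issue) {
            [pscustomobject]@{ Path = $Path; Identity = $who; Rights = $ace.FileSystemRights
                               Inherited = $ace.IsInherited; Issue = $issue }
        }
    }
}

# Check every non-administrative share on this server.
Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
    if ($_.FolderEnumerationMode -ne 'AccessBased') {
        Write-Warning "Share '$($_.Name)' lacks Access Based Enumeration; fix with: Set-SmbShare -Name '$($_.Name)' -FolderEnumerationMode AccessBased"
    }
    Find-AclViolations -Path $_.Path
} | Format-Table -AutoSize
```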
Many of these measures and solutions are oriented around written policy. The written policy must be strict and clear about both the flexibility allowed and the consequences of inappropriate behavior. Where security is enforced through technical means, some of the solutions will require a change in how users access the network and data. Security has never been easy, fun, or free of complaints. However, if security is not addressed early and often, and if violations carry no consequences, most companies will see results similar to those shown in Table 1, which indicate that security is almost non-existent.