The Weakest Link: Part II
Keeping your users informed and involved can save your network.
You just can't ignore the human element -- the user factor. You can have the
best hardware and software configured precisely as it should be to secure your
network, and an uneducated user can leave the door wide open. You have to understand,
listen to and train your users. They're truly your last line of defense.
As with last
month's column, each of the tales I'm recounting here actually happened
to a friend or family member. Don't repeat their mistakes and ignore the user
factor: That's all it takes to leave your network wide open and vulnerable.
Do It Yourself
Things have gotten better at Fred's office since a nasty virus incident brought
the whole company to a halt. Like everybody else, though, the company is experiencing
exponential growth in the amount of inbound spam. Budgets are tight, but the
IT staff has finally implemented an affordable mix of solutions that seem to
work and don't require a lot of administrative overhead. It almost sounds too
good to be true -- and indeed, it is.
While it's ideal for the IT staff, the spam-blocking mechanism isn't very secure.
It has also resulted in extra work for users, and even has a negative impact
on the company's bottom line. Here's what the IT department came up with: First,
a free, open-source program on the mail server intercepts and deletes obvious
spam. The program's settings are configured rather conservatively to prevent
false positives, so there's still a moderate amount of spam that arrives in
To shield users from the resulting clutter, a second filter on the server divides
the e-mail into two groups. Messages from people on a user's whitelist of approved
senders go straight to the inbox. Everything else is moved to a spam folder.
Fred has added me to his whitelist, so he gets e-mail from me immediately.
However, incoming e-mail from new customers ends up in his spam folder. Following
the company's IT guidelines, Fred looks through his spam folder at least once
a day to identify legitimate messages. He clicks a button that moves the message
to the inbox and adds the sender to his whitelist. Any future e-mail from that
sender is immediately delivered to the inbox.
The three minutes each day that Fred spends sorting through potential spam
doesn't seem like much, but it adds up to one hour over the course of a month.
When you multiply how much it costs the company to employ Fred for one hour
and multiply this by the number of employees who have to do the same thing each
day, it becomes obvious that this method of spam filtering isn't that cheap
after all. It also hinders productivity because it delays delivery of potentially
Security isn't as tight as it should be, either, because this scheme doesn't
allow for central monitoring and it's error-prone. Hurried employees may easily
misclassify a message or be tempted to open spam. The lesson here is that network
security measures should never rely on end-user decisions. They should be as
centralized as possible and carefully managed to facilitate early problem detection.
Mark and most of his colleagues are a little older and haven't yet made the
move to portable digital music players. While working in their cubicles, they
often plug headphones into their computers and listen to CDs. Last year, the
IT department became concerned about the risk of malware getting into the network
from CDs and other removable media.
As a result, a new company-wide policy stated that employees are no longer
allowed to insert any removable media, including CDs, into company computers.
Mark and a few of his colleagues comply with the policy, but they aren't very
happy that the IT staff effectively prevented them from listening to music.
Others simply continue to listen to CDs when nobody from the IT department is
around. This means that the new policy hasn't eliminated the threat, but only
served to confirm the commonly held negative view of IT.
Security measures are only effective when you can enforce them. Sending out
a memo is not an effective enforcement mechanism. If users disagree with a policy,
they'll find ways to circumvent or ignore it. If the IT staff at Mark's company
occasionally mingled with other employees, they'd understand that everyone wants
to keep the network secure, but that most co-workers can't fathom how their
music-listening habits could be a security risk.
A good alternative to that policy would have been a more flexible -- but enforceable
-- solution that addresses user needs as well as security. Software that blocks
access to data CDs while letting you play music CDs is a good example. Not all
policies can be enforced using technical means, though.
Whenever security depends on users, it's important that these policies don't
impede productivity or existing workflows. Everyone has to understand the reasons
for every policy so they'll be motivated to comply.
Last Line of Defense
Feeling like the king or queen of your network may feel nice for a while. As
in most monarchies, though, it gets harder in the long run to face your subjects'
hostility and keep them in line.
A better approach is to see them as partners. Try to understand your co-workers'
needs and make an effort to keep them involved. In turn, they'll be much more
likely to help you keep the network secure. Proper training will help them do
this effectively. This means you'll have to invest some time in designing training
that's both relevant and interesting to your colleagues.
The users can be the weakest link -- it's up to you to make them the strongest
link. Over time, you'll realize this is a worthwhile pursuit.
Users are the last line of defense for your network. Your primary job is to
stop any threats before they get to that line. If everything else fails, you
will need to be confident that everyone in your organization is prepared and
willing to help you keep the network secure.
Joern Wettern, Ph.D., MCSE, MCT, Security+, is the owner of Wettern Network Solutions, a consulting and training firm. He has written books and developed training courses on a number of networking and security topics. In addition to helping
companies implement network security solutions, he regularly teaches seminars and speaks at conferences worldwide.