Security Advisor
The Weakest Link: Part II
Keeping your users informed and involved can save your network.
- By Joern Wettern
- 12/01/2007
You just can't ignore the human element -- the user factor. You can have the
best hardware and software configured precisely as it should be to secure your
network, and an uneducated user can leave the door wide open. You have to understand,
listen to and train your users. They're truly your last line of defense.
As with last
month's column, each of the tales I'm recounting here actually happened
to a friend or family member. Don't repeat their mistake of ignoring the user
factor: That's all it takes to leave your network wide open and vulnerable.
Do It Yourself
Things have gotten better at Fred's office since a nasty virus incident brought
the whole company to a halt. Like everybody else, though, the company is experiencing
exponential growth in the amount of inbound spam. Budgets are tight, but the
IT staff has finally implemented an affordable mix of solutions that seem to
work and don't require a lot of administrative overhead. It almost sounds too
good to be true -- and indeed, it is.
While it's ideal for the IT staff, the spam-blocking mechanism isn't very secure.
It has also resulted in extra work for users, and even has a negative impact
on the company's bottom line. Here's what the IT department came up with: First,
a free, open-source program on the mail server intercepts and deletes obvious
spam. The program's settings are configured rather conservatively to prevent
false positives, so there's still a moderate amount of spam that arrives in
users' mailboxes.
To shield users from the resulting clutter, a second filter on the server divides
the e-mail into two groups. Messages from people on a user's whitelist of approved
senders go straight to the inbox. Everything else is moved to a spam folder.
Fred has added me to his whitelist, so he gets e-mail from me immediately.
However, incoming e-mail from new customers ends up in his spam folder. Following
the company's IT guidelines, Fred looks through his spam folder at least once
a day to identify legitimate messages. He clicks a button that moves the message
to the inbox and adds the sender to his whitelist. Any future e-mail from that
sender is immediately delivered to the inbox.
The three minutes each day that Fred spends sorting through potential spam
doesn't seem like much, but it adds up to one hour over the course of a month.
When you take what it costs the company to employ Fred for one hour and multiply
that by the number of employees who have to do the same thing each day, it
becomes obvious that this method of spam filtering isn't that cheap after all.
It also hinders productivity because it delays delivery of potentially
important e-mail.
Security isn't as tight as it should be, either, because this scheme doesn't
allow for central monitoring and it's error-prone. Hurried employees may easily
misclassify a message or be tempted to open spam. The lesson here is that network
security measures should never rely on end-user decisions. They should be as
centralized as possible and carefully managed to facilitate early problem detection.
Tune Out
Mark and most of his colleagues are a little older and haven't yet made the
move to portable digital music players. While working in their cubicles, they
often plug headphones into their computers and listen to CDs. Last year, the
IT department became concerned about the risk of malware getting into the network
from CDs and other removable media.
As a result, a new company-wide policy stated that employees are no longer
allowed to insert any removable media, including CDs, into company computers.
Mark and a few of his colleagues comply with the policy, but they aren't very
happy that the IT staff effectively prevented them from listening to music.
Others simply continue to listen to CDs when nobody from the IT department is
around. This means that the new policy hasn't eliminated the threat, but only
served to confirm the commonly held negative view of IT.
Security measures are only effective when you can enforce them. Sending out
a memo is not an effective enforcement mechanism. If users disagree with a policy,
they'll find ways to circumvent or ignore it. If the IT staff at Mark's company
occasionally mingled with other employees, they'd understand that everyone wants
to keep the network secure, but that most co-workers can't fathom how their
music-listening habits could be a security risk.
A good alternative to that policy would have been a more flexible -- but enforceable
-- solution that addresses user needs as well as security. Software that blocks
access to data CDs while letting you play music CDs is a good example. Not all
policies can be enforced using technical means, though.
Whenever security depends on users, it's important that these policies don't
impede productivity or existing workflows. Everyone has to understand the reasons
for every policy so they'll be motivated to comply.
Last Line of Defense
Being the king or queen of your network may feel nice for a while. As
in most monarchies, though, it gets harder in the long run to face your subjects'
hostility and keep them in line.
A better approach is to see them as partners. Try to understand your co-workers'
needs and make an effort to keep them involved. In turn, they'll be much more
likely to help you keep the network secure. Proper training will help them do
this effectively. This means you'll have to invest some time in designing training
that's both relevant and interesting to your colleagues.
The users can be the weakest link -- it's up to you to make them the strongest
link. Over time, you'll realize this is a worthwhile pursuit.
Users are the last line of defense for your network. Your primary job is to
stop any threats before they get to that line. If everything else fails, you
will need to be confident that everyone in your organization is prepared and
willing to help you keep the network secure.
About the Author
Joern Wettern, Ph.D., MCSE, MCT, Security+, is the owner of Wettern Network Solutions, a consulting and training firm. He has written books and developed training courses on a number of networking and security topics. In addition to helping
companies implement network security solutions, he regularly teaches seminars and speaks at conferences worldwide.