Body behind keyboard error

The old saying that 'IT would be perfect if it weren't for end-users' rears its head again as IT departments attempt to secure devices in the era of distributed networks.
By Samantha Perry
Johannesburg, 18 Feb 2008

Your network is everywhere. At its myriad ends are a host of users running around the planet with devices that you do not own, but are expected to secure and support. Welcome to the era of distributed networking, mobile computing and even more chaos than usual.

Most organisations today are faced with a host of end-user devices, from cellphones to PDAs, laptops and iPods that are owned by end-users who expect to be able to use them for work and play in the same way they would use company equipment.

An outright ban on employee-owned devices is only likely to cause employee dissatisfaction (at best) or rampant end-user rebellion (at worst). The solution: learn to manage what you cannot control, as impossible as that may sound.

Down the wormhole

The problem, says Condyn risk and compliance manager Paul Platen, is that you have corporate information residing on end-point devices. "The risk of information on those devices being disclosed wilfully or through negligence becomes a problem for the organisation and for the IT department," he says.

"From an applications perspective, users use hotspot Internet access points, which can be compromised."

And of course, in the Internet era, the devices connecting to your network are not only your employees', they're also your customers'.

"It's becoming a bit of a battle," says Carl Louw, head of Internet channel at Absa Digital Channels.

"We're probably slowly but steadily moving to a state where, I expect, in a couple of years, all end-user devices will be compromised by spyware, key-loggers and Trojans. This is the assumption we have and we are working toward curbing that.

"In most cases," he adds, "our customers are fairly diligent in terms of how they secure their PCs; they follow our suggestions."

A broader picture

The best place to start, as with anything ICT related these days, is, you guessed it, an audit. Says McAfee South Africa country manager Chris van Niekerk: "Obviously, the first thing that has to happen is for the CIO to decide what he wants to protect and what needs to be protected. A lot of companies don't know what they need to protect, and data is becoming so vital these days. You've got to look at the information and do data classification."

Once you know what you want to protect, you need to look at the means it has to leave the organisation, he says.

"From a hacking perspective, someone can [breach the system] and steal or compromise data. But if you look at what Gartner is saying, 60% of all security breaches happen within the organisation. When you protect your perimeter with intrusion prevention solutions, anti-phishing, anti-malware, anti-virus, anti-spyware and so on, you are only covering 40% of the problem. You need to look at what means people are able to use to remove information - USB devices (iPods, memory sticks, digital cameras), normal print and copy, copying data and pasting it into a Web mail facility and so on. The other danger is a mobile user. For example, a user takes a laptop home and can print, copy or e-mail data from there. And what happens if the device is stolen?"

Says Samresh Ramjith, security CTO for Dimension Data South Africa: "Mobility forms part of a much bigger security picture in any organisation. If you have discussions with different organisations, depending on culture, vertical and maturity level, you get different answers on what's deemed critical and appropriate, and what constitutes an acceptable usage policy or not. Speak to a consultant and, depending on maturity, you will get different advice on whether you need to do a technical assessment or a full-scale risk analysis.

"Some people form a committee to draw up policies, workflows and look at industry trends and threats to take care of basics. You could do a lot of work for a long time before you get to any tangible outcome. It's good to have a policy and a process, and to assess industry trends, but you need to do something to safeguard yourself now.

"As far as mobile is concerned," Ramjith says, "the first thing you need to decide is: Do you need mobility in the first place? What is your culture? What is your vertical? What do you do? Is it a requirement for people to have remote and mobile access to your information? If it is, the requirement is usually for access to e-mail. If you want to allow that, great, but is it critical that they have access to file servers? Well, not necessarily. Are you an organisation pushing for a totally mobile workforce? Then fine, mobility in all its shapes and forms and facets is something you will want to do."

This, of course, is the million-dollar question. For many organisations, mobility has crept in and become de facto, pushed onto IT by users who want to get maximum functionality from their PDAs, cellphones and laptops. But is it really necessary? And if it is, is it necessary for all users?

All of the above can be managed by policy - what devices can access the network, which users can remotely access which resources, whether USB ports are enabled or disabled and so on. Technology can track and monitor exactly what is happening to data, where it is being viewed, printed, copied, e-mailed or edited. But the whole point of technology, ostensibly, is to enable productivity and efficiency, and to benefit the organisation and its users. Locking a laptop down to the extent that it has the functionality of a Commodore 64 is pointless. Policy needs to be workable, it needs to be enforceable and it needs to enable IT to secure organisational intellectual property without compromising users' ability to get work done.

As Ramjith notes: "Users do what's convenient and expedient; even if it's a bit naughty, they will do it. For example, the stop sign in your suburb that becomes a yield simply because everyone treats it as such."

In other words, if policy or technology impedes a user's ability to work in the way that makes the most sense to them, they will ignore it or find a way to circumvent it.

End-user training

Notwithstanding the above, the best-laid plans and the best-written policies won't stand up in the face of ignorance. The solution? End-user education.

Says Panda Security CEO Jorge Dinarés: "Educating end-users is a serious problem, but we cannot blame users all the time. There is a false perception of security. Everything is apparently under control, people are safe, there are no threats. However, we are witnessing a true silent epidemic, which infects an increasing number of companies without them knowing. There is a paradox between users' perception of security and the reality of cyber crime. Companies should educate their employees on how to protect their PC and environment. You can have the best protection, but in the end, everything depends on the user's knowledge. If users are aware of the risks they are running, they will install a solution to avoid problems, including protection against unknown codes."

According to Barry Gill, technical services manager of Mimecast SA, if someone wants to break into your network, they will. "There is no such thing as an infallible network and someone with time, patience, resources and skill will get in - most likely through social engineering techniques. If organisations could find a successful way of making users accountable for any action that occurs on their equipment, we would see a dramatic shift in awareness. One newer strategy is working with people's e-mail. For example, if someone sends out an e-mail that may have a username or password in it, we flag it, block it and tell them that it travels in clear text and can be intercepted and used by someone to launch illicit activity. Once users understand that their data, and not just data on company servers, is also at risk from things like identity theft, people will start being cagey like never before. Impacting users so they realise the potential severity of the actions they take without clamping down on them like the Patriot Act is a tricky balancing act."
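Gill's description of flagging outgoing mail that carries a username or password can be illustrated in code. The following Python is an added example, not Mimecast's product or anything from the article: a hypothetical outbound-mail check that scans a message body for credential-like lines, blocks the message, redacts the secret before anything is logged, and builds the plain-language notice to the sender that Gill describes. The rule patterns, the sample messages and the function names are all assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

# Hypothetical rule set: lines that look like "password: x" or "username = y".
# A real deployment would tune these against its own mail traffic.
CREDENTIAL_PATTERNS = [
    ("password", re.compile(r"\b(?:password|passwd|pwd)\s*(?:is|:|=)\s*(\S+)", re.I)),
    ("username", re.compile(r"\b(?:username|user\s*name|login)\s*(?:is|:|=)\s*(\S+)", re.I)),
]

USER_NOTICE = (
    "Your message was not sent: line(s) {lines} appear to contain a username "
    "or password. E-mail travels in clear text and can be intercepted, so "
    "credentials sent this way can be read and used by someone else. Share "
    "them through an approved channel instead."
)


@dataclass
class Verdict:
    blocked: bool
    findings: list = field(default_factory=list)   # (rule name, line number)
    notice: str = ""


def scan_outbound(message: str) -> Verdict:
    """Scan an outbound message body line by line and decide whether to block it."""
    findings = []
    for lineno, line in enumerate(message.splitlines(), start=1):
        for name, pattern in CREDENTIAL_PATTERNS:
            if pattern.search(line):
                findings.append((name, lineno))
    if not findings:
        return Verdict(blocked=False)
    lines = ", ".join(str(n) for _, n in findings)
    return Verdict(blocked=True, findings=findings,
                   notice=USER_NOTICE.format(lines=lines))


def redact(message: str) -> str:
    """Replace the matched secret values so the DLP log itself does not leak them."""
    out = message
    for _, pattern in CREDENTIAL_PATTERNS:
        out = pattern.sub(
            lambda m: m.group(0).replace(m.group(1), "[REDACTED]", 1), out)
    return out


# Constructed sample messages for the example.
MAIL_OK = "Hi Sam,\nThe meeting is moved to 3pm.\nThanks"
MAIL_RESET = "Please reset your password via the portal."
MAIL_BAD = ("Hi,\nHere are the VPN details.\n"
            "username: jsmith\npassword: Summer2008!\nRegards")

if __name__ == "__main__":
    for mail in (MAIL_OK, MAIL_RESET, MAIL_BAD):
        verdict = scan_outbound(mail)
        print("BLOCKED" if verdict.blocked else "allowed", verdict.findings)
        if verdict.blocked:
            print(verdict.notice)
            print("logged as:\n" + redact(mail))   # secret never reaches the log
```

The check is deliberately narrow: it only fires when the word is followed by a separator and a value, so "reset your password via the portal" passes while "password: Summer2008!" is blocked. That trades some misses for fewer false positives, which matters because a block that keeps interrupting legitimate mail is exactly the kind of control users learn to route around. Redacting before logging is the part most often forgotten; a DLP log full of plaintext passwords is a second copy of the very data the control exists to protect.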

Formal training

In the meantime, formal education can make a difference, provided it is done correctly. Says Foster-Melliar trainer Derrick Planck: "Most end-user education quickly becomes techno-speak - viruses, signatures, firewalls - and people have no idea. As part of any preventative system, you need an ongoing education system that teaches people in a simple, practical way. For example, you don't leave your house key under the front-door mat, so don't leave your password under your keyboard. End-user training needs to move away from tech speak and become pragmatic and practical.

"The idea is to give a few hours of training so that end-users walk away with two or three key messages that will be remembered for at least the next year. As a practical recommendation, you need to do some sort of introductory or awareness course. Do it on a campaign basis, send all the troops through over a few weeks. Within three months, you will have had head count turnover, so you'll want to be able to supplement education with a one- or two-page policy detailing security guidelines for new employees. You'll probably need a morning refresher for all staff annually because of changes in technology, changes in business models and because people forget. We work on the basis that people forget 80% of the message within 24 hours; the rest stays. You don't want to affect productivity, so after three hours of security speak, most people turn into vegetables. The training needs to be light-hearted, entertaining, pragmatic and practical," he states.

The many-headed snake

From viruses, hackers, botnets, Trojans, phishers and malware to end-users who allow their three-year-olds to play with their PDAs or post passwords to themselves via e-mail, the many heads of the security beast seem to be multiplying. Getting line management on board and getting them to police security policy breaches, suggests Mimecast's Gill, can help take the weight off the IT department and make users at all levels more aware of the problem.

Likewise, as Foster-Melliar's Planck outlined, practical and user-friendly training is a must, as is making users aware of the implications of their actions in plain, simple English. An infection that downs servers is a powerful example of why people should adhere to security policies, because the pain and inconvenience of the experience are fresh in their minds. If anything is certain, it is that the bad guys will always be one step ahead. Recruiting your end-users onto your police force is a must.