The US defence officials have recently released information about a security breach they suffered back in 2008.
It seems some one placed a USB flash drive in to a government computer that contained malicious code placed on it by a forigen intelligence agency. This spread to other systems and opened up the Defence network to allow data to be transferred to rogue servers.
USB seems to have become the new medium for spreading virus and malware, and to be honest its hardly a surprise. Many companies seem to react to the growing security threats by creating stronger and stronger network gateways. In many cases these become so secure and so restrictive that they prevent the staff they are designed to protect, from actual carrying out there jobs.
And then the problems really start, people start to despair at the work provided service and will carry out the downloads at home and bring them in on there USB sticks. Completely circumvention the security policies in place.
There is of course the option to restrict access to only authorised USB devices, but to actual set this up is a major headache, and a large cost is involved. Especially when the Client PC’s are spread over a number of sites and you don’t have complete and utter control over them. Also by restricting the USB devices you hit the same issue as when you lock down the firewalls. People unable to carry out there jobs effectively.
It’s surprises me the number of times a valid request from a user to run an application or run some java code, gets turned down with a “its against company security policy”, when what the help desk engineer really means is ” I don’t know what the security policy is and I don’t have the time to look in to this for you fully to see if we can help”.
When “security policies” effect the efficiency in how some one can do there work, or even worse push people to find ways around them, then there is a problem with them. Good security policies, and set ups should be invisible to the end user, they should also be implemented in such a way that when users have valid reasons that cause them to come up against them, there are clear processes of how to take it forward for quite and decisive resolution.
Losing your users confidence in this area, and they will go from helping to being the major week link in the system. Many companies seem to see there security policy as a fight against the stupidity and malicious activity of there user, shutting them out of this loop of IT. Rather the users should be a central part of the policies, when you think that a huge % of breaches are caused by user “error”, there education should be where at least some of the money that funds the security should go.
I know at home using some common sense I have managed to survive many years now with out any security issues with only a basic consumer hardware firewall (linksys), and some well known free virus software. Where as friends and family regularly hit issues despite having paid for every virus scanner under the sun.
Spending 10’s of thousands of pounds on software to block USB devices, and more on IPS scanning, and still more on you hardened firewall, you will still never cover all the bases, while giving your users the freedom they need, and as soon as they hit that wall they will look for ways around it.
Making a network secure is easy, making a secure network that is usable… That what require the skill.