Draconian Security Policies: Where IT Security Professionals Go Wrong!
Recently I had a chat with a few fellow SPs (Security Professionals) and a few stories came up about the policies they are using to “protect” the companies they work for from inside attacks. Yes, you read that right: inside attacks. The problem nowadays is that most data theft and “cracking attempts” are done by insiders (read: people who got fired, or something like that). The issue is that with today’s firewall and proxy technology you can protect your perimeter pretty well, but you still have a whole bunch of potential human threats sitting inside it that you cannot “lock down” or “filter”.
So, why do we need Security Policies and what are they? Security Policies are documented procedures about how to behave when accessing your employer’s data, printers and information in general. By definition you should always consider that ANY information you have in electronic, paper or any other form is privileged information, and YOU have the privilege to see it. There are different Security Policies for different areas, but we will focus on the IT usage Security Policy.
The main issue I find when discussing with fellow SPs is that a lot of them are not unlike the zealots in the Mac, Windows and Linux worlds. They take security principles to the absolute extreme and do everything they can to protect the company’s data. This of course is a good thing, but a lot of SPs go down the wrong road. As the saying goes: “There is a fine line between security and paranoia”. This is the line that a LOT of SPs step over. The main principle that should be applied to ANY data access is of course “least access”. So by default any user has the least access possible (none? :)) and then you add the rights they need. What I have seen, however, is that people (employees) get nailed down SO tightly that it inhibits their work.

A good example is this: a user writes a document, and by corporate policy that document needs to be added to the Intranet. This is done via a big JavaScript-based interface or an ActiveX plugin or whatever. The Security Policy, however, states that all ActiveX and JavaScript functionality is disabled in the company’s default browser (Internet Explorer). Great, so that is the problem, and a call to the help-desk gets “sorry, can’t do anything, but we can import the document manually for you”. <- Nice of them! But in the long run it is a nuisance. So the user complains to their “techie” friend, who says: “install Firefox in user mode (no admin rights needed)”, and this way the user has effectively bypassed the Security Policy.
Another example would be the classic one: passwords. A very common approach by the security department is:
- complexity: It cannot match a dictionary word
- no-history: It cannot be the same as your last XX passwords
- frequency: Change it every 30/60/90 days
- complexity2: It has to contain special characters and/or numbers
While this shouldn’t be a problem for most users, many companies have more than one authentication system, each of which forces its password refreshes at different intervals, or some where you are given a password and CANNOT change it. I have worked in companies that had up to 8!! different username/password systems. Yes, usernames changed too. When these factors come into play, a lot of users start to look for ways of bypassing the constant burden of passwords. These then come down to sticky notes, scraps of paper, CELLPHONES!! etc.
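As an added illustration (not code from the original post), here is a Python checker that implements the four rules listed above plus a count of how many forced rotations a user faces when every system enforces its own interval. The word list, the history depth standing in for “XX” and the 90-day maximum age are assumed values.

```python
import hashlib
import hmac
from datetime import date, timedelta

# Assumed values: a tiny constructed word list stands in for a real dictionary,
# HISTORY_DEPTH plays the role of "XX", and 90 days is one of the intervals named above.
DICTIONARY = {"password", "welcome", "summer", "dragon", "letmein"}
HISTORY_DEPTH = 5
MAX_AGE_DAYS = 90
SPECIALS = set("!@#$%^&*()-_=+[]{};:,.<>?/")


def _digest(password: str) -> str:
    # History is kept as unsalted SHA-256 digests purely to keep the example short;
    # a real system stores and compares properly salted password hashes.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(candidate: str, history: list[str]) -> list[str]:
    """Return the names of the rules the candidate breaks (empty list means accepted).

    history: digests of the user's previous passwords, most recent first.
    """
    violations = []
    # complexity: reject anything that is simply a dictionary word
    if candidate.lower() in DICTIONARY:
        violations.append("complexity")
    # no-history: reject reuse of any of the last HISTORY_DEPTH passwords
    new = _digest(candidate)
    if any(hmac.compare_digest(new, old) for old in history[:HISTORY_DEPTH]):
        violations.append("no-history")
    # complexity2: require at least one digit or special character
    if not any(c.isdigit() or c in SPECIALS for c in candidate):
        violations.append("complexity2")
    return violations


def password_expired(last_changed: date, today: date, max_age_days: int = MAX_AGE_DAYS) -> bool:
    """frequency: True once the password is older than the allowed age."""
    return today - last_changed > timedelta(days=max_age_days)


def forced_changes_per_year(intervals_days: list[int]) -> int:
    """Rotations per year when each system enforces its own interval,
    which is the burden the post describes for users with many accounts."""
    return sum(365 // days for days in intervals_days)


if __name__ == "__main__":
    print(check_password("dragon", []))                               # ['complexity', 'complexity2']
    print(forced_changes_per_year([30, 60, 90, 90, 30, 45, 60, 90]))  # 56
```

Eight systems with the intervals shown above already mean 56 forced changes a year for one user, which is the point at which sticky notes start to appear.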
These are just 2 examples, but there are many more. Whenever a discussion arises, I try to convince fellow SPs not to think from THEIR perspective but to ask their users for input about systems and about procedures. Put out bulletins or polls. I am not saying make relaxed Security Policies, but make them with SOME reasonableness in them.
I am a proponent of giving users a little more slack than most SPs do, and I stand by it: if we educate them they will probably become more of an asset than a threat. At least I think it would be worth a try?
//Flosse