Bears: They shit in the woods
Nuff said.
If you ask the average business person who is responsible for the security of data held in computer systems, the chances are they will point to the IT department. After all, it's all about passwords, keys, firewalls, locks on computer room doors and other systems-related perceptions they have picked up without ever really having …
The "IT" industry has made a lot of money running after the endless flaw - fix & educate cycle. Only it's not a solution, it's a racket.
- Why should visiting a website be a security risk?
- Why should files stored on external media be unencrypted by default?
- Why should all applications be able to read any file stored on a system?
While difficult and unfashionable, more money should be invested in the software and firmware platform. Yes, even the Trusted Platform Module could be used for good! Security must be by design; other measures are like a bandage: useful, but only on a new bleeding wound.
(icon - for all those that prioritised features over security)
An old adage in computing[1] is along the lines of
"if it's fast and ugly they'll use it and curse you. If it's slow, they will not use it"
Since this book has been in print for nearly 20 years (and the phrase pre-dates it by some time), you'd think that the people who produce security "features" would've twigged that slow features are no features - as people will disable, subvert or otherwise work around them.
If you want to implement security features - and all of the listed reasons for lapses have a technical solution - then the first rule must be to make them transparent to the user. He/she must not be aware of them; they should not interfere with the user's goals or response time, or, as the wise man put it, they won't be used.
[1] The Art of Computer Systems Performance Analysis - Jain, 1991
The time has come for the user to own his machine, and access applications via a one-password intranet. That would solve maintenance, hardware support, encryption and loss of hardware, as well as multiple OSs.
User: I can't make our SAP run on my i-Phone
Helpdesk (Hungarian accent): try buying a machine with a bigger screen
But a business needs to "empower" their employees by training them in the art of war that is working with digital information (it is not only the content that matters - personal, financial, CAD drawings, etc. - it's the context that also makes them valuable).
Businesses (and politicians) need to understand all the issues of data handling .. i.e. the whole data lifecycle model .. how it is created/captured, how it is stored, how and by whom it is accessed and how it is destroyed. Understanding the relationship between data and how it is used is as fundamental these days as understanding how to build, ship and sell physical items .. data is no different, except it is much easier to lose copies of itself. We protect gold shipments differently to nappies and for good reason .. information is no different; appropriate controls at all stages in its lifetime are a must.
I work with Data Classifications, RBAC, encryption, lost and stolen laptops, PCI, DPA, you name it and it is clear that people want to "do the right thing" but they need both the carrot of helping their company not go down the pan due to a data breach and the stick of being fired if they fail to apply the *published* risk management policies.
So engage your staff and tell them why data is valuable to a business and why they (and you) will lose their jobs if they are caught following bad practices ... but please do actually ensure that you TELL your staff and keep telling them at regular intervals! And in these days of plausible deniability ensure that you have immutable audit logs of all data handling transactions (that is where the technology can help 8-).
Of course IT departments aren't responsible for users being dopey, but IT departments need to be much much more pro-active in getting the message out about laptop security - they need to ensure the systems are user friendly (rather than just being geek friendly and hence user hostile), the instructions given are intelligible (written in English rather than Visual Basic) and they need to make sure the message gets out across the organisation (which requires the more subtle art of persuasion rather than the science of installation).
IT departments are only too happy to fall back and blame pressures from da management rather than actually engaging with said management to try and convey the importance of all this. They need to play the office politics game in a constructive manner rather than just falling into line with the existing status quo. They need to explain things in layman's terms, but of course to many this is antithetical to their approach, which is to keep all the IT secrets in-house and act as the gatekeeper to this universe, whilst simultaneously bitching about the ineptitude of '(l)users' and basking in the glow of superiority from the light emanating from their own bumholes.
In other words, ye cadre of IT folk who are all too willing to point fingers, the cultural failings are not merely those of the organisation without, but also the IT department within. But hey, it's so much easier to moan than take a look in the mirror, isn't it - but the wise heads know that technology is paradigm changing, so the best IT bods will be working to change their organisation to fit in with that rather than fight it.
I've heard of using outrageous headlines to grab people's attention but I've never seen such an example of stating the obvious used to do the same thing!
Secondly, and to the point of the article which I eventually got to after dealing with the strain of the headline, it is the *user* (or their department) that requests a laptop, it's the *user's* data that the *user* loads onto the laptop and it's the *user* who lugs the thing about all day every day, need I go on?
In my opinion the IT department of most companies are there to provide a service to that company's staff: maintain servers and systems, perform backups etc. and of course, particularly in this day and age, perform encryption of relevant systems including laptops.
Our job is not however to hold the hands of every single employee who ever uses a laptop, it's a ridiculous idea. I believe wholly in comprehensive end-user training, it may be time consuming initially but to state the obvious myself I'm sure we're all aware of the time costs of any one of the potential risks caused by end user ignorance (used in the purest sense of course).
Once the user has had the training and has received the correctly configured device, it must be the user's responsibility to make sure it stays so and that their data on board stays safe, including reporting any problems to IT and abiding with any repairs/re-configs that may be necessary.
If I buy a brand new car from a dealership and it has all the latest security features, place my laptop on the seat in clear view and my car gets broken into, I don't sue the car company. They provided me a service and *I* gave a thief enough of an opportunity.
Now I think I've stated the obvious enough myself.
... Just bar everyone from using laptops, make them use terminals, with just a screen and a keyboard, no way to plug in external media.
if you have to give the lusers a box, put it in a safe with only one key, and a few holes in the back for the monitor, keyboard & mouse. (Don't forget the fan)...
-Just let me get my lockpicks...
I work in IT support for a large London council ....
Bloke logs a call about his laptop problem, he brings it into us.
I find written on a piece of paper inside the laptop bag:
- The disk encryption password
- The local user username
- The local user password
- The URL for our VPN (also in his IE favorites)
- The user name for the VPN hardware token
- His password for the VPN hardware token
- Instructions on how to access the VPN
- The guy's network username
- And his password right into our network
And the actual hardware token was in the bag as well!
Unbelievable!
I'm afraid that more than 90% of the people that I deal with just don't give a hoot, whether or not the laptop is their property or their company's. They throw them around, leave them on permanently, while attached to a power supply and leave all manner of data displayed on the screen.
As for malware, forget it. Most of them have heard terms like virus, trojan and adware but don't have a clue what they mean or how they are contracted. They are ordinary, non-technical people who have been given this lump of equipment for them to write letters or enter some sort of data. They are not interested in how the thing works, it is just their job to use it. If it gets infected, it is just broken. If it gets stolen, they will just have to ask for another one. After all, it's only a bit of old electrical equipment.
...think they own the computer any more than they own their desk or phone. They don't have admin access, they don't install stuff, they don't configure it, any more than they empty their own bin or fix the taps in the washroom themselves. It's IT's job.
That helps in preventing them from bypassing security features.
Encrypt. Configure the encryption so that it locks the device if it hasn't talked to the server after a given number of days. That ensures the thing's connected to the corporate network from time to time and gets the patches and AV updates you're forcing out.
Treat breaches that can't be locked down (like the bloke with the bit of paper detailing all the passwords (we've had this too)) like any other corporate security breach - official warning on the record via HR. Mandate the use of encrypted USB sticks only, and use widely available software to lock the machines to only accept these.
Lots you can do. If you suggest all that and senior management throws it back in your face, point them to the possible consequences. And when you have to take the network down to clean all the viruses off which their refusal to follow your advice has let on, refer them back to what you told them. They won't like "I told you so" but they might take a blind bit of notice in future.
Oh, too complicated to collate evidence? They will want to go to tribunal? Costs money to implement such measures? They claim not to have read their employment contract and the company's policies? They are ignorant of the Data Protection Act? (no defence for anyone?)
Start sacking, fining and jailing people .. yes make examples of them ... and then you might see incidents lower for a bit ... got to keep it up though because people are human and suffer more bit rot than your average Windows installation.
As Melchett would say "shout, shout and shout again". (Thank you Darling)
Implementation of the rules is not an IT issue .. it's a business issue and no different from requiring people to correctly do their timesheets, performance reviews, expensive (sic) claims, health and safety training etc.
"Security is everyone's responsibility" should be the corporate mantra.
it's worse than that.
If the lappy gets infected, they have a good reason for not doing any work. Don't have to wait for the next (thin) covering of snow: "Sorry I couldn't submit my report on time, the laptop got a virus - yes I'm still waiting for the IT people to fix it. They say it could be days before they get to it." So now it's "bloody IT, why don't they pull their fingers out and fix my people's problems". While the indolent desk-jockey spends their days annoying their colleagues (thus preventing them from working, too) or "works from home", ahem.
Better yet. Didn't like the paltry pay rise? Get your own back & "lose" the laptop. That it appears on ebay the next week and makes up for the rise you think you should've got is immaterial. Or if the newbie gets a new, whizzy laptop and you want one too, well the same applies.
Oh yes, while I'm at it. @I got one two weeks ago ...
Just so's you know. *All* the users do this, all the time. You just discovered one, single instance.
Never have been and, sad to say, probably never will be.
A big problem, already obliquely mentioned in an earlier reply, is that UI details are decided by IT people, who generally are not particularly good about usability issues.
Take for example, something as simple as sending an email to a group of people. It's a regular failing for all the addresses to be stuffed into the To: header, with the result that all recipients see all the addresses. In theory, BCC should be used, but even when whined at in a loud, obnoxious, buzz saw-like voice with a pronounced nasal edge, I've seen an offender in this matter repeat the mistake within very few months.
One has to ask why email clients allow more than one address in the To: header at all, and why they don't automatically switch to BCC when more than one recipient is specified. Yes, yes, I know, we have to allow flexibility in case some geek needs to expose a mass of email addresses via To:.
Then there are the programs that are coy about which preferences settings are global to all documents opened and which apply only to one document. I will name no names.
Simply put, users do not want to burden themselves with endless geeky detail. They will listen to you, but they won't hear you. And that applies to admonitions about security as much as to the sending of mass emails.
I do not know what the solution might be -- if there is one.
It's shared responsibilities really. The first responsibility is with IT to implement security policies and enforce them in a way that doesn't get in the way of the user. As an example, where I currently work, the standard laptop install includes a BIOS password (set up so that the password is also required to come out of hibernation or reboot), full disk encryption, automated user file backup and a proxy that forces you to go through VPN if you want to access the internet from a network that is not the company's network. We are also all issued with a security token to access the VPN or some web enabled services from any computer. Accounts are locked up with standard privileges. You can request temporary admin privileges but you have to specify why. None of this really interferes with actual work so there is no real incentive to bypass it.
There are other things that you could consider doing, such as:
- issue employee with an encrypted USB key (such as an IronKey: www.ironkey.com) and tell them that if they want to transfer files on a USB key, they have to use that one, no personal key allowed => you enable them to do what they want but on your terms and in a secure manner
- use features like the "guest session" on Ubuntu 8.10 so that they can let someone else use their laptop temporarily in a restricted session that is wiped out when finished
Of course, with such a setup, there are a lot of things a user could do, such as:
- leave his laptop on the train,
- burn important data to a non-encrypted CD and forget that CD in the pub (does anybody know of any software that is easy to use that can produce encrypted CDs?),
- write down all his passwords on a post-it note stuck to the laptop along with the security token
And that's where you should educate your users. Make sure the policy is clear and easily accessible. Then make sure all employees know why the policy is in place and what the consequences of not following it are.
At the end of the day, it's the usual conundrum of giving users the possibility to do what they want, while being in control of what they can do.
Well, ... doesn't that mean that there is a suitable marketing initiative for a suitable product at the right price?
Wrong price = forget it, dead as a dodo or Monty Python's Parrot
Right price = a doable winner?
Maybe even a linux based whatever (sock?) that virtualises Windows within it (runs the OS as a virtual machine) ?
Say, 20 quid?
That is what a majority of people think when they use property that is not theirs. Ever go just the speed limit in a rental car? Did you really care about the stain on the wall you made in that apartment (or flat) you rented years ago?
Sadly people have no sense of ownership when they didn't pony up the cash for whatever it is they're using.
I had a user take his laptop on the road and in the hotel he decided to search for porn. He saw a few pop-ups and didn't think twice about clicking them. To only his surprise he got infected with several Trojans due to his porn frolicking session. His excuse was that he didn't see a problem at the time cause he wasn't on our company network, yet using the company laptop did not seem to bother him.
The point is that we as "IT" need to make users accountable for their actions. We have a clause in our handbook that does. I did the work to repair the laptop and billed the employee. You know he's not going to type "young sexy babes" in Google anymore.
** the pirate pic cause there were swashbuckling sites that were still in the cookie cache when I cleaned it out **
Everyone here is griping about the ineptitude and lax attitude of users. Bollocks I say. This boils down to incompetent management. Management often has a lax attitude about security until it bites them in the rump, at which point they round on the IT department.
This is typically the part where half the IT department quits in frustration after years of being told by that same management that they were being "too paranoid" about issues like security.
The problem really boils down to usability. Users, management, even most admins don't want to have to remember 50 different passwords, their context, the user and domain they run under, etc. etc. etc. It's just a tool people use, and until the security portion of it becomes a problem, most will wonder why bother with it?
Thus this has become a multi-fold issue: myopic management who don't want to hear what they consider doom-mongering from their techs, techs who can't or won't make security simple and easy, and users who are unwilling or unable to understand that they should be treating access to information as something worthy of more complex consideration than a hammer or wrench.
Rest assured however that IT will always take the blame. You know you work in IT if you have no authority to do anything, and all the responsibility if it goes wrong. Especially if it is actually someone else's fault.
It's realistically up to the end user. Yes, those of us in the position of making the policies, dishing out the hardware, issuing passwords, etc. etc. need to do our part. And make sure that in doing our part we try to instill in our users the importance of maintaining security. That ranges from doing our best to ensure best practices in terms of physical security, software/hardware hardening, encryption, and user training. However, at the end of the day we can't follow the users around, can't prevent them writing passwords on sticky notes, or as one person posted above receiving a laptop with "the keys to the kingdom" inside the bag.
There is only so much we can do and ultimately the onus for the security of a laptop or any other portable device that might contain information your company wants to keep private is on the person issued said device.
Just to add mine to what I'm sure will be a litany of horror stories. Last year I was contracted to integrate PGP Desktop into the systems in half a dozen offices of an international stock brokerage firm. I had no more gotten done with one office than I had to go back to another one of their offices to complete installation on a laptop that a user had not brought in. As I'm walking back to this person's office I see a nicely formatted Word doc on everyone's desk which had, in letters big enough to see with a passing glance from several feet away, their PGP login credentials, local computer username and password, as well as their public and private key pass phrases. I asked the local IT wonk about it who cheerfully showed me what he had knocked up. Said document also had instructions on how to log into their VPN (including their credentials for VPN login) and other internal systems which would give anyone who picked up that paper access to the personal financial information of every client (read thousands of clients) in that office. He had made it up for one bitchy user who didn't see the need for all this "computer security nonsense" then in a stroke of sheer stupidity made up one "cheat sheet" for every user in the office.
Such are the perils of security at the hands of spineless IT people and end users who think that there is no reason to protect the most sensitive personal and financial details of their clients.
Please see earlier comments about transparency.
Whoever designed a scheme requiring three usernames and four passwords should be nailed to the door of the IT department as a warning to others who fail to consider their users' needs.
(I assume that you also mandate long passwords, full of funny characters, with monthly renewals).
If you honestly believe such conduct "unbelievable" then you're in the wrong business.
Anyone faced with that many things to remember will always resort to pencil and paper.
Have a single username/password for EVERYTHING. No exceptions.
Make the password immensely strong and impossible to remember.
Change it monthly.
Hand them out to users, written on a $100 bill. (Or even larger depending on the value of the data being protected).
Anyone who hasn't lost it by the end of the month gets to spend it once they've got the next one. That should ensure they look after it.
Anyone who writes it down anywhere else, or whose password is found to have been written down anywhere else (implying that it was inadequately guarded), is fired instantly. Even the boss.
The trouble is that it isn't generally some minion that can be retrained/disciplined/beaten with a cluebat. The more senior the person the more likely they are to have ****ed up security.
You can try telling CEOs not to use their hotmail account to discuss tenders or not to use the free WiFi in the airport to send email but it doesn't work.
And the more security procedures you put in place the more these people can work around them 'to get things done' - like forwarding everything to hotmail because they can't be arsed logging into the VPN.
Any password that is difficult (much less impossible) to remember is NOT immensely strong, it is inherently immensely weak.
If users cannot remember their passwords, they will write them down, somewhere totally inappropriate and insecure. Attempting to prevent this behaviour by inducements, punishments, threats, explanations, entreaties, or even physical force are doomed to fail.
If you allow users to have an easily remembered password, this will ALWAYS be more secure than a password which they WILL write down. And then lose. Or keep on a post-it in the laptop bag. You cannot stop the tide from rising. You cannot stop users from behaving in this manner.
The solution is to require a long password (or better, a passphrase, or pass-sentence), which will be easy to remember (no requirement for upper/lower case mixtures, special characters, or numbers); but due to its length, difficult for unauthorised persons to guess. This is not very secure, but it is more secure than ANY alternative.
Security solutions which do not take account of human nature are deeply flawed, and those who are 'shocked' when they fail (cf AC 15:22 GMT above) are guilty of looking at only a subset of the overall problem, and therefore doomed to fail.
Paris, 'cos I would like to know the sentence she requires before granting access...
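To put numbers on the length-versus-complexity argument in the post above, here is an added example (not from the thread or any commenter) that compares the guess space of a short "complex" password with that of a passphrase of randomly chosen dictionary words; the 95-symbol printable alphabet, the 7776-word Diceware-style list and the 1e10 guesses/second attacker rate are assumptions for illustration.

```python
import math

# Assumed parameters (not from the thread): printable ASCII alphabet,
# a Diceware-sized word list, and an offline attacker trying 10^10 guesses/s.
PRINTABLE_ASCII = 95
DICEWARE_WORDS = 7776
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def bits_random_chars(length, alphabet_size=PRINTABLE_ASCII):
    """Entropy (bits) of a string of `length` symbols chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def bits_random_words(word_count, dictionary_size=DICEWARE_WORDS):
    """Entropy (bits) of a passphrase of `word_count` words chosen uniformly from a list."""
    return word_count * math.log2(dictionary_size)


def words_needed_to_match(bits, dictionary_size=DICEWARE_WORDS):
    """Smallest number of random dictionary words that reaches at least `bits` of entropy."""
    return math.ceil(bits / math.log2(dictionary_size))


def years_to_exhaust(bits, guesses_per_second=GUESSES_PER_SECOND):
    """Years needed to try every candidate in a 2**bits space at a fixed guess rate."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def compare_policies():
    """Entropy and exhaustive-search time for the options the post contrasts.

    The 'complex' 8-character password is modelled generously as fully random
    printable ASCII; a user-chosen one with mandated character classes is weaker.
    """
    policies = {
        "8 random printable chars": bits_random_chars(8),
        "4 random dictionary words": bits_random_words(4),
        "5 random dictionary words": bits_random_words(5),
        "6 random dictionary words": bits_random_words(6),
    }
    return {name: (bits, years_to_exhaust(bits)) for name, bits in policies.items()}


if __name__ == "__main__":
    for name, (bits, years) in compare_policies().items():
        print(f"{name:28s} {bits:6.1f} bits  ~{years:12.3g} years to exhaust")
    # Five random words already exceed the 8-character 'complex' password.
    print("words to match 8 random printable chars:",
          words_needed_to_match(bits_random_chars(8)))
```

Five lowercase words from a 7776-word list carry about 64.6 bits against roughly 52.6 bits for eight fully random printable characters, and need no special-character rules to get there.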
The reason you can put multiple people in To: is that there are times I need to see who else it was sent to. For example, for an email about a problem spreading over our mobile VPN and accounting system, I need to see whether it has been sent to just me (VPN) or to me and our accounting systems expert, and if not I need to email him.
IMO one aspect that is often forgotten is to treat the computer as a tool that you need to master in order to do your job.
We need to communicate this to the users.
I work in a large hospital with 10,000 users and 100+ in the IT dept.
A nurse or doctor today has to master a lot of technology and adhere to a lot of stringent procedures on pain of losing their license. This is OK by them because they see the point. If you're not careful with sterile equipment the patient may get an infection.
The same doctors and nurses think nothing of saving sensitive documents to a public share instead of their own home directories (or preferably as an attachment to the Electronic Patient Record). They do not see, and the clinical management do not see, that this is the same thing.
Saving sensitive info to a public share is no different from mixing sterile and non-sterile equipment.
Indeed, some patients may prefer a minor hospital infection before they want to see their patient record being public.
Doing things in a secure manner is a PITA, but they do it when they see it's important.
We need to appeal to their sense of professional pride and make the computer be as important a piece of equipment to master as any other tool of the trade.
...if there's no penalty attached or you aren't allowed to enforce it. HR drones can usually find a way to get the user off with just a warning if it's someone's golden boy who is the offender yet could manage to dismiss someone for farting in the wrong key if their face doesn't fit.
I'm more fed up with stupid management policies and even worse stupid IT developers that insist on every damn application at work requiring a different username and password before I can use it. I think I'm currently at 15 combinations and it's growing - I'm only a mere mortal too so don't have access to all the systems. Even the damn intranet needs me to login as it doesn't check who I've just logged on the network as.
As for laptops and VPNs well sometimes it just has to be seen to be believed. We run two types of VPN access depending on whether you are connecting over broadband/wifi or via dialup. The dialup uses SecurID tokens to authenticate. The other one however is just a username and password - it's not even a locally set password but dished out from IT, and to make it worse we all use exactly the same password.....
Black helicopters coz frankly we aren't paranoid enough
Got a new works laptop, locked into user mode. Instead of having a password that I can remember, I have to change it for a different one each month, so month one is Password01, then Otherpassword02, etc., then back to Password01, as advised by the IT department.
Backups? - got this great utility that backs up all data to the server, great if in the office, but over a VPN shared with 100 other users? Not a chance, so backed up when in the office every 2-4 months and onto a USB stick when I can be bothered.
This is then transferred onto personal DVD backups, not secure, but way it goes....