Analytics
3/26/2010
04:37 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%
Repost This

Tech Insight: Make The Secure Path Easy For Users

How to keep track of the systems and data on your network and make security policies simple, user-friendly

Managing a large enterprise network can be a daunting task, especially when faced with geographically diverse locations that prohibit you from having hands-on access when security incidents arise. And the prevalence of malware attacks through trusted sites by malicious advertisements, compounded with end users behaving badly, certainly doesn't make it any easier.

Enterprise security professionals are left trying to manage a plethora of problems that stem from a few key issues. Of course, if security could be completely transparent, then we wouldn't face these problems. Instead, we're often at the mercy of complex, poorly written information security policies that users don't understand. And it's not rare for half of the IT workers responsible for adhering to and building systems that comply with the policies to not fully understand them, either. With policies not designed for the layman, it's no wonder employees are regularly violating them.

But it's not just policies that are to blame. During the InformationWeek and Dark Reading "Strengthening IT Security's Weakest Link: End Users" virtual event on Wednesday, Ozzie Diaz from AirPatrol quoted some particularly disturbing statistics that came from a report published last year by IT World Canada and Harris-Decima. In "Freedom to Compute," 90 percent of Generation Y workers admitted to violating IT policies with no consequences -- yet not a single one was fired, and 7 percent had no clue that there could be repercussions.

So how do we get a handle on these problems? Dr. Rachna Dhamija had a great suggestion in her keynote at the virtual conference. She said we need to make the easy path the secure path, and make it hard to perform unsafe actions. For the most part, we can make the work path easy, but also allowing users to have the freedom to visit social networking sites immediately complicates security because it opens companies up for malware attacks and possible data exposure.

Companies need to focus their awareness efforts on end users' understanding of security policies and why they exist. Employees need to be made aware of the consequences of compromised credentials, a lost laptop, or a malware infection. Keeping with the theme of making security transparent, awareness efforts don't have to explain all of the controls underneath, but they do need to enlighten users to the dangers of using social networks, what company information can be shared, and how to better spot malicious messages and links.

Nontechnical issues certainly play a large part in the management headache, but technical issues shouldn't take a back seat. The number of data breach notifications from lost and stolen laptops and mobile devices should put system and data inventory at the top of many enterprises' short lists of technical issues that need to be addressed. Simply put, if you don't know what you have and where it is, then how can you put the proper security controls in place to protect it? And what do you tell management when they ask what was on the CFO's laptop when he left it in the taxi?

As one of the base functions, data loss prevention (DLP) solutions can assist with the task of data discovery to see just what is stored out in the enterprise. Data discovery should be used to determine the pervasiveness of sensitive data throughout the enterprise. Once found and classified, the process can begin for deduplication, deletion, and/or protection of the data as deemed necessary to prevent potential exposure that can lead to expensive notification costs, damage to public image, and customer loss.

Countless other issues can plague security professionals in a large enterprise, of course. But being able to define policies that users can understand and follow, and reining in data sprawling across the enterprise, can help maintain security pros' sanity -- and the security of their employers' data.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-3946
Published: 2014-04-24
Cisco IOS before 15.3(2)S allows remote attackers to bypass interface ACL restrictions in opportunistic circumstances by sending IPv6 packets in an unspecified scenario in which expected packet drops do not occur for "a small percentage" of the packets, aka Bug ID CSCty73682.

CVE-2012-5723
Published: 2014-04-24
Cisco ASR 1000 devices with software before 3.8S, when BDI routing is enabled, allow remote attackers to cause a denial of service (device reload) via crafted (1) broadcast or (2) multicast ICMP packets with fragmentation, aka Bug ID CSCub55948.

CVE-2013-6738
Published: 2014-04-24
Cross-site scripting (XSS) vulnerability in IBM SmartCloud Analytics Log Analysis 1.1 and 1.2 before 1.2.0.0-CSI-SCALA-IF0003 allows remote attackers to inject arbitrary web script or HTML via an invalid query parameter in a response from an OAuth authorization endpoint.

CVE-2014-0188
Published: 2014-04-24
The openshift-origin-broker in Red Hat OpenShift Enterprise 2.0.5, 1.2.7, and earlier does not properly handle authentication requests from the remote-user auth plugin, which allows remote attackers to bypass authentication and impersonate arbitrary users via the X-Remote-User header in a request to...

CVE-2014-2391
Published: 2014-04-24
The password recovery service in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 makes an improper decision about the sensitivity of a string representing a previously used but currently invalid password, which allows remote attackers to obtain potent...

Best of the Web