Analytics
3/26/2010
04:37 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Tech Insight: Make The Secure Path Easy For Users

How to keep track of the systems and data on your network and make security policies simple, user-friendly

Managing a large enterprise network can be a daunting task, especially when faced with geographically diverse locations that prohibit you from having hands-on access when security incidents arise. And the prevalence of malware attacks through trusted sites by malicious advertisements, compounded with end users behaving badly, certainly doesn't make it any easier.

Enterprise security professionals are left trying to manage a plethora of problems that stem from a few key issues. Of course, if security could be completely transparent, then we wouldn't face these problems. Instead, we're often at the mercy of complex, poorly written information security policies that users don't understand. And it's not rare for half of the IT workers responsible for adhering to and building systems that comply with the policies to not fully understand them, either. With policies not designed for the layman, it's no wonder employees are regularly violating them.

But it's not just policies that are to blame. During the InformationWeek and Dark Reading "Strengthening IT Security's Weakest Link: End Users" virtual event on Wednesday, Ozzie Diaz from AirPatrol quoted some particularly disturbing statistics that came from a report published last year by IT World Canada and Harris-Decima. In "Freedom to Compute," 90 percent of Generation Y workers admitted to violating IT policies with no consequences -- yet not a single one was fired, and 7 percent had no clue that there could be repercussions.

So how do we get a handle on these problems? Dr. Rachna Dhamija had a great suggestion in her keynote at the virtual conference. She said we need to make the easy path the secure path, and make it hard to perform unsafe actions. For the most part, we can make the work path easy, but also allowing users to have the freedom to visit social networking sites immediately complicates security because it opens companies up for malware attacks and possible data exposure.

Companies need to focus their awareness efforts on end users' understanding of security policies and why they exist. Employees need to be made aware of the consequences of compromised credentials, a lost laptop, or a malware infection. Keeping with the theme of making security transparent, awareness efforts don't have to explain all of the controls underneath, but they do need to enlighten users to the dangers of using social networks, what company information can be shared, and how to better spot malicious messages and links.

Nontechnical issues certainly play a large part in the management headache, but technical issues shouldn't take a back seat. The number of data breach notifications from lost and stolen laptops and mobile devices should put system and data inventory at the top of many enterprises' short lists of technical issues that need to be addressed. Simply put, if you don't know what you have and where it is, then how can you put the proper security controls in place to protect it? And what do you tell management when they ask what was on the CFO's laptop when he left it in the taxi?

As one of the base functions, data loss prevention (DLP) solutions can assist with the task of data discovery to see just what is stored out in the enterprise. Data discovery should be used to determine the pervasiveness of sensitive data throughout the enterprise. Once found and classified, the process can begin for deduplication, deletion, and/or protection of the data as deemed necessary to prevent potential exposure that can lead to expensive notification costs, damage to public image, and customer loss.

Countless other issues can plague security professionals in a large enterprise, of course. But being able to define policies that users can understand and follow, and reining in data sprawling across the enterprise, can help maintain security pros' sanity -- and the security of their employers' data.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Threat Intel Today
Threat Intel Today
The 397 respondents to our new survey buy into using intel to stay ahead of attackers: 85% say threat intelligence plays some role in their IT security strategies, and many of them subscribe to two or more third-party feeds; 10% leverage five or more.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3653
Published: 2015-07-06
Cross-site scripting (XSS) vulnerability in the template preview function in Foreman before 1.6.1 allows remote attackers to inject arbitrary web script or HTML via a crafted provisioning template.

CVE-2014-5406
Published: 2015-07-06
The Hospira LifeCare PCA Infusion System before 7.0 does not validate network traffic associated with sending a (1) drug library, (2) software update, or (3) configuration change, which allows remote attackers to modify settings or medication data via packets on the (a) TELNET, (b) HTTP, (c) HTTPS, ...

CVE-2014-9737
Published: 2015-07-06
Open redirect vulnerability in the Language Switcher Dropdown module 7.x-1.x before 7.x-1.4 for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in a block.

CVE-2014-9738
Published: 2015-07-06
Multiple cross-site scripting (XSS) vulnerabilities in the Tournament module 7.x-1.x before 7.x-1.2 for Drupal allow remote authenticated users with certain permissions to inject arbitrary web script or HTML via an (1) account username, a (2) node title, or a (3) team entity title.

CVE-2014-9739
Published: 2015-07-06
Cross-site scripting (XSS) vulnerability in the Node Field module 7.x-2.x before 7.x-2.45 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via unspecified vectors involving internal fields.

Dark Reading Radio
Archived Dark Reading Radio
Marc Spitler, co-author of the Verizon DBIR will share some of the lesser-known but most intriguing tidbits from the massive report