Analytics
3/26/2010
04:37 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Tech Insight: Make The Secure Path Easy For Users

How to keep track of the systems and data on your network and make security policies simple, user-friendly

Managing a large enterprise network can be a daunting task, especially when faced with geographically diverse locations that prohibit you from having hands-on access when security incidents arise. And the prevalence of malware attacks through trusted sites by malicious advertisements, compounded with end users behaving badly, certainly doesn't make it any easier.

Enterprise security professionals are left trying to manage a plethora of problems that stem from a few key issues. Of course, if security could be completely transparent, then we wouldn't face these problems. Instead, we're often at the mercy of complex, poorly written information security policies that users don't understand. And it's not rare for half of the IT workers responsible for adhering to and building systems that comply with the policies to not fully understand them, either. With policies not designed for the layman, it's no wonder employees are regularly violating them.

But it's not just policies that are to blame. During the InformationWeek and Dark Reading "Strengthening IT Security's Weakest Link: End Users" virtual event on Wednesday, Ozzie Diaz from AirPatrol quoted some particularly disturbing statistics that came from a report published last year by IT World Canada and Harris-Decima. In "Freedom to Compute," 90 percent of Generation Y workers admitted to violating IT policies with no consequences -- yet not a single one was fired, and 7 percent had no clue that there could be repercussions.

So how do we get a handle on these problems? Dr. Rachna Dhamija had a great suggestion in her keynote at the virtual conference. She said we need to make the easy path the secure path, and make it hard to perform unsafe actions. For the most part, we can make the work path easy, but also allowing users to have the freedom to visit social networking sites immediately complicates security because it opens companies up for malware attacks and possible data exposure.

Companies need to focus their awareness efforts on end users' understanding of security policies and why they exist. Employees need to be made aware of the consequences of compromised credentials, a lost laptop, or a malware infection. Keeping with the theme of making security transparent, awareness efforts don't have to explain all of the controls underneath, but they do need to enlighten users to the dangers of using social networks, what company information can be shared, and how to better spot malicious messages and links.

Nontechnical issues certainly play a large part in the management headache, but technical issues shouldn't take a back seat. The number of data breach notifications from lost and stolen laptops and mobile devices should put system and data inventory at the top of many enterprises' short lists of technical issues that need to be addressed. Simply put, if you don't know what you have and where it is, then how can you put the proper security controls in place to protect it? And what do you tell management when they ask what was on the CFO's laptop when he left it in the taxi?

As one of the base functions, data loss prevention (DLP) solutions can assist with the task of data discovery to see just what is stored out in the enterprise. Data discovery should be used to determine the pervasiveness of sensitive data throughout the enterprise. Once found and classified, the process can begin for deduplication, deletion, and/or protection of the data as deemed necessary to prevent potential exposure that can lead to expensive notification costs, damage to public image, and customer loss.

Countless other issues can plague security professionals in a large enterprise, of course. But being able to define policies that users can understand and follow, and reining in data sprawling across the enterprise, can help maintain security pros' sanity -- and the security of their employers' data.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Five Things Every Business Executive Should Know About Cybersecurity
Don't get lost in security's technical minutiae - a clearer picture of what's at stake can help align business imperatives with technology execution.
Flash Poll
Dark Reading Strategic Security Report: The Impact of Enterprise Data Breaches
Dark Reading Strategic Security Report: The Impact of Enterprise Data Breaches
Social engineering, ransomware, and other sophisticated exploits are leading to new IT security compromises every day. Dark Reading's 2016 Strategic Security Survey polled 300 IT and security professionals to get information on breach incidents, the fallout they caused, and how recent events are shaping preparations for inevitable attacks in the coming year. Download this report to get a look at data from the survey and to find out what a breach might mean for your organization.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
Security researchers are finding that there's a growing market for the vulnerabilities they discover and persistent conundrum as to the right way to disclose them. Dark Reading editors will speak to experts -- Veracode CTO and co-founder Chris Wysopal and HackerOne co-founder and CTO Alex Rice -- about bug bounties and the expanding market for zero-day security vulnerabilities.