Analytics
3/26/2010
04:37 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Tech Insight: Make The Secure Path Easy For Users

How to keep track of the systems and data on your network and make security policies simple, user-friendly

Managing a large enterprise network can be a daunting task, especially when faced with geographically diverse locations that prohibit you from having hands-on access when security incidents arise. And the prevalence of malware attacks through trusted sites by malicious advertisements, compounded with end users behaving badly, certainly doesn't make it any easier.

Enterprise security professionals are left trying to manage a plethora of problems that stem from a few key issues. Of course, if security could be completely transparent, then we wouldn't face these problems. Instead, we're often at the mercy of complex, poorly written information security policies that users don't understand. And it's not rare for half of the IT workers responsible for adhering to and building systems that comply with the policies to not fully understand them, either. With policies not designed for the layman, it's no wonder employees are regularly violating them.

But it's not just policies that are to blame. During the InformationWeek and Dark Reading "Strengthening IT Security's Weakest Link: End Users" virtual event on Wednesday, Ozzie Diaz from AirPatrol quoted some particularly disturbing statistics that came from a report published last year by IT World Canada and Harris-Decima. In "Freedom to Compute," 90 percent of Generation Y workers admitted to violating IT policies with no consequences -- yet not a single one was fired, and 7 percent had no clue that there could be repercussions.

So how do we get a handle on these problems? Dr. Rachna Dhamija had a great suggestion in her keynote at the virtual conference. She said we need to make the easy path the secure path, and make it hard to perform unsafe actions. For the most part, we can make the work path easy, but also allowing users to have the freedom to visit social networking sites immediately complicates security because it opens companies up for malware attacks and possible data exposure.

Companies need to focus their awareness efforts on end users' understanding of security policies and why they exist. Employees need to be made aware of the consequences of compromised credentials, a lost laptop, or a malware infection. Keeping with the theme of making security transparent, awareness efforts don't have to explain all of the controls underneath, but they do need to enlighten users to the dangers of using social networks, what company information can be shared, and how to better spot malicious messages and links.

Nontechnical issues certainly play a large part in the management headache, but technical issues shouldn't take a back seat. The number of data breach notifications from lost and stolen laptops and mobile devices should put system and data inventory at the top of many enterprises' short lists of technical issues that need to be addressed. Simply put, if you don't know what you have and where it is, then how can you put the proper security controls in place to protect it? And what do you tell management when they ask what was on the CFO's laptop when he left it in the taxi?

As one of the base functions, data loss prevention (DLP) solutions can assist with the task of data discovery to see just what is stored out in the enterprise. Data discovery should be used to determine the pervasiveness of sensitive data throughout the enterprise. Once found and classified, the process can begin for deduplication, deletion, and/or protection of the data as deemed necessary to prevent potential exposure that can lead to expensive notification costs, damage to public image, and customer loss.

Countless other issues can plague security professionals in a large enterprise, of course. But being able to define policies that users can understand and follow, and reining in data sprawling across the enterprise, can help maintain security pros' sanity -- and the security of their employers' data.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Threat Intel Today
Threat Intel Today
The 397 respondents to our new survey buy into using intel to stay ahead of attackers: 85% say threat intelligence plays some role in their IT security strategies, and many of them subscribe to two or more third-party feeds; 10% leverage five or more.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2130
Published: 2015-03-05
Cisco Secure Access Control Server (ACS) provides an unintentional administration web interface based on Apache Tomcat, which allows remote authenticated users to modify application files and configuration files, and consequently execute arbitrary code, by leveraging administrative privileges, aka B...

CVE-2014-9688
Published: 2015-03-05
Unspecified vulnerability in the Ninja Forms plugin before 2.8.10 for WordPress has unknown impact and remote attack vectors related to admin users.

CVE-2015-0598
Published: 2015-03-05
The RADIUS implementation in Cisco IOS and IOS XE allows remote attackers to cause a denial of service (device reload) via crafted IPv6 Attributes in Access-Accept packets, aka Bug IDs CSCur84322 and CSCur27693.

CVE-2015-0607
Published: 2015-03-05
The Authentication Proxy feature in Cisco IOS does not properly handle invalid AAA return codes from RADIUS and TACACS+ servers, which allows remote attackers to bypass authentication in opportunistic circumstances via a connection attempt that triggers an invalid code, as demonstrated by a connecti...

CVE-2015-0657
Published: 2015-03-05
Cisco IOS XR allows remote attackers to cause a denial of service (RSVP process reload) via a malformed RSVP packet, aka Bug ID CSCur69192.

Dark Reading Radio
Archived Dark Reading Radio
How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industry’s professional organizations about how security pros can get more involved – with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.