As security professionals, we want our network to be as secure as possible. The exception is if we're hired to break into it, but even then our job is to help secure the network to prevent future break-ins. The problem is that in securing our networks, it's easy to forget about the user and the "business." We get excited about features like security posture assessment checks for the machine plugging into the network or connecting via the VPN. Being able to prevent unpatched laptops with outdated antivirus from connecting to our network is great, but we forget that the machine connecting in might belong to a contractor or business partner who doesn't have administrative privileges and cannot apply updates to the system.
If that person can't connect, then they can't work, and security just became the bad guy for inhibiting productivity.
In the blog "InfoSec Professionals: Come Down Off Your Pedestal," the writer, Xavier, ran into a similar problem: a co-worker had sent a message about the upgrade of their SSL VPN, and when the upgrade was over, Xavier couldn't connect because his machine failed the "host checks." He was able to find a workaround to get in and bring his machine into compliance, but how would users have dealt with the situation if they were on the road and suddenly couldn't get in?
"Myrcurial" used the term "friction-free security" in his comment, and it's so fitting. Security programs need to include procedures and solutions to secure the environment, but they also have to balance the user's productivity and functionality. A better solution for the scenario Xavier found himself in would have been for his co-worker to put the posture assessment in a "warning" mode. Users could be notified that their machines aren't up to corporate standards and that they have two to four weeks to correct it before they lose access.
Remediation also needs to be easy. I'm working with a group that will be deploying network access control in the near future, with plans to enable posture assessments of endpoints first in warning mode, then blocking after a grace period. The key is making sure the failed endpoints end up in a quarantine area and have the means to update their antivirus or patch their machines as needed.
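To make the "warn first, quarantine later" approach concrete, here is an added example of the decision logic a NAC policy engine would need. It is not code from the original post or from any NAC product; the check names, the 7- and 30-day standards, the two-week grace period, the remediation hostnames and the endpoint timeline are all constructed assumptions. The point it illustrates is that the grace period has to be tracked per endpoint from the day it first fails, so a road warrior is never cut off by a global switch the way Xavier was, and that a quarantined endpoint still needs a path to the servers that can fix it.

```python
"""Per-endpoint NAC posture decision with a grace period and remediation quarantine.

Added example only; thresholds, hostnames and the sample timeline are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed corporate standards and grace window (the post suggests two to four weeks).
MAX_AV_DEFINITION_AGE = timedelta(days=7)
MAX_PATCH_AGE = timedelta(days=30)
GRACE_PERIOD = timedelta(days=14)

# Assumed hosts a quarantined endpoint may still reach so it can remediate itself.
REMEDIATION_ALLOWLIST = frozenset({
    "av-update.example.internal",   # antivirus definition server
    "wsus.example.internal",        # patch server
    "nac-portal.example.internal",  # page explaining what failed and how to fix it
})


@dataclass
class Posture:
    """What the NAC agent reports about an endpoint at check-in."""
    av_definitions_date: date
    last_patch_date: date
    firewall_enabled: bool


@dataclass
class Decision:
    action: str                          # "allow", "warn" or "quarantine"
    failures: list[str]
    deadline: Optional[date]             # last day the endpoint is still admitted
    allowed_destinations: Optional[frozenset[str]]  # only set when quarantined


def failed_checks(p: Posture, today: date) -> list[str]:
    """Return human-readable reasons the endpoint is out of policy (empty if compliant)."""
    failures = []
    if today - p.av_definitions_date > MAX_AV_DEFINITION_AGE:
        failures.append("antivirus definitions older than 7 days")
    if today - p.last_patch_date > MAX_PATCH_AGE:
        failures.append("OS patches older than 30 days")
    if not p.firewall_enabled:
        failures.append("host firewall disabled")
    return failures


class PostureTracker:
    """Remembers when each endpoint first failed, so the grace period is per endpoint."""

    def __init__(self) -> None:
        self._first_failure: dict[str, date] = {}

    def evaluate(self, endpoint_id: str, posture: Posture, today: date) -> Decision:
        failures = failed_checks(posture, today)
        if not failures:
            # Compliant again: forget the old failure so a future lapse gets a fresh clock.
            self._first_failure.pop(endpoint_id, None)
            return Decision("allow", [], None, None)
        first = self._first_failure.setdefault(endpoint_id, today)
        deadline = first + GRACE_PERIOD
        if today <= deadline:
            # Inside the grace window: admit, but tell the user what to fix and by when.
            return Decision("warn", failures, deadline, None)
        # Past the deadline: restrict to remediation hosts only, never a dead end.
        return Decision("quarantine", failures, deadline, REMEDIATION_ALLOWLIST)


def run_scenario() -> list[tuple[int, str]]:
    """Constructed timeline: a contractor laptop with stale AV definitions checks in
    on days 0, 7, 14 and 15, then updates via the quarantine allowlist on day 16."""
    tracker = PostureTracker()
    start = date(2010, 6, 1)
    stale = Posture(av_definitions_date=start - timedelta(days=30),
                    last_patch_date=start - timedelta(days=5),
                    firewall_enabled=True)
    results = []
    for offset in (0, 7, 14, 15):
        d = tracker.evaluate("contractor-laptop", stale, start + timedelta(days=offset))
        results.append((offset, d.action))
    fixed = Posture(av_definitions_date=start + timedelta(days=16),
                    last_patch_date=start + timedelta(days=16),
                    firewall_enabled=True)
    d = tracker.evaluate("contractor-laptop", fixed, start + timedelta(days=16))
    results.append((16, d.action))
    return results


if __name__ == "__main__":
    for day, action in run_scenario():
        print(f"day {day:2d}: {action}")
```

Note that the deadline is computed from the endpoint's own first failure, not from the day the policy was switched on, and that the quarantine decision carries the allowlist the network layer would enforce; a user locked out with no route to the update server is exactly the outcome the post argues against.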
I've always used the term "transparent" when talking about how security should be for the user, but "friction-free" is one description I'll probably start using because I think it gives off a better sense of the compromises that must go into building effective security into an environment.
As a quick aside, version 3.4.1 of the Metasploit Framework was just released, so go grab it. It contains some good updates, including new exploits, auxiliary modules, and 11 new Meterpreter scripts. Congrats to "Egypt" for becoming the new manager of the Metasploit Project.
John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.