
Commentary
7/12/2010 02:10 PM
John H. Sawyer

Friction-Free Security

As security professionals, we want our network to be as secure as possible. The exception is if we're hired to break into it, but even then our job is to help secure the network to prevent future break-ins. The problem is that in securing our networks, it's easy to forget about the user and the "business."

We get excited about features like security posture assessment checks for the machine plugging into the network or connecting via the VPN. Being able to prevent unpatched laptops with outdated antivirus from connecting to our network is great, but we forget that the machines connecting in might belong to a contractor or business partner who doesn't have administrative privileges and cannot apply updates to his system. If he can't connect, then he can't work, and security just became the bad guy for inhibiting productivity.

In the blog post "InfoSec Professionals: Come Down Off Your Pedestal," the writer, Xavier, ran into a similar problem: a co-worker had sent a message about an upgrade of their SSL VPN. When the upgrade was over, Xavier couldn't connect because his machine failed the "host checks." He was able to find a workaround to get in and bring his machine up to standard so it would pass, but how would users have dealt with the situation if they were on the road and suddenly couldn't get in? "Myrcurial" used the term "friction-free security" in his comment, and it's so fitting.

Security programs need to include procedures and solutions to secure the environment, but they also have to balance the user's productivity and functionality. A better solution for the scenario Xavier found himself in would have been for his co-worker to put the posture assessment in a "warning" mode: users are notified that their machines aren't up to corporate standards and have two to four weeks to correct the problem before they lose access. Remediation also needs to be easy.
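As an added example (not code from this post, and not from any NAC product), here is a small Python model of the warn-first, block-after-a-grace-period policy: each failing endpoint's grace clock starts at its first failed check, warning mode never blocks anyone, enforcement quarantines only hosts whose deadline has already passed, and a quarantined host is still allowed to reach the update and help-desk servers so it can fix itself. The baseline thresholds, the 21-day grace period, the `*.corp.example` server names and the sample endpoints are all constructed assumptions for illustration.

```python
"""Posture-assessment policy with a warning mode, a grace period and a
remediation-only quarantine. Added example; every threshold, host name and
endpoint below is a constructed assumption, not data from the original post."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

ALLOW, WARN, QUARANTINE = "allow", "warn", "quarantine"

# Hypothetical corporate baseline and rollout parameters (assumptions).
MAX_AV_SIGNATURE_AGE_DAYS = 7
GRACE_PERIOD = timedelta(days=21)          # inside the post's "two to four weeks"
DAY0 = date(2010, 7, 12)                   # constructed start of the rollout

# What a quarantined host may still reach so it can fix itself (hypothetical names).
REMEDIATION_ALLOWLIST = ("av-updates.corp.example", "patches.corp.example",
                         "helpdesk.corp.example")


@dataclass
class Endpoint:
    name: str
    av_signature_age_days: int
    missing_critical_patches: int
    has_admin_rights: bool                  # contractor/partner machines often lack them
    first_failed: Optional[date] = None     # start of this host's grace clock


@dataclass
class Decision:
    action: str
    reasons: List[str] = field(default_factory=list)
    deadline: Optional[date] = None
    allowed_destinations: Tuple[str, ...] = ()
    remediation: str = ""


def failed_checks(ep: Endpoint) -> List[str]:
    """Return the human-readable reasons an endpoint misses the baseline."""
    reasons = []
    if ep.av_signature_age_days > MAX_AV_SIGNATURE_AGE_DAYS:
        reasons.append(f"antivirus signatures are {ep.av_signature_age_days} days old")
    if ep.missing_critical_patches > 0:
        reasons.append(f"{ep.missing_critical_patches} critical patch(es) missing")
    return reasons


def remediation_hint(ep: Endpoint) -> str:
    """Tell the user something they can actually act on."""
    if ep.has_admin_rights:
        return "update antivirus and install critical patches from the allowed servers"
    return "no admin rights on this host: contact the help desk to have it updated"


def evaluate(ep: Endpoint, today: date, enforce: bool) -> Decision:
    """Decide what the NAC does with `ep` today.

    enforce=False is warning mode: nobody is blocked, but each failing host's
    grace clock starts, so switching enforcement on later surprises nobody whose
    deadline has not passed. A host that first fails after enforcement is on
    still gets the full grace period.
    """
    reasons = failed_checks(ep)
    if not reasons:
        ep.first_failed = None              # healthy again: reset the grace clock
        return Decision(ALLOW)

    if ep.first_failed is None:
        ep.first_failed = today
    deadline = ep.first_failed + GRACE_PERIOD

    if not enforce or today <= deadline:
        return Decision(WARN, reasons, deadline, remediation=remediation_hint(ep))
    return Decision(QUARANTINE, reasons, deadline, REMEDIATION_ALLOWLIST,
                    remediation_hint(ep))


def run_demo() -> List[Tuple[str, int, str]]:
    """Walk constructed sample endpoints through a warn-then-enforce rollout."""
    staff = Endpoint("staff-laptop", 2, 0, has_admin_rights=True)
    contractor = Endpoint("contractor-pc", 30, 3, has_admin_rights=False)
    newcomer = Endpoint("new-partner-pc", 12, 1, has_admin_rights=False)
    timeline = []

    # Days 0 and 14: warning mode only. The contractor is told, not blocked.
    for offset in (0, 14):
        for ep in (staff, contractor):
            action = evaluate(ep, DAY0 + timedelta(days=offset), False).action
            timeline.append((ep.name, offset, action))

    # Day 22: enforcement on. The contractor's 21-day grace period has run out,
    # but a host seen failing for the first time today only gets a warning.
    for ep in (staff, contractor, newcomer):
        timeline.append((ep.name, 22, evaluate(ep, DAY0 + timedelta(days=22), True).action))

    # Day 23: the contractor's machine was remediated from quarantine.
    contractor.av_signature_age_days, contractor.missing_critical_patches = 0, 0
    timeline.append((contractor.name, 23,
                     evaluate(contractor, DAY0 + timedelta(days=23), True).action))
    return timeline


if __name__ == "__main__":
    for name, day, action in run_demo():
        print(f"day {day:2d}: {name:15s} -> {action}")
```

Running the file prints the rollout timeline for the constructed endpoints. Two details matter in practice: a host that first fails after enforcement is switched on still gets its full grace period rather than being cut off the day the switch is flipped, and a quarantined partner machine without admin rights is told to contact the help desk instead of being told to patch itself, which is exactly the contractor case above.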
I'm working with a group who will be deploying network access control in the near future, with plans to enable posture assessments of endpoints first in warning mode, then blocking after a grace period. The key is making sure the failed endpoints end up in a quarantine area and have the means to update their antivirus or patch their machines as needed.

I've always used the term "transparent" when talking about how security should be for the user, but "friction-free" is one description I'll probably start using because I think it gives off a better sense of the compromises that must go into building effective security into an environment.

As a quick aside, version 3.4.1 of the Metasploit Framework was just released, so go grab it. It contains some good updates, including new exploits, auxiliary modules, and 11 new Meterpreter scripts. Congrats to "Egypt" for becoming the new manager of the Metasploit Project.

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.
