
7/12/2010
02:10 PM
John H. Sawyer
Commentary

Friction-Free Security

As security professionals, we want our network to be as secure as possible. The exception is if we're hired to break into it, but even then our job is to help secure the network to prevent future break-ins. The problem is that in securing our networks, it's easy to forget about the user and the "business."

We get excited about features like security posture assessment checks for the machine plugging into the network or connecting via the VPN. Being able to prevent unpatched laptops with outdated antivirus from connecting to our network is great, but we forget that the machines connecting in might belong to a contractor or business partner who doesn't have administrative privileges and cannot apply updates to his system. If he can't connect, then he can't work, and security just became the bad guy for inhibiting productivity.

In the blog "InfoSec Professionals: Come Down Off Your Pedestal," the writer, Xavier, ran into a similar problem in which a co-worker had sent a message about the upgrade of the SSL VPN. When the upgrade was over, Xavier couldn't connect because his machine failed the "host checks." He was able to find a workaround to get in and get his machine to pass, but how would users have dealt with the situation if they were on the road and suddenly couldn't get in?

"Myrcurial" used the term "friction-free security" in his comment, and it's so fitting. Security programs need to include procedures and solutions to secure the environment, but they also have to balance the user's productivity and functionality. A better solution for the scenario Xavier found himself in would have been for his co-worker to put the posture assessment in a "warning" mode. Users could be notified that their machines aren't up to corporate standards and that they have two to four weeks to correct it before they lose access. Remediation also needs to be easy.
I'm working with a group who will be deploying network access control in the near future, with plans to enable posture assessments of endpoints first in warning mode, then blocking after a grace period. The key is making sure the failed endpoints end up in a quarantine area and have the means to update their antivirus or patch their machines as needed.

I've always used the term "transparent" when talking about how security should be for the user, but "friction-free" is one description I'll probably start using because I think it gives off a better sense of the compromises that must go into building effective security into an environment.

As a quick aside, version 3.4.1 of the Metasploit Framework was just released, so go grab it. It contains some good updates, including new exploits, auxiliary modules, and 11 new Meterpreter scripts. Congrats to "Egypt" for becoming the new manager of the Metasploit Project.
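The staged rollout described above (posture checks in warning mode first, then quarantine after a grace period) can be sketched as a small decision function. This is an added example, not code from the article or from any NAC product; the `Endpoint` fields, the `ENFORCE_FROM` date and the sample fleet are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

GRACE = timedelta(weeks=4)        # the article suggests two to four weeks
ENFORCE_FROM = date(2010, 8, 16)  # constructed: end of the warning-only phase

@dataclass
class Endpoint:
    name: str
    patched: bool
    av_current: bool
    first_failed: Optional[date] = None  # first day a posture check failed

def failed_checks(ep: Endpoint) -> List[str]:
    checks = (("patches", ep.patched), ("antivirus", ep.av_current))
    return [label for label, ok in checks if not ok]

def decide(ep: Endpoint, today: date) -> Tuple[str, str]:
    """Return (action, message); action is allow, warn or quarantine."""
    failed = failed_checks(ep)
    if not failed:
        return "allow", "compliant"
    # An endpoint seen failing for the first time today starts its grace period
    # now, so a posture-check upgrade never locks a user out without notice.
    first = ep.first_failed or today
    # Block only when the warning-only phase is over AND the grace period ran out.
    deadline = max(first + GRACE, ENFORCE_FROM)
    what = " and ".join(failed)
    if today < deadline:
        days = (deadline - today).days
        return "warn", f"{what} out of date; fix within {days} days to keep access"
    # Quarantine still reaches the update servers, so remediation stays possible.
    return "quarantine", f"{what} out of date; only remediation servers reachable"

if __name__ == "__main__":
    today = date(2010, 8, 20)
    fleet = [  # constructed sample endpoints
        Endpoint("staff-laptop", True, True),
        Endpoint("partner-laptop", False, True, date(2010, 8, 18)),
        Endpoint("road-warrior", True, False),
        Endpoint("lab-desktop", False, False, date(2010, 7, 12)),
    ]
    for ep in fleet:
        print(ep.name, *decide(ep, today))
```

The `max()` is what keeps the rollout friction-free: a machine that first fails after enforcement begins still gets its full grace period, while one that ignored warnings throughout the warning phase is quarantined as soon as enforcement starts.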

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.

 
