In most of the organizations I’ve been a part of, the IT staff has exemptions from IT policies, if not significantly escalated privileges. This distances them from their users. I also happen to know and test MANY different ways to circumvent the policies and controls in place on the network. You can’t push policies and haphazardly grant exceptions to those policies to the group in charge of making them.
We live in a world of malware. Spyware, adware, viruses, and generally annoying programs saturate the landscape of the web. Users don’t even have to really try to get these infections, either. Just visiting some websites can lead to infection if you’re blissfully unaware of the evil in EULAs. To combat this problem, a large number of corporations automatically remove Administrator rights from users’ computers. This sounds like a great idea, but at least until Vista, Microsoft employees all had administrative rights on their own workstations!
Worse than your IT staff being unfamiliar with userland without privileges is the OS DEVELOPER being relatively unfamiliar with its own interface without administrative privileges. Even with this protection, attackers can still escalate privileges, or sidestep it entirely by exploiting programs that HAVE to run as administrator. Take a look at the Secunia database for JUST the operating system flaws in Microsoft Windows XP Pro. A search for “antivirus” on Secunia is also a bit depressing, listing 88 vulnerabilities for antivirus suites.
Aside from hackers, technologically inclined staff can undermine your group policies in several interesting ways. Network security can be circumvented just as easily. The advent of portable applications and network anonymizers, techniques used by “bad guys” for years, has destroyed policy’s firm hold on the corporate network. Determined users will knock down any and all technological barriers to their productivity.
Even if you’ve managed to take all the precautions to prevent the circumvention of your policies, including BIOS protection, a determined user armed with Google can circumvent your BIOS password and just boot into Ubuntu or any number of other free, live CD distributions of Linux to escape all of your fancy Active Directory-based security policies. From there it’s trivial for users to do what they want. Using WINE and OpenOffice, they can be just as productive as normal users, and far less restricted.
The bottom line is that users have to be able to work comfortably within your organization under your security policies before those policies are effective at preventing breaches. There are a number of factors, far beyond the reach of most corporate IT Policies & Procedures documents, that need to be addressed.
Employees honestly need to feel like a part of the organization, which is difficult when you consider how upper management is distancing itself from the worker bees. As ridiculous as it sounds, when the average worker is being degraded by executives who take home more in BONUSES than most DEPARTMENTS take home cumulatively over the course of a year, there’s incentive for corporate espionage and sabotage. This has been witnessed several times in history. I’ll stop before I get political, but the bottom line is that there will never be “Information Security” in a country where there’s an absurd distinction between rich and poor.
Employees must also be given a certain amount of trust to give them a feeling of belonging or exclusivity. The tools to provide accountability for actions on your network are readily available, so should they fall out of line, you can casually remind them or adjust your policy if necessary. If there’s no trust in the organization, the employee is forced to look out exclusively for themselves, which means they’ll be much more likely to act without regard to their impact on the organization.
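The post says the tools for accountability are readily available but does not show one. As an added example (not code from the original post), the script below scans Windows Security event records for grants into the local Administrators group and reports every grant that has no approved exception on file, plus any account that added itself. It ties the earlier point about removing Administrator rights to this one about accountability: the exemptions the IT group gives itself are exactly what such a report surfaces. Event ID 4732 (“A member was added to a security-enabled local group”) and the field names `Computer`, `TargetUserName`, `MemberName` and `SubjectUserName` are real Windows Security log fields; the event records, host names, account names and the change-ticket register are constructed sample data, and the idea of keying approvals on (host, member) is an assumption about how you track exceptions.

```python
"""Report local-Administrators grants that lack an approved exception.

Added example, not from the original post. Windows event ID 4732 and the
field names used below are real; every record, host, account and ticket
number here is constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class AdminGrant:
    host: str        # workstation where the group changed
    group: str       # local group that gained a member
    member: str      # account that was added
    actor: str       # account that performed the change
    ticket: Optional[str]  # approved change ticket, or None if no exception on file


# Constructed sample records shaped like the structured fields of Windows
# Security events. Only EventID 4732 matters here; 4624 (logon) is noise.
SAMPLE_EVENTS: List[dict] = [
    {"EventID": 4732, "Computer": "ws-finance-07", "TargetUserName": "Administrators",
     "MemberName": "CORP\\jdoe", "SubjectUserName": "CORP\\helpdesk1"},
    {"EventID": 4732, "Computer": "ws-it-02", "TargetUserName": "Administrators",
     "MemberName": "CORP\\itadmin", "SubjectUserName": "CORP\\itadmin"},
    {"EventID": 4732, "Computer": "ws-finance-07", "TargetUserName": "Remote Desktop Users",
     "MemberName": "CORP\\jdoe", "SubjectUserName": "CORP\\helpdesk1"},
    {"EventID": 4624, "Computer": "ws-it-02", "TargetUserName": "CORP\\itadmin"},
    {"EventID": 4732, "Computer": "ws-hr-01", "TargetUserName": "Administrators",
     "MemberName": "CORP\\asmith", "SubjectUserName": "CORP\\helpdesk1"},
]

# Constructed change-ticket register (assumption: exceptions are approved per
# host and account). Any grant not listed here is an unapproved exception.
APPROVED_EXCEPTIONS: Dict[Tuple[str, str], str] = {
    ("ws-finance-07", "CORP\\jdoe"): "CHG-1001",
}


def extract_admin_grants(events: Iterable[dict], group: str = "Administrators",
                         approved: Dict[Tuple[str, str], str] = APPROVED_EXCEPTIONS) -> List[AdminGrant]:
    """Keep only 4732 events that target the given local group."""
    grants: List[AdminGrant] = []
    for ev in events:
        if ev.get("EventID") != 4732 or ev.get("TargetUserName") != group:
            continue
        key = (ev["Computer"], ev["MemberName"])
        grants.append(AdminGrant(host=ev["Computer"], group=group,
                                 member=ev["MemberName"], actor=ev["SubjectUserName"],
                                 ticket=approved.get(key)))
    return grants


def unapproved(grants: Iterable[AdminGrant]) -> List[AdminGrant]:
    """Grants with no change ticket on file: policy exceptions nobody signed off."""
    return [g for g in grants if g.ticket is None]


def self_granted(grants: Iterable[AdminGrant]) -> List[AdminGrant]:
    """An account adding itself to Administrators is the 'exemption for the
    policy makers' pattern the post warns about, so surface it on its own."""
    return [g for g in grants if g.actor == g.member]


def report(events: Iterable[dict]) -> List[str]:
    """Human-readable lines; returned (not just printed) so callers can test it."""
    grants = extract_admin_grants(events)
    lines = [f"{len(grants)} grant(s) into Administrators observed"]
    for g in unapproved(grants):
        lines.append(f"UNAPPROVED: {g.member} added on {g.host} by {g.actor}")
    for g in self_granted(grants):
        lines.append(f"SELF-GRANT: {g.member} added themselves on {g.host}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_EVENTS)))
```

In practice the event list comes from a SIEM query or from the Security log exported as XML or JSON on each workstation; the point of the (host, member) register is that an exception becomes a recorded decision rather than a quiet privilege, which is what lets you “casually remind” someone instead of discovering the exemption months later.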
Employees need room to grow and learn. Without the potential to better themselves and their monetary compensation for their laborious contributions to your organization, employees will leave, taking with them knowledge of your security measures. They will also be more receptive to ideas of subterfuge, infidelity, and mutiny. Reward your employees whenever possible.
Eventually you’ll get to the IT side of network security. Basic preventive and passive monitoring measures should be deployed on the network to keep outsiders from attacking. The prevention of “insider attacks” requires more than just a booklet of IT security rules. Those rules should be flexible enough to be deployed throughout the organization, with as few exceptions as possible. Ideally you want your computer systems working for you, not getting in your way.
Regardless of the policies you decide on, the IT group should be the FIRST group to adopt the policy, and it should trickle out from there. That way you can find and fix potential problems for power users before the CTO kicks your door in.