We live in a world of malware. Spyware, Adware, Virii, and generally annoying programs saturate the landscape of the web. Users don’t even have to really try to get these infections either. Just visiting some websites can lead to infection if you’re blissfully unaware of the evil in EULA’s. To combat this problem, a large number of corporations automatically remove Administrator rights from user’s computers. This sounds like a great idea, but atleast until Vista, Microsoft Employees all have administrative rights on their own workstations!

Worse than your IT Staff being unfamiliar with userland without privileges, is the OS DEVELOPER being relatively unfamiliar with its interface without administrative privileges. Even with this protection, attackers can still escalate privileges, or circumvent that fact by exploiting programs that HAVE to run as administrator. Take a look at the Secunia database for JUST the Operating System flaws in Microsoft Windows XP Pro. A search for “antivirus” on Secunia is also a bit depressing, listing 88 vulnerabilities for Antivirus Suites.

Aside from hackers, technologically inclined staff can undermine your group policies in several interesting ways. Network security can be circumvented just as easily. The advent of portable applications and network anonimizers, techniques used by “bad guys” for years, have destroyed policy’s strong hold on the corporate network. Determined users will knock down any and all technological barriers to their productivity.
Even if you’ve managed to take all the precautions to prevent the circumvention of your policies, including BIOS Protection, a determined user armed with google can circumvent your BIOS password and just boot up into Ubuntu or any number of other free, live CD distributions of linux to escape all of your fancy Active Directory Based security policies. From there it’s trivial for users to do what they want. Using WINE and OpenOffice, they can be just as productive as normal users, and far less restricted.

The bottom line is that the users have to be able to comfortably work within your organization with your security policies before your policies are effective at preventing breaches. There are a number of factors, far beyond the reach of most corporate IT Policies & Procedures documents that need to be addressed.

Employees honestly need to feel like a part of the organization, which is difficult when you consider how upper management is distancing itself from the worker bees. As retarded as it sounds, when the average worker is being degraded by executives who take home more in BONUSES than most DEPARTMENTS take home cumulatively in their organization over the course of a year, there’s incentive for corporate espionage and sabotage. This has been witnessed several times in history. I’ll stop before I get political, but bottom line, is there will never be “Information Security” in a country where there’s an obsurd distinction between rich & poor.

Employees must also be given certain amount of Trust to give them a feeling of belonging or exclusivity. The tools to provide accountability to actions on your network are readily available, so should they fall out of line, you can casually remind them or adjust your policy if necessary. If there’s no trust in the organization, the employee is forced to look out exclusively for themselves, which means they’ll be much more likely to act without regard to their impact on the organization.

Employees need room to grow and learn. Without the potential to better themselves and their monetary compensation for their laborious contributions to your organization, the employees will leave, taking with them knowledge of your security measures. They will also be more receptive to ideas of subterfuge, infidelity, and mutiny. Reward your employees whenever possible.

Eventually you’ll get to the IT side of Network Security. Basic preventive and passive monitoring measures should be deployed on the network to prevent outsiders from attacking. The prevention of “insider attacks” requires more than just a Booklet of IT Security Rules. Those rules should be flexible enough to be deployed throughout the organization, with as few exceptions as possible. Ideally you want your computer systems working for you, not getting in your way.

Regardless of the policies you decide on, the IT group should be the FIRST group to adopt the policy, trickle out from there. That way you can determine and fix potential problem for power users before the CTO kicks your door in.

This concept is key to PROGRAMMING. What I find astounding, is a large majority of corporations are adopting this practice for ALL IT related issues, and it’s even saturating into HR and other areas of employment. Working as a Security Administrator, I’m surprised that most employers have decided to not trust their employees. If you can’t trust them, then why would you hire them?

Some key differences between “users” and “employees”. We’ll assume for the sake of argument, that we’re talking about a Web Application and an Employee’s Desktop Computer.

Web Applications:

• Usually allow most of the internet to establish a connection.
• Usually implement a custom or home-grown authentication schema.
• Usually implement a custom separation of privilege system.
• Usually users are not screened prior to access.

Employee’s Desktop Computer:

• Usually require physical acces (normally, badged entrance to a building, sector of a building, and possibly a room key).
• Usually sit behind fairly restrictive firewalls that block unrequested inbound communication from external places.
• Usually implement a centrally controlled authentication system like ActiveDirectory, or LDAP.
• Usually this process is linked directly into HR’s New Hire / Termination Process
• Permission and ACL system’s are usually tied directly into ActiveDirectory and/or LDAP
• Users are screened through the interview process. They also tend to be known to the organization.
• Actions on the systems usually include a system for accountability wherein an event can be traced directly back to a particular user.

Yes, there are exceptions. I know Kevin Mitnik would just walk into a building behind an employee, pretend like he belonged there and sit down at an unused computer and “hack” internally. However, people like Mitnik are exceptions to the rule. Most of these pimply faced, angst ridden, EMO listening script kiddies don’t have the courage necessary to “hack” at a social level.

So why doesn’t your organization trust you? They can easily punish & revoke acccess after repeat offenses. Theoretically, it’s not more work than is currently being done. Actually, if users had administrative rights over their pc’s, they could install the software they need to get their jobs done without putting in tickets to a corporate help desk. Would machines get thrashed by malware and stupid ass HotBar installs? Of course, but how many untrusting environments currently deal with those problems as is?

The fact is, virus and malware writers are clever. Certain processes run as administrator on a windows machine regardless of the user logged in. Using the builtin messaging systems, the malware writers can force their installer to run as administrator if you have an Antivirus process running. So in a sense, we have policies that impact and impede employees while not really eliminating the serious threats they’re being flagged as preventing.

Currently, using a combination of open source tools at work, we’re trusting our users. If they’re not productive, they don’t stick around. We get the IT overhead the hell out of their way and let them be productive. The result has been more effective employees. We do have problems occassionally, but every IT section fights the occassional virus or malware outbreak. Even cooler, the system we’ve adapted has helped us automate a lot of the fight because we’ve had far more time free to implement proactive and reactive network security policies since we’re not spending all our time installing Adobe Acrobat on all 800 of our users’ Desktops.

We’ve also noticed that when users feel trusted, they tend to have a much more positive outlook on the whole IT field. I’ve been in environments where users hate their computer so much they become beligerent the second they get an error message. Granted, we still have angry users, but much less frequently than previously. We hired our employees because they were the best candidates and part of their job is being responsible. If they’re not responsible, they don’t last long.

Of course, there’s an additional piece to consider. Now that we’ve nailed down the monitoring and accountability, we’ve noticed that after users get warned about something once, they generally don’t repeat offenses. They genuinely want to be secure. Do you honestly think your employees want to compromise their personal data, trade secrets, or customer data? Hell no! That’s bad. No one wants bad. They generally don’t know not to click the f*cking monkey until you tell them not to. It’s education.

The internet is a scary place filled with promises of riches beyond your wildest imagination. That promise, techies know is no different than any opportunity that existed prior to the internet. Usually, if it sounds too good to be true, it generally is. Users need and want to be better educated about the threats they face online. Just like you paid that consultant to come in and teach best practices to your programmers, you should put together classes for users to get education on the internet and computers.

If you don’t believe me, I dare you to put together an introductory course to internet safety for your users. Offer the class, don’t force it down their throats and see what the response is. Also, please don’t be ignorant to non-work related issues. Your employees screw around at work, and if they like you, they work at home. So, address clicking on the monkey and myspace.com and the threats that they face on those sites. Don’t be arrogant and make the class fun.

Even if a small percentage come to the first class, they’ll generally spread that knowledge to co-workers and friends virally. The average person wants to know and use best practices for maintaining security on their home & work PCs. They don’t want the world to know that they just bought Yanni tickets!

Generally speaking, not trusting the users is a GOOD thing for PROGRAMMING. However, used as blanket policy for your employees, it creates an environment of distrust and disdain. It will undermine any “team building” seminars you just paid for to help people “synergize”. They’re your employees and many of you spend more time at work than with your own families. If you’re around people you can’t trust, GET OUT OF THERE NOW. IT Policies will not help you in this case.