As expected, I caught a lot of flak for last week’s column suggesting that one of the better, real security solutions an administrator could implement is to prevent unauthorized programs from executing on business-owned computers.
I have to say I was surprised to get several letters completely agreeing with me -- mostly from security administrators who have already implemented my suggested policy. They recounted what their environments were like before preventing unauthorized software and afterwards, none would change back. Several C-level administrators wrote me to say that employees trying to circumvent their company-mandated images would be fired for the first offense.
More common, unfortunately, were the e-mails admonishing that I would stifle employee creativity and doom the company to catastrophic failure. One reader spelled it out like this: “The problem is that you are trying to make your job easy. Your prescription gets that done. No question. But at what cost to the organization? In the end organizations exist to make profits (private sector) and add value for their customers (all sectors). Not to be secure. Security is part of the picture but only a supporting part. Your suggestions amount to 'everything not explicitly permitted is denied.' Organizations and societies that operate like this wind up static, stagnant, and wither away.”
I like this reader’s e-mail in particular because it captures the fears accurately. Similarly, several educational institutions wrote to tell me that I would be killing “academic freedom” by preventing unsanctioned programs.
I appreciate these readers’ comments, but I don’t buy their arguments. Underlying my recommendation is the most significant change that has occurred to computer security in recent years. Nearly 99 percent of all malware exists to steal victim information. Let that sink in a moment. We now call it crimeware, and nearly 99 percent of all organizations aren’t doing enough to prevent it.
The risk is high, and most entities are still treating the threat as if the world of malicious hacking is still full of teenagers sending greetz out to their peers or trying to flood e-mail systems with identical e-mail copies. It’s a different threat model now, and yesterday’s defenses didn’t work yesterday, much less today.
Most companies need a drastic wake-up call. It can be my column or a security event. It’s your choice.
If you’re against my recommendation to crack down on unauthorized programs, is it innovation you don’t want to stop or a fear that you and your co-workers won’t be able to install the latest guilty pleasure software on your work PC?
Most software that users install does not come close to fulfilling a business objective. Preventing your end-users from installing Gator, Hotbar, AIM, Party Poker, P2P file-sharing programs, illegally downloaded music, and everything else they want to install will not stop innovative progress.
IM is a good example of an app that users love but isn’t necessarily good for business. About a decade ago, IM began to appear in corporate environments, installed and used by end-users without IT or administration approving it. Heck, IM vendors went so far as to create firewall-evading install routines to ensure their IM products would intentionally circumvent IT-initiated firewall policies. IM has even been incorporated into a few corporate communication products.
But for the most part, it’s a complete waste of time for most businesses. Employees aren’t sending IMs to other employees and partners about business issues. It’s mostly a way for employees to conduct more private personal chats on company time without being seen connected to a telephone all the time.
IM worms and viruses are still gaining popularity. P2P programs regularly publish confidential files to the Internet. Illegal music downloads are, well, illegal, and they use copious amounts of network bandwidth. I love to play online poker, but maybe it’s not the best use of my company’s paid time.
How many of your employees during the past 12 months have been buying and installing GotoMyPC without your knowledge? Take a look -- you may find out that the employee has been accessing his or her computer desktop from home for weeks or months. How convenient. No security issues there, right?
If we could trust employees to only install nonmalicious and productive applications, it would be good for the company. But most users will download junk and malware. In general, end-users can’t be trusted to make appropriate risk decisions. Let them trash their home machines instead.
It's like a company car: You probably can't repaint it, jack it up, or add a nitro tank to the fuel system. That doesn't stop you from driving it anywhere you want to go though. You might drive faster with a nitro tank installed, but you'll blow out the engine a lot more quickly and end up on the side of the road or needing a tow. If I prevent you from installing the nitro tank, you'll travel a lot further without a breakdown and will get more accomplished over the long run. Many companies don’t mind you using the company car for personal business as long as you don’t wreck it. Why can’t it be the same with company-owned computers?
What those who say my primary defense stifles innovation and creativity don’t understand is that not allowing unauthorized software to be installed leads to more, faster innovation.
Yes, I make a living from installing inadequate, doomed-to-fail-several-times-a-year, expensive computer defense solutions and fighting the computer bad guys, but I’d love not to have to do it. Really. How wonderful would our lives be if we actually spent more time helping end-users be more productive? Instead of showing an end-user how to be more innovative with their computer, I’m troubleshooting to find why it’s so slow, removing adware and spyware, reinstalling, and fighting rootkits.
Denying all unauthorized software by default leads to more innovation, lower costs, and fewer complaints. The people rallying against this recommendation haven’t tried it.
But if you simply can’t justify denying all unauthorized software by default, consider making two classes of end-users. The users who “get” computer security -- and don’t install stupid things -- can have free rein. But the 98 percent of your users who've just gotta install that free screensaver or free game should be locked down.
If you still disagree with me, tune in next week and I'll show you where you fit into the Grimes Hierarchy of Computer Security model.