Continued debate on desktop lockdowns

To make the case for unauthorized software bans more clear, Roger heads once more into the breach

A few columns ago, I suggested the single best security defense any company could implement is to prevent users from installing any unauthorized software.

The adulation and the critical response was overwhelming. I got so many people telling me I’m an idiot that you would have thought I had said something critical about a Mac computer. (Mom, no need to write next time, just call.)

[ Talkback: Desktop lockdown debate ]

Many critics wrote that I was an off-the-deep-end security zealot who didn’t really understand how IT security was just a part of the business, and not THE business. And this was from my friends and colleagues. Yeah, my CPA, years of graduate business school, and years as a C-level exec are forgotten.

My advice would doom any company following it to utter failure and miserable employees, my critics continued to complain. This comes despite the fact that most of the Fortune 1000 companies already do what I recommend and still continue to grow -- and have satisfied employees.

Most critics felt I’ve been embedded in the security world too long and I’m overstating the risk. Let me counter with the following statements (which I shared on my colleague Bob Lewis’ Advice Line blog):

Statement 1: Ninety-nine percent of today's malware exists to steal money, identity information, and data. This isn't my warm and fuzzy best guess. It's data from Symantec, McAfee, MessageLabs, Postini, etc. Read their quarterly and monthly threat reports. Go to any of their sites and view the top 50 threats. If you find a single threat that doesn't do what I reveal, please write back. I didn't come up with this figure on my own.

(If you allow end-users to install their own software, it means they are logged in as Administrator or root. If you were to reveal this fact to any security group, the critical responses would be tremendous.)

Statement 2: If you allow end-users to install anything they like, a remote attacker can easily gain unauthorized access to anything but the most secure companies. It can be done by spamming your company with very legitimate-looking e-mails from a company executive about a topical event, which really contain rogue malware. It can be done by dropping infected USB keys in your parking lot, or by placing a CD-ROM labeled “Pending 2006 Layoffs” in your company. The tricks are well-known and have worked on every company I’ve ever tried them on. There isn’t a professional penetration tester you can find who will not tell you the same. It’s a cake walk.

My one-off, unscannable, client-side trojan program "dials home" using port 443 (which is allowed out through every firewall I've encountered) using encrypted data streams. Virus scanners don't pick it up; IPSs and IDSs don't pick it up; and certainly end-users and security administrators don't pick it up.

If you're a reader who believes your company can't easily be compromised by socially engineering at least one of your employees into installing software they really shouldn't, please write me.

Statement 1 is true. If Statement 2 is also correct for you, then continuing to allow end-users to make software-install choices means you've accepted that your company can be compromised at will by almost any hacker. It means that with a minimum amount of effort your company's databases and corporate secrets can be compromised.

That's okay. All security is a cost/benefit trade-off, and different companies accept different levels of risk.

But it is a big risk to take. If you took the current risk of Statement 1 to management, followed by a statement that it's relatively easy for a hacker to client-side, socially engineer your employees, would it not be management's fiduciary responsibility to require a better defense?

If your current defenses can't stop a user from installing my trojan program and compromising your network at will, shouldn't you be doing something different to offset the risk? Maybe not desktop lockdown, but shouldn't you be doing something different, instead of just waiting passively for the inevitable attack?

If Statement 2 is true for you, and you do nothing different, it means you either don't believe Statement 1, or you are playing the odds that attackers won't target your company -- and if they do, they really won't do much real damage. Me, I'd rather gamble off company time.

My one best recommendation may not be for you, but if Statement 2 is true for you, and you are tasked with computer security defense, it begs you to do something different.