Continued debate on desktop lockdowns

A few columns ago, I suggested the single best security defense any company could implement is to prevent users from installing any unauthorized software.

The adulation and the critical response was overwhelming. I got so many people telling me I’m an idiot that you would have thought I had said something critical about a Mac computer. (Mom, no need to write next time, just call.)

[ Talkback: Desktop lockdown debate ]

Many critics wrote that I was an off-the-deep-end security zealot who didn’t really understand how IT security was just a part of the business, and not THE business. And this was from my friends and colleagues. Yeah, my CPA, years of graduate business school, and years as a C-level exec are forgotten.

My advice would doom any company following it to utter failure and miserable employees, my critics continued to complain. This comes despite the fact that most of the Fortune 1000 companies already do what I recommend and still continue to grow -- and have satisfied employees.

Most critics felt I’ve been embedded in the security world too long and I’m overstating the risk. Let me counter with the following statements (which I shared on my colleague Bob Lewis’ Advice Line blog):

Statement 1: Ninety-nine percent of today's malware exists to steal money, identity information, and data. This isn't my warm and fuzzy best guess. It's data from Symantec, McAfee, MessageLabs, Postini, etc. Read their quarterly and monthly threat reports. Go to any of their sites and view the top 50 threats. If you find a single threat that doesn't do what I reveal, please write back. I didn't come up with this figure on my own.

(If you allow end-users to install their own software, it means they are logged in as Administrator or root. If you were to reveal this fact to any security group, the critical responses would be tremendous.)

Statement 2: If you allow end-users to install anything they like, a remote attacker can easily gain unauthorized access to anything but the most secure companies. It can be done by spamming your company with very legitimate-looking e-mails from a company executive about a topical event, which really contain rogue malware. It can be done by dropping infected USB keys in your parking lot, or by placing a CD-ROM labeled “Pending 2006 Layoffs” in your company. The tricks are well-known and have worked on every company I’ve ever tried them on. There isn’t a professional penetration tester you can find who will not tell you the same. It’s a cake walk.

My one-off, unscannable, client-side trojan program "dials home" using port 443 (which is allowed out through every firewall I've encountered) using encrypted data streams. Virus scanners don't pick it up; IPSs and IDSs don't pick it up; and certainly end-users and security administrators don't pick it up.

If you're a reader who believes your company can't easily be compromised by socially engineering at least one of your employees into installing software they really shouldn't, please write me.