A large percentage of computer security problems have origins in a common issue: end-users installing or running programs without administrative approval and control.
Outside of buffer overflows and social engineering attacks, most exploits occur because users inadvertently install unauthorized malware or other programs. Many times, the programs are malicious in nature from the start, such as viruses, worms, Trojans, and spyware; but others are legitimate programs that allow new types of exploits to happen.
Every piece of software is another potential vector for attack. Allow your users to install Macromedia’s Flash component, and you risk exploitation from maliciously coded Flash controls. Install Google’s new search bar and risk confidential information being retrieved. Allow end-users to play personal CDs on their computer and a new rootkit program may be installed. (Thanks, Sony!)
I travel a lot, including visiting a lot of foreign countries where my cell phone does not work. I started using Skype to talk to family and friends wherever I can connect to the Internet. Skype is great -- it sounds better than a cell phone and costs pennies a minute to connect to anybody else’s real phone.
But when I installed it as it was gaining popularity, I knew it was only a matter of time before it would be exploited. Sure enough, within a few months, somebody found some holes, and Skype released some patches. I don’t expect these to be the last security patches that Skype releases.
Every new piece of software that is installed on a PC increases its risk of exploitation, whether the software is Skype, Java, RealPlayer, Firefox, QuickTime, iTunes, or even anti-virus software. I often counsel companies where the single best thing they can do to minimize security vulnerabilities is to control what software its users can install and run. Which browser add-ins are users running? What ActiveX controls are installed? Any administrators out there surprised lately at finding GoToMyPC installed without their knowledge so employees can reach their work desktops from home?
Many -- if not most -- of these companies balk at my advice. Forcing end-users to get IT approval before installing software would create "undue hardship" or "limit academic freedom," I’m told. End-users would revolt, and management would never support the idea. (To be fair, this may be the practical reality -- not an exaggeration.)
It is because this one major issue of software control cannot be implemented that dozens of other security defenses (which will always fail) are implemented. I’m often told that the time and effort spent approving and controlling what software can be run is a big waste of time. I think it is a bigger waste of time to continually fight malware, viruses, worms, Trojans, spam bots, and every other type of automated malware as a daily part of the IT plan.
As all of us know, most end-user problems result from newly installed software or unapproved configuration changes. Lock down the desktop, and you will minimize support costs and malicious attacks.