One by one, end-users began to install instant messaging. I'd uninstall it on one user's workstation only to find it installed on the two PCs beside them. I was fighting a losing battle. I decided to block the IM network port to prevent the clients from connecting to the outside hosting channel servers, and the IM clients morphed to bypass the firewall settings. I went to complain to the company CEO, only to have him request that I install it on his computer. I didn't want to support IM, but eventually I learned that my job is not to decide what end-users or management should be running, but to secure as best as I can what they want to run.
The IM invasion (as I called it) was replaced with a p-to-p push, then music downloads (full of malware), and unauthorized USB keys ("Hey, what are those things?"). Then a major vendor, spending tens of millions of dollars on radio and magazine ads, convinced my end-users that they could not live without GoToMyPC. No need to get the IT staff involved. Firewalls are no problem. Right.
The next invasion(s)
Today's invasions are led by video services, SMS texting, and social-networking sites. Is it a YouTube video or a malware program codec? Like it or not, your current and future employees will be engaging in social-networking sites, such as MySpace, LiveJournal, Facebook, Plaxo, and so on, and their cell phone more than they interact with real live human beings. If you have teenage kids, you already know what I mean. But it isn't just kid's play; one large financial entity recently used virtual world Second Life to host an internal company meeting. Hey, did my avatar just pat my boss on the butt?
Various social-networking leaders are even developing APIs that will allow an increased Web 2.0 social-networking experience, social-network-specific applications, and cross-service communications. All of these are great things to hack. And let's not forget VoIP programs (such as Skype), iPods, iPhones, Gphones, or whatever. If you're in IT, you will always have to defend end-users and the organization against themselves.
Once you note that some insecure technology or program is taking over your environment, either spend all your efforts to eradicate it, or accept it. If you have to accept it (because, for example, the CEO just posted his resume to Facebook), work to make it as safe as possible. Here are some tips:
* Start with end-user education.
* If the free program they are downloading is insecure, offer a more secure, "corporate standard" alternative that interfaces with the product they like.
* Use scripts or group policies to secure the product's installation settings.
* Buy or use antimalware products that work with the product you are trying to protect.
* And in the end, if your end-users ignore all your advice and intentionally install potentially malicious programs, that doesn't mean it isn't your problem.