Free Newsletters
Technology & Business Daily
InfoWorld
Log-in | Register
SECURITY ADVISER  

Continued debate on desktop lockdowns

To make the case for unauthorized software bans more clear, Roger heads once more into the breach
By Roger A. Grimes
July 28, 2006		  

A few columns ago, I suggested the single best security defense any company could implement is to prevent users from installing any unauthorized software.

Free IT resource

Virtualization Insights from Top Experts - Learn how virtualization gets real!

Sponsored by Dell

Free IT resource

TechNet: More ways to know it, share it, and keep it running.

Sponsored by Microsoft

The adulation and the critical response was overwhelming. I got so many people telling me I’m an idiot that you would have thought I had said something critical about a Mac computer. (Mom, no need to write next time, just call.)

[ Talkback: Desktop lockdown debate ]

Many critics wrote that I was an off-the-deep-end security zealot who didn’t really understand how IT security was just a part of the business, and not THE business. And this was from my friends and colleagues. Yeah, my CPA, years of graduate business school, and years as a C-level exec are forgotten.

My advice would doom any company following it to utter failure and miserable employees, my critics continued to complain. This comes despite the fact that most of the Fortune 1000 companies already do what I recommend and still continue to grow -- and have satisfied employees.

Most critics felt I’ve been embedded in the security world too long and I’m overstating the risk. Let me counter with the following statements (which I shared on my colleague Bob Lewis’ Advice Line blog):

Statement 1: Ninety-nine percent of today's malware exists to steal money, identity information, and data. This isn't my warm and fuzzy best guess. It's data from Symantec, McAfee, MessageLabs, Postini, etc. Read their quarterly and monthly threat reports. Go to any of their sites and view the top 50 threats. If you find a single threat that doesn't do what I reveal, please write back. I didn't come up with this figure on my own.

(If you allow end-users to install their own software, it means they are logged in as Administrator or root. If you were to reveal this fact to any security group, the critical responses would be tremendous.)

Statement 2: If you allow end-users to install anything they like, a remote attacker can easily gain unauthorized access to anything but the most secure companies. It can be done by spamming your company with very legitimate-looking e-mails from a company executive about a topical event, which really contain rogue malware. It can be done by dropping infected USB keys in your parking lot, or by placing a CD-ROM labeled “Pending 2006 Layoffs” in your company. The tricks are well-known and have worked on every company I’ve ever tried them on. There isn’t a professional penetration tester you can find who will not tell you the same. It’s a cake walk.

My one-off, unscannable, client-side trojan program "dials home" using port 443 (which is allowed out through every firewall I've encountered) using encrypted data streams. Virus scanners don't pick it up; IPSs and IDSs don't pick it up; and certainly end-users and security administrators don't pick it up.

If you're a reader who believes your company can't easily be compromised by socially engineering at least one of your employees into installing software they really shouldn't, please write me.

Statement 1 is true. If Statement 2 is also correct for you, then continuing to allow end-users to make software-install choices means you've accepted that your company can be compromised at will by almost any hacker. It means that with a minimum amount of effort your company's databases and corporate secrets can be compromised.

That's okay. All security is a cost/benefit trade-off, and different companies accept different levels of risk.

But it is a big risk to take. If you took the current risk of Statement 1 to management, followed by a statement that it's relatively easy for a hacker to client-side, socially engineer your employees, would it not be management's fiduciary responsibility to require a better defense?

If your current defenses can't stop a user from installing my trojan program and compromising your network at will, shouldn't you be doing something different to offset the risk? Maybe not desktop lockdown, but shouldn't you be doing something different, instead of just waiting passively for the inevitable attack?

If Statement 2 is true for you, and you do nothing different, it means you either don't believe Statement 1, or you are playing the odds that attackers won't target your company -- and if they do, they really won't do much real damage. Me, I'd rather gamble off company time.

My one best recommendation may not be for you, but if Statement 2 is true for you, and you are tasked with computer security defense, it begs you to do something different.





 


 
InfoWorld Test Center Contributing Editor Roger A. Grimes is a Foundstone Ultimate Hacking instructor/consultant teaching Windows, Linux, Unix, and Solaris security.

  More of Roger A. Grimes' column

Newsletter Check out all of our free newsletters!
Enter e-mail address:




 

TOP NEWS:


»  Four quick tips for choosing an IM security product
71 percent of businesses will invest in real-time messaging this year. If you're one of them, be sure to protect your enterprise

»  Forrester analysts ID hot IT jobs
Research group finds 16 IT roles with a promising future

»  Nvidia claims 10 hours of HD video on Tegra chip
The Tegra 600 and 650 can be used with hard disk drives and are designed partly for mobile Internet devices

»  Database vendors add Google's MapReduce
Greenplum and Aster Data Systems will support Google's programming technique, developed for parallel processing of large data sets across commodity hardware

»  Network management: Tips for managing costs
New technologies, changing requirements, and ongoing equipment maintenance and upgrades cost money, but there are ways to manage expenses

»  EMC targets SMBs, branch offices with new low-end storage
Celerra NX4 highlights include thin provisioning, snapshot technology for data recovery and backups, and Web-based console for management of storage volumes




Remote Access: Maintain Security and Decrease the Burden on IT
Join this interactive webcast to discover how IT Managers can control access rights, end-user security settings and end-point authorization. Sponsor: Citrix(R) GoToMyPC(R) Corporate

»  Click here to view this Webcast 		  Virtualization Solutions Guide
This comprehensive IT Strategy Guide covers Virtualization and puts you at the forefront of the discussion. You'll learn all you need to know from the cost of virtualization, how to implement it for your business, how to back it up safely and which products are best. Sponsored by Riverbed

»  Click here to download now

- Special Advertising Partners -
WHITE PAPERS
  

» Technology White Papers Library

Technology White Papers by Topic

Technology White Papers E-mail Alert
Find out when the latest white paper is available:
 
 
INFOWORLD MARKETPLACE
  
» BUY A LINK NOW
  

FIND PRODUCTS AND COMPANIES
» COMPLETE PRODUCT GUIDE



TECHNOLOGY INDEX
• Applications
• Application Development
• Security
• Networking
• Wireless
• Platforms
• Hardware
• Data Management
• Storage
• Web Services
• Business
• Telecom
• Professional Services
• Standards

TECH WATCH 


What's the 411 on GOOG-411?
Just as Google has become synonymous with "performing a Web search," 411 is understood to mean "information" -- as in "what's the 411?" I was thus surprised to discover, from a billboard, no less, that the king of search is taking on the ...

Apple HTML source reveals 'iPhone Extreme'
"This one's a stretch..." reports AppleInsider. Um, yeah. Reporting on HTML code sightings of product names could be called a stretch, but iPhone Extreme has a ring to it. Now, that sounds like the product Apple should have released first, rather ...

COLUMNISTS

Unified under law
Ephraim Schwartz's Column and Blog (InfoWorld) - In the litigious world we live in, deploying a unified communications platform in your enterprise could...
» MORE COLUMNISTS

MORE INFOWORLD BLOGS


Open Sources 
Product Management
When I joined MySQL four years ago, there was quite a lot of debate about product management. We didn't actually have ...

Zero Day 
Botnet herders tending smaller flocks
New research backs up the theory that botnet operators are keeping their networks smaller in a continued effort to keep ...



• Advice Line
• Database Underground
• The Deep End
• Enterprise Mac
• Geeks in Paradise
• Grid Meter
• The Gripe Line
• InfoWorld Daily
• Inside IT
• IT Troubleshooter
• ITXtreme
• Open Sources
• ProdBlog
• Real World SOA
• Reality Check
• Security Adviser
• SMB IT
• The Storage Network
• Tech Watch
• Virtualization Report
• Zero Day

ADVERTISEMENT


RESOURCE CENTERadvertisement 

GOVERNMENT IT & POLICY
'If you don't go after the network, you're never going to stop these guys. Never.'
From the State Department, All the News for Inquiring Minds
TechPresident, the Internet Citizenry's New Consensus Taker



Sponsored Technology Links

 
 
 HOME  NEWS  BLOGS  PODCASTS  VIDEOS  TECHNOLOGIES  TEST CENTER  EVENTS  CAREERS   About | Advertise | Awards | RSS | Contact Us 

Copyright © 2008, Reprints, Permissions, Licensing, IDG Network, Privacy Policy, Terms of Service.
All Rights reserved. InfoWorld is a leading publisher of technology information and product reviews on topics including viruses,
phishing, worms, firewalls, security, servers, storage, networking, wireless, databases, and web services.

 CIO :: ComputerWorld :: CSO :: Demo :: GamePro :: Games.net :: IDG Connect :: IDG World Expo
Industry Standard :: IT World :: JavaWorld :: LinuxWorld :: MacUser :: Macworld :: Network World :: PC World :: Playlist