Controlling the uncontrollable user

Improve security by taking back control of software installation from employees -- it's for their own good

A large percentage of computer security problems have origins in a common issue: end-users installing or running programs without administrative approval and control.

Outside of buffer overflows and social engineering attacks, most exploits occur because users inadvertently install unauthorized malware or other programs. Many times, the programs are malicious in nature from the start, such as viruses, worms, Trojans, and spyware; but others are legitimate programs that allow new types of exploits to happen.

Every piece of software is another potential vector for attack. Allow your users to install Macromedia’s Flash component, and you risk exploitation from maliciously coded Flash controls. Install Google’s new search bar and risk confidential information being retrieved. Allow end-users to play personal CDs on their computer and a new rootkit program may be installed. (Thanks, Sony!)

I travel a lot, including visiting a lot of foreign countries where my cell phone does not work. I started using Skype to talk to family and friends wherever I can connect to the Internet. Skype is great -- it sounds better than a cell phone and costs pennies a minute to connect to anybody else’s real phone.

But when I installed it as it was gaining popularity, I knew it was only a matter of time before it would be exploited. Sure enough, within a few months, somebody found some holes, and Skype released some patches. I don’t expect these to be the last security patches that Skype releases.

Every new piece of software that is installed on a PC increases its risk of exploitation, whether the software is Skype, Java, RealPlayer, Firefox, QuickTime, iTunes, or even anti-virus software. I often counsel companies where the single best thing they can do to minimize security vulnerabilities is to control what software its users can install and run. Which browser add-ins are users running? What ActiveX controls are installed? Any administrators out there surprised lately at finding GoToMyPC installed without their knowledge so employees can reach their work desktops from home?

Many -- if not most -- of these companies balk at my advice. Forcing end-users to get IT approval before installing software would create "undue hardship" or "limit academic freedom," I’m told. End-users would revolt, and management would never support the idea. (To be fair, this may be the practical reality -- not an exaggeration.)

It is because this one major issue of software control cannot be implemented that dozens of other security defenses (which will always fail) are implemented. I’m often told that the time and effort spent approving and controlling what software can be run is a big waste of time. I think it is a bigger waste of time to continually fight malware, viruses, worms, Trojans, spam bots, and every other type of automated malware as a daily part of the IT plan.

As all of us know, most end-user problems result from newly installed software or unapproved configuration changes. Lock down the desktop, and you will minimize support costs and malicious attacks.

I realize that the majority of companies cannot prevent their users from installing whatever software they like. Heck, I have a hard time controlling what software runs on my own family’s PCs. If you can’t stop new software from being installed, you must make a proactive plan to manage the risk. Here are some tips:

- Educate your users on your company’s software install policy (i.e., do they need IT approval?).

- Educate users on the kinds of software installs to avoid, the ones bound to be full of spyware and other malware. Explain that every new piece of software can lead to remote exploitation and complete, malicious control of their computer.

- Put an auditing mechanism in place to find out what your end-users are running. Even if you don’t have control of what they install, you must know what is running. Audit installed programs and listening IP ports.

- Develop a process to ensure that newly installed applications get installed in a secure way (you don’t want file-sharing, p-to-p apps sharing out confidential directories).

- Ensure that any installed program has its auto-update feature enabled, if it has one. Also, be aware of programs which do a poor job of removing the old, vulnerable code after the updated version is installed. Adobe Acrobat and Sun’s Java have been criticized for this lately.

- Make a case to management to remove any high-risk program, along with penalties for repeat offenders.

- Institute a content layer inspection device that can prevent unauthorized protocols sneaking over authorized ports (such as IM over port 80).

- Teach your IT team to be aware of new programs and to report them to IT management when discovered, so the risk can be analyzed immediately.

It's a simple fact that users are going to install new software you don’t know about, and that it will increase the chances of malicious exploitation. My best advice is to control what is installed and running on all managed PCs. Failing that, become proactive about the software you don’t control.

Copyright © 2005 IDG Communications, Inc.