Thirty years after the PC was launched, security and management problems for the endpoint seem to be getting worse rather than better. PCs have become more functional, creating a greater surface area for attack. And the number of endpoint devices has proliferated, as tablets, netbooks and smartphones have entered the fray. The …
The main problem is to find a workable balance between necessary security and keeping the computers/devices workable. In the company I work for, security is constantly used as an excuse to enforce totally ridiculous rules. Starting up a PC on our network usually takes around 25 minutes. People use many different systems, for which the passwords all regularly change, all with their own fiendishly different set of password rules. The result is that everybody has a piece of paper on their desk with all their passwords written on it.
Badly implemented security is counter-productive and is actually very insecure.
25min boot time
"However, what makes me think you are not he, is the whole 25 minutes boot time crap." How do you know it's crap? FYI: I work at a supposed 'Technology Company' where most employees use Matlab and stuff on old Thinkpad T41 laptops from 2004 with 512MB or 1GB of RAM. Every morning it takes between 15 and 20 min for the crap XP install and the gazillions of gizmos (Sophos, Radia, etc.) to load into this tiny memory so that a login is possible, and often enough it can take 30 min before the PC becomes even barely usable. Most PCs also run software disk encryption, which makes matters worse. IT knows about it, but there's nothing they can do as long as management is too cheap to replace all the outdated crap we use.
So no, I don't think his statement that his PC takes 25mins to boot was BS. But I do think that your arrogant I-know-better-than-you attitude stinks and it's very clear you know jack shit what people have to fight with out there.
AC because of obvious reasons.
@AC from another AC
Running Matlab on a PC with 512MB RAM? I pity them. Once the OS is loaded, your largest contiguous memory block would be about 10MB; you're not going to get far in Matlab with that.
I can concur with long boot to login times. My machine boots quickly but the time from boot->login->usable desktop on a high spec Win 7 machine on the corporate LAN is around 5-10 minutes varying with the prevailing wind.
Refuse to let employees take computer equipment home so their 5-year-old can play Hello Kitty Island Adventure on a company laptop.
SHAME ON YOU!
If you really want to be a tightwad, then make all accounting people use a thin client so all activity is on the server and they cannot delete anything and tracking cannot be erased.
Troublemakers who get their computers on a monthly basis also should be prime candidates to use a thin client. Repeat offenders of security risk should reread the company manual for the third and last time, and the 4th time, fire them.
IT, for its role in the matter, should only back up company data, and no restore of personal, non-work-related files should be touched; they should be considered lost to the client. If it's not work-related, then it's not your job to touch it. Once the data restore has been made, remove local admin rights and only give the client power user. Install server software that blocks all advertisements going into your network and install spam-catching software.
The whole proposition of the "VP wanting to access the new ERP system via his tablet thingy" is a systematic security risk which will undermine any serious security strategy. Very much like "developer needs flash to view movies on the machine he also uses to administer 500 million RSA Access tokens". We all know how that was a major success story - for the attackers.
So I repeat - access to confidential data must be strictly limited to devices under full control of the IT department and conformant to a proper security strategy (quick patching, software only from known-good sources, monitoring at the firewall, etc.).
The whole idea of "employees bringing in their own devices" is horrible from a security point of view, because nobody really knows from which dodgy sites they downloaded some "free" software. Neither does anybody except themselves know about all the porn+malware sites they frequent from 20:00 to 23:00.
Where is the discussion on protecting data at rest...?
AKA Full Disk Encryption.
For many organisations this is critical - even on desktop machines.
I'd argue that FDE should be a given for any corporate. So many files get copied off the network and worked on locally, or applications leave local traces lying around, that anything less is ridiculous. Far too many documents and data items get considered only on the basis of whether they are sensitive from a service/product standpoint, and other risks, such as the "in the local news" risk, are ignored. My boss thought his data was safe as I couldn't log on to his PC and view his files. A couple of minutes with the bootable USB drive on my keyring enlightened him to the real risks.
One other thing...
License compliance...? Detecting and reporting on all those unlicensed applications on your network...?
Don't have USB sticks - don't miss 'em!
Our office purged USB drive access over a year ago and I can't say we miss it at all. In place of USB we set up universal access (SFTP, FTPS or web transfer from anywhere) to our personal Windows folders and some shared content using Serv-U Gold (on Ubuntu) and we've never looked back.
Good article, but how to explain to the users?
Good article, I like the systematic approach and the management perspective.
But how do you explain to your users all that security is in their own best interest, so they can actually get their jobs done and go home at 5 o'clock?
In our smallish company we have, what I think, a very reasonable balance between security and usability. Still, I spend a lot of time dealing with users that feel all those security measures are just frustrating their daily work. Even simple procedural things like file libraries that can only be updated by users with management permissions lead to endless discussions about how much easier everything would be if they could just update it themselves. And then they want to install that super convenient calculator utility their nephew showed them, or synchronize business data to their smartphone so they can take a look while having their lunch around the corner.
I just want everything to work as it should, and all security and legal requirements to be met, so everybody can go home at five. How do I explain that to them? That it actually saves them time, and thus the company money, if everything is done in a secure and orderly fashion?
How do you deal with Windows 7 gadgets/widgets? I see these as a potential security issue in that anyone can install them.
What about authorized users using authorized software?
Recent news items (securities fraud, WikiLeaks) make it clear that organizations can be compromised by authorized users using authorized software. This problem is not mentioned at all.
The real issue is a much more general one of risk management: how high is the risk, and how much are you prepared to spend to minimize that risk? The highest risks cannot be lowered to zero, and no amount of technology implementation (software, hardware, network monitoring, etc.) will make the risk zero.
I've sold a lot of Symantec Endpoint Protection and its NAC capabilities. What made the product stand out was a great administrator that could make sense of the policy capabilities. It's a very good product when configured right. Sadly, 80% of installs are done by hacks that are bloody fools thinking they know it all, with an "it's just AV, how hard can it be?" mentality....
Now I work for a company that standardized on McAfee and ePO, and I noticed a few things I can't do, like install CCleaner. It gets wiped within seconds of install, due to it having a secure erase function. This I found by looking through the logs and registry keys of the app.
The hardest part is that no single product is good enough, and often multiple products must be used to apply a solid endpoint management and data protection strategy (you see two disparate markets).
You've got desktop management products, AV products, disk encryption, and data management/access/protection products. No single vendor can combine them into a single product, nor would one want to! That is just a mess of complications and agents.
At the end of the day, Security Officers will say you need X/Y/Z feature, and have a list of all required features. But the reality is that <insert regulatory requirement here> probably only needs 30% of that, but it's poor comprehension, or overzealous fools that buy the kitchen sink and only deploy part of it.
Side note, complaining of 25-minute boot times? Where are we, 1995? Seriously, get modern hardware, software, and updated applications. My guess is that you run 2 versions back on your AV software, still on XP, on a PII machine with 256MB RAM.
Another issue I have come across is "portable apps". Due to the lack of an installation requirement, I can have my own version of Chrome, Firefox, secure eraser, etc. up and running in seconds.
As I said a couple Springs ago ...
Rather than re-write it, see:
Not what "security by obscurity" normally means ...
I really hate this term "endpoint security", which seems to have been dreamt up by some marketroid in order to avoid saying "computer" ... and as for "remediate", what's wrong with "fix"?
Please rewrite the article in English ... and while you're at it hyphenate "bot-herder" so that it doesn't look like "bother-der".
What can you do to enforce endpoint security?
Put the authentication and security bits in a hardware dongle ..
ps: In that whole article the only system you managed to mention in relation to malware was Android .. :)