Tue, Feb 28 2006 12:20
Is leaving computers turned on a massive security risk?
There's a thread going on the PatchManagement.org listserv, and according to some folks I am severely deficient in allowing my end users to leave their computers on.
Because, they say, when a system is turned on it opens up a hole for intruders to drop things on those boxes.
They only want the systems on when a user is there, and they trust their users to patch their machines. They say it's insane of me even to think of leaving the machines on for remote access.
I find these 'absolute' conversations to be quite interesting, because it's my belief that there is no such thing as a black and white answer in security. It's about risk analysis and finding a balance: just enough security, of the right amount, at the right time, with the right amount of annoyance so that end users don't find a way around it. Because at the end of the day, security HAS to take an equal weight with the business of the firm. If it takes an extremely higher priority, then you might as well turn off the computers and servers and stop doing business. If you go and live on an island with no computers and no need for interactions, that's probably the only way you will be absolutely secure from all technology risks like identity theft and whatnot. Of course, then you will have a new set of risks to worry about. Just go ask the folks on the TV show Lost about the risks they face "without" technology around.
I find the thought that "you must turn off your system, otherwise bad guys are sitting there dropping bad things on your systems" to be an interesting one. If you believe your internal network to be that infected, then yes, design your network with that risk and threat in mind. In my mind you must then design the network such that you assume all TCP/IP packets are hostile and you cannot trust anything that you cannot verify as coming from something you trust.
It's my understanding that Microsoft designs their network in this manner, with an IPSec setup so that unless you have a SmartCard you don't get domain access. Likewise, all the new Network Access Protection stuff that's coming down the pipeline looks very interesting for better protecting and 'vetting' the connections coming into our networks. But in a small network, it's my opinion that I can still do what I need to do to have a somewhat more 'trusted' internal network. Now I'm sure I'm absolutely the naive one, but the additional tools I have -- like the SBS built-in monitoring email, ISA 2004 and Scorpion Software's Firewall Dashboard (which is just releasing a final beta, as a matter of fact) -- can help keep me a smidge informed, so that once something happens (please note I said when, not if, as one should always be prepared for the worst) I can act as fast as I can to take whatever actions I need to take.
But I think for someone to say "look at the packets hitting your desktop firewalls, all those bad guys trying to intrude" means that I shouldn't be just calmly looking at those firewall logs, but having a heart attack, freaking out and trying either to block the entry point or to figure out what machine on my internal network has gotten owned and start an investigation. As someone coined the term, "draining the network" at that point and rebuilding it.
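The triage the paragraph above describes, which entries in a desktop firewall log are merely outside noise to block at the entry point and which ones point at an internal machine that has gotten owned, is shown here as an added example that is not part of the original post. It assumes the Windows Firewall pfirewall.log field layout, a 192.168.0.0/16 internal range, and uses constructed sample lines rather than a real capture; the thresholds are illustrative.

```python
"""Triage desktop-firewall log lines into outside noise versus a likely-owned internal host.

Added example (not the post's own code). Assumes the Windows Firewall
pfirewall.log field layout; the sample lines below are constructed.
"""
import ipaddress
from collections import defaultdict

# Constructed sample log in pfirewall.log layout (not a real capture).
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2006-02-28 12:20:01 DROP TCP 203.0.113.5 192.168.1.10 4445 445 48 S 1 0 65535 - - - RECEIVE
2006-02-28 12:20:02 DROP TCP 203.0.113.5 192.168.1.11 4446 445 48 S 1 0 65535 - - - RECEIVE
2006-02-28 12:20:03 DROP TCP 203.0.113.5 192.168.1.12 4447 445 48 S 1 0 65535 - - - RECEIVE
2006-02-28 12:20:04 DROP TCP 198.51.100.9 192.168.1.10 5000 135 48 S 1 0 65535 - - - RECEIVE
2006-02-28 12:21:00 DROP TCP 192.168.1.20 192.168.1.10 1025 445 48 S 1 0 65535 - - - RECEIVE
2006-02-28 12:21:01 DROP TCP 192.168.1.20 192.168.1.11 1026 445 48 S 1 0 65535 - - - RECEIVE
2006-02-28 12:21:02 DROP TCP 192.168.1.20 192.168.1.12 1027 445 48 S 1 0 65535 - - - RECEIVE
2006-02-28 12:21:03 DROP TCP 192.168.1.20 192.168.1.13 1028 445 48 S 1 0 65535 - - - RECEIVE
2006-02-28 12:22:00 OPEN TCP 192.168.1.30 192.168.1.2 1029 80 0 - - - - - - - -
"""

# Assumption for this example: the LAN is a single RFC 1918 range.
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16")]


def parse_log(text):
    """Yield one dict per event line, naming columns from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # malformed line: skip rather than guess at columns
        yield dict(zip(fields, values))


def is_internal(ip):
    """True if the address falls inside the assumed internal range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def triage(text, noise_threshold=3, fanout_threshold=3):
    """Split dropped connections into two very different kinds of finding.

    - An outside source repeatedly dropped at the desktop is noise the edge
      firewall should already be stopping: a block candidate.
    - An internal source whose dropped connections fan out to many internal
      hosts on one port is the sign of a machine that has gotten owned and is
      probing its neighbours: investigate that host.
    """
    inbound_drops = defaultdict(int)      # external src -> dropped count
    internal_fanout = defaultdict(set)    # (internal src, dst-port) -> distinct targets
    for ev in parse_log(text):
        if ev["action"] != "DROP":
            continue
        src, dst = ev["src-ip"], ev["dst-ip"]
        if not is_internal(src):
            inbound_drops[src] += 1
        elif is_internal(dst):
            internal_fanout[(src, ev["dst-port"])].add(dst)
    block = sorted(s for s, n in inbound_drops.items() if n >= noise_threshold)
    investigate = sorted({src for (src, _port), targets in internal_fanout.items()
                          if len(targets) >= fanout_threshold})
    return {"block_candidates": block, "investigate_hosts": investigate}


if __name__ == "__main__":
    for kind, hosts in triage(SAMPLE_LOG).items():
        print(f"{kind}: {', '.join(hosts) or 'none'}")
```

On the sample, the three drops from 203.0.113.5 are inbound noise to block at the edge, the single drop from 198.51.100.9 is below the threshold and ignored, and 192.168.1.20 is flagged because its dropped SMB connections spread across four internal hosts, which is the case that calls for an investigation rather than a calm look at the log.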
I guess I'm of the opinion that if I can't reasonably protect machines that are merely turned on with "good enough" security, how in the world can I protect them when there are end users sitting at those machines using them? Our end users are not trained in security AT ALL. The entire computing industry has done a poor job of educating us about technology, let alone about securely operating computers. Walk into ANY office and talk to an end user about the application they are using, and I'll bet you that they don't know how or if their systems are being backed up, they don't know anything about patches or care about firewalls, and they don't understand that bad guys are being paid $10,000 a pop for vulnerabilities. I would argue that it's not their job to be that geeky and know all about that... it's mine. Their job is to just do what they need to do, sticking sticky notes on the monitor for all the 'to dos' that they need to do.
I don't trust my end users to be on top of patching like I am, and I want to be the one installing and approving patches. I don't want them to be the ones assigning risks to email attachments; it's my job. For some users of technology, telling them to look for a button in a toolbar is asking way, way too much. Now maybe we shouldn't have those folks using computers, but the ugly reality is that we have these users in our networks, using technology. So we'd better plan our networks for these folks, ensuring that, as much as we can, we build in secure processes that aren't such an extreme bother that folks go around them and find another way to do their job.
I know they say that the network guys shouldn't be in charge of security because there's a conflict of interest, but where is it written in the computer security book that the folks on the business side can't be involved in this process of security as well?
Because folks, at the end of the day, this is about acceptable risk. And quite honestly I cannot see how you can make that determination without a business hat at the table.
I just don't think that the risks that are acceptable for my network are acceptable for yours. Especially not if we're not the same size and you don't have the technology that I do (like Remote Web Workplace).
And you know what.... that's OK.
Filed under: Security