Posted on 01/13/2010 6:16:40 AM PST by ShadowAce
I was recently reminded while troubleshooting a friend's small business network of where most computer systems' real security weaknesses lie. Where do you think it is? The desktop operating system, which was Windows XP SP3? The server operating systems, which were Windows Server 2003 SP2 and Novell's SLES (SUSE Linux Enterprise Server) 11 SP1? Or, the Sonicwall TZ 210 firewall appliance?
The answer was, of course, none of the above. The weakest spot on your network is never your operating systems, your hardware, your applications, your security software or any of the rest of the technical side. The weakest link is always you and your people.
Whether it's something as simple as that old stand-by of users putting a password on a yellow sticky note on their monitor or someone tricking their way into your office with a fake ID, your real security problem is the people sitting between their keyboards and their displays.
Security software like anti-virus programs and firewalls does help stop attacks coming from over the Internet, but if you have only one person who's willing to click on a malware-bearing fake Hallmark e-card, you still have a problem.
The answer to this problem is education. You need to remind your users -- and yourself while you're at it -- that on the Internet everyone really is out to get you and you always have to have your guard up. After all, just because you're paranoid doesn't mean that they're not out to get you.
This is boring, I know. You'll find it boring; your users will certainly find it boring. But, it's the only way to make your network safer. It won't be perfectly safe, mind you. There is no such thing as perfect security. But, it will help.
In my friend's case, I tracked down his problem to an employee who had brought a laptop from home into work and he had managed to give his laptop a case of Net-Worm.Win32.Kido.ih. When he booted up his system at the office, the virus got loose on their LAN and started fouling up their Windows 2003 servers, which is when I got called in.
OK, so there were several problems here, not the least of which was that they hadn't been doing a good job of keeping their Windows machines updated, since the Windows security hole that lets Kido do its stuff, MS08-067, has been patched for over a year. Still, the bottom line is that they never would have ended up in any trouble if 1) the end-user hadn't had an infected laptop and 2) the IT staff hadn't let him hook his PC right up to the corporate network. Another day, another technical problem that was also largely a people problem.
end users.....without a doubt it’s the nut behind the keyboard.....
Yes...climbing up onto the desk is a dead giveaway.
PEBCAK with this column. :-)
I agree. If I saw anyone sitting between their keyboard and monitor, I'd be pretty sure they had a problem.
Without a doubt ....the people using it.
Beat me by 1:45! Curses!
I like to call them.....Lusers.
We are the security risks we’ve been waiting for.
When they ask me what was wrong with their computer I like to tell them “OH...just another ID10T error”....
I guess the only really safe thing to do, is not have any end-users.
My nightmare day as IT Manager usually begins with “I had a spyware warning come up on my machine and I installed it and now I keep getting popups.”
My kin told me that his company did well on almost all the typical areas: firewalls, physical access to datacenters, change control, OS/application patching, etc. However, they failed miserably overall because of employees.
One test that 90% of employees failed was the "free flash drive" test. The test involves dropping USB flash drives in the parking lot (or giving them away as a promotion somewhere). Software on the drive launches, does some scans, then sends PC/network data to the 'hacking' company. 9 out of 10 people picked up the drives, brought them inside the building, and plugged them into their work PCs. Ouch.
That's extreme. The perfectly reasonable answer is that they need to be registered, plus have a waiting period and monthly limit.
I just charge them for any help they get.
lol...
And, yes, I concur—PEBCAK constitutes about 95% of my IT issues. Every time I figure there’s NO WAY someone could be dumber than that last guy, an even dumber one shows up to prove me wrong.
Whenever he said, "I'm sorry, I can't do that..." I wanted to reach down his throat and pull out his chips.
Very creative...there’s another office, a rather large one that fell for a similar scam...what was it called...? Oh yeah, the Pentagon.
It was a lawyer. Maybe you should have. Who would blame you?