Layer 8

Security is fundamentally about people, and everything we know about people is relevant to security. -- B. Schneier

All about the Benjamins.

While Hutton and Bejtlich go point-counterpoint ("Alex, you ignorant slut ..."), I’ll just riff off of Hoff, not just because it tickles my alliteration funnybone ...

Chris points out the growing horror of endpoint security software sprawl, to which I just want to ask one question:

How much of this proliferation is a desperate attempt to protect against your own users?

Chris writes:  “After all, the endpoint is the closest thing to the data, so the more endpoint control the better, right?”

Not quite.  The endpoint is the closest thing to the USER.  Who is opening attachments, downloading software, browsing questionable sites, mailing himself confidential data, and generally ignoring both policy and good technical sense.  Let’s take a look into the future, where we’re all on blades.  Where are you going to see the most security at that point?

I submit that there is only so much you can do to protect your enterprise data against the people you’re allowing to access it.  The overarching priority should be to simplify user interfaces and educate the users (yes, with a cluebat if necessary).  You’ll still have self-propelling worms and hostile scans to deal with, but you’ll be so much better off if your users simply don’t open strange attachments or go to AdultFriendFinder.com. 

We tend to rely more heavily on technology, because let’s face it:  most of us in this field are introverts and we don’t like talking to real live people if we can possibly help it.  But as security people, we can’t be everywhere.  We can’t be clicking the mice for all the users, and we certainly can’t watch every move.  We should be simplifying what users can do as far as possible so that there are fewer ways that they can shoot themselves in the foot, and then we should be teaching them gun safety.

Hoff is right:  we are getting to the point where we are deploying too much complexity, which in itself creates security problems.  We’re slapping one Band-aid after another on top of an already complicated mess.  Let’s get back to the root cause and address that instead.

Posted by shrdlu on Sunday, September 02, 2007
(4) Comments

Comments

LonerVamp United States on 09/02  at  11:11 AM:

The pendulum has already started swinging back to terminal devices instead of fat clients... for better or worse. That certainly simplifies what users do!

Kees Leune Netherlands on 09/02  at  11:16 AM:

I submit that there is only so much you can do to protect your enterprise data against the people you’re allowing to access it.  The overarching priority should be to simplify user interfaces and educate the users (yes, with a cluebat if necessary).  You’ll still have self-propelling worms and hostile scans to deal with, but you’ll be so much better off if your users simply don’t open strange attachments or go to AdultXFriendXFinder.com.

We seem to be in agreement. I wrote it down a little more politically correct last month:

However, this perspective is flawed. An organization consists of a collection of individuals. Each of those individuals has a personal agenda, which always takes the front seat. Second to that comes their professional agenda. Social scientists who have studied organizational dynamics acknowledge this, and even make it a fundamental principle in their theories. I believe that it is time that information security professionals also acknowledge this, and adopt the point of view that any organization, and certainly a university, should consider that the organization’s perimeter is made up of its users: staff, faculty, students, third parties, partners, etc.

The careful observer, who also knows a little more about my background, may speculate as far as to that post.

Alex United States on 09/02  at  05:18 PM:

The goal to shoot for is relatively simple, but not completely satisfactory.  I could be wrong, but even the most mature/stable Infosec Program will still be 100% beholden to:

Change Management (including asset/vulnerability/threat management)

Log Management (which I’m sure Anton will be elated to back me up on)

rybolov United States on 09/06  at  08:07 AM:

Still more proof that users need to be equipped with command-detonated implants.  That’s the ultimate endpoint security device.
