eWeek Microsoft Watch
January 17, 2007 6:00 PM

Don't Get Caught in the Greynet



A credit commercial asks, "What's in your wallet?" My version: What's on your network?

According to a new FaceTime Communications study, the answer is unauthorized software--or "greynet" applications--that create security risk.

More than two-thirds of end users feel justified in downloading unauthorized software, which could be as seemingly innocuous as instant messaging or as risky as peer-to-peer software, according to FaceTime. Some of this software is back-loaded with malware that can breach the corporate network. Eighty percent of IT managers reported that their locations suffered a greynet-related security problem within the previous six months.

Unauthorized software is a problem that IT organizations and even Microsoft cannot ignore. I'm cutting through the management, help desk and employee productivity issues to focus on security. I offer my recommendations to Microsoft and its IT organization customers about how to respond to the greynet applications problem.

What IT organizations should do:

  • Assume that employees will download stuff to their work computers and lie about it if asked. Remedy: Provide safe downloads in popular categories. While such practice might sound like a waste of resources, it's better you provide the goodies--like holiday screen savers or desktop wallpaper--than employees prowl the Wild Wild Web. A safe download site might even build morale or generate goodwill toward the IT organization.
  • Take it for granted that employees working from home or on the road will have unauthorized software on their computers. Here, greynet is a gray area. Reduced productivity or bandwidth is a management problem that shouldn't be ignored, but the greater concern should be security. Same remedy as the one above should apply. Employees will download stuff; it's better they get the software from you than someone else.
  • Regard every computer that leaves the confines of the organization as a security risk. Employees aren't the only problem. I can't count the number of situations I've seen or heard about where malware infected computers when nieces, nephews or grandchildren came to visit. A corporate computer in the home will get used by unauthorized users if left untended. One remedy: Add security authentication to the network log-in process. No mobile PC should be able to connect to the corporate network unless its security software is functioning and definitions are up to date.
  • If the organization has an Intranet portal using SharePoint Server or other software, assume there are links to dangerous downloads everywhere. My big gripe about SharePoint is the way shared sites proliferate. Sure, people should work together, but there can be too much sharing. One remedy: Keep expirations to a short time to discourage lingering SharePoint sites.
  • Expect employees to do stupid things, like open an attachment to mom's chain e-mail. I delete all chain mail, even from mom, unopened. Harsh remedy: Block all e-mail except for authorized recipients, such as those in global address books. If most e-mail is spam anyway, why not treat most e-mail as spam?
  • Treat RSS feeds and other subscriptions as likely attack vectors. No disagreement: enterprise RSS is a valuable utility, but feeds are often unmonitored. Remedies: Reduce risk by blocking comment feeds. For now, comments are the likeliest source of dangerous links and, at some point in the future, dangerous scripts and other maladies. More broadly, use software that can view feeds without HTML or support for scripts, cookies and other Web features.
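Here is what the last remedy looks like in practice. This is an added Python example written for this post, not code from the article or from FaceTime: it reads an RSS 2.0 feed, reduces each item's HTML description to plain text (dropping tags, attributes and the contents of script elements), reports the item link as text rather than rendering it as something clickable, records the per-item comment feed pointer (the `wfw:commentRss` element) without ever fetching it, and filters comment feeds out of a subscription list. The sample feed is constructed for the example, and the URL pattern used to recognise comment feeds is an assumption based on common blog engines, not a standard.

```python
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample feed for this example (not from the article). One item
# carries inline HTML with a script tag and an active link, plus a
# wfw:commentRss pointer to the per-item comment feed that a naive reader
# would happily follow.
SAMPLE_RSS = """<?xml version="1.0"?>
<rss version="2.0" xmlns:wfw="http://wellformedweb.org/CommentAPI/">
  <channel>
    <title>Example Security Blog</title>
    <item>
      <title>Patch Tuesday notes</title>
      <link>http://blog.example/patch-tuesday</link>
      <description><![CDATA[<p>Several <b>critical</b> fixes shipped.</p>
<script>document.location='http://evil.example/';</script>
<p>See <a href="http://evil.example/tool.exe" onclick="x()">this tool</a>.</p>]]></description>
      <wfw:commentRss>http://blog.example/patch-tuesday/feed/</wfw:commentRss>
    </item>
  </channel>
</rss>
"""

WFW_COMMENT_RSS = "{http://wellformedweb.org/CommentAPI/}commentRss"


class _TextOnly(HTMLParser):
    """Keep text nodes only: every tag and attribute is dropped, and the
    contents of script/style elements are discarded rather than shown."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []
        self._skip = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)


def strip_html(fragment):
    """Reduce an HTML fragment to whitespace-normalised plain text."""
    parser = _TextOnly()
    parser.feed(fragment)
    parser.close()
    return " ".join("".join(parser.parts).split())


def is_comment_feed(url):
    """Heuristic (an assumption, not a standard): comment feeds from common
    blog engines carry 'comment' in the path or query string, e.g.
    /comments/feed/ or ?feed=comments-rss2."""
    parts = urlparse(url)
    return "comment" in (parts.path + "?" + parts.query).lower()


def keep_subscriptions(urls):
    """Drop comment feeds from a subscription list."""
    return [u for u in urls if not is_comment_feed(u)]


def read_feed(xml_text):
    """Parse an RSS 2.0 feed into plain-text entries. Description HTML is
    reduced to text, the item link stays a plain string, and the per-item
    comment feed URL is recorded but never fetched."""
    root = ET.fromstring(xml_text)
    entries = []
    for item in root.iter("item"):
        entries.append({
            "title": item.findtext("title", ""),
            "link": item.findtext("link", ""),
            "text": strip_html(item.findtext("description", "")),
            "comment_feed": item.findtext(WFW_COMMENT_RSS, ""),
        })
    return entries


if __name__ == "__main__":
    for entry in read_feed(SAMPLE_RSS):
        print(entry["title"], "-", entry["text"])
```

The point of the text-only parser is that nothing in a feed item ever reaches a rendering engine: the script never runs, the `onclick` handler is gone with the tag, and the link to the executable survives only as words. Blocking comment feeds happens at subscription time, before any comment content is fetched at all.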

Another tactic would be to simply run most users in standard mode, which would greatly limit end users' ability to install unauthorized software. Similarly, upgrading to Windows Vista would give IT organizations more control over users, while UAC (User Account Control) would act as a buffer against malware installations.
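The mobile-PC rule above (no connection unless security software is running and definitions are current) and the standard-user point here both reduce to a posture check at log-in time. The following is an added Python example, not code from the article or from any Microsoft or FaceTime product: a laptop submits a small key=value report, and an admission routine evaluates it against a policy, listing every failed rule so the help desk can tell the user what to fix. The report format, the field names and the seven-day definition-age limit are all assumptions made for the example, and the sample report is constructed.

```python
from datetime import date

# Constructed posture report in an assumed key=value format (not any real
# product's protocol), as a laptop might submit it to an admission gateway
# when it connects.
SAMPLE_REPORT = """\
host=laptop-0042
av_service=running
definitions_date=2007-01-10
firewall=on
user_is_admin=no
"""

# Policy knobs; the seven-day limit is an assumed value for the example.
POLICY = {"max_definition_age_days": 7}


def parse_report(text):
    """Turn key=value lines into a dict; blank and malformed lines are ignored."""
    report = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        report[key.strip()] = value.strip().lower()
    return report


def evaluate(report, today, policy=POLICY):
    """Return (admit, reasons). Every failed rule is listed. A missing or
    unreadable field fails closed: the machine is refused rather than
    assumed healthy."""
    reasons = []
    if report.get("av_service") != "running":
        reasons.append("antivirus service is not running")
    try:
        age_days = (today - date.fromisoformat(report["definitions_date"])).days
        if age_days > policy["max_definition_age_days"]:
            reasons.append(f"definitions are {age_days} days old")
    except (KeyError, ValueError):
        reasons.append("definitions date missing or unreadable")
    if report.get("firewall") != "on":
        reasons.append("host firewall is off")
    # The standard-user rule: a session running with administrator rights
    # can install anything, so it is treated as a posture failure too.
    if report.get("user_is_admin", "yes") != "no":
        reasons.append("session has administrator rights")
    return (not reasons, reasons)


def admit(report_text, today_iso):
    """Parse and evaluate in one call; today's date is given as YYYY-MM-DD."""
    return evaluate(parse_report(report_text), date.fromisoformat(today_iso))


if __name__ == "__main__":
    ok, why = admit(SAMPLE_REPORT, "2007-01-17")
    print("admit" if ok else "refuse", why)
```

Two design choices matter more than the individual rules. The check fails closed, so a report that omits a field counts against the machine instead of for it, and every failure is reported rather than just the first, because a user on the road needs the whole list before they can get back on the network.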

What Microsoft must do:

  • Expose the bad guys. Microsoft should use its resources to spotlight dangerous Web sites or software. Why not make available a Most Wanted list that could be posted on the Microsoft home page or security Weblog, or distributed by RSS or Live Gadget? The subscription content could be continuously updated. Microsoft already collects some information for Internet Explorer. Highlighting bad sites or software would be a simple extension that would offer huge customer benefit. Surely, if Microsoft issued a monthly Most Wanted list, bloggers and news services would write about it.
  • Take out the botnets. The bad guys use networks of compromised computers to launch attacks, spread malware or spew out spam, some of it offering access to software or dangerous Web sites. The hackers are only as strong as their supply lines, which are the botnets. I challenge Microsoft to marshal its resources and those of its partners to identify compromised computers and take them out. State laws seek to keep unsafe vehicles off the road. Why should unsafe, compromised computers have easy access to the Internet?
  • Provide a safe download site, with software guaranteed to be malware-free, to all Windows customers. Windows Ultimate Extras is fine for consumers, but, for security purposes, more "extras" would benefit everyone, including business users. A safe software Web site could also showcase partners' goodies; Windows Marketplace is a good first step. By using Live.com, gadgets could be showcased, too.


Comments (5)

Greg :

Although your strategies are basic common sense, they won’t work in just about ANY office that I’ve ever worked in. The primary concern of any IT person who wants to maintain security is to stay on top of the office politics.

Sure, I’m making this cynical but unless you’re the boss’s son and look like a football quarterback who makes IT happen from his PDA while on the golf course, everyone knows that they can eventually bully their way to being left alone with their toys, screensavers and pornography. Most businesses consider IT to be a bunch of nerds with an inferiority complex who function purely in a support role.

My rules for maintaining security are different and don’t often work. (Because I don’t look like a football quarterback, I’m sure!) ;) Nonetheless, if you have any intention of staying for the long term and not job hopping every two to three years, you have to overcome the office pecking order.

First, find out whether or not management considers their data to be important. If they reflexively think that you can be replaced by a video game junkie, don’t even try to maintain security. You’ll just alert the bootleggers and porn surfers to your agenda. Simply have everyone sign the office computer policy paperwork and hope that you don’t become the designated scapegoat.

Second, if you’ve actually managed to convince the suits that the data is more important than protecting the boss’s son when he falls asleep at his desk while playing fantasy football online, protect yourself. The first defense of a disgruntled employee is to attack IT for their own abuses. The difference is that IT often tests software without ever putting it into production. They also know more about download risks and they are as human as everyone else when it comes to the occasional diversion. Nonetheless, you need to be untouchable if your department is going to be responsible for the dismissal of an employee.

Third, proactively maintain as much control over security as you can. Site blocking, port blocking and workstation security help to keep honest people honest. IT doesn’t want to become the constant bearer of bad news. Sooner or later, the politically driven suits will consider you to be the problem, not the users. Nonetheless, they tend to do things on the cheap, so having knowledge of free tools helps IT to bridge the gap in understanding the value of site blocking, commercial grade firewalls and other security tools.

Finally, know the business of the company or you won’t be involved in the decision making process. IT should be evaluating software for corporate use. When every engineer starts cobbling together rinky-dink databases out of whatever software they’ve managed to bootleg, IT is the group that has to integrate all of the data generated by lone wolves who often only develop as a means to demanding newer, faster toy PCs.

The biggest problem with desktop computers is their near proximity to becoming game consoles and home stereo systems. If a person “needs” a fast computer, make sure that the hardware fits the need. High-end video and sound cards usually mean that someone is designing a Playstation, not a production workstation. Does your IT manager approve of “perks” in the form of computers? Well, I have stories of government employment where IT is rarely run by IT professionals and “perks” and patronage-driven purchasing become the business of IT. Nobody cares enough to fix it, so you either become a delivery boy or you fight every day against your own office just to do your own job and maintain security.

Glenn Charles :

I was about to make a much simpler version of the comment above:

Joe, people are idiots, whether in management, employees or even software and OS company management who dictate what their programmers do. But I do agree with you. If rationality ever becomes a widespread infectious vector, maybe someone will listen to you someday...
Glenn Charles

cherri chavez :

I just received an e-mail stating I have won a Microsoft Powerball lottery, e-mail address
from the UK; could you verify?

The contact name is Barry Hurst at claimsofficerdp_uk@yahoo.co.uk,
claims dept manager,

and Stephen Harison at <express_couriersystem@yahoo.co.uk>.

Please verify.

Thanks. They want $560 for delivery of 493,689.98 in USD.

Please email me back.

Thanks,

cherri

I'd suggest a two-pronged approach:
1. Make employee awareness of security issues a key part of your security program. This is key to making your security program work.

2. Provide a way for users to run an application by IT and get a quick response in terms of any security issues. The review is security oriented only; it is not for IT to judge the usefulness.

If you make employees aware of the security issues and provide them a way to get the applications they determine they need while complying with security requirements, you'll have a lot more success.

I am pragmatic; we won't get the opportunity to review all greynet apps, but we can catch most. Additionally, by providing a simple way for users to get the applications they need and meet security concerns, managers are more likely to support our efforts to stop truly unnecessary greynet applications from being installed.

Ziff Davis Enterprise