Advice Line | Bob Lewis » Information security, off the deep end

July 19, 2006

Information security, off the deep end

Dear Bob ...

Did you happen to see Roger Grimes' recent posting, "Unauthorized applications (still) a bad idea," (InfoWorld's Security Advisor, July 14, 2006)? I'd love to hear what you have to say about it.

- Curious George

Dear Curious ...

Now why did you have to go pour gas on the fire?

Well okay, here goes. Read Grimes' posting and you'll see the same tired, self-serving argument by assertion that's usually used by members of the Value Prevention Society (VPS) to justify their one-size-fits-nobody policy recommendations.

Unlike many who take his position, Grimes didn't even haul out the usual references to publications of the Alarming Statistics Society of America (ASSA) to justify his claim that nobody ever installs an unauthorized application that does something useful. Instead, he provides examples, like employees who install GotoMyPC and instant messaging (IM).

Grimes needs to take a trip to the clue store. Does he really think employees install GotoMyPC because they find accessing their work computer from home to be a matter of pleasure? Don't be ridiculous - they install it because they're conscientious, and sometimes need to work from home, using data that's only available on their office PC. Very often, they have to do this because their company's security team has outlawed jump drives and configured their laptop computers so they can't carry any data out of the company ... security risk, don't you know.

So it's drive in to work on Saturday or install something that helps them get their job done, because IT is too busy locking down the joint to realize the employees need a decent work-from-home solution. If that weren't the case, employees wouldn't have to install GotoMyPC: IT would provide a solid VPN, and Citrix or something similar that provides a way to access office files from home.

As for the IM nonsense: yes, user-installed IM does cause security problems. Unless Grimes has installed a bunch of keystroke loggers to find out what people are doing every second of their 50-hour work weeks (which is, by the way, why employees have to use office equipment for personal tasks, but that's a different discussion for another time) ... he has no idea what fraction of their use is personal and which is business. Here's a simple alternative to forbidding this very useful communications tool: install a corporate IM solution that is secure.

Grimes' oddest assertion is this: "Denying all unauthorized software by default leads to more innovation." Huh? Unless you define "innovation" as "figuring out creative ways to bypass the lockdown," the statement is absurd on its face.

If you still think Grimes is on the right side of this argument, what I want you to do is to go back to 1980. Apply the same logic and you'd end up doing exactly what IS (the usual name back then) tried to do when faced with the PC: Forbid it. According to the IS organizations and pundits of 1980, PCs were brought in to play games and waste time in unimportant activities by irresponsible employees who ... get the idea?

I'm not going to generalize here. I've worked with too many fine information security professionals who take a balanced view of their discipline, recognizing that they are responsible for translating security policy into practical action, not to lock up the joint so tightly that nobody can breathe.

But then there's a different sort who are also drawn to the discipline: Junior G-men who divide the entire world into perps and victims, and who generally blame the victims for not spending their entire lives training to fight the perps.

Okay, I'm done now. Get the idea? Grimes appears to consider the role of Information Security to be achieving total security, not striking a balance between risk and opportunity.

Oh ... I rechecked, and I was wrong. Grimes does make use of a statistic from the ASSA: He says 99% of corporate America isn't doing enough to prevent crimeware. If "doing enough" means agreeing with his VPS-driven policies, I sure hope he's right.

- Bob

P.S. I usually post here using a program called Performancing - a Firefox plug-in. Performancing lets me set these up off-line when I have to, which is quite useful; Firefox you know about as an excellent browser.

Most companies would consider both to be unauthorized programs and I'd have to do without.

Posted by Bob Lewis on July 19, 2006 04:49 AM

Roger A. Grimes responds:

Bob,

To prove I'm right, I'm willing to give you and a company of your choice a free security evaluation. Pick any medium sized company (100 PCs +) running a normal business with Internet email access, that doesn't implement a strict policy against unauthorized software installs. Give me written authority from the owners or senior management to compromise it by inducing an employee to install a software program of my choice. I promise to do nothing but get internal access to company assets, and do no other damage and cause no business interruptions.

To be a fair test, don't let the employees know that you've allowed me to do this or about this particular challenge.

Give me 96 hours, and I'll successfully be in the company with full access to company databases and resources, plus the ability to capture more passwords, etc.

I do this all the time for a living, and in 9 years I've never not been successful. I'll even show you the program that I will be installing to prove internal access.

The only compensation I ask is to be able to publish in my column the outcome of the challenge and the company's name, including your acceptance of my challenge, whether I succeed or fail.

If I succeed, it means any attacker can compromise that company with a minimum of effort, and basically own the company and its data resources. Your stance, and others like it, leaves companies, like the one I'm hoping you'll offer up, open to the risk I'm proposing.

Malware and hackers are no longer script kiddie threats. It's criminal in nature and designed to steal money and data.

If I fail, you expose my recommendation as an unrealistic fraud, and I walk away in shame.

Let's put our differing opinions to the test; blogging without reputation risk is for lesser pundits.

I'm confident one of your readers will be open for the free security assessment.

Posted by: Roger A. Grimes at July 19, 2006 08:56 AM

I wonder if anyone has bothered to ask him about this? I did - and he's not quite as self-serving or oblivious as you make out.

I originally posted a comment about his article, saying much what you are saying. Then I decided to send it TO him. His response was basically that his recommendations assumed a responsive IT organization.

I think that should be clearly spelled out. The way the article is presented, some unwarranted assumptions and conclusions can be drawn. No, security is NOT the be all and end all of all decisions. If you really think so, get out of IT and start using clay tablets - they are the only media that are almost (but not completely) impossible to duplicate without a laborious process. And consumers of IT often DO have very good reasons for wanting the things they want - even in cases where it would look totally the reverse at first blush. This needs to be clearly recognized. And, no, the job of IT is not to make their job easier, but to streamline things to the extent that it improves the consumer experience.

On the other hand, dealing with both sides of the coin, I think he's not entirely out of line. He makes some points that really do need to be considered.

I find that the idea of such a ban has immense appeal to me. The amount of time spent on dealing with problems posed by unauthorized software is immense - and that is time that users cannot use their computer fully - or at all, and time that IT cannot spend on adding value or providing other services.

The other thing that I find is that very often when people implement "solutions" for genuine business needs, they wind up doing stuff that causes them problems, or just limits them in unexpected ways. When they talk to me, I'll often come up with a better solution.

I'll bet that that's where he came up with the idea that lockdowns lead to more productivity. I don't know if he really is right or not. But, once you really think about the ramifications of the situation, you should be able to see that it's not as it sounds on the face of it.

And, sometimes, people just want to to do things their way. Now, if it's a matter of what your desktop looks like, for instance, fine - I think that locking down a desktop to the point that a person cannot change the colors or backgrounds is generally stupid - but there are legitimate reasons to enforce certain standards. And, security IS a legitimate reason - providing that legitimate business needs are being met.

Let's face it: the same guy who is hollering about why those security "fanatics" won't let him do whatever it is he wants to do is highly likely to be screaming "lawsuit" if his private data gets compromised. And he's going to be even less happy if the place needs to cut staff because of the loss they took due to a data breach.

As a practical matter, I generally recommend a middle course. The reason is that all too often organizations do NOT have the kind of responsive IT that is needed. Sometimes it's a matter of staffing. Other times it's a matter of culture, and until that culture changes, users do need a bypass.

Posted by: Kayza at July 19, 2006 09:48 AM

Most good security professionals worth their salt know that security can not hinder the essential operations of a company because the business must run and work efficiently to even have anything to secure in the first place.

Along those lines many companies do have a major issue with "mainstreaming" applications in a timely manner and that can really introduce some risk into the enterprise due to lack of standards and a large variety of apps/os's.

Posted by: Mark at July 19, 2006 11:10 AM

I can't decide if I am missing the point of this response or the original Grimes newsletter. Having been on both sides of this issue, I see validity in both arguments.

At a previous place of employment, the IT department took the "lock down" approach, which was fine from a security and support perspective until we had to get an application installed to allow us developers to do our job. First, the IT department couldn't do it for 2 weeks and then they were going to need help because they didn't understand what needed to be installed and how to configure it. If the lock down approach is to be applied, then the IT department must be able to respond to needs quickly, effectively, and efficiently.

At the same time, I consulted with a company 10 years ago without any security policy and they were having virus problems as a direct result.

"Lock Down" solved one problem and created another. Neither strategy is an absolute.

Posted by: Buddy at July 19, 2006 11:24 AM

My first reaction to Grimes' article was "Get a Mac!", followed by (... or Linux!). Either move will solve 99% of the problem right from the start.

But I also agree with your suggestion that such lockdown security approaches are self-defeating because they will force all the ordinary employees to find a way to shoot the locks off, simply overwhelming both security and IT.

Posted by: Joe Gwinn at July 19, 2006 11:32 AM

On the one hand, Grimes is right in that some unauthorized software wreaks havoc with security settings, in addition to goobering up PCs so that I.T. staff has to come behind to clean out the garbage to return them to good working order.

On the other hand, Lewis is right in that some programs are necessary in order for conscientious employees to get their jobs done, especially when I.T. can't get around to it or is pathologically paranoid.

What I see is that the issue of unauthorized software is a symptom of much larger issues.
1) Why doesn't I.T. provide ALL the tools to employees necessary to be productive?
2) Why are employees so burdened that they must work from home, or must do domestic duty from the office?
3) Why aren't employees trained sufficiently to know the difference between a necessary tool (e.g. GoToMyPc) and frivolous software (e.g. WebShots or MySpace)?

Posted by: Ray Martin at July 19, 2006 11:44 AM

Here we are. As in all things balance is the key. There are, indeed, companies where security should be terribly high with no unauthorized programs and no data leaving the office. For instance, the Veterans Administration. I'm not thrilled with my data being stolen (Yes, I'm one of those veterans).

There is/was no excuse for that. And innovation isn't one of the things I'm looking for in that type of organization.

Other businesses, for instance publishing or graphic arts are typically innovative and should allow some leeway.

Even in those companies, however, there are divisions whose security should be unassailable. HR, Finance for instance. The people who work there typically only need a few programs to perform their work.

So, in my humble opinion, the answer to the question is a resounding, "It depends."

Posted by: Bob at July 19, 2006 12:05 PM

You can get Performancing for FireFox at http://performancing.com/firefox as well as other web log tools and services.

I don't work for them, but I like their stuff.

Posted by: Chris Hansen at July 19, 2006 12:06 PM

I had to re-check the date on this to see if it was written pre-VA laptop theft.

Seriously, as I wrote to my Senator regarding same: You don't do anything that is so important it cannot wait until tomorrow. The risk of losing confidential data is so great that NONE of it should leave the office.

Posted by: L.T. at July 19, 2006 12:16 PM

Bob,

You rock! I couldn't help but wonder exactly what you would think when I saw that security piece earlier this week.

Say, can we get a debate posted online between you two? I'm sure you'd clean Grimes' clock. You sure did with this posting.

Posted by: JWW at July 19, 2006 12:26 PM

To me, Grimes' most astonishing statements relate to IM:
"But for the most part, it’s a complete waste of time for most businesses. Employees aren’t sending IMs to other employees and partners about business issues. It’s mostly a way for employees to conduct more private personal chats on company time without being seen connected to a telephone all the time." In my geographically-distributed software development organization, at least, this couldn't be less true. Maybe by "most businesses" he means "businesses that operate in ways I can't imagine".

Posted by: Mark Shaffer at July 19, 2006 12:44 PM

Bob,

Thank-you! I'm so glad I'm not the only one whose blood pressure rose at the various assertions in the quoted article. You want to stifle innovation and getting things done? Lock down the computer system as tight as possible. People will be able to generate documents and powerpoint files, unfortunately probably little else will get done (oh, financial reports with Excel will be done also).

You missed another couple of ASSA comments, "... the 98 percent of your users who've just gotta install that free screensaver ... should be locked down". My favorite part was the elitist, arrogant view by the VPS about the lowly "end-user": "if we could trust employees to only install nonmalicious and productive applications, it would be good for the company. But most users will download junk and malware. In general, end-users can't be trusted to make appropriate risk decisions. ... " Pretty high opinion of your fellow-employees there.

Posted by: Mark L at July 19, 2006 12:44 PM

I have been on both sides of this argument, as a member of the user community and as one called upon to save others from their self-inflicted computer woes. I agree that from a corporate perspective, locking-down computers can be quite short-sighted. However, Bob, your suggested alternative of "installing a corporate solution" is not in my experience one that is available to the Information Security area. They don't have the resources or the mandate to perform testing on applications that have no direct role in security. Mr. Grimes's choices may not include installing a corporate IM solution; his options might only be whether to allow users to install one themselves. I do completely agree with what you said about Mr. Grimes's statement on lock-downs leading to innovation -- that is absurd. And there should be an attempt to balance security risk with opportunity. However, while support for a lock-down approach could be easily attacked if it came from a CIO, to me it is understandable, and to some extent to be expected, coming from a security chief.

Posted by: Richard Sullivan at July 19, 2006 01:34 PM

Clarification in regard to usage of that "innovation" word: Existing kind of innovation as understood by sales, marketing, management and financial guys, as well as that of current breed of politicians, should be outlawed. Punishment may vary - anywhere from a public spanking to slow painful execution of all the bloodline.

Posted by: GB at July 19, 2006 02:03 PM

I believe that Roger has fallen into a trap I've seen many times over the years. That is the "Me and My Department are the Centre" argument.

Human Resources, Payroll, Computing, Accounts Receivable, Purchasing, Marketing, Physical Plant, I've seen all those and more, by their own account you understand, claim to be the Most Important Department. The organization just doesn't exist without them, can't you see that?!

It's often advanced by well-meaning but overzealous individuals. They may be energetic and talented, but they've fallen into a self-centred view of their organization.

Here's what I expect to happen as a result of implementing Roger's policy. Short-term security gains, and resultant declines in security incidents, cause the security department to declare triumphantly that they were right. The policy is a great success.

Over the long run however the organization goes into a decline. Talented personnel in every department but security, and eventually even security themselves, leave. Competitors start to circle like vultures. Since the security mandates ate away at innovation, which is fundamentally a strategic issue, it's difficult to make the connection. Short-term Win = Long-term Loss.

Roger repeatedly states that the problem is various types of song and video players, or malware laden Peer-To-Peer systems. He then proceeds to ban, not the identified troublemakers (an appropriate response), but everything new (cannons against flies)! It's a bureaucratic response.

His procedure for getting new systems in place? A "quick and responsive" approvals process. Yeah, right. Once Security has blanket deny authority over everything, they have automatically set themselves up as the organizational powerbrokers. What are you going to give me if I approve your application?

I doubt Roger will ever realize, or accept, that his "Great Leap Forward" in security plays any role in long-term organizational difficulties.

Posted by: Brian at July 19, 2006 02:46 PM

Good grief, take a chill pill Bob!

Posted by: Phil at July 19, 2006 03:33 PM

As a counter to your view, I rather like this article:
http://www.ranum.com/security/computer_security/editorials/dumb/
(The Six Dumbest Ideas in Computer Security)

The first dumb idea is default permit.

Sincerely,

Gene Wirchenko

Posted by: Gene Wirchenko at July 19, 2006 03:38 PM

In response to Roger's challenge ... oh, yes, that's exactly what I'm going to do: Waste a client's time with this nonsense.

The principle in question is exactly parallel to this proposition: I should ask a friend or loved one to let you aim a paintball gun at them. You're guaranteeing that if they don't walk around in a head-to-toe Kevlar suit, you'll be able to splatter them with paint.

Sure you can. So what?

Here's a counteroffer: Give me a company of your choosing and I'll bring productivity to its knees and morale to the breaking point within six months, doing nothing except constantly improving information security.

Probably, I can make security measurably worse as I do so. (This is easy - I'll just enforce strong passwords that change every day. That will guarantee that a lot of employees write them on Post-It notes they place on their monitors.)

- Bob

Posted by: Bob Lewis at July 19, 2006 08:40 PM

Here's a challenge:

I work for a Fortune 50 company - attacked regularly I'm sure. I used to be a SysAdmin, now I'm on the sales side (SE). I used to be a God in my domain, now I'm merely a user. A permanently remote one at that. I have great sympathy for my IT group - underfunded and staffed. Worse, I'm 3000KM away from them on a good day. I'm also a power user who used to control his destiny.

I have admin rights on my laptop out of sheer necessity. I can't allow my IT group, valiant as it is, to take 3 days to respond to an issue I can resolve in seconds. I have too much work to do. Am I the most important resource to my company? Not by a long shot, am I working long hours as it is? Heck ya. Do I want to watch my work pile up as I wait for IT? Guess again.

How have I reconciled this? 1st I have the luxury of being smart enough to support myself 90+% of the time (not the normal user I know). 2nd I have the freedom to install all sorts of stuff that isn't IT approved - but only if IT doesn't have something that works. Am I a risk to the business? Not really, I have a mandated up to date patch and virus - enforced by VPN scan and quarantine before I access the important stuff. AND my company trusts me - big leap on their part but I'm productive as are my coworkers. If IT is to be the big brother, IT has to be faster than the users, more proactive than they generally are now. That means more money and resources. See the challenge in that? I have rarely met an IT person who generally wanted to slow things down, I meet IT folk that are often hamstrung by politics or budget or both.

IT needs to listen to users and business needs to support IT when they come for resources. If you have both

Posted by: Dave at July 19, 2006 08:58 PM

I've worked on a few large (5,000pc+) standardization projects and, without repeating the comments above (nearly all of which are well-thought-out, passionate and valid) here are a few things I've discovered:

"Standard Office PC" is just that. It is the base, the norm, the 80 of 80-20. It is one-size-fits-some, with an eye on the goal of one-size-fits-most. Developers, engineers and yes, IT folks frequently fall outside of that 80% limit. At that point the PC standardization/lockdown process (that's people, not technology) needs an out. Maybe it's a separate, non-standard PC that might run on a separate subnet, or not have the std corporate tools (CRM, ordering, financial) installed. Maybe it's just an "exception" process from IS-security.

The point is that there should be a way for end-users to get what they need (I will refrain from Stones references), and equally important is that there should be a requirement that users justify what they need in business terms.

Part of the issue (from the Grimes/IT viewpoint) has nothing to do with junior G-men or visions of perfect world order - it's workload management. IE is a good example. It sucks, I'll be the first to agree. But I also recognize that my company (10k+ people) spends a huge amount of time patching, securing, etc their installed base of IE. They would spend the same (or statistically similar) time with FireFox, Opera, etc. They picked IE, there's no compelling business reason to move, blah blah blah. However, if I install Firefox on the grounds that it's "better" for me, the patching and securing onus is on me, and I had better be incredibly clear on exactly what, when, why and how IT decides to make their updates to IE so I can match it. And woe unto me if I miss something and unwittingly violate SoX, HIPPA, etc. It's not worth the risk for tabbed browsing and a couple of plugins.

That same argument can't be made for all software (file managers, notepad, etc) and that's where IT has to take a chill pill.

IM is one of those interesting cases (imho). Are you denying it because you think it's a time-waster (how about all those "punch the monkey/smack the penguin/elf bowling" flash website games?), or because it's another "analog hole", or because your industry has strict retention policies on communications and it's difficult (if not impossible) to capture, store, retain and later dispose of those communications based on those policies?

While I feel hobbled every single day by my company's refusal to implement IM, it would be on the bottom of *my* list too, in the face of evaluating self-encrypting jump drives (again, industry requirement for all removable media to be self-encrypting); dozens of daily ACL change requests; the usual slew of serious web usage violations (we're not talking "punch the monkey"); determining how security needs to adapt to new technologies like virtualization; navigating and implementing the requests for group accounts vs individual; determining the issues and risks with new wireless capabilities; etc etc etc.

Posted by: Leon Adato at July 20, 2006 04:54 AM

Great Discussion. Great points/counterpoints. I use personal software at work - OneNote, Quattro Pro &c but I forbid others to bring/download personal stuff. Why? Well, licensing for one. A mediocre vertical package which still has DOS routines (so crash city) for two. But the Big Reason is most of the users refuse to take the time to learn productivity enhancing features in Adobe Acrobat, Word, and other standard programs because they are "too busy". So they need other programs? Yeah Right! And as to working from home at will - when was the last time your GoToMyPC fans ran a comprehensive security audit on their home PC that they want to connect?

Posted by: Tobey at July 20, 2006 05:18 AM

I'd say that it all depends on the qualification of IT personnel.

I used to work for a company that definitely has been attacked; moreover, it has been a target of some very highly publicized attacks. I'm pretty sure that if there were any successful break-ins, they would be highly publicized too (see, a lot of highly qualified people have a personal grudge against this company).

Yet, it was the best work environment too. The engineers are free to install whatever they want on their desktop machines (no IT support for that but who needs it anyway?). There is no web proxy, and access to the outside Internet is fully open - to any host, to any port. The company firewall handles all the details, and I think technically it does have a web proxy but it's not visible from inside. The work-from-home is supported by both direct modem connections and VPN.

And the productivity definitely didn't suffer. In fact this company has the highest productivity from all the ones I've worked for.

Posted by: Sergey at July 20, 2006 05:59 AM

... I love the elitism, "I use personal software at work - OneNote, Quattro Pro &c but I forbid others to bring/download personal stuff. " This is exactly what causes problems, the "I am able to do what I need to do because I know what I'm doing and *you*, a mere user (with an MSEE, BSEE, and 20+ years in the industry) obviously don't". Having been subjected to this kind of arrogance on the part of other branches of security as well (we can do this, you can't because we can't trust *you*), I can tell you that nothing kills morale, productivity, and most especially strong security posture than this kind of activity. You want to have people figuring out how to circumvent security and policy so they can get things done? Implement the sort of policies indicated above.

Posted by: Mark L at July 20, 2006 07:50 AM

From where I sit, both Roger and Bob are right.

In general, the dearth of internal controls inside the network makes it open season for authorized users to do whatever they want, and many companies suffer hidden losses because there is no means to find out what goes on in an unauthorized fashion by authorized users. Look at Dan Verton's book the Insider for an eye opening look at this issue, and then you will discover the reason for the birth of so-called extrusion prevention companies like Reconnex and Vontu, whose risk snapshots have found a 100% failure rate for adherence to security policies. Maybe corporations do not really want to know what goes on inside the company; some might be horrified to find out.

On the other hand, trying to lock up security very tightly in the past has tended to "brick up" systems and ended up impeding the business model and data flow, and pit IT/security staff against business people. This is really because the technology to enforce security policies and allow information sharing in a positive, comprehensive way has never been available before.

Multilevel/trusted security that prevents incidents in a proactive way, in a positive security model framework (deny-by-default inside the network), is the only way that security and business flow can be achieved.

Workplace culture is a factor in this. Where people are happy they are motivated to do well for their companies and themselves, incidents may not occur as often, but it only takes one bad apple to bring down the tree. Where they are bored or disgruntled, training has been shown to be mostly ineffective. In both cases, there are just some staff that need to be protected from themselves, and internal controls must be applied.

Posted by: Another Bob Lewis at July 20, 2006 08:35 AM

I want to thank everyone for responding to my column, whether you agreed or disagreed. The more we debate, the more we help each other.

There is no perfect security solution. Even if you implement the main recommendation I offer up, there are still a host of other attack vectors (e.g. buffer overflows, data malware, vulnerabilities in existing apps, social engineering, etc.) that can be successful.

And I don't live in a vacuum where it's my way or the highway. Most of my clients don't want that draconian measure, any more than most of my critics. I understand that.

But the clients that do implement it have significantly fewer problems and less risk. You cannot argue that point.

And to Bob, and everyone else claiming that my idea (which isn't even my idea) will cause a company to fail, decrease productivity, and stifle innovation...I say where is your evidence? Are you speaking from your best gut estimate, or using objective data? How many of you are speaking from experience of having participated in what I'm talking about?

Most of the Fortune 1000 already does what I suggest, and most of the Fortune 1000 is striving, growing, and registering more patents than ever. If strictly locking down the desktop did any of the things my critics suggest, wouldn't the majority of them be in a major downfall right now instead of increased productivity year over year? Wouldn't patent requests go down? Where are all the disgruntled employees who quit their jobs solely over a locked down desktop?

I'm sure there are examples of all of that...but let's measure the weight of both sides instead of emotional speculation.

I frequently make my recommendation to companies. Most don't take me up on it. Again, I understand the fear. But the ones that do, will tell you they would never go back. All the engagements go something like this:

1. I have one or two leaders in mgmt and IT that really support the idea, including senior mgmt.
2. Most people in the company and IT hate it.
3. It takes 2 days to 2 weeks to plan the rollout, depending on the size of the company.
4. It takes 2 weeks to 2 years to finish the implementation, depending on the size and distribution of the company.
During steps #2-#4, lots of people dislike me.
5. But to a company, months later, every person involved with the rollout would not turn back. People, especially IT, sales, and tech support folks, aren't happy that they can no longer install software on a whim, but they understand the policy and even feel better about the company because of it.

Crucial to this policy is responsive IT and Mgmt. Mgmt makes all the approval decisions, and IT installs. We create a policy and procedure, and I tell the company that if they cannot be extremely responsive, don't head down that road. By responsive, I mean 1-day response on emergency requests, and 2-week maximums. Each policy even allows flexibility for onsite IT approval and installs within the hour (i.e. Webex needs to be installed for a remote sales demo, etc.)

You may or may not like me. I've been writing for 20 years and my feelings are not hurt easily. And I don't back down from a heated discussion just because the majority of responders are attacking me. If you come back with good arguments, I'll reconsider my position. I do that time to time. No one's perfect and no one has all the answers.

It's just that every argument I'm hearing here, I heard when insisting on deny-by-default firewall rules two decades ago. Twenty years ago, security administrators were given all the same critical arguments (end users won't stand for it, decreased freedom, lower productivity, etc.). Now, it's the most common firewall policy and no one thinks anything of it.

Same thing will happen with denying all software installs by default. This isn't draconian. It's common business sense. It is the way most companies will handle host security in the next 5-10 years.

There are still plenty of places that don't have a deny-by-default firewall rule...especially universities. I'm sure that has nothing to do with the fact about why their networks are full of malware, hackers, illegally copyrighted material, and compromised data.

One university that I have consulted at for years always gave me the restricting academic freedom argument. Finally, they got exploited on a weekly basis, with enough public and private damage, that their rules began to change. This week we're putting in the first perimeter based firewalls. They are also facing two multi-million dollar lawsuits (one for loss of confidential data, the other for allowing their systems to attack another company).

Despite what they teach in college about us all being proactive...being proactive will get you fired and yelled at. We are all reactive sheep, waiting until the damage has occurred before we respond.

I'm sorry I upset your mental apple cart. But I don't get paid to continue to support poor conventional wisdom.

Allowing the majority of your end users to install software on their personal whim is bad security policy, bad company policy, and does decrease the productivity and revenue of the company.

Quotes I Like:

Abraham Lincoln
If I were to try to read, much less answer, all the attacks made on me, this shop might as well be closed for any other business. I do the very best I know how--the very best I can; and I mean to keep doing so until the end. If the end brings me out all right, what is said against me won't amount to anything. If the end brings me out wrong, ten thousand angels swearing I was right would make no difference.

Charles Babbage
"...Propose to a man any principle, or an instrument, however admirable, and you will observe the whole effort is directed to find a difficulty, a defect, or an impossibility in it. If you speak to him of a machine for peeling a potato, he will pronounce it impossible: if you peel a potato with it before his eyes, he will declare it useless, because it will not slice a pineapple."

In the end, computer security isn't even a serious problem in my world. It's just a job. One of my kids in the emergency room is a problem, everything else bad is just an inconvenience.

Posted by: Roger A. Grimes at July 20, 2006 09:31 AM

RayMartin wrote:

>>1) Why doesn't I.T. provide ALL the tools to employees necessary to be productive?
>>2) Why are employees so burdened that they must work from home, or must do domestic duty from the office?
>>3) Why aren't employees trained sufficiently to know the difference between a necessary tool (e.g. GoToMyPc) and frivolous software (e.g. WebShots or MySpace)

Excellent question. I think that this is my most fundamental disagreement with Mr. Grimes. He seems to think that it's not possible to train users on these issues. I disagree. But, the organization needs to be committed to this.

Posted by: Kayza Kleinman at July 20, 2006 09:40 AM

>>Give me 96 hours, and I'll successfully be in the
>>company with full access to company databases and
>>resources, plus the ability to capture more
>>passwords, etc.
I can promise he might have access to my company's databases, but not to the data. These kinds of sniffing tools he's talking about can be prohibited and searched for. And someone smart enough, and malicious enough to steal information isn't likely to be stopped by Roger's policy or attempts at lockdown.

Total lockdown is asinine. His example of blocking RealPlayer, for example - we deliver a lot of eLearning through that media player. And, heaven forbid one of my team wants to listen to music through headphones in our open cubicle environment to block out extraneous noises. I have worked as a consultant in dozens of organizations. Most have a sensible middle ground - blocking some things (mostly by policy) like p2p software, but otherwise making users responsible for what they do, and having network and resource access controlled. I wonder, is Roger one of those guys who used to demand a business case for each website an employee wanted to access? It's the company's bandwidth/time/computer, etc. after all.

My current company has gotten paranoid about security since the VA incident. Some of the response has been good - teaching about information that should not be retained, where to store confidential or personally identifying information. They issued everyone a 1 GB encrypted thumb drive that is perfect for this type of information. Great move, and adds value.

They have also pushed out a crappy hard drive encryption program that causes huge slowdowns (I could live with that) and multiple times a day lockups (a "known issue"). I'm talking no-warning, power-down-reboot to recover lockups. The worst feature in my mind, is not giving the users any control over what gets encrypted. I'm pretty sure my mp3 collection, and Program Files don't need to be encrypted. If I could set it to skip certain directories, or only encrypt my email folders and a few other sensitive client folders, this would have much lower impact, without compromising real security concerns.

With these difficulties users began uninstalling or otherwise circumventing this program. Four cycles of the "arms race" later, they have finally made a system check at login to make sure the programs are installed, and logging people who are having multiple installs. Countermove - people are trading scripts that let it start, and then kill it before it causes problems. We are arguing for some sensible middle ground, meeting the security needs of the firm. But, until then, the Rogers in my company are facing the "prison guard's dilemma" - the "prisoners" as a group are smarter than the "guards", and have more collective time to find holes, or dig them.

And, if as Kayza contends, Roger is assuming a responsive IT organization, I would just point out that no organization does an honest, accurate self-assessment - "no, we aren't responsive, we just want to make our job easier." The friggin' post office thinks they are responsive!

Posted by: Bad User/Good Worker at July 20, 2006 10:48 AM

This is why ethics courses should (if they are not currently) be required in all IT degrees and training programs (maybe include a little game theory as well). It would provide better understanding of the principles involved.
The balance between security and open systems is a form of Prisoners Dilemma, with no technical solution. Both challenges presented (Roger's and Bob's response) are equally valid, but diametrically opposed. In each case, the optimization of the subparts (security and business operation) doesn't necessarily optimize the organization. If security is so lax that the equipment becomes non-functional (or too expensive due to constant maintenance), the organization will receive no benefit and lose. On the other hand, as security gets stronger and the user is unable to accomplish tasks due to lockdown or bureaucracy, the organization will receive no benefit and lose.
By the way, the Tragedy of the Commons comes into play here as well, but I'll leave that for another time.
Bob's point, now and on similar articles in the past, has always been to identify the balance, and to remember that if the business doesn't make a profit, all of us are out of work. IT really has no business playing watchman or gatekeeper, or whatever.
If employees are using the internet for personal business, what does that have to do with IT? I would assume that person has a supervisor/manager/leader/etc that is responsible for their work. It's their job to ensure that employee is working consistent with their salary.
Likewise, with those evil files (like MP3s and pictures) where there is potential of litigation afterwards, a strong statement of policy and penalties is a legitimate reaction. Then when a problem arises, there is no question. The penalty is enforced. Let's face it, no one is sitting at the copy machine enforcing copyright laws, why does IT feel the need to try to enforce it?
Controlling support comes real easy when you have a standard image. If a tech can't fix it within a certain period of time, reimaging solves the problem. Training employees to organize their files and use network file storage is a mere training problem not a technical problem. Employees who have trouble with this continually should maybe find another position entirely. An employee having to sit and install all of their applications becomes a motivator to be reasonable about installing apps that would "break" their workstation.
It's about IT being real about their position. Unless you are a shop providing IT services by contract, IT is a support organization with no profit making capability. We should be helping our organization be more efficient and profitable, or at least not hinder them in the process if we don't have the manpower to be proactive.

Posted by: Rick C at July 20, 2006 01:13 PM

While I appreciate the measured tone of Roger's case, and rebuttals, it's a case of "A Modest Proposal". Jonathan Swift anyone?

You see, I do know what I'm talking about. I have actually worked in IT for nearly 20 years. I have worked in organizations where, to state the matter plainly, most users' needs didn't matter very much. In all organizations I've worked in, there is always more work to do than time to do it in.

That's one key reason why PC's were a good idea. They allowed clients to start making choices themselves. Independent work and activity became the norm, not the rare exception.

The penultimate expression of "deny by default" was the mainframe with attached 3270 terminals. Incredibly secure, reliable, compatible (with its own previous versions only), expensive, inflexible, unwieldy. A mixed bag of attributes to be sure.

The world walked away from that architecture, not totally, but mostly. There's a reason.

You see, it's not up to us to provide statistics or proof Roger. You're the one taking an extreme position. You prove to us, statistically and empirically, that completely locked down companies are more profitable over the long run. Not more secure, but more profitable.

You have not done that. All you supply is your assertion, based on some (I imagine) gut feeling, based on short-term contractual engagements. Verbal massages given from customers who feel good because you made their world simple, this week. Not good enough. Not convincing.

You see, in my experience, most clients want to do a good job. They are generally reasonable and responsible. Give them a reasonable option and they'll take it 99% of the time.

I say cater to the average client, the good ones. You focus your energies on the problem clients. You treat all clients as though they were the irresponsible ones. That's not good organizational relations.

Posted by: Brian at July 20, 2006 05:37 PM

Statement #1
99% of today's malware exists to steal money, identity information, and data. This isn't my warm and fuzzy best guess. It's the data from Symantec, McAfee, MessageLabs, Postini, etc. Read their quarterly and monthly threat reports. Go to any of their sites and view the top 50 threats. If you find a single threat that doesn't do what I reveal, please write back. I didn't come up with this figure on my own.

[If you allow end-users to install their own software, it means they are logged in as Administrator or root. If you were to reveal this fact to any security group, the critical response would be tremendous.]

Statement #2
If you allow end-users to install anything they like, a remote attacker can easily gain unauthorized access to anything but the most secure companies. If you're a reader who doesn't believe that their company can't easily be compromised by socially engineering at least one of your employees into installing software they really shouldn't, please write me.

[My one-off, unscannable, client-side trojan program "dials home" using port 443 (which is allowed out through every firewall I've encountered) using encrypted data streams. Virus scanners don't pick it up, IPSs and IDSs don't pick it up, and certainly end-users and security administrators don't.]

Statement #1 is true. If Statement #2 is also correct for you, then continuing to allow end users to make software install choices means you've accepted that your company can be compromised at will by almost any hacker.

It means that with a minimum amount of effort your company's databases and corporate secrets can be compromised.

That's okay. All security is a cost/benefit trade-off, where different companies accept different levels of risk.

But it is a big risk to take. If you took the current risk of Statement #1 to management, followed by a statement that it's relatively easy for a hacker to client-side, socially engineer your employees, would it be in management's fiduciary responsibility to require a better defense?

If your current defenses can't stop a user from installing my trojan program and compromising your network at will, shouldn't you be doing something different to offset the risk? Maybe it's not desktop lockdown, but shouldn't you be doing something different, instead of just waiting passively for the inevitable?

If Statement #2 is true for you, and you do nothing different, it means you either don't believe Statement #1 (foolish, old school), or you are playing the odds that an attacker won't target your company, or if they do, they really won't do much real damage. Me, I'd rather gamble off company time.

My one best recommendation may not be for you, but if Statement #2 is true for you, and you are tasked with computer security defense, it begs you to do something different.

Roger A. Grimes

Posted by: Roger A. Grimes at July 21, 2006 01:33 AM

Let me touch the elephant too and tell you what it feels like to me...having just left a Global500 company...

>I frequently make my recommendation to companies. Most don't take me up on it. Again, I understand the fear. But the ones that do, will tell you they would never go back. All the engagements go something like this:

>1. I have one or two leaders in mgmt and IT that really support the idea, including senior mgmt.
>2. Most people in the company and IT hate it.

Immediately, the Wintel server admins get an exemption because if they can be trusted to admin Wintel servers, they can be trusted to have admin rights on their desktops. Likewise desktop support is exempted. Since the Wintel server admins are usually near the *nix server admins, they add the *nix server admins to the exempted group. Then the NAS/Samba people get added...

>3. It takes 2 days to 2 weeks to plan the rollout, depending on the size of the company.
>4. It takes 2 weeks to 2 years to finish the implementation, depending on the size and distribution of the company.

The people in the business that actually make things (engineers, lab people, whatever your business is) start working on how they get their exemption. Could be an old client/server client that "will only run if they have admin rights" on their desktop. What this usually means is we had admin rights in the past, we won't work with desktop support to try to figure out what the least amount of security necessary is.

Another favorite, but usually to prevent any kind of company wide security policy at a server level is - "these are process control systems, we can't put anti-virus on there, and we can't give up admin rights because the applications require them - see previous statement re "clients" - and these servers can "never go offline" for automated patching. Odd then that the server logs show several reboots as the machine owner took it upon themselves to install other apps that do the same thing that apps in the approved IT portfolio do. Usually with a default IIS install. I know this because when nimda and codered were crippling the network I watched my logs as all these requests came from your critical "process control" servers.

>During steps #2-#4, lots of people dislike me.
>5. But to a company, months later, every person involved with the rollout would not turn back. People, especially IT, sales, and tech support folks, aren't happy that they can no longer install software on a whim, but they understand the policy and even feel better about the company because of it.

I think we're illustrating the 80/20 rule. 80% of the people are fine with it, the other 20 have found ways around it. The 20% would include the people responsible for

>Most of the Fortune 1000 already does what I suggest, and most of the Fortune 1000 is striving, growing, and registering more patents than ever. If strictly locking down the desktop did any of the things my critics suggest, wouldn't the majority of them be in a major downfall right now instead of increased productivity year over year? Wouldn't patent requests go down?

Which seems to reconcile how both Roger and Bob can be right about this.

Posted by: ChrisP at July 21, 2006 07:30 AM

You're a slave to your assumptions, Roger.

>If you allow end-users to install their own software, it means they are logged in as Administrator or root.

I don't have a user named "Administrator" on my desktop. Oh, that's right, I don't run Windows. I use a system that has real user roles and permissions. I can allow a user to install an application, which can only be accessed by that user, and which executes with the same permissions as that user.

>If your current defenses can't stop a user from installing my trojan program and compromising your network at will, shouldn't you be doing something different to offset the risk? Maybe it's not desktop lockdown, but shouldn't you be doing something different, instead of just waiting passively for the inevitable?
When you start out assuming the conclusion like that, it's hard to believe your question is an honest one. But supposing that it is, maybe the thing I should be doing different is migrating to a system that allows me to exert control in something other than an "all or nothing" manner.

Sure, a complete lockdown is easier. But to argue from a position that the only alternative is to leave everything wide open is to willfully ignore real alternatives.

Posted by: Drew at July 21, 2006 11:07 AM

In a perfect world, this is what happens:

Users identify needs that are not currently being met.

They contact me or my department, which is adequately staffed. We point out already installed and secure functionality which meets their needs, or we evaluate their needs, assemble the necessary budget, and implement a solution in an acceptable time frame.

Everything remains secure.

I know I heard a chuckle at the idea that the users identify and explain their needs. Even I laughed at the idea that my department would be adequately staffed and funded. Now that we've all had a daydream and a laugh, let's get to reality.

My department is shortchanged in budget and in staff. The same is true of nearly every other department.

Still, that pesky user will get the job done. Sometimes they will have to break rules in order to do that. They might be IT rules, or HR rules, or AP rules, or something else. At the end of the day, or the project, or the fiscal year, if the benefit to the company outweighs the known loss, the employee will be rewarded, not punished.

Employees who DO NOT get the job done because they refused to bend or break rules will not be rewarded. They won't be punished, but you'd better believe that they'll be sitting at the same desk, wearing the same title, this time next year.

This is the reality we're dealing with.

We can make it as difficult as possible for the user to break rules, or even impossible. This has the advantage of being the most secure option.

We can throw up our hands and say the hell with security, let's empower the users. I don't think many people will sign up for this option.

Or we can go for a middle ground. Executed properly, this requires an awful lot of contact with the user. We might even have to go to the level of detail where we know that Joe in Sales is a competent power user, but Ed in Marketing is planning on retiring just as soon as he gets his money from Nigeria.

I walk the middle ground. But I can say from experience that this is the most time consuming and physically difficult option. It means too many late nights and lots of time spent building relationships with the users.

It does have an advantage, though. My users are not afraid to tell me "I need this software that I use at home," or even "Have you seen this dancing guy on YouTube?" This gives me the opportunity to tactfully head off problems before they happen. And I know which users I have to sit on, and which ones I can forget about for months at a time.

But boy, am I tired at the end of the day... or night.

Posted by: Marley at July 23, 2006 10:42 PM

Hey...

If we all think security is bull#$%@, then why are we all reading articles on security and trying to rip apart the system of lockdown..

Security is always absolute security and all those who disagree should try sleeping with their doors unlocked at night...after all burglars don't attack everyday and what do we have the cops for??? Let's not stifle the feeling of being secure by locking our houses and feel like we're living in dungeons...

Bob, I think you're just talk talk and talk... Please don't waste anybody's time by accepting Grimes' challenge but don't waste everybody's time with nothing but a lot of gas.

Posted by: Sunder at July 31, 2006 01:30 AM

Nice.. good job!

Posted by: Home Security at August 6, 2006 01:32 PM
