Recently we’ve seen some discussion around the blogosphere about corporate security checklists – Kenneth Belva, for one, extols their virtues in a recent post on BlogInfoSec – In Praise of the Information Security Checklist.
Says René Poot on the subject:
The times I have been within corporate installations, I see that very often ‘corp. security checklists’ are circumvented because they lack ‘situational awareness’ or flexibility. More often than not, users will find ways around security policies imposed on them, as they tend to find them annoying. Corporations tend to throw a lot of money at security solutions, when they should perhaps be focusing more on security awareness, making users aware of the threats and how not to open every email or attachment out of curiosity!
Inflexible ‘rulings’ – like “no WLAN permitted” – will be ignored. A good example of this is an administrator who enthusiastically set out to eliminate each and every (rogue) Access Point that had been hooked up to the corporate network, to comply with the corporate policy of “no wireless LANs permitted.” After almost eliminating them all, he found a very insecure one hooked up in the board room… for the managers and board members. Fearing he’d be reprimanded for removing this, he set about raising awareness and changing corporate policies regarding the use of WLAN. Rather than shun it, he encouraged the company to embrace and understand it in order to be able to use it as a tool. This ‘flexible’ mentality is required in many fields. Look now at the use of mobile devices and how they allow users to connect to corporate networks and at the same time provide them with music while on the treadmill at the gym! Many corporations will probably demand a separation between ‘home use’ and ‘corporate use’, but the line between the two is fading fast and difficult to maintain. Users will inevitably start using their fancy new iPhone/Blackberry/HTC device, and so it’s up to the ‘security enforcers’ within the corporation to embrace and learn how to integrate these solutions best into their networks rather than simply banning them.
Don’t get me wrong; some checklists are necessary, as security is only as strong as its weakest link. The other day I had a customer who insisted on the highest level of encryption for his tunnel, but failed to see the necessity of strong authentication – so it’s useless. The checklists can function as ‘baseline’ security. How they then go on to create flexible policies, I can’t say.
Much of this also depends on corporate policies. Some have a pre-imaged laptop with the same set of tools on it, tightly controlled by the administrator; it’s on these devices that users become most inventive in circumventing the security policies!