Dealing with Network Security Scofflaws

By Jacqueline Emigh | Jan 28, 2002
http://www.enterprisenetworkingplanet.com/netsecur/article.php/963021/Dealing-with-Network-Security-Scofflaws.htm

When it comes to security, some end users just don't get it, according to many network managers. Intentionally or not, these troublesome users keep jeopardizing security by downloading forbidden attachments or visiting off-limits Web sites. When technical interventions alone don't ward off these problems, some administrators are resorting to social sanctions, either informally or through company policies.

Parrish S. Knight is one network manager who's faced down pesky users. "In our particular case, we were infected (with a virus) by someone who refused to follow safe computing practices. Everyone had been warned not to open e-mail attachments from a particular proxy server, but she did so, anyway -- not just once, but twice," says Knight, an Internet and LAN administrator at Market Access International.

Knight's also found himself up against people who eat up bandwidth during peak network periods by spending too much time on Napster.

At other companies, users have left corporate networks wide open to viruses by circulating spam mail, according to Paris Trudeau, product marketing manager for SurfControl.

Knight has dealt with some problems at his company by speaking directly to either the abusers or the abusers' bosses. Also, to "help protect users against themselves," he's using anti-virus software on both a proxy server and users' desktops. The WinProxy server updates its signatures every three hours. The Symantec desktop software is also configured for automatic updates.

Although individual companies' strategies vary, other frequently used technical interventions include firewalls; asset management and monitoring tools; content filtering software such as SurfControl's products; and subscriptions to signature database lists.

Though not in the same category as antivirus software, SurfControl's tools can be configured to screen out e-mails with spamlike subject lines and .vbs and double file extensions, for example, Trudeau says.

Often, however, technology interventions themselves aren't enough. For one thing, anti-virus software can't do much of anything to protect against a brand-new virus until the first instances of that virus have been detected and reported.

"What's most important, really, is a company-wide security policy, in which employees are fully informed and aware of prohibited conduct and proper usage," maintains Zachary A. Slavin of The Slavin Group, a systems and services provider in New York City.

Echoes another administrator: "The potential value of published security policies is reached when something occurs, and you attempt to discipline the employee who has flagrantly breached its conditions."

It isn't necessarily easy, however, to arrive at workable policies around controversial areas such as employee monitoring, personal Web surfing, and personal use of corporate e-mail addresses.

"I think a certain amount of personal e-mail usage is okay -- if users occasionally get in touch with their folks, for instance. But how much is too much? Where do you draw the line?" asks Knight.

"If someone is surfing the Web between noon and 1:00 pm each day, maybe that's not an issue," Slavin says. "If someone is doing nothing but downloading files from 9:00 am to noon, that's probably an issue. But you can't overdo things either, or you can run into problems with productivity and employee retention. You can monitor employee usage, but you don't want to get into a 'keystroke Big Brother' situation. It's a balancing act. If the policies are making people miserable, the company might end up losing money due to high employee turnover."

Moreover, just because a policy has been put in place, employees won't necessarily abide by it. Patrick Hinojosa, general manager at Panda Software, points to the need for specific language.

"The policy needs to be clear and unambiguous. It can't say just, 'Don't do bad things.' It has to say something like, 'You aren't allowed to use Web-based e-mail ever, under any circumstances," Hinojosa says.

Some recommend getting written signatures to be able to prove -- in court, if necessary -- that employees are aware of the company's security policies. Slavin, though, sees HR-sponsored security training sessions as a better way. "HR can just go to the employee training file for documentation," he observes.

Enforcement is essential, experts agree. As punishment for breaking security policies, employees can be reported to their bosses, banned from the Internet at work, suspended, or in some cases, even terminated from their jobs.

Increasingly, IT departments are starting to team with HR on both security training and policy enforcement. "For enforcement to be effective, though, HR must act right away, the first time someone violates policy. Otherwise, employees will tend to ignore policies. Sanctions should then be applied uniformly, to all perpetrators. It isn't a good idea to just 'put a head on a pike,' or in other words, to 'make an example' out of someone," says Hinojosa, who was a VP of HR at another company before joining Panda.




Slavin says that one of his customers is already practicing IT/HR teamwork. "Mainly, though, it isn't that prevalent yet," he adds. Meanwhile, administrators at some companies are trying less formal enforcement methods.

In organizations without clear-cut security policies, some network managers are reporting troublesome users directly to top management.

"Unless there's already a high level of interest among executives, though, this will only work if you emphasize the potential consequences of user actions. You can't just say, 'I don't like users to download these particular kinds of files.' Then the execs will be thinking, 'Why is he bothering us with this?' You have to tell them, for example, that viruses can cause a loss of critical data."

Generally speaking, many administrators are finding formal policies the best way to go. "I have learned that unless (a policy) is on paper, it doesn't hold up," says one administrator. "Implied security policies don't cut it. What I consider 'wrong' may not be considered 'wrong' by the next guy."

All too often, though, companies don't even implement security policies until an incident actually takes place. Notes Hinojosa: "Then the executives will be saying, 'Oh my God, our accounting reports are gone! How could this have ever happened?'"

--
Jacqueline Emigh (pronounced "Amy") is a 12-year veteran of computer journalism. She is currently freelancing for several leading technology and business publications. She was previously a senior editor for Sm@rt Partner Magazine, and before that, a bureau chief for Newsbytes News Network.