Often, as security professionals, we tend to blame our users. Not all people are security aware and take the right decision when facing a potential security issue. Yes, we know: they click, they open, they answer questions, they trust, …
But let’s be realistic, sometimes they make bad actions just because of us. Our mission is to protect our employer’s or customer’s data and their team members against more and more threats. To achieve this, we take decisions for their own sake: we deploy new tools, new controls and procedures. We get paid for this job as well as the users: they get paid too to perform other tasks. Today, computers are everywhere and almost all people working in a company have to use them and network resources.
I was browsing through the huge amount of data leaked from HackingTeam, searching for juicy information about Belgium. I found an email with this signature:
>LASTNAME Firstname >Position >Department/Organization >Tel : +32-xxx.xxx.xxx >Tel : +32-x.xxx.xx.xx >Belgium >[email protected]<organization>.be (without attachment) >[email protected]<well-known-isp>.be (attachment OK)
My first reaction was a big “WTF?!?“. He/she asks to send files to a private mailbox hosted by a well-known Belgian ISP. Is this mailbox properly protected? Does he/she use a strong password? Is the password share across multiple services? We know that attachments may potentially contain very sensitive information!
After the first reaction and a few deep breathes, I took some time to think deeper. Maybe this is the only alternative for this user to receive files from external contacts. The system in place in his/her organization might be too restrictive, too slow, under sized to handle the total amount of processed data. I don’t know the reason but one think is for sure: humans are excellent in finding evasive ways to get stuff. From his/her point of view, the employee is just trying to get things done. Let’s go back to the example above. IMHO, trying to block everything at all costs is a wrong approach. We often forget that the IT department is offering services to the end-users. It implements tools to help them to work efficiently and it goes in the same way regarding security. We have to implement tools and procedures to help people to work in a safe environment.
The next time you reject a request from a user for “security reason“, don’t just say “No!” but “No, because…“. Explain why and propose an alternative matching at best his/her requirements and yours (from a security point of view). In the example describe in this post, if people must exchange files with external contacts, why not deploy a file sharing service coupled with a strong scanning of the incoming files? Everything is possible but requires to invest some time and money… Wait… That’s maybe the real problem?