Convenience does not overrule common-sense and industry standards
In IT, convenience has taken much more of a focus as of late. Businesses don’t upgrade or update for a number of reasons. The user’s requests or “requirements” are being used as an example and may state this is needed for their respective role, regardless of how many times the subject matter is used per month or quarter. At best, the rationale for these tends to be shallow and not well thought through, documented, or analyzed. Their request is taken as being acceptable as is.
Examples of this abound in the enterprise. In certain businesses, the autorun functionality may be engaged. This function would probably not be actively used, however simply is there. The users don’t want to change the configuration in place, even though the need for this is not significant and easily remedied with a click from a dialogue box. The potential risk and issues have not been analyzed and reviewed. The files could be malicious and contain a variety of viruses, Trojans, and other programs coded to ruin the CISO’s day, week, or month, depending on the depth of the issue. The autorun option being configured as enabled would allow these automatically to be put on the system. The autorun simply opens the drawbridge to the laptop or desktop and enterprise, and invites the malware in for dessert as the keys are on the table.
Enabling the USB ports also has proven to be problematic. The USB port generally is not utilized by a majority of the users. This is however actively used by a select group, comprising a less than significant number of the totality. The users with a strong and robust voice still demand this functionality as they claim this is vital for their role, although it is not. This has been treated as more of a right, than a privilege.
The risks with this are bountiful. A large percentage of malware is introduced into the enterprise with the USB. The issue has been one of portability. The user cannot be completely sure where the USB had been used or plugged into, along with other USBs have been plugged into the same equipment. The USB used by a parent, could have been borrowed by a child and used at their school prior to being returned. Anywhere the USB is used, any malware on that system could be transferred.
The users and groups tend to hold onto old technology, for example using SHA-1 or TLS 1.1. These and other outdated technology continues to be used and the associated parties refuse to change. This steadfast holding onto the outdated technology and protocols tends to be due to legacy systems requiring this. The business may not want to require this from the vendors due to the costs involved, and the vendor “refusing” to update their systems. To enforce this, the person or group may also slow the decision process. The status quo would rather be maintained than update the systems and security. The groups find keeping insecure protocols are more important or pertinent than mitigating the risk for the customer. They refuse to factor into the decision the risk as part of the equation.
This focus on and applying more weight to convenience is an issue. By accepting the risk without actually analyzing the potential risks and extended effects if these risks were to be realized in the form of a compromise is a significant oversight. This should be in the forefront of the decision process.
This is indicative of the users being more focused on how it affects their world and responsibilities. This is a rather short-sighted process. The focus should be more on the business and enterprise for the long-term.
The issue is not going to go away anytime soon. This will continue as technology and applied processes continue to improve. The decision-makers and users presently are viewing the situation in the very short-term to minimize the effort that would need to be expended. The focus and thought patterns with this need to change. As there is no change occurring or being done at a portion of a snail’s pace, the risks continue, and these risks increase every day, the enterprise becomes more of a target, and the business may increase it being scanned and probed with the initial stages of an attack.
The users need a re- and/or continuing education. As this may inaccurately appear to be a single-minded push, the message should be gently stated with facts of the situation, inclusive of the risks if not being implemented. The directive to make the changes needs to be a rather clear choice, based on these facts, risks, and industry standards.
This process will not change the thoughts or processes overnight. This push will take effort, time, and patience. If this process was easy, the entirety of the enterprise would all be completely using the current technology and practices. This endeavor of updating the current industry standards is completely worthwhile, yet frustrating at times. The evidence to the contrary is open for all to read every week as the compromises in the multiple industries are published.
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.