
SANS ISC InfoSec Handlers Diary Blog



Dealing with User 2.0

Published: 2010-02-04
Last Updated: 2010-02-05 03:37:00 UTC
by Mark Hofman (Version: 1)
14 comment(s)

Computing has been around for a while and security has grown with it over the last few decades.  Increasingly, however, I'm coming across User 2.0, and I am betting that you are as well.  They bring their own particular security challenges that we need to start solving in order for our organisations to grow and compete in the User 2.0 world.

Some of us who are a little bit worn around the edges will remember User 0.1.  The world was good.  Users had nice green screens in front of them, they could type only those bits that the application needed, and securing the environment was a cinch.  Well, relatively: the mainframe required you to manage users and give access to resources using RACF, ACF2 or even Top Secret.  It was, however, for most of us, not a very connected world, and User 0.1 happily lived in this green glowing environment.  They even still knew how to write using a pen and paper!

Then something horrible happened: these newfangled things called "personal computers" started to make an appearance.  Even worse, people realised that if students and the military could have computers talking to each other, then why couldn't they?  This is where it started to get trickier for us security folks.  Many of us grew up in mainframe or Unix environments and, with a few exceptions, these were tightly controlled.  User 0.5 was born and demanded connectivity from their new PC to the old world of Unix and mainframes.

User 1.0 came along when businesses started to connect to the internet and conduct business on the internet.  Many User 1.0 were upgraded from User 0.1 or 0.5, so they had an almost automatic acceptance of the restrictions and limitations that we as security folks placed on them.  A standard desktop environment, with standard applications that cannot be changed.  Corporate computers issued to staff, firewalls, content filtering etc, etc, etc.  

Security groups also changed their approach over time.  Where many initially started as the "thou shalt" people with User 0.1, with User 0.5 they added "nay" to their vocabulary.   There were strict controls in place and the usual answer to many requests where security was involved was "NAY".  Thankfully this phase didn't last long and with understandable exceptions, most security groups changed their approach and started working with the business rather than against it (Darwin eat your heart out).  So today we see most security groups working with the business.  With User 1.0 security groups have learned new words "Yes we can, but only if you use this and this and this". But that is ok, User 1.0 isn't giving security groups that hard a time.  They are willing to use the applications they have been given.  They will learn the tools when they move from company to company.  Business objectives are being met and security groups are helping to achieve this.  However much of this really does still depend on having standard applications, used by all, few exceptions.  There is still relatively tight control over the environment.  Yes we have to let things through our firewalls and filters that a few short years ago we would have denied, but they can be managed.  

The User 1.0 era, however, is drawing to an end.  They are slowly being upgraded, although not all of them will be fully upgradable to User 2.0 or beyond, and a new user has arrived: User 2.0.  User 2.0, or Gen Y as some people like to call them, are the digital generation, and many businesses, including their security teams, are struggling to deal with them.  User 2.0 grew up digitally: vinyl is something that is on the floor, rotary phones are something you see in old movies, and a walkman is someone that takes the dog for its run.

User 2.0 has different expectations of their work environment.  Social and work activities are blurred, and different means of communication are used.  Email is dated; IM, Twitter, Facebook, MySpace, etc. are the tools to use to communicate.  There is also an expectation/desire to use their own equipment.  Own phone, own laptop, own applications.  I can hear the cries of "over my dead body" from security person 0.1 through to 1.9 all the way over here in AU.  But really, why not?  When was the last time you told your plumber to only use the tools you provide?  We already allow some of this to happen anyway.  We hire consultants, who often bring their own tools and equipment; it generally makes them more productive.  Likewise for User 2.0: if using Windows is their desire, then why force them to use a Mac?  If they prefer OpenOffice to Word, why shouldn't they use it?  If it makes them more productive, the business will benefit.

We have to start managing and protecting the data rather than concentrating all our efforts on the perimeter.  The pentesters amongst you know that a large percentage of companies have a hard crunchy outside and a soft squishy centre.  If we manage and protect the data, then what is used to access or manipulate the data becomes less important.  There will always be applications that must be used in organisations, but it shouldn't matter if they are accessed using Firefox, IE, Chrome or others.  So depending on your security posture it may be OK to allow IM, access to social sites, issue staff with BlackBerrys or iPhones, or allow them to use their own equipment and applications.  Security person 2.0 just has to deal with it slightly differently.  We already know how to do it; many of us have had the stealth upgrade to Security person 2.0.  We know how to inspect traffic, control malware, control network flows and control access to data in ways that aren't dependent on a particular means of accessing it.  However, we do have to start thinking harder about how this can be applied to User 2.0.  The reality is that there will be more and more pressure to open up networks and provide more flexibility in the tools available to users, whilst maintaining the security of the organisation and protecting the information.  Dancing on that pinhead doesn't seem so hard now, does it?

So here is your homework for the weekend.  How will you deal with User 2.0?  How are you going to protect your corporate data without saying "Nay" to things like Facebook, IM, own equipment, own applications, own …….?  How will you sort out data leakage, remote access, licensing issues and malware in an environment where you maybe have no control or access over the endpoint?  Do you treat everyone with their own equipment as strangers and place them on the "special" VLAN?  How do you deal with the Mac users that insist their machines cannot be infected?  Enjoy thinking about User 2.0.  If you send in your suggestions I'll collate them and update the diary.

Mark 

I'll be speaking in Wellington on 18 Feb (a weather report from the ISC) and teaching SANS 401 in Wellington 15-20 March 2010.


Microsoft Patch Tuesday Pre-Release

Published: 2010-02-04
Last Updated: 2010-02-04 23:42:30 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

Microsoft announced earlier today that they will be releasing a total of 13 bulletins next Tuesday [1].  These bulletins will fix 26 different vulnerabilities.  The bulletins affect all versions of Windows.

The MSRC blog has a nice table summarizing the upcoming release.

The Internet Explorer issue released by Microsoft yesterday will not be patched.

[1] http://blogs.technet.com/msrc/default.aspx
 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter
