Dealing with User 2.0

Published: 2010-02-04
Last Updated: 2010-02-05 03:37:00 UTC
by Mark Hofman (Version: 1)
14 comment(s)

Computing has been around for a while and security has grown with it over the last few decades.  Increasingly however I'm coming across User 2.0 and I am betting that you are as well. They bring their own particular security challenges that we need to start solving in order for our organisations to grow and compete in the User 2.0 world.

Some of us who are  a little bit worn around the edges will remember User 0.1.  The world was good. Users had nice green screens in front of them, they could type only those bits that the application needed and securing the environment was a cinch. Well relatively, the mainframe required you to manage users and give access to resources using RACF, ACS2 or even Topsecret.  It was however, for most of us, not a very connected word and User 0.1 happily lived in this green glowing environment.  They even still knew how to write using a pen and paper!

Then something horrible happened, these new fan dangled things called "personal computer" started to make an appearance.  Even worse people realised that if students and the military could have computers talking to each other, then why couldn't they?  This is where it started to get trickier for us Security folks.  Many of us grew up in mainframe or unix environments and with a few exceptions these were tightly controlled.  User 0.5 was born and demanded connectivity from their new PC to the old world of Unix and Mainframes. 

User 1.0 came along when businesses started to connect to the internet and conduct business on the internet.  Many User 1.0 were upgraded from User 0.1 or 0.5, so they had an almost automatic acceptance of the restrictions and limitations that we as security folks placed on them.  A standard desktop environment, with standard applications that cannot be changed.  Corporate computers issued to staff, firewalls, content filtering etc, etc, etc.  

Security groups also changed their approach over time.  Where many initially started as the "thou shalt" people with User 0.1, with User 0.5 they added "nay" to their vocabulary.   There were strict controls in place and the usual answer to many requests where security was involved was "NAY".  Thankfully this phase didn't last long and with understandable exceptions, most security groups changed their approach and started working with the business rather than against it (Darwin eat your heart out).  So today we see most security groups working with the business.  With User 1.0 security groups have learned new words "Yes we can, but only if you use this and this and this". But that is ok, User 1.0 isn't giving security groups that hard a time.  They are willing to use the applications they have been given.  They will learn the tools when they move from company to company.  Business objectives are being met and security groups are helping to achieve this.  However much of this really does still depend on having standard applications, used by all, few exceptions.  There is still relatively tight control over the environment.  Yes we have to let things through our firewalls and filters that a few short years ago we would have denied, but they can be managed.  

The User 1.0 era however is drawing to an end, they are slowly being upgraded, although not all of them will be fully upgradable to User 2.0 or beyond and a new user has arrived, User 2.0.  User 2.0 or Gen Y as some people like to call them are the digital generation and many businesses including their security teams are struggling to deal with them.  User 2.0 grew up digitally, vinyl is something that is on the floor, rotary phones is something you see in old movies, and a walkman is someone that takes the dog for its run.  

User 2.0 has different expectations of their work environment.  Social and work activities are blurred, different means of communications are used.  Email is dated, IM, twitter, facebook, myspace, etc are the tools to use to communicate.  There is also an expectation/desire to use own equipment.  Own phone, own laptop, own applications.  I can hear the cries of "over my dead body" from security person 0.1 through to 1.9 all the way over here in AU.  But really, why not? when is the last time you told your plumber to only use the tools you provide?  We already allow some of this to happen anyway. We hire consultants, who often bring their own tools and equipment, it generally makes them more productive.  Likewise for User 2.0, if using Windows is their desire, then why force them to use a Mac? if they prefer Openoffice to Word, why should't they use it?  if it makes them more productive the business will benefit.  

We have to start managing and protecting the data rather than concentrating all our efforts on the perimeter.  The pentesters amongst you know that a large percentage of companies have a hard crunchy outside and a soft squishy centre.  If we manage and protect the data then what is used to access or manipulate the data becomes less important. There will always be applications that must be used in organisations, but it shouldn't matter if they are accessed using firefox, IE, Chrome or others.   So depending on your security posture it may be ok to allow IM, access to social sites, issue staff with blackberries, iphones, or allow them to use their own equipment and applications.  Security person 2.0 just has to deal with it slightly differently.   We already know how to do it, many of us have had the stealth upgrade to Security person 2.0.  We know how to inspect traffic, control malware, control network flows and control access to data that isn't dependent on a particular way of accessing it.  However we do have to start thinking harder about how this can be applied to User 2.0.  The reality is that there will be more and more pressure to open up networks, provide more flexibility in the tools available to users, whilst maintaining the security of the organisation and protecting the information.  Dancing on that pinhead doesn't seem so hard now does it?

So here is you homework for the weekend.  How will you deal with User 2.0? How are you going to protect your corporate data without saying "Nay" to things like facebook, IM, own equipment, own applications, own …….?  How will you sort data leakage, remote access, licensing issues, malware in an environment where you maybe have no control or access over the endpoint?  Do you treat everyone with their own equipment as strangers and place them of the "special" VLAN? How do you deal with the Mac users that insist their machines cannot be infected?  Enjoy thinking about User 2.0,  if you send in your suggestions I'll collate them and update the diary. 


I'll be speaking in Wellington on 18 Feb a weather report from the ISC and teaching SANS 401 in Wellington 15-20 March 2010.>

14 comment(s)


Users 2.0 lets their Macs get infected?
Of course, It's invulnerable, you can click on anything. I'll send you a link if you want to try ;-)
I take very seriously a point raised, I think by Dan Kaminsky, that we should no longer distinguish between trusted and non-trusted networks. I don't know why this isn't already common practice, if only as a method of damage limitation in case something on an internal network is compromised, or an employee acting maliciously.

I guess very few organisations defend their internal services against intrusion as well as those directly reachable from the Internet. In cases I've seen, internal services are left practically wide-open; the assumption being that nobody has the motivation, or technical expertise, to take advantage of that, or that any such action would be detected and could then be dealt with through disciplinary means.

I think the greatest resistance to User 2.0 is that it would necessitate a whole new effort to secure these internal networks.

Modern threats, though, may necessitate this anyway. Conficker sneaking in via USB mass storage devices; malware delivered as encrypted attachments or SSL; browser/XSS/proxy exploits allowing internal services to be reached indirectly. Of course some awkward administrators will try to stop employees from using USB mass storage devices (sometimes all USB devices!), SSL (yes, I've really known this happen!) and maybe JavaScript and browser plugins to try to avoid these problems. But I don't see these approaches working for much longer.

I think, inevitably, things will go two ways. One is to have ultra-restricted workstations for business use (User 0.1-style). The other is to allow anyone to use any device (User 2.0-style), but with ultra-restrictive access to the business services and data. A little of both approaches may work nicely for everyone.
Of course all of this will also require that policies and procedures adapt. The adaption of policies and procedures is meaningless if HR and management don't adapt. Why lay this entirely at the feet of security admins, this is a corporate culture issue, not just the responsibility of IT or InfoSec. Of course there remains the question of ownership and use of organizational resources. The owners of resources including data, do have the right to control how their resources are used. That is a C-level decision that can be made completely outside the control of InfoSec. Nor does the plumber analogy work as the plumber is unlikely to alter your water, divert it to others, or prevent your effective use of the water for his/her personal benefit. The plumber's tools will not take your assets (data) when he leaves as will many personal electronic devices. Actually this is more like a personal chef, you expect the chef to use your appliances, your food, and to prepare only what you desire, how you desire it, although you have no issue with the chef bringing their own knives and a few tools. Let's kill the whole 2.0 terminology, the reality is that this is the misguided belief that the Internet and computing are free resources, they aren't. Everything costs money and short of taxes, one should have rights over how one's money is spent and how the acquired assets are used. These are rights of property ownership, which does not change because of a perceived change in computing paradigms by a user group lacking ownership over resources.
Just as most companies don't provide their users with radios(users bring their own in), there is little business need to provide much in the way of "Social Media". Users should justify why they need most extras (maybe a little browsing to News media and/or web based email), but the extras should be handled via personal devices (Smartphones, personal laptops, etc...) in MANY cases. Hopefully striking a balance will allow companies to keep the employees they want to keep, but also keep an eye on their costs (they shouldn't need to add 3 extra T1's for internet connectivity just so their employees can be on Facebook/Youtube all day long).
There is a very good reason for not letting employees "bring their own tools" - compatibility of the work product. A while back we looked at Open Office as a lower cost replacement for Microsoft Office, but we could not do it because all of the Excel spreadsheets containing macros would need to be rewritten, and most important for our organization, all of the legal documents were incompatible as to the format of the final printed pages. I love Open Office, but its ability to coexist with Micro$oft Office in a mixed environment is limited.

I strongly agree with Alan that security 2.0 'nomenclature' does not express the real problem

No matter how you slice, dice or cut it, it eventually boils down to trust. Employees (and contractors, but they are under contract) must adhere to company ethics or policies. And I think this is where things can go wrong with whatever-you-call-them (User 2.0/Gen Y).

And that's a social problem...

So maybe we should make sure the people are accountable(more journaling?) and leave societal issues to the HR people.
It also doesn't help that software is being written that requires the user to have administrative rights on their machines. This kind of software development undermines a lot of what we try to do from a security standpoint.
There is a very large difference between user expectation and business necessity. Just because expectations may mandate a variety of tools and systems to complete a task, it does not always mean that these are required. I would personally prefer an Ubuntu desktop at work, but do I really need it? No. Many times, consumer oriented software and services may incur a level of risk that can easily be negated by simply analyzing the request, performing a risk assessment, assessing true costs (hard and soft), and then making a rational decision that benefits the business from all facets. Too many times, user 2.0 has justified a certain action by time savings compared to cost. The usual formula is outlined like this for me:

(initiative) saves me 1 minute per hour X 8 hours a day X 5000 employees X an average base pay rate of $15 per hour = $10,000 per day! We should totally do that!

Justifications like these are invariably flawed and overstate the benefits while ignoring risk or cost expenditures. The truth is that productivity and value is not a fixed rate based upon time, and time savings can easily be filled by other non-productive activities. Costs of deployment, maintenance, training, and other factors can easily overwhelm benefits.

Many user 2.0 personnel simply don’t see the big picture, and are focused upon personal benefit and gain. Many of the technologies that comprise this user 2.0 toolset (social media, consumer software, communications devices) are focused upon personal gain entertainment. There is a place for new initiatives, but not until they can be properly assessed and compared against business need.
Please stick with the cool exploit stuff and forgo the long editorials. Thanks.

Diary Archives