
SANS ISC: Dealing with User 2.0 - SANS Internet Storm Center

Dealing with User 2.0

Computing has been around for a while, and security has grown with it over the last few decades. Increasingly, however, I'm coming across User 2.0, and I am betting that you are as well. They bring their own particular security challenges, which we need to start solving if our organisations are to grow and compete in the User 2.0 world.

Some of us who are a little worn around the edges will remember User 0.1. The world was good. Users had green screens in front of them, they could type only the fields the application asked for, and securing the environment was a cinch. Well, relatively: the mainframe still required you to manage users and grant access to resources with RACF, ACF2 or even Top Secret. For most of us, though, it was not a very connected world, and User 0.1 lived happily in that green glow. They even still knew how to write with pen and paper!

Then something horrible happened: these new-fangled things called "personal computers" started to appear. Worse, people realised that if students and the military could have computers talking to each other, why couldn't they? This is where it started to get trickier for us security folks. Many of us grew up in mainframe or Unix environments, and with a few exceptions these were tightly controlled. User 0.5 was born and demanded connectivity from their new PC to the old world of Unix and mainframes.

User 1.0 came along when businesses connected to the internet and started doing business on it. Many User 1.0 were upgraded from User 0.1 or 0.5, so they accepted almost automatically the restrictions and limitations we as security folks placed on them: a standard desktop environment with standard applications that cannot be changed, corporate computers issued to staff, firewalls, content filtering, and so on.

Security groups changed their approach over time as well. Many started out as the "thou shalt" people with User 0.1; with User 0.5 they added "nay" to their vocabulary. Strict controls were in place, and the usual answer to any request involving security was "NAY". Thankfully this phase didn't last long and, with understandable exceptions, most security groups started working with the business rather than against it (Darwin, eat your heart out). So today we see most security groups working with the business. With User 1.0, security groups learned new words: "Yes we can, but only if you use this, this and this". That is fine, because User 1.0 doesn't give security groups that hard a time. They are willing to use the applications they have been given, and they will learn the tools when they move from company to company. Business objectives are being met and security groups are helping to achieve them. However, much of this still depends on standard applications, used by all, with few exceptions; there is still relatively tight control over the environment. Yes, we now have to let things through our firewalls and filters that a few short years ago we would have denied, but they can be managed.

The User 1.0 era, however, is drawing to an end. They are slowly being upgraded, although not all of them will be fully upgradable to User 2.0 or beyond, and a new user has arrived: User 2.0. User 2.0, or Gen Y as some people like to call them, are the digital generation, and many businesses, including their security teams, are struggling to deal with them. User 2.0 grew up digital: vinyl is something on the floor, rotary phones are something you see in old movies, and a walkman is someone who takes the dog for its run.

User 2.0 has different expectations of the work environment. Social and work activities are blurred, and different means of communication are used: email is dated; IM, Twitter, Facebook, MySpace and the like are the tools to communicate with. There is also an expectation, or at least a desire, to use their own equipment: own phone, own laptop, own applications. I can hear the cries of "over my dead body" from Security Person 0.1 through 1.9 all the way over here in AU. But really, why not? When was the last time you told your plumber to use only the tools you provide? We already allow some of this to happen. We hire consultants who often bring their own tools and equipment, and it generally makes them more productive. Likewise for User 2.0: if using Windows is their desire, why force them to use a Mac? If they prefer OpenOffice to Word, why shouldn't they use it? If it makes them more productive, the business benefits.

We have to start managing and protecting the data rather than concentrating all our efforts on the perimeter. The pentesters among you know that a large percentage of companies have a hard crunchy outside and a soft squishy centre. If we manage and protect the data, then what is used to access or manipulate it becomes less important. There will always be applications that must be used in an organisation, but it shouldn't matter whether they are accessed with Firefox, IE, Chrome or anything else. So, depending on your security posture, it may be fine to allow IM and access to social sites, to issue staff with BlackBerries or iPhones, or to let them use their own equipment and applications. Security Person 2.0 just has to deal with it slightly differently. We already know how to do it; many of us have had the stealth upgrade to Security Person 2.0. We know how to inspect traffic, control malware, control network flows, and control access to data in a way that does not depend on the particular means of accessing it. We do, however, have to think harder about how to apply this to User 2.0. The reality is that there will be more and more pressure to open up networks and give users more flexibility in their tools, while maintaining the security of the organisation and protecting its information. Dancing on that pinhead doesn't seem so hard now, does it?
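To make the "protect the data, not the perimeter" point concrete, here is an added example (my own illustration, not code from the diary or from SANS) of an access decision that never looks at source address, VLAN or client software. Every rule is about the user's need-to-know, the sensitivity of the data, and the health of the endpoint; the user, group and resource names, the classification scale, and the "posture_ok" health-check flag are all assumptions made up for the example.

```python
"""Data-centric access decision.

Every rule below is about the user, the device's health and the data's
sensitivity; none is about where on the network the request came from, so a
request from a personal laptop on the guest Wi-Fi and one from a managed
desktop on the "trusted" LAN are judged by the same function.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import FrozenSet, Tuple


class Classification(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


@dataclass(frozen=True)
class Subject:
    user: str                     # "" for an unauthenticated request
    groups: FrozenSet[str]
    managed_device: bool          # corporate-issued and centrally managed
    posture_ok: bool              # assumed endpoint health check passed (AV current, patched)
    mfa: bool                     # session carries a second factor


@dataclass(frozen=True)
class Resource:
    name: str
    classification: Classification
    owner_groups: FrozenSet[str]  # groups with a business need for this data


def decide(subject: Subject, resource: Resource, action: str) -> Tuple[bool, str]:
    """Return (allowed, reason). Denies by default.

    Deliberately ignores source IP, VLAN and user agent: the same subject gets
    the same answer from any network and any browser.
    """
    if action not in ("read", "write", "export"):
        return False, "unknown action"
    cls = resource.classification
    in_group = bool(subject.groups & resource.owner_groups)

    if cls == Classification.PUBLIC and action == "read":
        return True, "public data"
    if not subject.user:
        return False, "authentication required"
    if cls == Classification.PUBLIC:
        # anyone may read public data; only its owners may change it
        return (True, "owner group") if in_group else (False, "not an owner of this resource")
    if cls == Classification.INTERNAL:
        if action == "read":
            return True, "authenticated staff"
        return (True, "owner group") if in_group else (False, "not an owner of this resource")

    # CONFIDENTIAL and RESTRICTED: need-to-know and a healthy endpoint first
    if not in_group:
        return False, "no business need (not in owner group)"
    if not subject.posture_ok:
        return False, "endpoint failed health check"
    if cls == Classification.CONFIDENTIAL:
        if action != "read" and not subject.mfa:
            return False, "MFA required to modify or export confidential data"
        return True, "confidential: need-to-know + healthy endpoint"

    # RESTRICTED: the data is sensitive enough to require a managed endpoint
    if not subject.managed_device:
        return False, "restricted data only on managed devices"
    if not subject.mfa:
        return False, "MFA required for restricted data"
    return True, "restricted: need-to-know + managed healthy endpoint + MFA"


# Constructed sample subjects and resources (illustrative only).
ANONYMOUS = Subject("", frozenset(), False, False, False)
BYOD_ANALYST = Subject("jsmith", frozenset({"finance"}), managed_device=False, posture_ok=True, mfa=False)
BYOD_ANALYST_MFA = Subject("jsmith", frozenset({"finance"}), managed_device=False, posture_ok=True, mfa=True)
MANAGED_ANALYST = Subject("jsmith", frozenset({"finance"}), managed_device=True, posture_ok=True, mfa=True)
SICK_MANAGED = Subject("jsmith", frozenset({"finance"}), managed_device=True, posture_ok=False, mfa=True)

PRESS_RELEASE = Resource("press-release.pdf", Classification.PUBLIC, frozenset({"comms"}))
BUDGET = Resource("q3-budget.xlsx", Classification.CONFIDENTIAL, frozenset({"finance"}))
PAYROLL = Resource("payroll-export.csv", Classification.RESTRICTED, frozenset({"finance"}))


if __name__ == "__main__":
    cases = [
        ("anonymous", ANONYMOUS, PRESS_RELEASE, "read"),
        ("BYOD analyst", BYOD_ANALYST, BUDGET, "read"),
        ("BYOD analyst", BYOD_ANALYST, BUDGET, "write"),
        ("BYOD analyst + MFA", BYOD_ANALYST_MFA, BUDGET, "write"),
        ("BYOD analyst + MFA", BYOD_ANALYST_MFA, PAYROLL, "read"),
        ("managed analyst", MANAGED_ANALYST, PAYROLL, "export"),
        ("managed but unhealthy", SICK_MANAGED, PAYROLL, "read"),
    ]
    for label, subj, res, act in cases:
        ok, why = decide(subj, res, act)
        print(f"{label:22} {act:6} {res.name:20} -> {'ALLOW' if ok else 'DENY ':5} ({why})")
```

The point of the shape is that the BYOD user is not sent to a "special" VLAN and refused everything; they can read the confidential budget from their own laptop as long as the endpoint passes its health check, and only the most sensitive data insists on a managed device. Swapping the browser, OS or network changes nothing in the decision, which is exactly what lets the business say yes to the user's choice of tools.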

So here is your homework for the weekend. How will you deal with User 2.0? How are you going to protect your corporate data without saying "Nay" to things like Facebook, IM, own equipment, own applications, own …….? How will you handle data leakage, remote access, licensing issues and malware in an environment where you may have no control over, or access to, the endpoint? Do you treat everyone with their own equipment as strangers and put them on the "special" VLAN? How do you deal with the Mac users who insist their machines cannot be infected? Enjoy thinking about User 2.0; if you send in your suggestions I'll collate them and update the diary.


I'll be speaking in Wellington on 18 Feb (a weather report from the ISC) and teaching SANS 401 in Wellington, 15-20 March 2010.


ISC Handler
Users 2.0 let their Macs get infected?
Of course, It's invulnerable, you can click on anything. I'll send you a link if you want to try ;-)

ISC Handler
I take very seriously a point raised, I think by Dan Kaminsky, that we should no longer distinguish between trusted and non-trusted networks. I don't know why this isn't already common practice, if only as a method of damage limitation in case something on an internal network is compromised, or an employee acting maliciously.

I guess very few organisations defend their internal services against intrusion as well as those directly reachable from the Internet. In cases I've seen, internal services are left practically wide-open; the assumption being that nobody has the motivation, or technical expertise, to take advantage of that, or that any such action would be detected and could then be dealt with through disciplinary means.

I think the greatest resistance to User 2.0 is that it would necessitate a whole new effort to secure these internal networks.

Modern threats, though, may necessitate this anyway. Conficker sneaking in via USB mass storage devices; malware delivered as encrypted attachments or SSL; browser/XSS/proxy exploits allowing internal services to be reached indirectly. Of course some awkward administrators will try to stop employees from using USB mass storage devices (sometimes all USB devices!), SSL (yes, I've really known this happen!) and maybe JavaScript and browser plugins to try to avoid these problems. But I don't see these approaches working for much longer.

I think, inevitably, things will go two ways. One is to have ultra-restricted workstations for business use (User 0.1-style). The other is to allow anyone to use any device (User 2.0-style), but with ultra-restrictive access to the business services and data. A little of both approaches may work nicely for everyone.
Steven C.

Of course all of this will also require that policies and procedures adapt. The adaptation of policies and procedures is meaningless if HR and management don't adapt. Why lay this entirely at the feet of security admins? This is a corporate culture issue, not just the responsibility of IT or InfoSec. Of course there remains the question of ownership and use of organizational resources. The owners of resources, including data, do have the right to control how their resources are used. That is a C-level decision that can be made completely outside the control of InfoSec. Nor does the plumber analogy work, as the plumber is unlikely to alter your water, divert it to others, or prevent your effective use of the water for his/her personal benefit. The plumber's tools will not take your assets (data) when he leaves, as will many personal electronic devices. Actually this is more like a personal chef: you expect the chef to use your appliances, your food, and to prepare only what you desire, how you desire it, although you have no issue with the chef bringing their own knives and a few tools. Let's kill the whole 2.0 terminology; the reality is that this is the misguided belief that the Internet and computing are free resources. They aren't. Everything costs money and, short of taxes, one should have rights over how one's money is spent and how the acquired assets are used. These are rights of property ownership, which do not change because of a perceived change in computing paradigms by a user group lacking ownership over resources.

Just as most companies don't provide their users with radios (users bring their own in), there is little business need to provide much in the way of "Social Media". Users should justify why they need most extras (maybe a little browsing to news media and/or web-based email), but the extras should be handled via personal devices (smartphones, personal laptops, etc.) in MANY cases. Hopefully striking a balance will allow companies to keep the employees they want to keep, but also keep an eye on their costs (they shouldn't need to add 3 extra T1s for internet connectivity just so their employees can be on Facebook/YouTube all day long).
There is a very good reason for not letting employees "bring their own tools" - compatibility of the work product. A while back we looked at Open Office as a lower cost replacement for Microsoft Office, but we could not do it because all of the Excel spreadsheets containing macros would need to be rewritten, and most important for our organization, all of the legal documents were incompatible as to the format of the final printed pages. I love Open Office, but its ability to coexist with Micro$oft Office in a mixed environment is limited.
Walt S

I strongly agree with Alan that security 2.0 'nomenclature' does not express the real problem

No matter how you slice, dice or cut it, it eventually boils down to trust. Employees (and contractors, but they are under contract) must adhere to company ethics or policies. And I think this is where things can go wrong with whatever-you-call-them (User 2.0/Gen Y).

And that's a social problem...

So maybe we should make sure the people are accountable (more journaling?) and leave societal issues to the HR people.
Walt S
It also doesn't help that software is being written that requires the user to have administrative rights on their machines. This kind of software development undermines a lot of what we try to do from a security standpoint.
Walt S
There is a very large difference between user expectation and business necessity. Just because expectations may mandate a variety of tools and systems to complete a task, it does not always mean that these are required. I would personally prefer an Ubuntu desktop at work, but do I really need it? No. Many times, consumer oriented software and services may incur a level of risk that can easily be negated by simply analyzing the request, performing a risk assessment, assessing true costs (hard and soft), and then making a rational decision that benefits the business from all facets. Too many times, user 2.0 has justified a certain action by time savings compared to cost. The usual formula is outlined like this for me:

(initiative) saves me 1 minute per hour X 8 hours a day X 5000 employees X an average base pay rate of $15 per hour = $10,000 per day! We should totally do that!

Justifications like these are invariably flawed and overstate the benefits while ignoring risk or cost expenditures. The truth is that productivity and value is not a fixed rate based upon time, and time savings can easily be filled by other non-productive activities. Costs of deployment, maintenance, training, and other factors can easily overwhelm benefits.

Many user 2.0 personnel simply don't see the big picture, and are focused upon personal benefit and gain. Many of the technologies that comprise this user 2.0 toolset (social media, consumer software, communications devices) are focused upon personal gain and entertainment. There is a place for new initiatives, but not until they can be properly assessed and compared against business need.
Walt S
Please stick with the cool exploit stuff and forgo the long editorials. Thanks.
Walt S
@mquibell: please forgo reading content you don't care about!

For those of us who actually face real problems like this one, I think the issue of eliminating the trusted network is extremely important and the User 2.0 is forcing action on that front.

I certainly agree that no organization needs to be overly accommodating to fickle trends and user preference. Control and standardization of information assets is critical to a cost-effective security program. However, we must recognize the propensity of the User 2.0 to do everything they can to circumvent a policy they don't like. That's why IT organizations and software developers must learn to operate in an environment without trust boundaries.

"But really, why not? when is the last time you told your plumber to only use the tools you provide? We already allow some of this to happen anyway. We hire consultants, who often bring their own tools and equipment, it generally makes them more productive. Likewise for User 2.0, if using Windows is their desire, then why force them to use a Mac? if they prefer Openoffice to Word, why should't they use it? if it makes them more productive the business will benefit."

There's a flaw in your logic here. When I hire a plumber, while he does bring his own tools, he doesn't call me to fix his tools when they break. Users 2.0 are still going to expect Corporate IT to support their device, and fix it when it's not broken properly.

Support contracts cost money. Support without support contracts generally means slow response time. This will yield dissatisfaction with Corporate IT, and loss of revenue for the business due to reduced productivity during downtime while IT is trying to fix some product they know nothing about.
Very good article. I find it interesting that where I work we've always had to deal with user 2.0, and none of us are old enough to really remember user 0.1 - 1.9. That reality has forced us to realize that we will never be able to anticipate all attack vectors. No matter how good you are at patching and locking things down, you have something that's vulnerable at this instant.

The way we've dealt with this reality is that we've put some base security requirements on all endpoints to be able to connect (firewall, updated av with certain settings, automatic updates enabled on everything, etc), and then watch all endpoints assuming they may be compromised any minute. If an endpoint is compromised, access is terminated immediately and automatically. We tell this to user 2.0 up front, and for the most part they're okay with it once we explain how dangerous it is both to the business and to their careers if something does happen. Interestingly, user 2.0 has grown up with the constant threat of malware and other nasties and so appears to have a tendency to be more understanding about measures to deal with them.

Regarding apps and devices: if any app or service has crypto we use it, even if it's running through a VPN, and we actively try to avoid things that don't support crypto. Yes, this adds some overhead, but the extra overhead is not noticeable in practice. In addition, by default everything possible is blacklisted: USB devices, for example, must be brought in, virus scanned if applicable, and registered with the serial number before they will be enabled on the network at all. By doing this, we know every single USB device that's on our network, and who owns it. We also try to lean toward open source because we've found that it's easier to support (via Google), and historically we've had fewer problems with it. Regardless of what anyone thinks about this, this approach has worked very, very well for us.

Bit by bit, the whole concept of managers managing staff is changing, starting with the professional grades. No more jobs-for-life; today's model is guns-for-hire. The 'personal chef' concept is dead right: when I work for a client, I bring my brains and other toys, and am there to do a specific job in return for certain benefits, of which $$$ is just one element. I'm just as interested in the experience, learning and opportunities that arise as in the pay. Just as you may consider it a threat to sack me, I may consider it a threat to resign. In other words, the balance of power has shifted.

If you employ me to be a "manager", I rather arrogantly take the position that my key role is not to "manage" (as you would think of it) but to provide an effective working environment for the people you call my "staff" to do their things. I won't tell them how to do their stuff (unless they ask or need to learn from my experience, and provided I can actually help), and will always try to jointly agree what we are meant to be doing and more importantly understand why. If my "staff" want to use their own toys, I'll try to find a way that maximises the benefits to us all.

There's more to killing off the Nay Department than just saying "Nay" less vehemently!
