At SecureWorld Expo, a two-day conference in Boston this month, vendors exhibited products and IT experts discussed threats and other problems. But one glaring issue did not get much attention. Ask any security specialist and most will tell you there is one threat that will likely never be contained: human nature.
"Always, in the end, user awareness is the problem," said John Manning, who attended the event. "People just don't want to bother."
Manning is a network engineer who worked for Hewlett-Packard Co. for eight years and now does contractual work for Akorri Networks Inc. in Littleton, Mass. He has spent many long nights dealing with security messes that could have been avoided if company employees understood the importance of complying with security policies. Other conference attendees agreed.
"The first thing a security policy should have is a way to make the end user aware," said Bob Dalimonte, a contract network engineer currently working for Computer Sciences Corp., in El Segundo, Calif. "It should educate on what kind of damage can be done."
The key to cultivating security awareness
Educating the end user has been a 17-year passion for Candy Alexander, a member of Information Systems Security Association (ISSA) New England, who heads up the group's educational initiatives program. "People are not going to do things that are not part of their routine," Alexander said. "Education programs should aim to change daily habits."
Alexander encourages enterprises to craft a good security awareness program for users -- one that will tell them about the consequences of their actions, or in many cases, inaction. She points to passwords as an example. "Many people think it is unnecessary to change their password every 90 days," she said. "You need to explain to them what can happen if they don't."
Alexander also thinks positive reinforcement works well when trying to entice end users to comply with security policy. In one company, she was able to accomplish a 75% compliance rate among end users by entering all cooperative employees into a raffle. "Raffles, giveaways," she said. "It's small, but it gives them incentives."
She also encourages IT managers to cut out the jargon when talking to users. Making security simple and understandable in their language is key. But above all else, said Alexander, making it effortless will probably pay off the most. Microsoft's Live Updates are an example of this kind of built-in security protocol that requires little or no effort on the part of the user, she added.
"It's easier to add technology in than to have people change their daily habits," she said.
Can Vista manage the end-user menace?
The issue of end-user education is not lost on Microsoft. The software maker offers training and education for IT professionals in the form of webcasts and other online information available on its TechNet site.
But Windows Vista, Microsoft's next-generation desktop operating system, aims to deliver more of the effortless kind of security that Alexander spoke about -- protection that works with little need for human interaction.
"There are some improvements Vista will make on security, even for the unsophisticated user," said Michael Cherry, an analyst with Directions on Microsoft, a Kirkland, Wash., research firm.
Cherry points to the system's new separation of user and administrator privileges, known as User Account Control (UAC). According to Microsoft, Vista provides a simple and secure mechanism for running end-user accounts with standard user privileges, while eliminating the need for administrator privileges when performing common tasks.
"Certain tasks should be limited to someone with knowledge, and on Windows they have not been," he said. "That is a big reason why Windows is so vulnerable. One of the reasons spyware is such a problem on Windows systems is because you can run something called a drive-by install."
Cherry also noted that differentiating between user and administrator privileges is an area where Microsoft, with Vista, is just catching up to Apple and Linux systems.
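One way to check whether a Vista-or-later machine is actually running with the privilege separation Cherry describes. This is an added example, not code from the article or from Microsoft; it reads the UAC policy values Windows stores under the hypothetical-free but real path `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`, and assumes an interactive PowerShell 2.0 or later session (no elevation is needed to read them).

```powershell
# Added example (not from the article): audit the user/administrator
# privilege separation on a Vista-or-later machine.
# Assumes: PowerShell 2.0+, run interactively; reading these values does not
# require elevation.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $policyKey

# EnableLUA = 1 means User Account Control is on: members of Administrators
# log on with a filtered, standard-user token and must elevate per task.
if ($uac.EnableLUA -ne 1) {
    Write-Warning 'UAC is disabled: administrator accounts run every process, including the browser, with full rights.'
}

# ConsentPromptBehaviorUser controls what a standard user sees when a program
# needs admin rights. 0 = deny automatically (nothing installs without an
# administrator), 1 or 3 = prompt for an administrator's credentials.
switch ($uac.ConsentPromptBehaviorUser) {
    0       { 'Standard users: elevation requests are denied automatically.' }
    default { 'Standard users: elevation requests prompt for admin credentials.' }
}

# PromptOnSecureDesktop = 1 shows the consent prompt on an isolated desktop,
# so software in the user's session cannot click "Allow" on the user's behalf.
if ($uac.PromptOnSecureDesktop -ne 1) {
    Write-Warning 'Elevation prompts are not on the secure desktop and can be clicked through by software.'
}

# Finally, check the token this shell is running with. With UAC on, an
# administrator's ordinary shell reports $false here, because the
# Administrators SID in its filtered token is marked deny-only; $true means
# the shell is already elevated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
"Current shell elevated: $elevated (user $($identity.Name))"
```

A machine that passes this audit still lets a drive-by install write to the user's own profile; what the split token prevents is the silent system-wide install Cherry describes, because anything that needs administrator rights now has to get past the consent prompt.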
The other feature security managers can look for in enterprise editions of Vista is BitLocker Drive Encryption. Cherry explained it as a feature that encrypts data so that only the explicit user of a certain machine can access it through an identification process. This is useful, he said, when a company laptop is lost.
"The company would likely not want the records contained on that machine to be exposed," he noted. "BitLocker allows administrators to encrypt that data so that someone who finds that machine wouldn't know how to read that material."
BitLocker comes with hardware requirements for most of its modes. The TPM-based modes require a Trusted Platform Module (TPM) version 1.2 chip and a compatible BIOS; a USB startup-key mode works without a TPM. Cherry said the feature also comes with its risks: if you lose the key to the encryption, there is no chance for recovery unless it has been backed up.
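The backup Cherry refers to is the recovery password, and the safe order is to create and escrow it before the volume is ever sealed to a particular machine's TPM. The following is an added example, not code from the article or from Microsoft's documentation. It uses the `BitLocker` and `TrustedPlatformModule` PowerShell modules, which ship with Windows 8 / Server 2012 and later rather than with Vista (Vista exposed the same operations through the `manage-bde.wsf` script), and assumes an elevated PowerShell session, `C:` as the operating-system volume, a TPM that is present and initialized, and a domain-joined machine whose group policy allows storing BitLocker recovery information in AD DS.

```powershell
# Added example: turn on BitLocker for the OS volume and escrow the recovery
# password BEFORE relying on the encryption. Not code from the article.
# Assumes: elevated PowerShell on Windows 8/Server 2012 or later, a TPM 1.2+
# that is present and ready, and a domain policy that permits storing
# recovery information in AD DS.
$volume = 'C:'

# 1. Confirm the TPM (the "special cryptographic chip") is present and
#    initialized; the TPM-based modes cannot be used without it.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw 'TPM not present or not ready: run Initialize-Tpm, or use a USB startup key instead.'
}

# 2. Add a recovery password protector first, so a recovery path exists
#    before the volume is bound to this machine's TPM.
$null = Add-BitLockerKeyProtector -MountPoint $volume -RecoveryPasswordProtector

# 3. Escrow every recovery password protector in Active Directory. This is the
#    backup that makes a lost key recoverable; without it a TPM clear, board
#    replacement or forgotten PIN leaves the data unreadable.
$recovery = (Get-BitLockerVolume -MountPoint $volume).KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
foreach ($p in $recovery) {
    Backup-BitLockerKeyProtector -MountPoint $volume -KeyProtectorId $p.KeyProtectorId
}

# 4. Only now seal the volume to the TPM and start encrypting. Without
#    -SkipHardwareTest, BitLocker schedules a reboot to verify that the TPM
#    can unseal the key before any data is encrypted; keep that test for a
#    first deployment and drop the switch here.
Enable-BitLocker -MountPoint $volume -TpmProtector -EncryptionMethod Aes256 -SkipHardwareTest

# 5. Verify: the volume should be encrypting (or encrypted) with both a Tpm
#    and a RecoveryPassword protector listed.
Get-BitLockerVolume -MountPoint $volume |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage,
        @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ', ' } }
```

The step that matters for Cherry's warning is 3: a recovery password that exists only on the encrypted machine is no backup at all. On a standalone machine without AD, the equivalent is to read `$p.RecoveryPassword` and store it somewhere separate from the laptop before step 4 runs.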
"To get that level of safety, there is a responsibility that goes with it," he said.