This month, it's time to get back to reality. Last month in SC Magazine, we discussed the first stage in the “Five Stages of Employment”: idealism. This stage is that beautiful haze of starting a new job, where you think you can take on the world, free from bureaucracy, budget limitations or corporate politics. The second stage is realism, when you realize where your head had been lodged while you were in stage one.
This month we'll take a look at the things I learned when I left my happy research habitat and started having in-depth conversations with people tasked with implementing corporate security policies. The things I learned can be summed up pretty succinctly:
- Policies should be in place to establish a penalty for creating security/malware issues.
- Web content-filters should be used to keep people from surfing to sites which could be considered HR violations.
- Social networking sites are a necessary part of business – data leakage prevention can be used to keep people from sharing business-sensitive information.
- Password length/complexity/freshness should be enforced, but not so strictly that people must resort to writing their password down to remember it.
- Software and operating system patches should be tested on a demo corporate image so as to ensure minimal disruption, and deployed as quickly as is feasible.
The first three rules are pretty simple. People will not always pay attention to educational lectures on proper internet hygiene. Some people will surf the web before drinking that first cup of coffee. It behooves you to use the tools which are available to help you prevent this sort of damage. And if a pattern of poor choices (or outright malice) is shown, there should be a policy in place which can be used to address the problem.
It is a tricky thing to balance usability and security, as with password requirements. That is no mystery. There are also innumerable tricks to help one create and remember a secure password. One company I talked with implemented a policy where all passwords had to be at least 12 characters long, including capital and lowercase letters, at least one number and one special character, with a limit of three repeating characters or sequential numbers/letters.
OK, not bad. But you couldn't use any of your last 10 passwords, including anything too similar to previous passwords. And the password had to be changed every 45 days. When one person had four different domains to log into with different passwords, this was essentially 40 passwords to keep in mind at all times. I'm pretty sure I'd have to forget the words to every TV theme song or commercial jingle I've ever heard, to remember all that. (Unacceptable! How would I win trivia night without that?) The company backed off of this policy before long – what a shock.
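To make the rules above concrete, here is an added example (not code from the column or from the company described) that checks a candidate password against that policy. It assumes "limit of three repeating or sequential characters" means no run of four or more identical characters and no run of four or more consecutive letters or digits in either direction, and it treats any printable punctuation as a special character; the "too similar to a previous password" clause is not modelled, only exact reuse of the last 10.

```python
"""Validator for the password policy described in the column (added example).

Assumptions (not stated by the column): a "run" of more than 3 identical or
consecutive characters is a violation; sequences are checked case-insensitively
and only between letters/digits; any string.punctuation character counts as
"special"; only exact reuse of the last 10 passwords is rejected.
"""
import string
from typing import Sequence

MIN_LENGTH = 12
MAX_RUN = 3          # longest allowed run of identical or sequential characters
HISTORY_DEPTH = 10   # number of previous passwords that may not be reused


def _longest_run(pw: str, step: int) -> int:
    """Length of the longest run where each char's ordinal is the previous one + step.
    step=0 finds repeats (aaaa), step=1 ascending sequences (abcd, 1234),
    step=-1 descending sequences (dcba, 4321). Letters are compared case-insensitively;
    sequential (non-zero step) runs are only counted between letters/digits.
    """
    best = run = 1
    low = pw.lower()
    for prev, cur in zip(low, low[1:]):
        in_seq = ord(cur) - ord(prev) == step and (
            step == 0 or (prev.isalnum() and cur.isalnum()))
        run = run + 1 if in_seq else 1
        best = max(best, run)
    return best


def check_password(pw: str, history: Sequence[str] = ()) -> list:
    """Return a list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special character")
    if _longest_run(pw, 0) > MAX_RUN:
        problems.append(f"more than {MAX_RUN} repeated characters in a row")
    if max(_longest_run(pw, 1), _longest_run(pw, -1)) > MAX_RUN:
        problems.append(f"sequential run longer than {MAX_RUN}")
    if pw in list(history)[-HISTORY_DEPTH:]:
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return problems
```

Running the checker over a few candidates makes it obvious how many otherwise reasonable choices the run and history rules reject, which is the usability cost the column goes on to describe.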
The last rule is a variation on the “mistakes happen” rule: Software programmers are human and screw things up too. However, with malware authors keen to cash in on new vulnerabilities, you still need to get those updates in place…yesterday. To minimize problems caused by software updates or patches, it is important to have a test machine (or a lab) set up to allow you to see if they will work in your environment. By having this set up in advance, you are able to test and apply those updates much more quickly.