When are we going to pause and think “hold on, this user is damaging our equipment and we are the ones getting the blame”? Not really fair, methinks…
This brings me to the point of security versus usability. Where is the line that we must draw in the sand to say “this is the boundary; cross it and you will have to pay the consequences”?
Looking at this from the point of view of the business: we are saving the business money and time by putting preventative measures in place before the user can destroy the business from the inside out (we are, after all, just a giant piece of candy).
Let's look at an example of this in practice:
USB keys (the fun never ends): the user brings in some funny movie from home that they have placed on their shiny new U3 USB device. However, let us say there is a new worm that has compromised the CD-ROM component of the device (more information on compromising the U3 CD pseudo-device can be found at http://cse.msstate.edu/~rwm8/hackingU3/). This piece of malware now copies itself onto the machine and transmits all of the Word and Excel files to an external email address, as in http://www.hak5.org/wiki/USB_Hacksaw .
What remedies can be taken?
How should we deal with this situation?
How will the business cope when Johnny releases the new sales figures to the outside world?
What can be done about giving an even split to the Security versus Usability Debate?
Obviously prevention is better than cure, so we should implement the following:
- Develop a meaningful policy that encourages users to conform to the standards and policies laid out by the corporation, in consultation with the users, while ensuring that the policy errs on the side of security
- Enforce the policy to the letter: it must be followed by all staff, with no exceptions
- Utilise deterrent software
- Disable functionality within the operating system
- Utilise physical means to restrict the ability to execute prohibited action
Many people say that this is not a real solution as it has been said/tried/implemented before and failed, but folks, if you don’t implement a meaningful policy and enforce it, then you have no chance of really making a difference.
What could we have done in this specific case?
Prohibit the use of portable devices in desktop machines, using third-party software tools (such as DeviceWall; http://www.devicewall.com) to disable the USB endpoints.
A centralised computing and storage setup could have moved the data into the individual's centralised storage; once it had been scanned and found clean, the user could have had access to their data.
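As an added example of the "disable functionality within the operating system" option above (not part of the original post), the following PowerShell script audits, and with an assumed `-Enforce` switch applies, two built-in Windows controls: disabling the USBSTOR driver, which serves both the flash-disk and pseudo-CD-ROM LUNs a U3 stick exposes, and the "All Removable Storage classes: Deny all access" policy value. It assumes an elevated session on a domain or standalone Windows machine.

```powershell
# Added example: audit and optionally enforce a USB mass-storage block on Windows.
# USBSTOR Start = 3 (demand start, the default) lets any plugged-in stick mount;
# Start = 4 disables the driver, so neither the U3 CD-ROM LUN nor the disk LUN appears.
# -Enforce is this script's own switch name (an assumption), not a Windows setting.
param([switch]$Enforce)

$usbstor    = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
# Registry location written by the Group Policy "Removable Storage Access" settings;
# Deny_All = 1 at this root denies access to every removable storage class.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

function Get-UsbStorState {
    $start = (Get-ItemProperty -Path $usbstor -Name Start).Start
    switch ($start) {
        4       { 'disabled (Start = 4)' }
        3       { 'enabled (Start = 3, default: any stick will mount)' }
        default { "unexpected Start value $start" }
    }
}

function Get-RemovableStoragePolicy {
    $deny = (Get-ItemProperty -Path $policyRoot -Name Deny_All -ErrorAction SilentlyContinue).Deny_All
    if ($deny -eq 1) { 'Deny_All = 1 (all removable storage denied)' }
    else             { 'Deny_All not set (removable storage allowed)' }
}

Write-Host "USBSTOR driver        : $(Get-UsbStorState)"
Write-Host "Removable storage GPO : $(Get-RemovableStoragePolicy)"

if ($Enforce) {
    # Weak setting (Start = 3) replaced by the hardened one (Start = 4).
    Set-ItemProperty -Path $usbstor -Name Start -Value 4 -Type DWord
    if (-not (Test-Path $policyRoot)) { New-Item -Path $policyRoot -Force | Out-Null }
    Set-ItemProperty -Path $policyRoot -Name Deny_All -Value 1 -Type DWord
    Write-Host 'Enforced: USBSTOR disabled and removable storage denied.'
    Write-Host 'Devices already mounted are affected after the next policy refresh or reboot.'
}
```

Run it without `-Enforce` first to see the current state of the two settings; the policy value mirrors what the Group Policy editor writes, so it can also be pushed centrally rather than set per machine.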
What remedies can be taken?
Depending on your business climate, the remedies could range from informing the user to a severe reprimand or even loss of employment, but they must be in line with the offence. Copying a joke image from a USB key into an email hardly warrants dismissal; the distribution of pornography certainly would.