Saturday, August 30, 2008

Computer Security - Human implementation

In the past month, due to the Georgia-Russia cyberwar (we think), we have had a lot of trojan attacks, and we're worried about SQL injection problems. As part of this, we tightened our passwords and put security software on 100% of the computers that our staff use.

But there is always the question of implementation and the human element. Below is an actual email from the president of the company (me) to the head of engineering (names changed). I wrote it a week after the CTO had reported that all the computers in the office were safe and secure, with protection software installed on them. It illustrates how there can be "many a slip 'twixt the cup and the lip", or how hard real implementation is unless you really focus and follow up.

* * * * * * * *

I review the BitDefender logfile on my computer every morning to see that my computer is safe. There's a list of deleted files, quarantined files, and a few residual problems usually consisting of password protected files that couldn't be deleted or scanned.

I wondered why nobody else in the office seems to have issues. I walked over to Tom's computer and asked to see his log.

It reported that there was nothing found in the last week on his computer. I was happy! :->
I then checked if his software was updated and found that it updated last night: more smiles :->

Then, just to be thorough, I checked to see when the last scan was run... August 20th! Over a week ago. Grrrr. His security software is Trend Micro, which has a default setting to run once a month. :-<>

One of the staff who was listening then asked me: how does the security software run at night if I turn my computer off at night? (Which she has been doing.) Obviously, it does not. Apparently, the security software on her computer has never actually been run.

Joan, a third staff member, then asked: I just close the report that is up on my screen when I come in every morning... am I supposed to look at it?

In short, the software that we had implemented was NOT providing effective security due to the human element.

Here's the plan.
Sally will visit each person/computer every morning for a while. She will verify, in conjunction with the person who sits at the desk:
- that the scan ran the previous night
- that the software updated itself on the previous night
- that the scan that ran is a good one (i.e. a deep scan) and that the settings ensure that all emails and downloads are being scanned.
- that the log report is healthy. If it's not, she'll get you to look at it with her. Soon, she should get good at reading it.

As part of this, we will have to do some purchasing since many of the packages that we installed are on 30 day trials.

This week, Sally, can you make a list as you visit each computer of:
- the security software on each computer
- whether it is purchased or a trial
- when the trial expires
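The morning checklist in the email above, turned into a script as an added example (not part of the original post or of any vendor's software): it applies each check to a constructed inventory of the kind Sally would record at each desk, and flags the very failures the email describes. The record field names and the sample data are assumptions.

```python
from datetime import date, timedelta

# Constructed sample inventory (not from any vendor's log); field names are assumptions.
TODAY = date(2008, 8, 28)  # the morning of the desk visit, also constructed
INVENTORY = [
    {"user": "Tom", "product": "Trend Micro", "last_scan": "2008-08-20", "scan_type": "full",
     "last_update": "2008-08-27", "mail_scan": True, "download_scan": True,
     "log_findings": 0, "license": "trial", "trial_expires": "2008-09-05"},
    {"user": "Ann", "product": "BitDefender", "last_scan": None, "scan_type": "full",
     "last_update": "2008-08-27", "mail_scan": True, "download_scan": False,
     "log_findings": 0, "license": "purchased", "trial_expires": None},
    {"user": "Joan", "product": "BitDefender", "last_scan": "2008-08-27", "scan_type": "quick",
     "last_update": "2008-08-27", "mail_scan": True, "download_scan": True,
     "log_findings": 3, "license": "purchased", "trial_expires": None},
]

def check_endpoint(rec, today=TODAY, trial_warning_days=14):
    """Apply the morning checklist to one machine; return the list of problems found."""
    problems = []
    yesterday = today - timedelta(days=1)
    # 1. Did the scheduled scan run last night? A machine switched off at night never scans.
    if rec["last_scan"] is None:
        problems.append("scan has never run (machine off at night?)")
    elif date.fromisoformat(rec["last_scan"]) < yesterday:
        problems.append(f"last scan on {rec['last_scan']} is stale (monthly default?)")
    # 2. Did the definitions update run last night?
    if date.fromisoformat(rec["last_update"]) < yesterday:
        problems.append(f"definitions last updated {rec['last_update']}")
    # 3. Is the scheduled scan a deep one, and are email and downloads scanned?
    if rec["scan_type"] != "full":
        problems.append(f"scheduled scan is '{rec['scan_type']}', not a full scan")
    if not (rec["mail_scan"] and rec["download_scan"]):
        problems.append("email or download scanning is switched off")
    # 4. Does the log need a human to look at it rather than just closing it?
    if rec["log_findings"] > 0:
        problems.append(f"log shows {rec['log_findings']} finding(s); review with the user")
    # 5. Trials need purchasing before they lapse; warn while there is time to buy.
    if rec["license"] == "trial" and rec["trial_expires"] is not None:
        days_left = (date.fromisoformat(rec["trial_expires"]) - today).days
        if days_left <= trial_warning_days:
            problems.append(f"{rec['product']} trial expires in {days_left} day(s)")
    return problems

def morning_report(inventory=INVENTORY, today=TODAY):
    """Map each user to their checklist failures; an empty list means a healthy machine."""
    return {rec["user"]: check_endpoint(rec, today) for rec in inventory}

if __name__ == "__main__":
    for user, problems in morning_report().items():
        print(user, "OK" if not problems else "; ".join(problems))
```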

Come back next week to find out whether the plan to off-load the daily review of each scan from the IT heavyweight to Sally is successful, and whether we have stopped the inflow of trojans onto our websites (we've had two contaminated in the last month).


1 comment:

Unknown said...

This is so funny and so true. It's the rationale for management. So manage.