There’s a thread going on PatchManagement.org listserve and according to some folks I am severely deficient in allowing my end users to leave their computers on.


Because they say, when a system is turned on, it opens up a hole for intruders to drop things on those boxes.


They only want the systems on when a user is there, and they trust their users to patch their machines.  That to leave the machines on for remote access is insane of me to even think of doing.


I find these ‘absolute’ conversations to be quite interesting.  Because it’s my belief that there is no such thing as a black and white answer in security.  It’s about risk analysis and finding a balance.  Of being just enough security, of the right amount, at the right time, in the right amount of annoyance so that end users don’t find a way around it.  Because at the end of the day, security HAS to take an equal weight with the business of the firm.  If it takes an extreme higher priority, then you might as well turn off the computers and servers, and stop doing business.  Because if you go and live on an island with no computers and no need for interactions, that’s probably the only way you will be absolutely secure from all technology risks like Identity Theft and what not.  Of course then you will have a new set of risks to worry about.  Just go ask the folks on the TV show Lost about the risks they face “without” technology around.


I find the thoughts that “you must turn off your system otherwise bad guys are sitting there dropping bad things on your systems” to be an interesting thought.  If you believe your internal network to be that infected, then yes, design your network with that risk and threat in mind.  In my mind you must then design the network such that you assume all tcp/ip packets are hostile and you cannot trust anything that you cannot verify coming from something you trust.


It’s my understanding that Microsoft designs their network in this manner with an IPSec set up so that unless you have a SmartCard you don’t get domain access.  Conversely all the new Network Access Protection stuff that’s coming down the pipeline looks very interesting to better protect and ‘vet’ the connections coming into our networks.  But in a small network, it’s my opinion that I can still do what I need to do to have a somewhat more ‘trusted’ internal network.  Now I’m sure I’m absolutely the naive one, but with the additional tools I have  –like the SBS build in monitoring email, and ISA 2004 and the Scorpion Software’s Firewall Dashboard (that just is releasing a final beta as a matter of fact) can help keep me a smidge informed that once something happens (please note I said when not if as one should always be prepared for the worst) I can act as fast as I can to take whatever actions I need to do.


But I think for someone to say “look at the packets hitting your desktop firewalls, all those bad guys trying to intrude” means that I shouldn’t be just calmly looking at those firewall logs, but having a heart attack and freaking out and trying to either block the entry point, or figure out what machine on my internal network has gotten owned and starting an investigation.  As someone coined the term… “draining the network” at that point and rebuilding it.


I guess I’m of the opinion that if I can’t reasonably protect with “good enough” security machines that are merely turned on, how in the world can I protect them when there are end users sitting at those machines using them?  Our end users are not trained in security AT ALL.  The entire computing industry has done a poor job in educating us at all on technology, let alone securely operating computers.  Walk into ANY office and talk to an end user about the application they are using and I’ll bet you that they don’t know how or if their systems are being backed up, they don’t know anything about patches, or care about firewalls, don’t understand that bad guys are being paid $10,000 a pop for vulnerabilities, and I would argue that it’s not their job to be that geeky and know all about that… it’s mine.  There job is to just do what they need to do, sticking sticky notes on the monitor for all the ‘to dos’ that they need to do.


I don’t trust my end users to be on top of patching like I am and I want to be the one installing and approving patches.  I don’t want them to be the one assigning risks to email attachments, it’s my job.  There are some users of technology that telling them to look for a button in a tool bar is asking them way way too much.  Now maybe we shouldn’t have those folks using computers, but the ugly reality is that we have these users in our networks, using technology.  So we’d better plan our networks for these folks.  Ensuring that as much as we can we build in secure processes that aren’t such an extreme bother that folks go around it and find another way to do their job. 


I know they say that the network guys shouldn’t be in charge of the security because there’s a conflict of interest, but where is it in the computer security book that the folks on the business side can’t be involved in this process of security as well.


Because folks at the end of the day this is about acceptable risk.  And quite honestly I cannot see how you can make a determination without a business hat at the table.


I just don’t think that the risks that are acceptable for my network are acceptable for yours.  Especially not if we’re not the same size and you don’t have the technology that I do (like Remote Web Workplace).


And you know what…. that’s OK.

 

3 Responses to Is leaving computers turned on a massive security risk?

  1. mark says:

    I am absolutely convinced that for ANY best practice we have learned and apply daily, there will be someone who says, “hey that’s not a good idea, because this *might* happen.”

    I always ask my users to keep their PCs turned on, and logged off or locked when they’re not there. I ask them to change their passwords, and push their management to make it happen. I run WSUS (or on occasion some 3rd party pkg) to keep PCs up-to-date. And last I checked, the owners of these businesses would prefer NOT to have patches installing during business hours.

    Keep them turned off? Uh…I don’t think so.

  2. Alun Jones says:

    I’d say defence in depth… turn off the machine when you’re not using it, where possible; use Wake-On-LAN to wake the machine up and apply patches, where possible.

    Turning the machine off doesn’t say “I know my network is crawling with crap”, it says “I don’t need to use my machine right now, and nor does anyone else”.

    Now, if your users can’t be trusted to apply their own patches (which covers most of enterprise space, since most users shouldn’t be dealing with such a complex task), then you must have a roll-out process, and that must happen while the users are absent. This may very well mean that you have to make the choice between patching machines and turning them off overnight.

    But there is a subset of people for whom this is not a choice they have to make. They can have one from column A and one from column B.

  3. Scott Cross says:

    If you’re going to leave patching upto your users then I think the least of your problems is whether they switch their machines off when they go home.

    What’s next a 2 hour working day to minimise the time the machine is running?