Trying to keep your company's information secure is a lot of work and is
unlikely to make you popular with users. Typically, the tighter you try to lock
down a network, the more hassle the network
is to administer as repetitive tasks become necessary for both end users and you. But there
are ways to ease the pain—often by deploying
automation technology. Let's look at six common security annoyances and practical, effective ways to overcome them.
Password Resets
Resetting passwords for users who forget them
is the bane of every administrator. A META
Group survey indicates that this thankless task
alone costs companies with 10,000 users well
over half a million dollars a year (http://www.microsoft.com/technet/security/guidance/
identitymanagement/idmanage/p2pass.mspx). But there are ways to reduce or even
eliminate this problem. My favorite solution is
to use electroshock therapy. With a few simple
modifications to a keyboard's wiring and a
device-driver hack, you can deliver 120 volts of
behavior-changing juice to the nervous system
of your users when they enter their passwords
incorrectly. A couple of jolts and your problem
is solved!
You can train users to remember passwords with less violent behavior-modification methods. The most effective password-memorization technique I've found is creating
passwords by using the first letter of each
word of a sentence that the user can remember. You'll need to use a sentence that has
some proper nouns and numbers so that this
technique produces a complex password with
upper-case letters and nonletter characters.
You can let users come up with their own sentences, but I've had better success assigning
users passwords based on a sentence of my
choosing. Assigning passwords this way carries
the added benefit of the enjoyment you get by
forcing users to mentally recite your brutally
honest observations about their personality
or appearance. Of course, if you have one of
those irksome corporate security policies that
says you shouldn't know everyone's password
(like you can't just run a password cracker,
right?), then you might have to look at other
alternatives.
Enter the automated password reset tool.
Let's think about it. Resetting a user's password is
a pretty mundane, clerical process: Authenticate
the person requesting the password reset, find
his or her account, and reset its password. Why
not automate this? A variety of self-service password reset solutions are already on the market to
take this burden off your shoulders, and it's not
hard to justify the cost when you consider the
savings in IT staff time. Solutions on the market
provide various methods for letting users reset their own passwords, from Web-based applications to telephone-based systems. Some of the
players include Avatier Password Station and
M-Tech Information Technology's P-Synch. Just
do a Web search for "password reset self-service"
and you're on your way.
Protecting Laptop Data
Protection of laptop data is receiving increasing
scrutiny from legislators and the media. When
an organization loses a laptop containing customers' personal information, the organization
is in for some hefty unexpected costs associated
with notifying each customer of the security
breach as well as the more-difficult-to-quantify
costs of bad press and loss of good will.
I've watched this problem and the technologies designed to address the risk of stolen
or lost laptops for years. Many solutions have
caused more problems in terms of stability or administration than they were worth.
Other solutions slowed down systems or were
too impractical because they depended on
users to encrypt or decrypt files or manage encryption keys. I've used Windows
Encrypting File
System (EFS) for
my clients, but
drawbacks and instance, EFS doesn't support whole-volume
encryption, so data can leak out from unencrypted folders.
Windows Vista's new BitLocker Drive
Encryption feature for whole-volume encryption and its integration with the Trusted Platform Module (TPM) found in most business
laptops today provides the best all-around
solution for protecting data on laptops. In fact,
I'd say BitLocker is the single biggest motivator
for migrating your laptop fleet to Vista.
With BitLocker, you divide your hard drive
into two volumes. One volume is very small
(just a few megabytes) and initially left empty;
you install Vista to the partition that occupies
the rest of the drive. Then you enable BitLocker and wait for it to encrypt the entire large volume. BitLocker installs a bootstrap loader on
the small volume, which is protected from tampering by the laptop's TPM. When the laptop is
turned on, the TPM checks, through hashes
stored in its tamper-resistant memory, whether
the tiny bootstrap partition has been modified.
If it hasn't, the TPM allows the bootstrapper to
load. The bootstrapper retrieves the encryption
key for the larger volume from the TPM and
proceeds to boot Vista on the larger, encrypted
volume. This description is a bit simplified, but
the bottom line is that for the first time, we have
laptop hardware, tamper-resistant key storage,
and whole-volume encryption all integrated
with the OS for the most transparent, best performing, and effective encryption solution I've
seen to date. To learn more about BitLocker,
see the Windows BitLocker Drive Encryption
Step-by-Step Guide (http://www.microsoft.com/technet/windowsvista/library/c61f2a128ae6-4957-b031-97b4d762cf31.mspx).
Lovely Spam,
Wonderful Spam
Spam is such a pain. Kind of the understatement of the decade, eh? We all hate it, and it's
a security threat because we can all too easily
open an attachment containing a virus.
If you aren't careful, though, your antispam solution can become an even bigger pain. No
antispam solution is 100 percent accurate. You
run two basic risks with an antispam solution:
user dissatisfaction with low catch rates and
user dissatisfaction with false positives, both
of which lead to increased care and feeding of
users by IT staff (i.e., support calls).
In my experience, an 80 percent catch rate
for spam is pretty reasonable; users shouldn't
expect much better unless they're willing to
regularly hunt down good email messages that
got caught by the spam filter. Many antispam
solutions claim a much higher catch rate but
don't mention their false positive statistics.
Moreover, catch rates vary from organization
to organization, and even user to user, because of the content and phrases peculiar to different
industries and what each user considers to be
spam. A marketing professional may have a
view of spam very different from a technician
who doesn't have much interaction outside the
organization.
In my opinion, Sender Policy Framework
(SPF) spam detection has the best potential to
significantly reduce spam, but too few companies have taken the time to publish an SPF
record for their DNS domain. An SPF record
published in your domain's zone file formally
declares the official SMTP servers for your
domain so that other organizations can determine if email that purports to be from your
domain really is. Don't delay: There are great
setup wizards on the Internet that will help
you build your own SPF record—for instance, http://www.openspf.org.