The Permanent Security Issue of Top Management

Tuesday, June 21, 2011

Bozidar Spirovski


Regardless of procedures and policies, a company can have a nearly permanent security issue in top management.

This issue results from the speed with which top management requires their services delivered.

No top manager wants to be bothered with the problems and challenges that security and IT staff face in meeting their requests. They want them resolved, preferably yesterday.

The security issue of top management results from their lack of time and insistence that everything works when they request it.

Usually that means the security aspects of the request have not been researched, or even looked at, before it is delivered. The result is a half-baked workaround.

We will provide two examples of security issues that can easily arise:

1.  The manager requests a new gadget - a smart phone, a tablet computer or a new 'bling computer' with a different OS. Procurement is quick to purchase the new device for the top manager who orders it.

When the new gadget arrives, procurement informs him, in a CYA (Cover Your A*s) manner, that they have done their job. The manager expects it to work immediately, so this is what usually happens:

  • the gadget is set up as fast as possible, using basic instructions from the Internet or what little experience an engineer has with the device.
  • help is solicited from any current users of the gadget, who assist with the set-up to the best of their knowledge, but with little concern for security or compliance with corporate standards.
  • the gadget is configured to provide all or most of the corporate services the manager uses on a standard corporate computer.
  • the end result is a device which can connect to most corporate services but is rarely properly secured. If the gadget is stolen, there will be a whole lot of grief for the security team.

2.  The manager wants to open photos from a foreign USB stick - a guest arrives at the manager's office with a USB stick of photos, and the manager wants to see them on his or her computer.

  • If the manager's computer is allowed to mount USB storage, the stick is read straight away, possibly executing a virus or Trojan.
  • If the manager's computer is not allowed to mount USB storage, a change is rushed through operations to enable access. Again, the end result can be an executed virus or Trojan.
  • If it is not caught in time, a Trojan may spread from that computer into the corporate network and collect data or cause havoc.

The harsh reality is that these situations will happen and cannot be avoided in most corporate environments. So what can be done to mitigate them?

1. Have antivirus with very frequent automatic updates and real-time scanning installed on everything. Even if an infected USB stick is inserted, this reduces the risk of the virus or Trojan infecting a corporate computer.

2. When configuring a new gadget, train the IT team to set up security first - they should find out how to install or activate antivirus, enable a firewall, and set a password or screen lock for using the device (and device encryption where the platform supports it). Even with limited time on the gadget, it will at least have basic deterrents in place, which reduces the damage a stolen device can cause.

3. Try to set up the gadgets so they don't store corporate data locally - access mail via IMAP or webmail, and internal services via VPN. Then, if the gadget is stolen, a password reset and revocation of the device's VPN credentials are all that is needed. Bear in mind that most IMAP clients cache messages locally by default, so check the client's offline settings before relying on this.

4. Have a good relationship with procurement - if they give you even a day's advance notice that new gadgets are coming, that is a day more to read up and prepare a proper configuration.
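One more mitigation for the foreign-USB case above, complementing the antivirus in point 1: never open the guest's stick directly on the manager's machine, but stage it through a small script that copies only files whose content really is an image and blocks anything that looks like an autorun hijack or a disguised executable. The example below is added here and is not part of the original article; the file names, the sample stick contents and the list of risky extensions are constructed for the demonstration. Note that a header check narrows the attack surface but does not remove it: image parsers have had their own vulnerabilities, so this is a filter in front of the antivirus, not a replacement for it.

```python
import os
import shutil
import tempfile

# Magic bytes for the image formats a guest's photo stick is expected to hold.
IMAGE_SIGNATURES = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

# Files and extensions that have no business on a photo stick; these are the
# usual carriers for USB-borne malware (autorun hijacks, disguised executables).
# The list is an illustrative assumption, not an exhaustive policy.
RISKY_NAMES = {"autorun.inf", "desktop.ini"}
RISKY_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs",
                    ".vbe", ".js", ".jse", ".wsf", ".ps1", ".lnk", ".jar", ".hta"}


def classify_file(path):
    """Decide whether one file from the untrusted stick may be staged.

    Returns (verdict, reason) where verdict is "allow", "block" or "skip".
    """
    name = os.path.basename(path).lower()
    if name in RISKY_NAMES:
        return "block", "autorun/shell metadata file"
    # Every dotted segment is checked so that "holiday.jpg.exe" and
    # "holiday.exe" are both caught.
    for seg in name.split(".")[1:]:
        if "." + seg in RISKY_EXTENSIONS:
            return "block", "executable or script extension"
    ext = os.path.splitext(name)[1]
    if ext not in IMAGE_SIGNATURES:
        return "skip", "not an image file"
    with open(path, "rb") as fh:
        header = fh.read(8)
    if not any(header.startswith(sig) for sig in IMAGE_SIGNATURES[ext]):
        return "block", "content does not match image extension"
    return "allow", "image header verified"


def stage_photos(stick_dir, staging_dir):
    """Copy only verified images from stick_dir into staging_dir.

    Returns {relative_path: (verdict, reason)} for every file examined.
    """
    report = {}
    for root, _dirs, files in os.walk(stick_dir):
        for fname in files:
            src = os.path.join(root, fname)
            rel = os.path.relpath(src, stick_dir)
            verdict, reason = classify_file(src)
            report[rel] = (verdict, reason)
            if verdict == "allow":
                dst = os.path.join(staging_dir, rel)
                os.makedirs(os.path.dirname(dst), exist_ok=True)
                shutil.copy2(src, dst)
    return report


def build_sample_stick(stick_dir):
    """Constructed sample content standing in for the guest's USB stick."""
    samples = {
        "beach.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,      # genuine JPEG header
        "sunset.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,    # genuine PNG header
        "autorun.inf": b"[autorun]\nopen=setup.exe\n",        # autorun hijack
        "photos.jpg.exe": b"MZ" + b"\x00" * 32,               # double-extension executable
        "family.jpg": b"MZ\x90\x00" + b"\x00" * 32,           # PE file renamed to .jpg
        "notes.txt": b"see you next week\n",                  # harmless, but not a photo
    }
    for name, content in samples.items():
        with open(os.path.join(stick_dir, name), "wb") as fh:
            fh.write(content)


def demo():
    """Build the sample stick, stage it, and return (report, staged_files)."""
    with tempfile.TemporaryDirectory() as stick, tempfile.TemporaryDirectory() as staging:
        build_sample_stick(stick)
        report = stage_photos(stick, staging)
        staged = sorted(os.listdir(staging))
    return report, staged


if __name__ == "__main__":
    report, staged = demo()
    for rel, (verdict, reason) in sorted(report.items()):
        print(f"{verdict:5s}  {rel:16s}  {reason}")
    print("staged:", staged)
```

Run it against a mounted stick with `stage_photos("/media/guest", "/home/manager/staging")` (paths are illustrative); only `beach.jpg` and `sunset.png` survive the sample stick, while the autorun file, the double-extension executable and the renamed PE file are reported as blocked. The staging directory is then what the manager opens, ideally on a machine whose antivirus has already scanned it.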

Cross-posted from ShortInfosec
