Full Disclosure mailing list archives

RE: End users as security devices


From: "Daniel Sichel" <daniels () Ponderosatel com>
Date: Thu, 9 Jun 2005 10:18:23 -0700


Praise be to God for the User! They are powerful! They are trainable!
They are my BEST defense!

There. I feel better now.


You are onto a good thing and make a good point. 

At my last job the organization's CAO insisted that security not block
ANYTHING any user wanted, IM, HTML mail, streaming audio, flash, even
desktop SMTP servers (no, I am not making this up). He also wanted NO
passwords (hard to remember, don't you know) but I talked him into at
least requiring weak ones. What a mess, viruses everywhere, keystroke
loggers, malware sucking up bandwidth and of course crash crash crash,
why is my app running slow? Naturally this mess was MY fault, had
nothing to do with the policy.

Fast forward, I now work at a telephone company, disciplined work
practices are ingrained and a MUST. Management believes in security and
allows my boss, the IS manager, to set policies that everyone up to, and
including the owner, religiously adheres to. My boss is dedicated to
providing full end user functionality but doing it securely. Result, our
machines hum, we are NEVER down, there is no spam and I can barely
remember the last virus I saw. This all works ONLY because end users
know and RESPECT the rules and actively support keeping our WAN secure.

Don't lose faith, don't give up, keep explaining, and training. You CAN
make end users proactive participants in enterprise security. Just
remember, there will always be a few intellectually challenged folks who
need a bit of extra mentoring. Try to be patient, and NO, you can't put
handicap placards on computers used by those with IQs below 90, sorry.


Dan Sichel
Network Engineer
Ponderosa Telephone
daniels () ponderosatel com (559) 868-6367
 