If one asked what most network security managers considered the biggest threat to their networks would be, more often than not they would reply that the user would be at the top of the list. Bad habits and practices on part of the individual users can endanger an organization’s information network much easier than any hacker can from the outside.
The individual user must change their outlook and behaviors. Everything from opening strange emails to ignoring an organization’s network security policies can jeopardize overall security to any information network.
User Ignorance of Policies a Problem
As stated by IT professional Lynn Greiner, the largest factor concerning network security is not the tools or technology “… but awareness on part of the managers and users" (Greiner, 2009). There have been numerous incidents in recent years where the end user was responsible, however inadvertently, for a major network breach. In the fall of 2008, a large portion of the military unclassified network was compromised by a virus that originated from infected USB flash drives.
Network Compromise and the DOD Response
In the middle of the West Texas Big Country is a medium-size town of 150,000 people. This town of San Angelo is the site of Goodfellow Air Force Base, home to the 17th Training Wing and the Defense Department’s Intelligence Training School.
Aaron Hartford (pseudonym, real name withheld by request), 15-year veteran of the Air Force, now a DOD civilian is the Training Wing’s Site Information Assurance Manager. He is responsible for the administration and security of the computer networks along with ensuring that all DOD information security (INFOSEC) policies are followed by all personnel.
In a discussion with Mr. Hartford, he reveals (in an interview conducted with Suite101, April 19, 2010) that the biggest concern for security managers are the users themselves. Incidents in recent years that have led to the banning of USB flash devices on US Government computer systems were the result of users failing to follow established policies and the lax enforcement of those policies by some security managers.
As a result, the Defense Department ordered a service-wide directive banning the use of any external USB device on government computer systems. Several directives were in fact handed down ordering that all USB ports on the existing computers were to be locked down and disabled. This act impacted overall efficiency severely by effectively eliminating user convenience in favor of tightened security measures.
The author is aware firsthand of how the DOD directive impacted overall productivity while working to support the XM7 Spider Network Munition System project in Afghanistan. Communications and the ability to transmit critical documents and materials back to AAI were constrained, making an already stressful situation much more so.
Corporate Users
There is also a general consensus among corporate IT security analysts that the users of the systems are the largest security risk. Dave Ballard (pseudonym, real name withheld by request), an IT specialist for AAI Corporation, stated (personal interview, April 13, 2010) that
“…you can have the greatest system in the world…the best security software, firewalls, and hardware…and a single mistake or intentional malicious act by someone in your organization can allow a black hat (criminal or malicious hacker) to bypass all of those wonderful security measures that the company spent several million dollars on.”
To remedy the problem, there is but one solution. Users must pledge to adhere to their organization’s security policies and report violations. According to a survey taken in 2004, only 15 percent of individuals believe that they have a personal stake in their organization’s security (Barr, 2004). Users must take personal responsibility by educating themselves about the threats that are present and how to counter those threats. These steps include creating complex passwords, locking down workstations, and adherence to the organization’s rules and practices.
References
- Barr, James G. (2004, April). Proactive vs. Reactive Security. Faulkner Information Services
- Greiner, Lynn. (2009, April). Network Security Best Practices. Faulkner Information Services.
- Habiger, G. E. (2010, February 1). Cyberwarfare and Cyberterrorism: The need for a new US strategic approach. (White Paper 1:2010). The Cyber Secure Institute.
Chris Epley - The author has worked as a field service engineer in support of several DOD contracts that have taken him across the globe. His most ...
Join the Conversation