As many of you already know, I am a senior network security engineer for a Government entity. Over the years, I have watched the landscape of the industry and it’s subsets grow and change. The maturity of the internet, corporate acceptance of firewalls, new protocols, high speed technology and the list goes on and on.

Even though many new technologies have been introduced, some things have remained relatively unchanged. One thing is the basic methods used to access data. Everyone understands the concept of logging in. We do it at home, at work, at the ATM and basically everywhere life takes us. So why is it, after logging in has become a normal part of our lives, do we still allow end users to claim ignorance when we see them doing inappropriate things while logged in?

Over the past two years, my team and I have watched project leaders design applications under the premise that end users are operating on the same intelligence level as the common house fly. Applications were crippled because of the misconception. While management continued to operate with this mindset, our team, along with other IT groups tried pleading our case, but it fell on deaf ears.

My team and I decided to see exactly how smart end users are. I placed Websense, a content filtering enterprise solution, in place and sent out an organization-wide policy. More or less, it is exactly what people would expect. No porn, gambling, hate or other sites that could pose a legal issue for the entity. Can anyone guess what we observed over the past year?

The very same end users who are thought to be of sub human intelligence proved the exact opposite. These people tried everything from searching for generic IDs to obscure their identity, switching IP addresses to test the ACLs, trying sites by IP instead of FQDN, proxy server searches, keyword searches for generic terms used to beat content filters and the list goes on.

Let's look at one example that I find very interesting. Take the word, “twixys”. Now, this word wouldn’t appear as a trigger in very many content filters yet these people know to search for gay porn images using common or nonsense words like this. The previous example isn’t a real word used to search for porn. If anyone wants a real list, speak to me in private. The idea is that they A) Know that this will defeat (most) content filters (not mine). B) They know where to go in order to find word lists that associate for the content they want to see.

After watching this behavior by people of all backgrounds, professions and age, we concluded that end users know that corporate (or Govt.) culture allows them to claim ignorance and this will absolve them of any responsibility for their actions. We presented our findings to a council that we report to and we were given the green light to implement a policy that is virtually unheard of in Government.

“The end user shall be held responsible for *any* activities that transpire while the said end user’s account is logged in.”

That’s right. Responsibility has been placed on the shoulders of the end user. The only exception is when proof can be presented to show that the account was indeed in control of another user. To date, this has never come up.

Six months ago, we spent 60% of our time smacking the hands of end users who all seemed to know that ignorance set them free. Fast forward to today. We now spend 9% of our time smacking hands only this time we do it with a baseball bat laced with nails. End users understand that claiming technology ignorance no longer flies and they also understand that for the first time, they will be held accountable.

LESSONS LEARNED BY MANAGEMENT
====================================
1) End users have been using the same basic computer skillset for more than a decade.
2) Holding end users responsible for their account and its use/misuse is *very* effective.
3) Designing next generation apps can be done with greater emphasis on functionality instead of end user limitations.

Although this write up is relatively short, the content is extremely valuable. I hope that others out there can put it to good use. Keep in mind that I had to sanitize a great deal if information before I posted this but the lessons are 100% intact.

--TH13