
Thread: End User Ignorance - How long will we cope?

  1. #1
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885

    End User Ignorance - How long will we cope?

    As many of you already know, I am a senior network security engineer for a Government entity. Over the years, I have watched the landscape of the industry and its subsets grow and change. The maturity of the internet, corporate acceptance of firewalls, new protocols, high speed technology and the list goes on and on.

    Even though many new technologies have been introduced, some things have remained relatively unchanged. One thing is the basic methods used to access data. Everyone understands the concept of logging in. We do it at home, at work, at the ATM and basically everywhere life takes us. So why is it that, after logging in has become a normal part of our lives, we still allow end users to claim ignorance when we see them doing inappropriate things while logged in?

    Over the past two years, my team and I have watched project leaders design applications under the premise that end users are operating on the same intelligence level as the common house fly. Applications were crippled because of the misconception. While management continued to operate with this mindset, our team, along with other IT groups tried pleading our case, but it fell on deaf ears.

    My team and I decided to see exactly how smart end users are. I put Websense, an enterprise content filtering solution, in place and sent out an organization-wide policy. More or less, it is exactly what people would expect. No porn, gambling, hate or other sites that could pose a legal issue for the entity. Can anyone guess what we observed over the past year?

    The very same end users who are thought to be of sub human intelligence proved the exact opposite. These people tried everything from searching for generic IDs to obscure their identity, switching IP addresses to test the ACLs, trying sites by IP instead of FQDN, proxy server searches, keyword searches for generic terms used to beat content filters and the list goes on.

    Let's look at one example that I find very interesting. Take the word, “twixys”. Now, this word wouldn’t appear as a trigger in very many content filters yet these people know to search for gay porn images using common or nonsense words like this. The previous example isn’t a real word used to search for porn. If anyone wants a real list, speak to me in private. The idea is that they A) Know that this will defeat (most) content filters (not mine). B) They know where to go in order to find word lists that associate for the content they want to see.

    After watching this behavior by people of all backgrounds, professions and age, we concluded that end users know that corporate (or Govt.) culture allows them to claim ignorance and this will absolve them of any responsibility for their actions. We presented our findings to a council that we report to and we were given the green light to implement a policy that is virtually unheard of in Government.

    “The end user shall be held responsible for *any* activities that transpire while the said end user’s account is logged in.”

    That’s right. Responsibility has been placed on the shoulders of the end user. The only exception is when proof can be presented to show that the account was indeed under the control of another user. To date, this has never come up.

    Six months ago, we spent 60% of our time smacking the hands of end users who all seemed to know that ignorance set them free. Fast forward to today. We now spend 9% of our time smacking hands only this time we do it with a baseball bat laced with nails. End users understand that claiming technology ignorance no longer flies and they also understand that for the first time, they will be held accountable.

    LESSONS LEARNED BY MANAGEMENT
    ====================================
    1) End users have been using the same basic computer skillset for more than a decade.
    2) Holding end users responsible for their account and its use/misuse is *very* effective.
    3) Designing next generation apps can be done with greater emphasis on functionality instead of end user limitations.

    Although this write up is relatively short, the content is extremely valuable. I hope that others out there can put it to good use. Keep in mind that I had to sanitize a great deal of information before I posted this, but the lessons are 100% intact.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
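    The evasion patterns thehorse13 lists (trying sites by IP instead of FQDN, searching for proxy lists, switching source addresses, probing the ACLs) are all visible in a proxy log and can be pulled out automatically rather than spotted by eye. The block below is an added example and is not code from the original post, and it does not use Websense's real log format or API: the "timestamp user src_ip action url" format, the sample lines, the proxy-hunting search terms and the block-ratio threshold are all constructed assumptions for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample proxy log (assumed format, not Websense output):
# "<timestamp> <user> <source_ip> <ALLOW|BLOCK> <url>"
SAMPLE_LOG = """\
2004-06-01T09:00:01 jdoe 10.1.2.3 ALLOW http://www.example.com/news
2004-06-01T09:00:05 jdoe 10.1.2.3 BLOCK http://192.0.2.10/index.html
2004-06-01T09:00:09 jdoe 10.1.2.3 BLOCK http://search.example.net/?q=free+anonymous+proxy+list
2004-06-01T09:01:00 jdoe 10.1.2.77 BLOCK http://192.0.2.10/index.html
2004-06-01T09:01:10 jdoe 10.1.2.77 ALLOW http://www.example.org/
2004-06-01T09:02:00 asmith 10.1.5.5 ALLOW http://intranet.example.com/
2004-06-01T09:02:30 asmith 10.1.5.5 ALLOW http://www.example.com/weather
"""

# Assumed list of search phrases typical of someone hunting for an open proxy.
PROXY_HUNT_TERMS = ("anonymous proxy", "proxy list", "web proxy", "unblock", "bypass filter")

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (ALLOW|BLOCK) (\S+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that don't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, user, src, action, url = m.groups()
    return {"ts": ts, "user": user, "src": src, "action": action, "url": url}


def host_is_ip_literal(url):
    """True when the URL host is a bare IPv4/IPv6 address rather than an FQDN."""
    host = urlsplit(url).hostname
    if host is None:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def query_hunts_proxies(url):
    """True when any query-string value contains one of the proxy-hunting phrases."""
    qs = parse_qs(urlsplit(url).query)
    text = " ".join(v for values in qs.values() for v in values).lower()
    return any(term in text for term in PROXY_HUNT_TERMS)


def flag_evasion(log_text, block_ratio=0.5, min_requests=3):
    """Return {user: [flags]} for users whose traffic shows filter-evasion behaviour.

    block_ratio / min_requests are assumed thresholds for 'probing the ACLs':
    a user with at least min_requests requests, of which block_ratio or more
    were blocked, is flagged.
    """
    per_user = defaultdict(lambda: {"srcs": set(), "total": 0, "blocked": 0,
                                    "ip_literal": 0, "proxy_hunt": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        u = per_user[rec["user"]]
        u["srcs"].add(rec["src"])
        u["total"] += 1
        if rec["action"] == "BLOCK":
            u["blocked"] += 1
        if host_is_ip_literal(rec["url"]):
            u["ip_literal"] += 1
        if query_hunts_proxies(rec["url"]):
            u["proxy_hunt"] += 1

    findings = {}
    for user, u in per_user.items():
        flags = []
        if u["ip_literal"]:
            flags.append("ip_literal_urls")          # site tried by IP instead of FQDN
        if u["proxy_hunt"]:
            flags.append("proxy_hunting_searches")   # searching for proxy lists
        if len(u["srcs"]) > 1:
            flags.append("multiple_source_ips")      # same account, several source IPs
        if u["total"] >= min_requests and u["blocked"] / u["total"] >= block_ratio:
            flags.append("high_block_ratio")         # repeatedly bumping into the ACLs
        if flags:
            findings[user] = sorted(flags)
    return findings


if __name__ == "__main__":
    for user, flags in flag_evasion(SAMPLE_LOG).items():
        print(user, ", ".join(flags))
```

Each flag maps to one of the behaviours described in the post, and the per-user roll-up is what makes the "user is responsible for the account" rule enforceable: the evidence is tied to the logged-in account, not to a workstation. Tune the thresholds and the term list to your own traffic before relying on the output.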

  2. #2
    Senior Member
    Join Date
    May 2004
    Posts
    519
    I couldn't agree more. End users should be responsible and they should not be able to claim ignorance; they all sign the procedures and protocols (rules) of the domain before getting the logon. (By signing they acknowledge what they can and cannot do.)

    So if they disobey the rules they should be held accountable.

  3. #3
    AO French Antique News Whore
    Join Date
    Aug 2001
    Posts
    2,126
    I couldn't agree more!! Bravo!
    -Simon "SDK"

  4. #4
    Originally posted here by fyrewall
    I couldn't agree more. End users should be responsible and they should not be able to claim ignorance; they all sign the procedures and protocols (rules) of the domain before getting the logon. (By signing they acknowledge what they can and cannot do.)

    So if they disobey the rules they should be held accountable.
    Exactly - that's how things are done here at my work. All employees who are granted access to our networks are required to sign acceptable use policies and such, and any time those policies are not followed punishment is enforced. Punishments can be loss of network access; some have even been fired over misuse of the policies. As TH13 has noted, making the end user accountable for everything is a very effective method.
    - Maverick

  5. #5
    Junior Member
    Join Date
    Jun 2004
    Posts
    3
    Excellent post TH13! It's interesting how upper management will "listen" when they are backed up against a wall! We have implemented similar policies where I work and have integrated them into the company code of conduct, which every employee agrees to and signs.

    catman

  6. #6
    Banned
    Join Date
    Aug 2001
    Location
    Yes
    Posts
    4,424
    I've wondered about this for a while, and I have a (slightly) different opinion.

    There are two aspects to the end user's responsibilities:
    - the actual use of the network
    - the time he spends on that network

    The time he spends on that network is something the end user can be held responsible for: if the corporate agreement states that you're supposed to be working while at work, the end user could be held responsible if he spends work time doing something else. If a user is surfing news-sites all day, he could be nailed down: he's supposed to be working, not surfing (let's assume that the user doesn't work for a press agency...). There is no "work" reason for him to be on news sites.
    The same rules apply in this case as they do for people who play poker all day with their co-workers.

    But if the network settings allow him to surf to news sites, can he be held responsible for that?
    If my corporate network allows me to download games and my personal work-computer allows me to install them (due to the incompetence/negligence of the admin), can I be held responsible for downloading and installing those games? In my opinion: no. I can be held responsible for playing those games since I'm supposed to be working, but for downloading and installing them?

    The end result is the same: people are doing stuff they're not supposed to be doing. But my reasoning is a little different, I guess...

    It of course all changes when users are deliberately trying to circumvent security measures...

  7. #7
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    I almost agree with you negative and I have the same approach to developing rules that can be enforced. For instance I fall under regulatory compliance with the FDIC. Their best practices say a password should not be made up of dictionary words. Well in my network there is NO way to enforce that through technology I currently deploy; therefore if I state in a policy something that cannot be enforced then the peeps will do it regardless and I have a policy that is a joke. In fact when regulators come and look to see people ignoring the policy, that is much worse in my opinion than simply not stating that passwords will never be made up of dictionary words. This is different in the case that I will be inspected for policy compliance, which is a huge counter-productive pain in the ass.

    Having said that very confusing paragraph, I then go on with this issue and your games example: If the policy is clear that games will not be tolerated and that is communicated, then I don't have a problem holding the end user responsible. In fact I take the approach horse mentions and I state in policy a catch all, kind of my own CYA. The end user is responsible; sure, there are many circumstances where the fault will fall on IT, but there has to be a device where abusers can be dealt with. I even go so far as to say end users are responsible to ensure THEY have backups of their important files. If they feel the heat a little, they are less likely perhaps to download that copy of Dig Dug. I believe if you have no way of blocking Texas Hold'em (my abusers love that card game) or you block one and they find another, and you say "You are not to play card games during work from this point on" and they still do it anyway because "they can", then they are responsible, just like the smoker who refuses to use the smoking area and smokes wherever they please because there isn't a fence and a lock around the area. (another of my issues)
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  8. #8
    All the Certs! 11001001's Avatar
    Join Date
    Mar 2002
    Location
    Just West of Beantown, though nobody from Beantown actually calls it "Beantown."
    Posts
    1,230
    It's about damned time!

    Good job thehorse13...

    I've encountered this myself before, and understand what a pain in the arse it can be. It's good to know that someone has taken the time to put the users in their places.
    Above ground, vertical, and exchanging gasses.
    Now you see me | Now you don't
    "Relax, Bender; It was just a dream. There's no such thing as two." ~ Fry
    sometimes my computer goes down on me

  9. #9
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Line 1 of our AUP

    "This is a business network and is to be used for business purposes only"

    I call it a "catch all". Play games, read personal email, surf shopping sites etc. and I catch you then you need to present a _business_ reason for the activity. If you can't then I will assist you in any way I can in finding the door. In several of the other policy items further down I even go as far as to say, "If this is not clear or you are uncertain see rule 1 above".

    Yes, wherever I can I have technological enforcement, but with some 4 billion web pages out there, there isn't a web filter that can get them all right all the time.

    I also have one advantage over many here. If I say "this should be so" my management buy in right away and if the users whine too much they respond with "Talk to Tiger Shark". You'd be surprised how few direct complaints I get..... (heh, maybe I should start calling myself Tiger Shark here, it might divert those last few whines..... )

    Nice post Hoss.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  10. #10
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Neg,

    Yes, the points you make are perfectly valid, only I didn't cover that aspect in my post. As the security team, we *still* must create rules to prevent users from doing things that are harmful to themselves. We think of it much like child locks on cabinet doors. If a child is able to get to something behind the door that will hurt him/her, then we, (the "parents") are responsible.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
