What I have learned in IT security (so far)
I've worked as a resident consultant for a multinational company for 9 months. The main product we supported was SAV CE 10, which was later migrated to SEP 11. There is also Symantec Mail Security for Microsoft Exchange, and we have just recently installed a Symantec Brightmail Gateway appliance. This is what I have learned:
Whatever policies and security applications you've installed, someone is bound to bypass them. This company uses a firewall proxy that, like other companies', blocks users from visiting non-business-related websites. And still, when I walk past some users' workstations, I can see them browsing social websites, hacking websites (mostly about bypassing security controls), and blogs: sites which are clearly blocked, or should be blocked, by their proxy firewall. Some will try to bypass or disable any or all of the security applications in place so that they can "work faster". And I bet that the first thing a user does after bypassing the security is to put media files in a personal folder. Then enable file sharing. Before you know it, they have a large collection taking up needed disk space, which would make you wonder why you can't push an upgrade due to "insufficient disk space". Nothing can stop the strong-willed.
No matter how you set the scan settings, even in uber-paranoid mode, malware can still reach the client. This has been discussed numerous times on the Symantec forums and other AV forums. It doesn't matter how well you implement your AV solution; malware will still reach your clients. Malware has to be downloaded, or in the case of USB devices, connected to the client PC, before it can be scanned at all. This explains why, one day, you'll receive hundreds of alerts: quarantined, deleted, or cleaned. These are mostly temporary internet files from websites that are compromised or have hidden scripts in them. Other times, it is an executable file in the same folder. You may control USB access in your company, but if they know how to bypass it, then be on alert. We don't know where that storage device has been. And then there are those clueless users who, out of pure luck, are able to destroy the OS even if everything is protected. I'll never know what they do outside of work, what websites they visit, with the flash drive connected and waiting to accept a new malware which will be brought into the office the next day.
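The point above, that a batch of alerts is mostly browser-cache hits with the occasional executable or USB file mixed in, is the kind of thing that is easy to miss when hundreds of alerts land at once. The script below is an added example, not code from the article or from Symantec, and the pipe-separated alert format it reads is constructed for this example (it is not the SAV/SEP log format). It sorts each detection by where the file was found, so that cache content can be glanced over while hosts that had an executable on disk or a detection on removable media are pulled out for follow-up. The assumption that drive letters D: and above are removable media is also just for this example.

```python
"""Triage a batch of AV quarantine alerts by where the detected file was found.

Added example, not from the article or from Symantec. The alert format below is
constructed for this example and is NOT the SAV/SEP log format.
"""
import re
from collections import Counter

# Constructed sample alerts: host | action | path   (not a real product format)
SAMPLE_ALERTS = """\
WS-101|Quarantined|C:\\Documents and Settings\\jdoe\\Local Settings\\Temporary Internet Files\\Content.IE5\\ABCD1234\\ad[1].htm
WS-101|Deleted|C:\\Documents and Settings\\jdoe\\Local Settings\\Temporary Internet Files\\Content.IE5\\ABCD1234\\x[1].js
WS-102|Quarantined|C:\\Documents and Settings\\asmith\\Local Settings\\Temporary Internet Files\\Content.IE5\\EF567890\\index[1].htm
WS-102|Quarantined|C:\\Documents and Settings\\asmith\\Local Settings\\Temporary Internet Files\\Content.IE5\\EF567890\\setup.exe
WS-103|Cleaned|E:\\autorun.inf
WS-103|Quarantined|E:\\RECYCLER\\S-1-5-21\\driver.exe
WS-104|Quarantined|C:\\Documents and Settings\\bjones\\My Documents\\movies\\codec_pack.exe
"""

# Path fragments that identify browser cache locations (lower-cased comparison).
CACHE_MARKERS = ("temporary internet files", "\\cache\\")
# Extensions treated as executable content rather than page/script cache.
EXEC_EXT = (".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi")
# Assumption for this example only: drive letters D: and above are removable media.
REMOVABLE_DRIVE = re.compile(r"^[d-z]:\\")


def classify(path):
    """Map a detection path to a triage category.

    cache-content     : web page or script scanned in the browser cache (bulk noise)
    cache-executable  : an executable landed in the cache, i.e. something was downloaded
    removable-media   : detection on a USB/removable drive
    local-executable  : executable elsewhere on the local disk
    other             : anything else
    """
    p = path.lower()
    is_exec = p.endswith(EXEC_EXT)
    if REMOVABLE_DRIVE.match(p):
        return "removable-media"
    if any(marker in p for marker in CACHE_MARKERS):
        return "cache-executable" if is_exec else "cache-content"
    if is_exec:
        return "local-executable"
    return "other"


def parse_alerts(text):
    """Yield (host, action, path) tuples from the constructed alert format."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        host, action, path = (field.strip() for field in line.split("|", 2))
        yield host, action, path


def triage(text):
    """Return {host: Counter(category -> count)} for a batch of alerts."""
    per_host = {}
    for host, _action, path in parse_alerts(text):
        per_host.setdefault(host, Counter())[classify(path)] += 1
    return per_host


def hosts_needing_followup(text):
    """Hosts with anything beyond browser-cache hits: a file that was written to
    disk, or carried in on removable media, rather than merely viewed."""
    return sorted(
        host for host, counts in triage(text).items()
        if any(category != "cache-content" for category in counts)
    )


if __name__ == "__main__":
    for host, counts in sorted(triage(SAMPLE_ALERTS).items()):
        print(host, dict(counts))
    print("follow up:", hosts_needing_followup(SAMPLE_ALERTS))
```

Run as-is it prints the per-host breakdown and lists WS-102, WS-103 and WS-104 for follow-up; WS-101 only had cache hits. To use it on real exports, replace `parse_alerts` with a reader for your product's log columns and keep the classification the same.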
To give you some perspective, count the number of respectable AV vendors in the market versus the number of malware samples being written. A lot of malware is poorly written compared to AVs, which we expect to run perfectly when installed. This attention to quality affects the turnaround and is the reason why AV technology is lagging behind (or at least does not have that great a lead). When AV vendors make an AV solution or upgrade an older one, they have to make sure that everything works well, does what it was designed to do, and doesn't destroy your system or reduce productivity. This is done by skilled programmers, quality control personnel, beta testers and other staff, which costs money. Malware authors and even script kiddies, on the other hand, rarely use any quality testing. Their code is designed to do one thing: create havoc. If their code is designed, for example, to steal user information and, because of poorly written code, crashes the PC before completing its task, they'd still consider this a success. The only thing they need to make sure of is the survivability of the malware in the wild: make it evolve faster than the time it takes for it to be listed in anyone's definitions. This can be as easy as adding a single line to the code.
IT policies are the least enforced company policy. I'm not saying that they aren't enforced, but they are not at the top of the chain. I bet more people have received sanctions for violating HR policies than for violating IT policies. This could be the reason that some users do what they do. Another reason could be that users, in time, tend to forget that the PC they're using is company property, or maybe, realizing exactly that, they think they can break it because someone will fix it for free. However you see it, users treat their own computer at home differently than the computer they use at work.
Management will only be concerned about IT security when it is required or is already too late. Protection in general, whether it be a backup solution or a security solution, is not on every management's to-buy list. Top-level management is mainly concerned with making a profit and adding assets to the company. Backup and AV solutions don't generate any income; moreover, they cost the company in terms of licensing and support, hence, in accounting terms, a liability. So administrators are left to make do with what they have. If IT were at the top of the list in the annual budget, we'd probably be having the top-of-the-line desktops, servers and all that. But don't get me wrong here. If they've had a computer for quite some time, they are aware of the need for a security solution, but I doubt they're aware of, or want to know, anything more than what the advertisement or fact sheet contains: "If it works, good. Otherwise, look elsewhere." On the bright side, management's realization of the importance of security grows with the size of the company. Compare the requirements of SMBs to those of large multinational corporations. Look at the products they claim they can do without because these things cost them.
So in the end, it is still up to the IT team to be smarter than the end users, to be on alert for new risks and threats, and to be able to explain their work to people (which is rather hard considering that technical people are stereotyped as lacking interpersonal skills - joke) so that their decisions are met with open minds. And we should keep our minds open to new information, additional knowledge and anything that would make us wiser. I still consider myself a student even though I've been doing this for a few years now.
Comments
you are very gifted..
many thanks for the experiences...
Nel Ramos
That's a true article
This is a reality in the corporate industry, especially in this "cost-cutting" time. People do forget the importance of security and tend to take security software and devices for granted.
Management tries to cut down the cost of support and they lay off consultants and admins.
Thus mostly it becomes a one-man show, that is, one man has to look at hundreds of things, and that too in the fear that if he makes a single mistake he might be laid off.
But people on the other side of the industry are taking advantage of this recession and the major one was Downadup/Conficker.
VMWARE-- SEP 12.1 vs McAfee vs Trend Micro
yeah this is totally right
even happened in our company
A true veteran of the craft...
you got my vote man..
Management differs what the IT guy thinks about solution package
It is our stand to push for better solutions and tell management why we need them...
Because management would treat it as a cost or expense while we treat is as a valuable life saver...
Persuasion is the key, plus the right solution package, to get the nod of management...
Nel Ramos
I appreciate your vote of confidence, guys! Thanks!!
In the other company I worked with, I received the nickname 'The Virus guy' - they left out the anti- but I guess I'm the go-to guy there when it comes to virus removal. And my present employer (a Symantec reseller) underestimated my skills. Not sure if this is a good thing or bad. :D
“Your most unhappy customers are your greatest source of learning.”
looks like i need to forward this article to my management :)
thanks for the insights...
your experience is valuable..
very informative...
hope i could also be as good as you when i am 10 years in the business...
just a new AV engr
thanks...
@zayreetadiosa: I've only been in the IT field for roughly 4 years. And AV was one of the first tasks assigned to me. Probably because my employers think that that's the only place where I could do the least amount of damage should anything go wrong - compared to managing production servers. :D
Although, from personal experience, the first virus I ever encountered was named C brain, during the DOS era. Back then, even some tech people thought that computers could get a virus from humans! It's true, I was forbidden to play games until my cold was better.
I'm sure you'll be good at what you do in just a couple of months, once you've had your fair share of malware. Post a thread in the forums for things you don't know.
“Your most unhappy customers are your greatest source of learning.”
Hi Mon..
What do you think would be the future of Anti-virus?
Thanks.
Nel Ramos
@Nel, that's a pretty tall order. :D Give me a nice title and I might blog about it.
“Your most unhappy customers are your greatest source of learning.”
<< Deleted by Moderator >>
Hi Mon...
Nice article..
hope the one you promised would be out soon...
thanks
thanks mon for the good article...
You're welcome. I'll promise to write more articles as soon as:
1. I get my PC working the way I want it to. I need a new hard drive. :(
2. Plus, I claimed my Symantec reward a week ago and just can't put it down. :D
3. After I've finished some personal things to do.
“Your most unhappy customers are your greatest source of learning.”
nice article mon keep up the good work
Nice work MON... I really don't understand when my (everybody's) manager will start taking antivirus seriously..
Thanks for taking your time in reading my article. I appreciate the fact that someone reads this.
Int3rn3t: Pass this article along to your manager. :D
“Your most unhappy customers are your greatest source of learning.”
Hahaha...
That's a good one Mon...
The managers might hire you in their place...
thanks...
Nel Ramos
Super, you are telling the reality.
Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind
Deja vu
It's happening again, my client is panicking about our implementation of Symantec security solutions. But not because of any latest exploit or malware. It's time again for the annual audit and they've decided to look into IT security this time.
“Your most unhappy customers are your greatest source of learning.”
SEP for you is like a cycle... but with a twist...
Especially if that would be in a financial institution or a contact center, then they have a great deal to worry about... I hear IT audit is a nightmare...
thanks...
Nel Ramos
That's cent percent true...