3. Turning Off or Disabling Automated Security Tools
It still happens: A user, frustrated by the slow performance of an ISP link or the constant exclusion of specific types of files, finds a way to turn off the firewall on his remote PC -- or even at a branch office. Then, as if that's not bad enough, he "forgets" to turn the firewall back on, leaving that site open to all sorts of attacks until someone from IT finally recognizes the problem and reactivates the barrier.
And it isn't just firewalls: Every day, users reschedule automated virus updates, remote security patch installations, or requests to change their passwords. Security stuff, they say, is an administrative hassle and keeps them from doing their "important" work.
The disabling of carefully-evaluated, state-of-the-art security technology might be the most dangerous thing that users regularly do, according to the Enderle Group's Enderle. "This is what keeps many of us [IT and security professionals] up at night," he says. "Security applications take some overhead and may lower performance [of the end station]. Folks will turn them off as a result."
Cigital's McGraw agrees. "Sometimes you just have to postpone the old monolithic virus scan so you can get some work done," he notes. "There's always a tradeoff -- make sure you make the right one."
Most enterprise firewalls and antivirus applications now contain configuration options that enable IT to eliminate the "turn it off" option from the user's desktop, McGraw observes. In many cases, it may be better to force the user to accept a patch or a slow ISP connection -- and deal with the complaints -- than to leave the company's systems open to remote attack, experts say.
