End User Computing security seems to be in the hands of the users, not actually the IT Security department. At least not yet. So what can we do about this? IT security can be draconian and not allow EUC devices into the office, but the users will be up in arms. They use their smartphones, tablets, laptops, and services on their desktops to get their job done. Draconian IT security measures will hamper timely completion of critical projects and deals, and hurt workplace morale, thereby impacting the bottom line. However, the bottom line will be impacted just as heavily by the lack of security on end user devices. So how can we alleviate this problem?
Besides the solutions offered by many security companies such as Sky High Networks, VMware Horizon, Voltage Security, Afore CypherX, etc., there needs to be a groundswell of serious training of end users. I believe that technology will eventually solve the problem, but if end users are in control of their devices, then they should be trained to use them securely. I do not mean trained in the security measures available within the device, at least not initially, but more in situational awareness around and about their devices.
There are horror stories of stolen devices, people picking up passwords, hacking Bluetooth, or other means of entry into the enterprise, such as easy-to-catch MiTM attacks. We need to change the way our End Users think more than we need to explain security to them. I believe current security training mechanisms just do not work, as they concentrate on the security measures of the device and what IT is doing for the users instead of what the End Users can do for themselves. There are simple things that End Users can do, such as:
- Do not share your device
- Look around before typing in passphrases (or passwords)
- Do not plug your device into any cable presented at a kiosk; in fact, do not use a charging kiosk at all unless you control the electrical plug
- Use your own power plugs and cables if you can
- Do not pick up and use USB sticks found anywhere
- When connecting over a wireless access point or over 3G, 4G, or LTE, always check your SSL security fingerprints if they are provided, such as those provided with SSL-based VPNs, View, and XenDesktop implementations
- If accessing your bank account, ALWAYS verify the server-side security certificates
- Use passphrases
- Do not enable single sign-on without the need to enter a passphrase at some point (not just to the device)
- When using a Bluetooth keyboard, never type a password or even a username on that keyboard; use the on-screen keyboard instead.
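The two list items about checking SSL fingerprints and verifying server certificates describe a manual habit; the following script shows what that habit amounts to in code. It is an added example and not part of the original post or of any VPN or desktop product mentioned above. It computes the SHA-256 fingerprint of the certificate a server presents and compares it, in constant time, to a fingerprint the user was handed out of band (the value printed on an enrollment sheet, for instance). Chain validation stays on; the pin is an extra check, and a failed chain is treated as a failed check rather than something to click past. The host, port and expected fingerprint passed to `check_server_fingerprint` are whatever the user's own environment supplies; `SAMPLE_DER` is constructed bytes, not a real certificate, so the fingerprint routine can be exercised offline.

```python
import base64
import hashlib
import hmac
import socket
import ssl

# Constructed sample: NOT a real certificate, just bytes wrapped in PEM framing
# so the fingerprint functions can be run without a network. A real check uses
# the DER certificate the server sends during the TLS handshake.
SAMPLE_DER = b"constructed sample certificate bytes for the example"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(SAMPLE_DER).decode("ascii")
    + "\n-----END CERTIFICATE-----\n"
)


def normalize_fingerprint(fp: str) -> str:
    """Accept the forms users are shown ('AB:CD:..', 'ab cd ..', 'abcd..') and
    return lowercase hex with no separators, so a comparison is not fooled by
    formatting differences."""
    return "".join(ch for ch in fp.lower() if ch in "0123456789abcdef")


def sha256_fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def fingerprint_from_pem(pem_cert: str) -> str:
    """Fingerprint a PEM-framed certificate (what most tools show the user)."""
    return sha256_fingerprint(ssl.PEM_cert_to_DER_cert(pem_cert))


def fingerprint_matches(der_cert: bytes, expected: str) -> bool:
    """Compare the presented fingerprint with the one given out of band.
    hmac.compare_digest avoids leaking how many leading bytes matched."""
    return hmac.compare_digest(
        sha256_fingerprint(der_cert), normalize_fingerprint(expected)
    )


def check_server_fingerprint(host: str, port: int, expected: str,
                             timeout: float = 5.0) -> bool:
    """Open a TLS connection, take the leaf certificate the server presents,
    and confirm its fingerprint equals the expected one.

    The default context still validates the chain and hostname; a validation
    error is reported as False rather than bypassed, which is exactly the
    'never hit the ignore button' rule from the list above."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
    except (ssl.SSLError, OSError):
        return False
    return der is not None and fingerprint_matches(der, expected)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    fp = fingerprint_from_pem(SAMPLE_PEM)
    print("fingerprint:", fp)
    print("match with expected:", fingerprint_matches(SAMPLE_DER, fp.upper()))
    print("match with wrong value:", fingerprint_matches(SAMPLE_DER, "00" * 32))
    # Live use (hostname and pinned value are placeholders the user supplies):
    # check_server_fingerprint("vpn.example.invalid", 443, "<fingerprint from enrollment sheet>")
```

The point a user should take from this is that the fingerprint they are shown on a login page means nothing unless it is compared to a value obtained through a channel the network in front of them cannot touch.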
These simple steps, and I am sure there are more, would increase the security of end user computing devices 100-fold, literally overnight. So the goal is to get your users to follow good end user computing hygiene, and this starts with training.
How many times have you gone to training where the SSL certificate check aspect of web access is ignored, as in the instructor just hits the ignore button in the browser? This has to stop. How many times are the passwords for a class nothing but some odd spelling, if not the actual spelling, of "password", when a longer passphrase that is easy to remember could be used instead? We are training our users to use poor security, because training uses poor security. This has to stop as well. So the first step would be to fix all training, which is not quite possible.
What else can we do?
We can provide better training to the end users in the form of situational awareness: pointing out the unsafe behavior and showing the safer behavior in some memorable way. Let us train our end users to be more aware of their personal risk and how to reduce it, which will in turn help on the side of corporate risk.
In essence, we need a different type of security training. Anyone know of such training?