Protecting the end-user

Sometimes security means protecting end-users from themselves

The recent OS X-specific Mac Trojan ignited many hot conversations on various security mailing lists last week. Supposedly, the excitement regarding the Trojan is that it is the first time profit-seeking criminals have paid attention to the OS X platform, versus script kiddies and the hobbyists. Personally, I don't know what the big deal is; Mac-based computers have been host to all the normal types of malware for more than two decades, albeit not as frequently as Microsoft Windows PCs.

Macs, PCs, and users

When I first started fighting malware writers more than 20 years ago, the only place you could find a PC virus was on a Mac. The first PC virus, Elk Cloner, was written for a Mac. Then DOS became more popular, so the virus writers started writing viruses for DOS. Next, Windows took over, and it's been the primary target of hackers ever since. Linux has its fair share of malware, and as OS X gains market share, malware writers are taking notice. I seriously doubt that the recent Trojan is the first malware attack against OS X by professional criminals.

The recent Mac Trojan waits for a user to visit a Web site promising, er, interesting video content. When the end-user visits the site, it prompts the user to download a needed QuickTime codec, which is really a Trojan program. If the user accepts the download and supplies their root password to install the bogus program, they get owned. The mail list conversations are all over the place, including the normal Mac-is-better-than-Windows-no-it's-not flame wars. How boring.

The one thread I found most interesting was whether or not malware that required end-user interaction and the root password could be counted as an exploit. Several very bright minds said something along the lines of, "If the computer is completely secure, but the end-user stupidly installs this obvious, malicious, crap piece of software, then it's the user's fault, not mine. It's not a security problem!"

Since I've documented that 86 percent of all (Windows) malware requires client-side interaction today, I'm not in that camp. Are we supposed to ignore the largest threat to our computer systems simply because our end-users disregard everything we tell them? Can I let my company get exploited over and over again, but tell my boss my hands are clean and I'm a success because I "secured" their computer systems?

The IM invasion

Most computer environments have an obligation to respond to threats that are caused by end-users unknowingly installing insecure software or using it in an insecure way. An example of this was when instant messaging began to take over the world. I personally didn't see the need or value of IM in my environment. "Heck, e-mail does everything IM can do, and with an audit trail," I said. But my opinion didn't matter.

One by one, end-users began to install instant messaging. I'd uninstall it on one user's workstation only to find it installed on the two PCs beside them. I was fighting a losing battle. I decided to block the IM network port to prevent the clients from connecting to the outside hosting channel servers, and the IM clients morphed to bypass the firewall settings. I went to complain to the company CEO, only to have him request that I install it on his computer. I didn't want to support IM, but eventually I learned that my job is not to decide what end-users or management should be running, but to secure as best as I can what they want to run.

The IM invasion (as I called it) was replaced with a p-to-p push, then music downloads (full of malware), and unauthorized USB keys ("Hey, what are those things?"). Then a major vendor, spending tens of millions of dollars on radio and magazine ads, convinced my end-users that they could not live without GoToMyPC. No need to get the IT staff involved. Firewalls are no problem. Right.

Join the PC World newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Roger A. Grimes

InfoWorld
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Matthew Stivala

HP OfficeJet 250 Mobile Printer

The HP OfficeJet 250 Mobile Printer is a great device that fits perfectly into my fast paced and mobile lifestyle. My first impression of the printer itself was how incredibly compact and sleek the device was.

Armand Abogado

HP OfficeJet 250 Mobile Printer

Wireless printing from my iPhone was also a handy feature, the whole experience was quick and seamless with no setup requirements - accessed through the default iOS printing menu options.

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?