A system administrator who has the task to make sure that the network is secure, will obviously be inclined to give a user the minimum possible access rights. This is because if there is some security breach, he would be the first person responsible, and it is assumed that users can’t do anything wrong if you don’t allow them to. But in most cases, this is an oversimplified solution, resulting in less productivity and frustrated workers.

Take one example – FTP access. In most cases, users do not need to access external FTP servers, so such access is blocked. In reality, however, most employees do many more minor tasks than their job description states, and in this example, some user might need to use FTP.

Now, that user has two options – one would be to ask his supervisor to get his manager to send a request to the administrator to allow access to that FTP site – a process that can take several days, resulting in missed deadlines. The other solution would be to visit a website that allows accessing FTP servers from the web, which would take the user just a few minutes to search for. If that FTP site requires credentials, in the second solution, that user will be sending out his/her username and password insecurely to the third party who happens to be running such a service. So, what happened here? We blocked FTP access, thinking that it’s more secure to do so. The result? The user found a way around it which made things much worse than if they were given access in the first place.

The FTP access example is just one of the multiple wrong assumptions that people make when trying to secure their network. It rises up to the debate about whether users should be forced to change their passwords frequently. In most companies, it is taken for granted that forcing users to change their password every 30 days is a good thing. But is it really? If I know that I will be using a password for a long time, I will select a hard to guess (and hard to remember) password, but would I do the same if I knew I have to forget it and remember a new one after just a month? The truth is that most people don’t care about security – all they care about is that their PC works. So what they end up doing is choosing the simplest password they can get away with, or if they’re forced to use a complex password, they will just write it down on a post-it note and stick it next to their monitor.

The aim of this article isn’t to say that what the industry is doing is wrong, nor that we shouldn’t care about security any more – far from it.  What I would suggest to anyone working to create a secure environment is not to take industry “best practices” as obvious solutions, because in most cases they’re not, and might even be worse than doing nothing! Before taking any security measure, always think about whom it will affect, what its actual effect will be, and whether it’s the right thing to do. In IT security, there’s never a one-size-fits-all solution, and the best security schemes are tailor-made for that specific scenario.

Every few months, some new threat sparks up in the news and every other journalist that doesn’t really know what the threat is about wants to write an article about it to raise awareness. I remember one instance when I was younger, on 31st March of some year in the last millennium, my sister had told me not to turn on the computer on 1st April because we’d get a virus. My reaction was “Huh? Can’t we get a virus every day?” to which the reply was “Maybe, but I’ve heard that whoever uses the computer on 1st April will get a virus.”

All these years have passed and I couldn’t believe I was experiencing the same thing againI’m obviously talking about the Conficker worm. I’m not saying that awareness is a bad thing or that malware threats should not be reported. However, I think that it’s about time that the general public is educated in another manner.

Conficker infected millions of machines by exploiting a vulnerability in the NetBIOS implementation in Windows. What most people never got to know was that this vulnerability was fixed by Microsoft when Security Bulletin MS08-067 was released on 23rd October 2008. The first variant of Conficker was discovered on November 20th – almost a whole month after this vulnerability was fixed. What this means is that if  all users kept their systems up to date, then this worm would never have started to propagate, thus relieving the worldwide panic that resulted afterwards.

It’s time that everyone starts to think about protecting their systems all year round and not just reacting to overhyped news.  You wouldn’t leave the doors and windows of your house open and then panic if some intruder enters the building! People have had front doors for thousands of years;  so, why should the security of a computer be treated differently? It’s about time that even grandma understands that a computer connected to the Internet is like a house connected to the ground – if you leave it open, intruders from outside can come in.

So what can the average person do?

First thing, keep your software up to date, especially the Operating System. If all systems are kept up to date, most malware outbreaks would never occur. Secondly, some form of anti-virus technology should be present. In a home environment, normally the only thing that can be used is a client-based AV; in companies, emails can be scanned at the gateway, and so can web downloads. Thirdly, every computer user should be educated, and by this I don’t just mean a one-time boring speech that is delivered and forgotten, but continuous reminders on what is safe and what isn’t. Don’t we get adverts warning us not to drink and drive? So why shouldn’t companies put up notices warning their users not to download animated emails to watch singing kittens?