Ed Pagett, WhiteHat Security
As a former CISO, I’ve had my fair share of frustrations when it comes to employee habits that make the lives of C-level executives at any organization much more difficult. While the employee habits I'm sharing here are frustrating, I can acknowledge that these behaviors sometimes occur from user lack of understanding of how detrimental these habits can be to the organization’s risk posture and a lack of C-level support in changing these habits.
These three bad habits should be viewed less as a hand-slapping but more as a tool for C-level execs looking to reduce their organization’s risk by educating their employees, influencing their organization’s culture and re-thinking their strategy to address current threats.
I call users who demand administrative rights to their local machine by leveraging their political capital within the organization "convenience admins."
Typically these individuals have enjoyed (at home, at their previous workplace or their current workplace) the ability to do anything with the machines and devices that have been given to them. Yet they do not have a legitimate need for administrative rights.
Unfortunately, in my experience, most employees rarely understand or deal with the consequences of such a decision. When this sense of entitlement is translated into an IT request, for some organizations this turns into a political decision and these individuals are given persistent administrative rights simply for "convenience."
Mature companies still have these struggles, but typically only at the highest levels of the organization. Nonetheless, without truly understanding the risk that the decision leads to, these "convenience admins" put their machines, the information they access and their organization at increased risk. Employees who do not need routine administrative rights to function on a daily basis are significantly more susceptible to compromise by malware and phishing attacks due to the inherent privileges that administrative rights have on their system.
Additionally, these users have the unbridled ability to increase the surface area of exposure by installing software that is not consistently maintained by their organization’s IT staff and subject to its security processes.
CISO Response: CISOs should actively work with executives, executive admins and other political stakeholders to educate on how such persistent administrative access can be detrimental to the security posture of the organization and how support/access can be provided to them in other timely ways (e.g. tiered help desks). In addition, they can discuss other strategies to address whatever an individual perceives is the lack of convenience in not having administrative rights.
Some CISOs are able to budget for tools to facilitate a more granular approach to administration rights for specific use cases, providing just enough access to perform the needed function and no more. A few of the vendors providing these types of solutions have published reports showing as much as 80 percent reduction in exploitable vulnerabilities by restricting such administrative rights.
Poor Password Retention Practices
Users choose to accept their browsers' request to remember passwords and/or they leverage the same passwords across disparate applications and organizational boundaries to ease their access to Web-based systems. In either case, these form a dangerous proposition.
Such behavior puts the organization at increased risk, given the existence of malicious sites that attempt to automatically farm/leverage this information directly from the browser and/or compromise credentials in one system/application that can be leveraged across many systems/applications.
CISO Response: CISOs should remind their users not to leverage passwords across multiple systems (especially crossing internal and external third-party systems). However, it will likely be tough to actually monitor their success in convincing employees not to do so. The use of an enterprise password management system to assist users in creating and securely using distinct, complex passwords across a myriad of systems securely appears to offer the most significant uplift in providing convenience to the user while maintaining the uniqueness, strength and complexity for secure access.
Click Anything/Open Everything
Some users live by the rule "if you see it, click it." They believe that anything capable of reaching their email inbox or their browser has been deemed safe enough to click on and/or open -- and wow, how they click! These employees ignore pleas to leverage discernment in clicking on links, dialog boxes and other tempting material. Some seem unable or unwilling to build their observation skills to identify even the obvious ploys to have them open malicious content.
CISO Response: CISOs should continue to address this problem as they always have, with defense in depth. They continue to find new and innovative ways to motivate the user by combining security awareness with culturally appropriate visibility and accountability. CISOs continue to improve their perimeter defenses (e.g. spam, phishing, malware, APT filters) to reduce the likelihood of the user being presented with these temptations.
Finally, CISOs are also shifting to an "acknowledgment position" that some interaction will always be insecure and therefore should be isolated by design. It's a good idea to virtually (or physically) isolate activities such as Internet browsing and email to containers where their expected compromise is short lived and relatively innocuous.
Do any of the user habits mentioned above ring a bell for your organization? I’m sure we can all point to a time where we’ve either been the employee causing the headache or were the executive in charge left to respond to a security incident. It’s my hope that we’ll learn from each other’s mistakes, and share essential practices to increase the general security posture of your organization.
Are there any other bad user habits you’d like to add to this list?
Ed Pagett is a strategy consultant for WhiteHat Security. An information security and risk management executive with more than 20 years of experience, he is the former chief security officer of Black Knight Financial Services (BKFS). During his tenure he built an information security and risk management framework that was applied across the $4 billion organization’s multiple divisions and offshore activities. He has also served as corporate information security ofﬁcer of the First American Corporation and as practice director for several information security and technology consultancies providing services to Fortune 500 organizations.