Page 40 - Cyber Warnings
P. 40
Convenience Does Not Overrule Common-Sense and Industry
Standards
Applications
by Charles Parker, II
In IT, convenience has taken much more of a focus as of late. Businesses don’t upgrade or
update for a number of reasons. The user’s requests or “requirements” are being used as an
example and may state this is needed for their respective role, regardless of how many times
the subject matter is used per month or quarter. At best, the rationale for these tends to be
shallow and not well thought through, documented, or analyzed. Their request is taken as being
acceptable as is.
Examples of this abound in the enterprise. In certain businesses, the autorun functionality may
be engaged. This function would probably not be actively used, however simply is there. The
users don’t want to change the configuration in place, even though the need for this is not
significant and easily remedied with a click from a dialogue box. The potential risk and issues
have not been analyzed and reviewed. The files could be malicious and contain a variety of
viruses, Trojans, and other programs coded to ruin the CISO’s day, week, or month, depending
on the depth of the issue. The autorun option being configured as enabled would allow these
automatically to be put on the system. The autorun simply opens the drawbridge to the laptop or
desktop and enterprise, and invites the malware in for dessert as the keys are on the table.
Enabling the USB ports also has proven to be problematic. The USB port generally is not
utilized by a majority of the users. This is however actively used by a select group, comprising a
less than significant number of the totality. The users with a strong and robust voice still demand
this functionality as they claim this is vital for their role, although it is not. This has been treated
as more of a right, than a privilege.
The risks with this are bountiful. A large percentage of malware is introduced into the enterprise
with the USB. The issue has been one of portability. The user cannot be completely sure where
the USB had been used or plugged into, along with other USBs have been plugged into the
same equipment. The USB used by a parent, could have been borrowed by a child and used at
their school prior to being returned. Anywhere the USB is used, any malware on that system
could be transferred.
The users and groups tend to hold onto old technology, for example using SHA-1 or TLS 1.1.
These and other outdated technology continues to be used and the associated parties refuse to
change. This steadfast holding onto the outdated technology and protocols tends to be due to
legacy systems requiring this. The business may not want to require this from the vendors due
to the costs involved, and the vendor “refusing” to update their systems. To enforce this, the
person or group may also slow the decision process. The status quo would rather be maintained
40 Cyber Warnings E-Magazine – July 2017 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
