Posted by: Troy Tate
How often does this happen to you? A user is going to travel to another company location and wants to check out a laptop for the journey. However, they tell you on the morning of the trip rather than in advance, so you do not have time to check the device and ensure that it is in good operating condition and up to date on patches and anti-virus.
As they say, “Poor planning on your part does not constitute an emergency on mine”. However, this is a real business situation and IT responds to the user’s needs.
We recently had a situation where IT staff at a site gave a laptop to a user for travel. The IT staff cut corners because of time constraints and because they did not understand the implications of not following corporate standards. The outcome: the user was given administrative rights on the laptop and non-standard software was installed. The combination of these two events created almost the perfect storm when the user reached their destination at another company facility.
The traveling user’s device created a denial of service (DoS): it was infected with a virus and was unprotected because its anti-virus protection had not been updated for over a year. This DoS took down some manufacturing equipment, so production stopped. This took away one of the three legs of the information security triad: AVAILABILITY. Users were unable to access the systems or services they needed to do their jobs. The user was also unable to use the travel laptop in this condition.
Needless to say, the problem device was removed from the network and corrective actions were taken.
Both sites now understand why we have the procedures in place that we do. Users are told that they will submit their travel laptop request at least one day in advance. IT will no longer add these users to the local administrators group on the travel laptops. Let’s hope that these actions help reduce the likelihood of this happening in the future.
Network admission control (NAC) is a good method of enforcing policy on devices attaching to the network. However, this takes significant investment in equipment, software, policy creation and enforcement activities. Well, maybe someday I will be able to move in this direction. In the meantime, communication, understanding and enforcement will help all involved: users, IT and management.
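Short of NAC, the same baseline can be checked on the laptop itself before it is handed over. The script below is an added example, not part of the original post; it assumes a Windows laptop with Microsoft Defender as the anti-virus product and an elevated PowerShell prompt, and the thresholds and administrator allow-list are hypothetical values.

```powershell
# Pre-checkout posture check for a travel laptop (added example).
# Assumptions: Windows, Microsoft Defender is the AV product, elevated prompt.
# The thresholds and allow-list below are hypothetical; set them per your standard.
$MaxSignatureAgeDays = 7
$MaxPatchAgeDays     = 45
$AllowedAdmins       = @('Administrator', 'Domain Admins', 'IT-Laptop-Admins')

$findings = @()

# 1. Anti-virus: real-time protection enabled and signatures recent.
$mp = Get-MpComputerStatus
if (-not $mp.RealTimeProtectionEnabled) {
    $findings += 'Anti-virus real-time protection is disabled'
}
if ($mp.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
    $findings += "Anti-virus signatures are $($mp.AntivirusSignatureAge) days old"
}

# 2. Patches: date of the most recently installed update.
#    Get-HotFix does not list every update type, so treat this as a rough check.
$lastPatch = Get-HotFix | Where-Object InstalledOn |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $lastPatch) {
    $findings += 'No installed updates found'
} elseif (((Get-Date) - $lastPatch.InstalledOn).Days -gt $MaxPatchAgeDays) {
    $findings += "Last update installed on $($lastPatch.InstalledOn.ToString('yyyy-MM-dd'))"
}

# 3. Local Administrators: flag any member that is not on the allow-list.
#    The well-known SID is used so the check also works on localized builds.
foreach ($member in Get-LocalGroupMember -SID 'S-1-5-32-544') {
    $shortName = ($member.Name -split '\\')[-1]
    if ($AllowedAdmins -notcontains $shortName) {
        $findings += "Unexpected local administrator: $($member.Name)"
    }
}

# Report: a non-zero exit code means the laptop should not be issued yet.
if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output 'Laptop meets the checkout baseline.'
```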
Thanks for your time. Let’s be good network citizens together & practice safe networking!