Safe user sandbox?

*This question is from a reader: I'm in a position to redesign our IT systems (network, servers, PCs, software, etc.) this summer, and I am undecided on which path to take. I'd like to disconnect our systems from the Internet so that we don't have to deal with all of the garbage that comes from the Internet via e-mail, browsing, etc. However, I also need to provide Internet access for our company to run its business. My company has about 50 employees and all have computer accounts, e-mail and Web access. I'm looking for an innovative solution in which we are not dependent on an arsenal of prevention and detection hardware and software, but instead I'd like our systems to not be vulnerable in the first place. For example, our e-mail gets scanned through four virus detection systems, and we still have seen viruses pass right through since updated virus definitions were not available in time. Yes, we could switch to Macs or Linux or some other less popular systems, but eventually they too will become targets. So I'm hoping that there is enough good technology available such that we can design an invulnerable system (and/or procedure) for safe computing. As an analogy, we can get lots of advertising in our home snail mailbox, but all we have to do is throw out the stuff we don't want, so only the good mail gets in through our front door. Similar idea regarding a bookstore or library -- we go there to read, watch videos, check out books or buy books to bring home. So how can we do that in the computer world? Perhaps some kind of user sandbox for any Internet related activity -- e-mail viewing, browsing, downloading, streaming video, etc? I've seen several possible solutions -- ShadowUser and ShadowSurfer, DeepFreeze and FreezeX, using a thin client connecting to a Citrix server that runs a Web browser and e-mail program (i.e. Internet Explorer and Outlook), etc.
The big issue I see with some of these sandbox or freeze programs is that there are some changes that need to be made to a PC or a user's profile as part of their business use of the PC. It seems that it would be difficult to freeze some parts of the profile and/or registry but not others due to the underlying Windows design. One other thought is to buy some one appliance that does it all regarding prevention and detection of bad stuff (however I'd buy this device regardless of my final strategy as a backup filter). I spend a good deal of my time with security issues when my time should be spent improving the IT systems and helping our users take more advantage of software that can help their jobs and the company in general. I was hoping that someone might have some suggestions? There must be a simple strategy to keep our systems safe other than pulling the Internet plug.

Answer Wiki


Simple: there is no such thing as an invulnerable system. I wish there were one too. See the 10 Immutable Rules of Security, especially the following:
Rule #3: If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore.
Rule #10: Technology is not a panacea.
You are looking for something that doesn’t exist.

You really need to do a comprehensive risk assessment and determine what risks you have and how much they are worth. Yes, I know. Who has time for that… Based on your findings from the risk assessment, do a cost/benefit ratio to determine if the vulnerability is worth the cost of the safeguard. Why would you spend half a million dollars on a robust security system on something that is only worth $1000 to replace?

Hopefully you start looking for the right direction: risk mitigation, not force fields. You should be able to find plenty of answers when you ask the right questions.

Hope this helps,

Discuss This Question: 1  Reply

  • Drmatthewsusa
    I'm afraid Sony's right. The only entirely safe systems you can offer your users are Etch-a-Sketches, and then you have to teach them about the screen saver function (turn it upside down and shake!) that wipes everything they've been working on so it can't be stolen. Your biggest vulnerability, and in fact the biggest resistance you'll get to any of your good ideas, will be your users. The best and least expensive thing you can do to increase security in any environment is user education. That said, there are some technological solutions out there that might help and you've listed many of the best. But the bottom line is that technology is not going to help you with securing technology until you've done the risk mitigation exercise that Sony recommends and have changed the culture of your users to one of extreme security awareness. Best of luck from an empathetic peer, A Deputy CISO, and a CISSP, GSEC.
