720    Chapter 12 • Operational and Organizational Security: Policies and Disaster Recovery


Notes from the Underground…

Educating People on What Not to Do

With so many people having computers and Internet access at home, users of a company network not only need to be educated on what to do, but also on what not to do. Many users may have installed software, printers, or modified settings on their home PCs. In many cases, they will even use the same operating system at home as is used at work. Because they have done certain tasks successfully at home, they may assume that they are able, and have permission, to perform the same actions on network computers at work.

Because the systems may be locked down or have unique configurations, a user's actions could cause the system to function in an unexpected manner (or not at all). Users must be taught that they are not allowed to perform certain actions on the Internet, use equipment for personal use, install software or hardware without permission, or perform any other actions restricted by policy.

For example, a user owned a computer business outside of work. Because he felt he was an expert in computers, he decided to install software on a company machine, not realizing that it was locked down to prevent reconfiguration. Only part of the software installed before the installation failed. "Expert" that he was, he thought the problem was with that particular computer, so he proceeded to try installing it on other machines. The partial installations caused conflicts on these machines. When told of the problem, this person still did not comprehend why users were not allowed to install software. He argued that he should be given the administrator password so that he could install software and fix problems. While the problem was partially ignorance, a larger issue was the arrogance and unwillingness to understand what they were not allowed to do.

It is important to remember that in the wrong hands, a little knowledge can be a dangerous thing. Users can be dangerous if they have too much knowledge of a system, just as they can be if they have too little. If they have proper access, users may attempt to perform unauthorized actions using information that was passed along to them. Security is always a tradeoff, so administrators need to be careful as to what information they pass on to users of their network. As mentioned earlier in this chapter, security policies may be used to control a user's actions by specifying what they can and cannot do on a system.










          www.syngress.com