IT Forum: Windows Vista and Security

In a recent survey, 70% of (male) drivers said that their driving skills were "above average". Which tells you that most people think that they are better drivers than the others on the road. Well, PC security is probably like this - most users think that they know more about making the right decisions than the "average user". Which means they are likely to think that security features are there to protect others from their own mistakes - whereas they themselves, surely, don't need security measures because they know what they are doing. Of course, you know this isn't true (except, of course, in your case!)

So this morning at IT Forum, I joined a security session with Rafal Lukawiecki & Steve Lamb, subtitled "How to do more business with less risk". I was interested to hear their perspective, because my main experience of IT is as a user, and security always seems to be designed to get in my way and is designed to stop me doing things I need to do (okay, I'm realistic, and do recognise sometimes that it's there for my benefit)

Rafal and Steve's perspective was that while there are many new areas of security that are built-in to Windows Vista, there are 3 or 4 key features which everybody should be looking at, and thinking how it will help them to manage their IT infrastructure.

Here are those key security features:

• User Account Control (UAC) - For me, this is definitely contentious, because along with the upside of enhanced security, comes the downside of more frequent warning messages, and the user being asked to allow applications to run. One of the unfortunate side effects of UAC is that it tends to be quite intrusive in the first few weeks of a new PC. This means, as you're getting used to Windows Vista, you get a pile of messages popping up saying Are you sure you want to install this software? Do you really want to add a printer?  Defragment your drive - are you sure? It's a classic case of security versus ease of use. The ease of use view (ie the one from your users) argues for switching it off - to stop them being interrupted as they work and install programmes. The security argument (ie yours!) is to leave it enabled, so that your users have the safest settings.
  
  The really important message that came out, from both the speakers and those IT administrators in the audience, is that after a couple of weeks, the level of interruptions reduce dramatically, so don't rush to disable UAC in the first few days, but live with it for a fortnight, by when it will be a lot less intrusive. By leaving it on, you get enhanced security, and you, and your users, will have more protection.

• BitLocker - Rafal counted this as one of the key security elements of Windows Vista, specifically because it's a "set and forget" security technology. Once you have enabled BitLocker encryption, all of the data on your hard drive is secured against unauthorised access. For any organisation when IT users may have personal data on laptops (and education definitely fits into that category, especially given the amount of sensitive student data that sits outside of the core database), it's something to explore and implement (did you know that worldwide, 350,000 laptops were stolen or lost in 2006?)
  
  The important thing to remember when you enable BitLocker is to make sure the access key is stored away somewhere you can get it - perhaps in your Active Directory - so that you can recover the data if the user forgets their logon credentials. Rafal talked about an unnamed customer, where they had a requirement that any attempt to access the data would destroy it - even a system administrator inside the organisation. So for them, the recovery keys were not stored - if the user lost their logon credentials, that would be the end of the data on the hard drive!

• Network Access Protection - this is the ability to set connection policies for devices - checking they've got up-to-date anti-virus signatures, the latest security updates etc. Education is potentially quite a different scenario to business, so I'm going to interview Steve Lamb later, and write more about this for you.

• USB controls - there was a discussion about the use of USB controls, to stop users adding memory keys and potentially introducing viruses, unauthorised software and allowing the removal of critical data. One of the points that came across was to think at a higher level - because if you block USB, you simply move the problem to another place (eg my laptop has an SD Card slot  - so I could do all of the above through that instead). The recommendation was to start by looking at what you are trying to prevent - looking at the behaviour - and then addressing that through better policy management and more proactive management of your data and users.
  

Two excellent security nuggets from Rafal and Steve:

• Passwords - At the office, I have to use strong passwords - which means at least 8 letters, including upper and lower case, and non-alphabetic characters. As you can imagine, this is a bit of a pain to remember, every time I have to change my password. The recommendation from Steve & Rafal was for teach users about "pass phrases", to help them to create and remember strong passwords. It's good because it works for students and staff. The basic idea of a pass phrase is that you encourage the user to create and remember a phrase (like "This Week Is Get Safe Online Week 2007"), and from that I create a strong password using the first letter of each word ("Twigsow2"). The password is more memorable to me - I remember the phrase, but unintelligible to anybody trying to guess my password, because it makes no sense.

• Keyboards - Always used a wired keyboard if you are worried about security. I know it's cool and trendy to use wireless (either bluetooth or RF wireless) keyboards, but did you know it is possible to pick up a signal from a specific RF keyboard from a satellite in space! Think about it next time you type in your strong & secure password!

The overarching message was:

- You need tight security to make your systems reliable, and keep your data secure

- Your users want ease-of-use, and security gets in the way of that sometimes

The answer is to find the right compromise, because too much security will encourage users to find ways around your security; too little security might make your users happy but give an unacceptable risk for your business systems.

One recommended way to get your users on your side is to show them what the implications are if they don't pay attention. For example, if a user leaves a computer logged on, and leaves their desk, what information could another person see? Or who could be emailed from their Contacts list? Simple examples help to reinforce the message that a simple step like locking your machine (Windows Key + "L") is simple and improves security significantly.

Steve's blog is a good source for further information on this subject, and to explore the subject further.