I just read an article about how invasive species are presenting severe threats to the wildlife in the national parks here in the USA. It’s not just a problem in the USA: regions around the world have to face the consequences of a more interconnected world when those connections bring in a non-native species that begins to take over the environment, destroying delicate ecosystems in the process.
Of course, my thoughts made a connection to IT security. So, I’m going to write about my thoughts. 🙂
What makes an invasive species so invasive and dominant is that it doesn’t have a natural predator in the new region, so it is able to reproduce and consume resources without limit, until the land can’t support them any more. But, at that point, they’re pretty much dominant in that region. If a natural predator of that species is brought in, it could wind up being invasive in and of itself, wiping out other species that were already threatened by that first invasive species.
In IT, we have systems that are created and maintained to provide a particular level of service with a particular level of security. We expect those systems to maintain equilibrium – employees are typically told not to bring in other devices and IT staff have to comply with standardized purchasing and acquisition processes to bring in new gear, typically chosen carefully to work well with all the other systems.
An invasive species in IT is something, be it a hardware platform, a website, or piece of software that allows employees or other users of IT resources to evade security, go around processes, or even to create systems of their own that exist outside IT standards.
Once introduced, there’s no stopping these invasive IT elements without some drastic measures. Consider a scenario in which a company wants to improve productivity by blocking YouTube and Facebook on both employee and guest networks. Mobile devices become an invasive species, as employees bring those in and use LTE networks to access the prohibited material. If an employer wants to stop those mobile devices, it’s looking at introducing discipline for their users – which would destroy morale – or introducing cell phone signal jammers – which will destroy morale and possibly violate local laws.
While I’m aware that many would want to argue with the wisdom of blocking YouTube and Facebook, we can all agree that employees deciding to start using resources outside of IT’s control on a regular basis is an eventual trouble spot. What if there is a way to access company data in the cloud via those mobile devices? Then it’s possible for the data, now on those mobiles, to be shared outside the purview of any dlp software that exists on the company-managed laptops and desktops. It’s easier for the employees to share data – properly or improperly – and they’ll keep doing it. Is there a way to shut down cloud access to just company-owned devices? If so, does that then put a negative impact on the flow of business, overall? Does this introduce another layer of complexity, and will this new scheme be stable? Scalable? All the other questions we ask about the viability of a solution? Certainly, it’s an additional cost – is it worth it to implement, or does the company just abandon the cloud or DLP solutions altogether?
Abandon DLP? I’m sure some of the readers of that phrase would react with shock, horror, and disappointment. But, if we think like an executive, we have to ask the question, “Why should I pay for something that’s not able to get me what I want?”
When I was a high school teacher, I saw these invasive IT species all the time. I confess even to participating in their spread. I was a user, then, not part of IT security, so I had other concerns on my mind – getting my job done, for example.
We all had to use software purchased by the school district to provide class information. The software allowed for teachers to post links to online resources, contact information, class calendars, notes, and a discussion board. The software was also difficult to use and constantly crashed. I posted the bare minimum of information, never updated it, and ran a discussion board on my personal website that had some solid uptime numbers, if I say so myself. My students used it constantly and pretty much didn’t even look at the district system. After the district canned that system after 2 years and got another similar one that didn’t allow for teachers to port over their content from one to the other, that’s when the rest of the faculty revolted and either did the bare minimum, used an outside resource, or both.
My school district also blocked YouTube and Facebook. In the days before mobile devices, students using school-provided PCs would go for proxy buster sites. As fast as the district security could block one of those sites, another one would be discovered and quickly utilized. When I wanted to show a documentary on YouTube to my classes, it was much easier to go the route of the proxy buster than to submit the link weeks in advance for an official review. I knew the documentary on economics didn’t have any objectionable material in it, so I just went around the proxy server, just like everyone else did.
When the district just blocked YouTube on district networks, that’s when I brought in my personal PC, joined it to the unscreened guest wireless network, and plugged that into my display projector. Other teachers used their district-issued laptops, but connected them to mobile hotspots, making for the dreaded bridging between the Internet and office networks.
All along, I wasn’t trying to do anything evil. I was just wanting to get my job done. Any end-user facing a choice between finishing work or security is going to choose finishing work, and that can mean the introduction of an “invasive species” that gets adopted by many other users, once word gets out about how it lets them do their work.
Not all invasive species in IT are themselves IT. How many times have those annual security trainings been foiled by lists of answers for the test at the end of the training? Given a choice between paying attention to the training or just clicking through it while getting real work done, nearly all employees are going to click through with the sound off and then go CBBADECCAE for the test at the end, just like the answer list tells them to do. Jumble up the questions? Not a problem, as the list of letters is annotated with notes like, “Question about mouse hovering – C”. Jumble the answers? “Question about mouse hovering – different link revealed.” Give them an honesty affirmation at the start? That gets clicked through, too, if the pressure is high enough to get stuff done.
So how can we deal with invasive species? All I can think of are proactive measures. Make sure that the only way to interact with the corporate network is with a corporate device, be it through NAC or VPN, or both. For situations where employers want to control online activities of employees, perhaps the solution lies with human resources and one-on-one meetings instead of proxy servers and firewalls. When employees complain about how lack of IT response isn’t letting them get their jobs done, listen to them and respond to their satisfaction. Once those complaints stop, it’s too late – they’ve found the invasive species and your security posture is likely compromised, with a high chance it’s a severe compromise.
There are reasons why nations highly dependent upon agriculture will fumigate your checked bags before you’re allowed to collect them. They don’t want any invasive species. We can’t fumigate our employees, so we instead have to be sure that security policies and practices don’t create a need for an employee to introduce an invasive IT species.