September 12, 2005

The Weakest Factor is STILL the Human Factor in Security

At SMB Nation I was reinforced in the notion that human nature will trump security best practices time and time again. While sitting in the hallway in the Microsoft Conference Center with Susan Bradley, preparing for our talk on securing Small Business Server, I was using her TabletPC to make a change to a slide.

I was explaining to her the fastest way to show that someone is TYPICALLY running with least privilege is by clicking on the time/date control on the task bar. You will only be able to get the "change" dialog if you have those privileges (which typically only admin accounts have). As I was saying this, and expecting the double click to fail... up pops the dialog.

What the...

Susan doesn't run with least privilege on her own machine!!!!! Will wonders ever cease??? The diva that runs so many posts on least privilege does not herself do it on her TabletPC. Her reasoning? Because she is lazy. That shocked me. It shows how even those who KNOW about least privilege don't always use it. As I dug deeper, what she seemed to really mean was she felt the risks weren't that great because she doesn't connect it to a domain, and some currently configured apps would be difficult to reset (i.e., Thunderbird, installed with an admin profile). I then asked the next logical question... "do you even let it touch the corporate network"? When she said "yes"... I said that's it... it's all over. Domain or not... she is a conduit of potential risk to her corporation.

Then our presentation started. We entered the Kodiak room and started with all the introductions. Then Susan, willing to admit her mistake, told me to "out her" on stage. And then everyone had a laugh at her expense. It came close... I almost picked up the "Susan 2x4"... but then I reflected a bit deeper. This could have been me. It could have been you. It could be anybody.

What can we learn here? Well first off, I think this incident shows how the need for an easy to use LUA in Windows Vista has never been more prevalent. The fact Susan was running as admin because it was too cumbersome to change it is inexcusable. We all know that Susan, as both a SBS and Security MVP, GETS what has to be done. But in her focus to get her work done day to day... humanity trumped best practices.

Secondly, I think this shows how layered security on ALL hosts on a network has to be considered... especially with ingress and egress filters. Her TabletPC was a conduit of potential risk. She had it on vile network backbones while in Vegas, and then went and plugged that into her corporate network. Who knows what she could have brought along with her. Ensuring that machine has NO privileges to touch anything on the corporate net could mitigate this risk.

And finally, it was a wake up call. As security professionals we cannot just TALK THE TALK. We have to WALK THE WALK.

So Susan, here is my challenge to you. IMMEDIATELY create a new limited account on your TabletPC called "Bonehead". Then create a shortcut on the desktop, point it to Thunderbird and set it up to run with the credentials of your "Susan" administrator. It is a short term fix for everything else until you can properly reinstall Thunderbird and move your mail spool over. At the same time, it will reduce the other risks you expose yourself to by making the rest of the system run with least privilege. Then, I want you to read this article by a fellow MVP and convert your bloody hard disk to NTFS. Get rid of that FAT32 crap.
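The challenge above, as an added PowerShell example that is not from the original post: a check for whether the current session holds administrator rights (the question the date/time dialog trick answers), creation of the limited account, and a desktop shortcut that launches Thunderbird under the admin account through runas. It assumes a current Windows host with PowerShell; the account names, function names and Thunderbird path are placeholders.

```powershell
# Added example (not from the original post). Assumes a current Windows host
# with PowerShell; account names and the Thunderbird path are placeholders.

# Is this session running with administrator rights? Same question the
# "double-click the clock" trick answers: that dialog only opens for admins.
# Under UAC a non-elevated session of an admin account also reports $false.
function Test-AdminSession {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Step 1 (run once, from an admin session): create the limited day-to-day
# account. "net user <name> * /add" prompts for the password; a new local user
# lands in the Users group only, so it starts out unprivileged.
function New-LimitedAccount([string]$Name) {
    if (-not (Test-AdminSession)) { throw "Create the account from an admin session." }
    net user $Name * /add
    if ($LASTEXITCODE -ne 0) { throw "net user failed for $Name" }
    # Show the group membership so the result can be eyeballed.
    net user $Name | Select-String 'Local Group Memberships'
}

# Step 2 (run while logged in as the limited account): a desktop shortcut that
# starts Thunderbird via runas.exe under the admin account, so the mail setup
# installed under the admin profile keeps working while everything else
# on the desktop runs with least privilege.
function New-RunAsShortcut([string]$AdminUser, [string]$ExePath) {
    if (-not (Test-Path $ExePath)) { throw "Not found: $ExePath" }
    $ws  = New-Object -ComObject WScript.Shell
    $lnk = $ws.CreateShortcut("$env:USERPROFILE\Desktop\Thunderbird (as $AdminUser).lnk")
    $lnk.TargetPath   = "$env:SystemRoot\System32\runas.exe"
    $lnk.Arguments    = "/user:$env:COMPUTERNAME\$AdminUser `"$ExePath`""
    $lnk.IconLocation = $ExePath
    $lnk.Save()
    return $lnk.FullName
}

# Usage (placeholder names): as admin, New-LimitedAccount 'Bonehead'; then,
# logged in as Bonehead,
#   New-RunAsShortcut 'Susan' 'C:\Program Files\Mozilla Thunderbird\thunderbird.exe'
# The FAT32 -> NTFS part of the challenge is a built-in command, not a script:
#   convert C: /FS:NTFS      (the system volume is converted on the next reboot)
```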

Fix your TabletPC before you plug it into another network. You know better. You have two weeks before the MVP summit. You're lucky I won't be there to check on you. Maybe a fellow MVP can do that for me :)

Posted by SilverStr at September 12, 2005 10:44 PM