Note: I took this picture myself - it's not a fake.
Clearly we don't want to use scare tactics for Information Security, but my ongoing frustration with users who don't bother to lock their desktop sessions when leaving their machines unattended makes me wish we could be more direct:
"Do NOT leave your machine unlocked while it's unattended, as someone nasty may come along and commit crimes and embarrassing activities in your name using your electronic identity."
- OK, so it's hardly eloquent, but you get the idea.
The reason some people do not heed the advice from computer security experts is not because you don't make sense, it's that you're simply being ignored. Let me elaborate:
Doctors tell EVERYONE to not smoke, watch their weight and to be active. Nobody disagrees. But most people ignore "parts" of this advice.
Dentists tell EVERYONE to brush AND floss regularly. Nobody disagrees. But most people "justify" not flossing three times a day.
Network Security Experts are in the same (good) company. People think they can get away with "flossing" (updating) their software less often etc.
Don't take it personally. You are indeed being listened to - it's just that sometimes you're simply being ignored! Ha ha
That's some sign, but yeah, I couldn't agree more with you. The fact is that some users will just not learn! :(
July 10, 2006 Good Morning: Top of the news this AM is InformationWeek's global security survey. They talked to 2000 or so folks and gathered some interesting statistics. Things are too complex, duh! Folks continue to have issues with malware,
Can't sleep, so thought I'd blog. oh well...
I've been meaning to post this for a while actually, so...
Last year in India, as I approached the airport in Delhi, I saw the best sign ever. It said: "SECURITY FOR INCONVENIENCE". OMG, I laughed so loudly! Alas, the battery in my camera was dead!
OK, so why not just set their screensaver timeout to 5 minutes? It keeps people clicking to stop it locking...
We have a 15 minute screen saver / lock out setting here. Some of us have limited it to even 5 minutes, but it does not matter. As infrastructure engineers we always try to catch each other off guard. You can literally turn around for 10 seconds and someone will slide in beside you and ninja out an email offering to take over everyone's projects. I think short lock out times are useful, but you will never be able to completely eliminate the ability for another user to access that machine... not as long as people themselves are required to physically interact with it. Physical access is, after all, the be-all and end-all of computer security. Sweet sign though... it is right up there with a park bench that just said "SWEET!".
Jordan> I find that general users get frustrated if the screen lock is set to such a short interval, as it tends to lock when they're on the telephone or discussing with team mates. Using competition as you've described is a really good idea.
At MSFT our computer use policy states that we're not allowed to tamper with each other's machines, even if the vulnerable machine was the result of a careless user.
Our computer policy has the same dictation; however, it also states you should not leave your computer in a vulnerable state... :-) I would be willing to bet that even though your policy states the inability to tamper, you or someone in your area has flipped someone's screen or taken a screen shot and set it as their background. That type of activity is what makes working with the same analytical engineers day in and day out a tolerable situation, especially in high stress / responsive environments. I think the ability to mess with each other enables you to openly discuss issues as well. Off topic and not in relation to security though, I digress.
What we need is an RFID tag in employees' ID badges, and a proximity sensor (perhaps in the keyboard - similar to current biometric keyboards). Step away from the keyboard more than a few feet, and the session is locked. I'm sure this is doable...?
Martin> Such devices exist - I have one. They provide a possible form of identification, though rarely do they provide authentication - being near to your PC is enough. Being in a different room or outside your office can be enough to trigger the unlock function.
I bought mine out of curiosity - I don't use it.
That's interesting - I've never come across them.
I was thinking of something a little more dumb (from the lock workstation point of view).
The technology only needs to perform a CTRL-ALT-DEL (Lock) when a user moves away, then a CTRL-ALT-DEL when they return. The user should still have to provide authentication in the usual way.
I guess this technology is relatively expensive to deploy, but it would be a useful addition to a layered policy (using password-enforced screensavers etc., all driven from GP).
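Since the thread keeps coming back to password-protected screensavers driven from Group Policy, here is an added PowerShell example (written for this page, not code from the post or any of the commenters) that reads the registry values those policies set, reports whether the session will actually lock on its own, applies them on a single machine for testing, and locks the workstation on demand the way the badge-sensor idea above would. The registry paths and value names are the documented ones behind the "Enable screen saver", "Password protect the screen saver", "Screen saver timeout" and "Force specific screen saver" policies; the 15-minute threshold and the function names are my own choices, and the machine-inactivity-limit value is included as an extra check even though it is a later addition to Windows than the 2006 discussion.

```powershell
# Added example: audit and apply the Group Policy screen-lock settings.
# Policy values (written by GP) take precedence over the user's own
# Control Panel settings, so the audit reads the policy key first.

$PolicyKey  = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$UserKey    = 'HKCU:\Control Panel\Desktop'
$MachineKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$MaxSeconds = 900   # assumption: a timeout over 15 minutes is reported as weak

function Get-ScreenLockState {
    # Prefer the policy key; fall back to the user's own settings.
    $src = if (Test-Path $PolicyKey) { $PolicyKey } else { $UserKey }
    $p = Get-ItemProperty -Path $src -ErrorAction SilentlyContinue

    # ScreenSaveTimeOut is stored as a string of seconds; parse defensively.
    $timeout = 0
    [void][int]::TryParse([string]$p.ScreenSaveTimeOut, [ref]$timeout)

    # "Interactive logon: Machine inactivity limit" (newer Windows versions)
    # locks the session regardless of screen saver settings.
    $m = Get-ItemProperty -Path $MachineKey -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue
    $machineLimit = if ($m) { [int]$m.InactivityTimeoutSecs } else { 0 }

    $saverLocks   = ($p.ScreenSaveActive -eq '1') -and
                    ($p.ScreenSaverIsSecure -eq '1') -and
                    ($timeout -gt 0) -and ($timeout -le $MaxSeconds)
    $machineLocks = ($machineLimit -gt 0) -and ($machineLimit -le $MaxSeconds)

    [pscustomobject]@{
        Source               = $src
        ScreenSaverActive    = ($p.ScreenSaveActive -eq '1')
        PasswordProtected    = ($p.ScreenSaverIsSecure -eq '1')
        TimeoutSec           = $timeout
        ScreenSaver          = $p.'SCRNSAVE.EXE'
        MachineInactivitySec = $machineLimit
        # True only if at least one mechanism locks within the threshold.
        Enforced             = ($saverLocks -or $machineLocks)
    }
}

function Set-ScreenLockPolicy {
    # Writes the same values a GPO would. HKCU\Software\Policies is
    # admin-writable only, so run elevated; in production use the GPO
    # itself so users cannot undo it from the Control Panel.
    param([int]$TimeoutSec = 900)
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name 'ScreenSaveActive'    -Value '1'            -Type String
    Set-ItemProperty -Path $PolicyKey -Name 'ScreenSaverIsSecure' -Value '1'            -Type String
    Set-ItemProperty -Path $PolicyKey -Name 'ScreenSaveTimeOut'   -Value "$TimeoutSec"  -Type String
    Set-ItemProperty -Path $PolicyKey -Name 'SCRNSAVE.EXE'        -Value 'scrnsave.scr' -Type String
}

function Lock-Workstation {
    # What a proximity sensor would trigger on walk-away: the same call
    # behind Win+L. Unlocking still requires the user's credentials.
    Start-Process -FilePath 'rundll32.exe' -ArgumentList 'user32.dll,LockWorkStation'
}

# Usage:
#   Get-ScreenLockState            # audit; look at the Enforced column
#   Set-ScreenLockPolicy -TimeoutSec 300   # elevated; 5-minute lock
#   Lock-Workstation               # lock right now
Get-ScreenLockState | Format-List
```

The audit reads the policy key because a user can freely change the values under HKCU:\Control Panel\Desktop, whereas the Policies key is what Group Policy enforces and reapplies on refresh; a machine that reports Enforced = False under the policy key is one where the "click to stop it locking" trick is the only thing standing between an attacker and the session.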