Dealing With People Who Avoid Restrictions
Whenever restrictions are imposed on people, stopping them from carrying out certain activities, or trying to restrict their access to information, there will always be a portion of the population that goes out of their way to avoid and defeat these mechanisms in order to access what is being blocked.
Sometimes this is done out of necessity, and in these cases the restrictive blocks really are a hindrance to carrying out their work or other activities that they have a need to do so.
Other times it is being done out of ignorance of the new, accepted procedures. People are happy with their old ways and will work a little bit harder at placing themselves in a position where they can still do what they used to.
The most risky cases are where it is done out of malicious intent, done only to prove that they can defeat the system or out of fear that the newer restrictions aren't as useful as they could be and the users fear approaching the network administrators and state their case effectively.
Corporate network administrators face problems like this on a daily basis, encountering users who fall into each group who are running head first into the restrictions on approved applications, approved websites, blocked websites, and approved email usage. The wrong thing to do is to tighten the restrictions further, as it will drive some of the casual by-passers into the camp of the willful by-passers and will do nothing to dissuade the already willful by-passers. The number of casual by-passers and those who need to bypass the blocks who give up as a result are going to be outnumbered by those who now intentionally bypass restrictions.
Some workplaces choose to punish those working around the restrictions, irrespective of the actual reason for doing so, and this can lead to resentment and distrust between the frustrated users and the network gatekeepers.
There are cases in other domains that mirror what goes on with network restrictions. With the increased concern about the spread of H1N1 influenza, some countries are using body heat scanners at points of entry to scan for passengers who might be running a fever as an early indication of possible influenza infection. On the surface it sounds like a reasonable step to take and can help rapidly sort incoming individuals into categories where it might be worth taking a closer look at their condition to confirm the presence or lack of H1N1 infection.
As this is a potential barrier to entry to a country, it is a restriction that is causing people to seek a way around it. Vietnam recently reported that some incoming passengers were using fever reducers that resulted in them passing the body heat scan despite actually being infected with H1N1.
Just like a disaffected user introducing non-approved network hardware or potentially malicious storage devices or software into a corporate system, an ill person avoiding the body temperature scanner is introducing a potential health risk to the wider population (or a security risk to the wider user-base).
How do you handle such cases?
Banning use of relief medication by an affected individual isn't going to work, though this is the path that many network administrators take when dealing with users who have bypassed network restrictions. It just forces people to take steps that are more extreme than really necessary.
You can't always rely upon people to tell you the truth when questioned, especially when the truth might jeopardise the holiday that they have already commenced and have almost reached. The fear of losing out on such an investment of time and money due to something that feels like a cold won't be well received, especially when they are so close to their destination.
Sometimes, that is what has to be done, each case investigated individually and appropriate remedial action taken. Most cases investigated should amount to nothing (though with an excellent first filter this will rise), allowing resources to be dedicated to the cases which are actually significant.
Applying this approach to network security can help ease perceived restrictions for the majority of users while still managing and actioning those cases of significant breach of policy. By demonstrating a well-run and well-managed set of restrictions, it will make users more comfortable to exist within the boundaries set and will make them more comfortable about approaching administrators for the times when the restrictions need to be bypassed.
Not everyone is going to be able to have such a system, but every step towards such a system is going to be of benefit to the end users and administrators alike. Such systems, both network and body temperature scanners, need to be monitored and continually improved upon to demonstrate that they aren't just for show and are actually effective (at least partially) at what they claim to be doing.
22 June 2009
Social bookmark this page at eKstreme.
Alternatively, Bookmark or Share via AddThis
Do you like how we cover Information Security news? How about checking out our company services, delivered the same way our news is.
Let our Free OS X Screen Saver deliver the latest security alerts and commentary to your desktop when you're not at your system.
Comments will soon be available for registered users.