Security at the Employee Level

[wenwilder]

Having AV software on a network is only a small part of protecting it. One of the main problems facing any business, with a network and employee's, is stopping viruses and malware at the employee level. Unfortunately employee's still download those lovely programs with malware attached to them, and they still open attachments.

I'm curious as to how many members have a policy in place addressing this issue and how you "police" your employee's?

Is disciplinary action taken if a malware infested program or virus is discovered on an employee's computer? What have you found to be most effective?

Do employee's have access to training on the matter of security?

With virus creation and quicker releases of new versions security is more of an issue now than it once was - and growing rapidly. There are many companies who are not taking it as seriously as they should because of lack of information or mis-information. There are companies who do take it seriously, thankfully, but even they fall short in area's. Having an AV program is not the solution it's only a drop in the bucket. I rant about this all the time, I know :) I am really curious to see the responses - so I'll go sit down and be quiet. :)

[mushroom]

As harsh as it gets.
Anyone caught using a windows machine on the internet is fired.
They are for testing and internal use only, all internet activity must be done with Linux.

[wenwilder]

Considering security threats these days, I do not think that is to harsh. If more companies would incorporate that - sys admins would breath a bit easier I'm sure.

There's just not enough education or implementation going on and it's sad. The threat is getting worse and unless steps are taken....people better cross their fingers that all back-ups are done previous to infection.

[netman4ttm]

We are not as Dragonian as Mushroom.
If your PC gets infected, you get to use the emergency, Gateway PC. A 486 with 16 megs of ram and Windows for Workgroups while your PC is repaired. Its amazing how frequently, Windows update and Norton get checked.

[StuW]

I retired a few years ago but the policy was never as strict as some of your replies. I worked in a large company in Silicon Valley for about 10 years and nobody was ever penalized for using the internet.

I actually think our IT department enjoyed it when a computer got infected. That let them get new virus info. Our computer network (a few hundred or more PCs) was constantly updated with McAfee Virus protection nearly daily. I don't know of anyone in our company with a computer that was down for more than a few hours.

[Deep13]

Hi,
I have setup small neotwork of 25 machines in our office...

I have done following things to stop users from downloading virus or spyware files..

1. blocked download of exe,msi files
2. virus check of all the mails on mail server
3. allowed only certain files as mail attachments
4. I have blocked all the ports except some standard ones like 21,80,22...

infact our firewall does support scanning of web pages for virus also but i have disabled this feature for the time being...

I think if you are on Windows server then I would suggest using Kerio Winroute Firewall and applying rules..and for mails MDaemon is very good

you can even setup Active Directory and block access to running unknown files on user machines using Group Policies...

for linux machine Squid or Safe Squid (very impressive) and for mail server qmail or sendmail....

Regards
Deep

[mikmik]

Haha, Deep13, you beat me to it.

GPE is basically pretty simple to set almost anything on a Windows network, or single workstation or user basis:

http://www.theeldergeek.com/gp05.htm

http://support.microsoft.com/kb/307882/EN-US/

[mushroom]

Quote:

Originally Posted by StuW

I retired a few years ago but the policy was never as strict as some of your replies. I worked in a large company in Silicon Valley for about 10 years and nobody was ever penalized for using the internet.

A few years ago the risk was not that great, and Linux had not become a easy to use as it is now.

[netman4ttm]

Qmail is great.
Plus spamassassin and real time blocking Spamhaus for examble.

[blackhawk]

Employee education is the key to security. The computer is a tool an employee uses in the process of their job.

If they cannot use and maintain it properly the are not qualified for the job.

Would you hire a driver if the didn't have a drivers license?

Excessive restrictions like limiting downloads and access only emphasizes the employees incompetance.

For all of the money spent on antivirus software and appliances, I think a properly developed and implemented training program can be far more beneficial than the typical bandaids and wheel spinning.

"Social engineering" is so successful from the outside because companies fail with positive "social engineering" internally.