We all do it. We are so caught up in what we do, and what we are, that we give what seems to be good advice, but really is impractical advice. The world of Information Security is all about a balance that reduces risk while still allowing productivity, and we service, that is right, SERVICE, not only the company, but the end users.
The latest round of Cisco WebEx vulnerabilities produced a lot of the same advice. Patch now, make sure you are patched, please patch etc… you know the usual advice. Then I come across this on my feed:
Running WebEx in a VM seems like sound advice, almost a no-brainer. Almost is the key word. Let’s look at this from a more realistic perspective.
First, how many normal, everyday end users do you know who can spin up a VM? Not many, which immediately makes this advice impractical for the everyday person. Then add on licensing of the OS, driver compatibility for sound and video, memory amount and processor specs. All of that can create issues too. So the theoretically secure answer of “Use a VM” becomes rather impractical overall.
Now, what implementing this solution might do is create a backlash from the sales force, the C-level executives and possibly more. Add on that there is still nothing preventing them from skipping the VM and instead just using their desktop. What have we done? Basically given our department a black eye. Shown that we are not thinking of the needs of the people we service, let alone the company at large.
We do this all the time. I see solutions posted for different things that just do not seem practical from a different perspective. Even patching can be detrimental, especially with legacy software, which is why patch testing is important. The thing we need to do is work across the business units, talk with them, and find people willing to try what might be an impractical solution if we really want to push for it. We need to get into the heads of the normal user and think like them. I use the (grand)parent test mentally. Is this something I can see my parents or grandparents, who are non-IT people, using? If not, then throw it in the impractical pile and find a different solution.
In the perfect world, our solutions should have little to no visibility to the end user when working properly. Reality is that this might not be possible, but we can still strive for it. We need to learn that the end user is not a burden, they are the reason we have jobs in this field in the first place.