I saw this this morning and found it very interesting: http://www.schneier.com/blog/archives/2006/02/proof_that_empl.html
The main article is interesting but what’s really interesting are the comments. I didn’t read through all of them, but enough to get a general idea. My $0.02 is people are really missing the point. Security is not about blocking people from launching CDs from certain machines. Because tomorrow it could be USB ports. And it’s not about blocking USB ports because the next day it could be something totally different. Security is not about blocking physical access (although it helps). In my mind there are two facets of security physical and electronic. Physical means gaining physical access to the machines. This is exploited, mostly, be using social engineering tactics – think of the scene in Mission Impossible where Tom Cruise used a fake fire alarm to gain physical access to the building. Think of “tailgaters” – those who enter a secure building right behind someone else. How often do you ask to see their badge? This type of security is mainly about psychology and education.
Electronic security is much harder. I believe this is mainly because we just don’t have clean industry standards for creating secure software. Many software vendors take shortcuts that effectively thumb their nose at security. It means to install the legitimate software you have to circumvent some level of system security. It may mean that you have to be an Admin on the machine to install the software – should that just a policy and shouldn’t that policy be separate from other Admin tasks? The answer is yes, it should be. The reality is we’re not there yet. And even when we are, there will be legacy software that doesn’t use the correct APIs to install and will require additional policies to be installed. There is where the average home user becomes frustrated because they want to play some game and it won’t install. Therefore, they open their system up and become vulnerable. This really isn’t an education problem. It’s a software problem. Vista will take some great steps in the right direction, but there will be pain. But consumers need to put heat on other software vendors to write secure software. While at the same time, MS needs to provide easy to use and affordable tools for creating secure software. This is happening and will continue to get better.
My point here is that security is incredibly complex. I believe that anyone who really wants access to something can and will gain access. There are just too many weak links in the chain. All you have to do is find one (a disgruntled worker) and you’re in.