September 13, 2007

Security Policy Without Enforcement Doesn't Work

One of my first "real" jobs in security back in the '90s was working as an IT security engineer for a government contractor and internet backbone provider. One of our tasks was finding people who bridged the internal network with the internet. We found one guy who had been running his own ecommerce business on our external network. He showed up on our scans because he had 2 network interfaces on his machine, one connected to the external network and one connected to our internal network. He didn't seem to understand that if there was a network vulnerability on his machine, he was compromising our internal network by bridging the firewall. He had signed a form when he requested an external network connection stating that he knew the risks and that he would not bridge the internal network. The penalty for such an egregious policy violation was termination. But HR refused to terminate him.

We disconnected the network and shook our heads, saying "policy without enforcement means he or someone else will just break the policy knowing there is no recourse." About 6 months later we detected him bridging the network again. Again HR refused to enforce the security policy with termination. I left the company, but I would place a bet that there is a nice bridge in their internal network right now.

We also found a contractor with a home ISDN line connected to our internal network on a machine with a DSL line connected to the internet. That contractor was quickly removed from the contract because the contracting company didn't want to lose their contract. This fact was well publicized through the company grapevine so people could see there were consequences, well, at least for contractors.

The sign at the top of this page has the text "Please" and no consequences for violations. Guess what? The sign is ignored.

Chris Wysopal, co-founder and CTO of Veracode, is recognized as an expert and a well-known speaker in the information security field. He has given keynotes at computer security events and has testified on Capitol Hill on the subjects of government computer security and how vulnerabilities are discovered in software. His opinions on Internet security are highly sought after and most major print and media outlets have featured stories on Mr. Wysopal and his work. At Veracode, Mr. Wysopal is responsible for the security analysis capabilities of Veracode technology.
