If you insist....
No, definetely this is not what I'm saying.
Is what you think or read I'm saying.
In case you've missed it, I've said: "Endpoint control and endpoint security is just a part of the equation".
It's quite the opposite, as I'm saying that every little detail counts in the defense in depth strategy, as I've said in other threads too.
This is becoming so boring, but it is in the same time so amusing...
By the way, those "questions" were just jokes, which did not require any answers.
Dude, why don't you give a google search, say for "skype portable" or "yahoo messenger portable" or so.
Also read why do people "need" such applications, it's all out there, the "users" will tell you why.
Yes, because they run at work under a user with restricted permissions so they can't install "whatever they want" or they've been given a corporate laptop along with a user account with limited permissions.
You can't search for an application which you do not know its name, as they can simply rename it, or for an application at the time of the search does not exist on that machine.
So your "creative" defense mechanism might not work, whether you want to admit it or not.
Following your logic, for example there would be no car accidents.
In my country, for people to earn their driving licenses, they must pass a psychological exam, a medical exam, an intermediate theoretical exam, a final theoretical and practical exam.
They are told and they are aware of the fact, that if they broke the laws they can loose their licenses, pay fines or even go to jail.
Still, they broke the law, pay for that and do it again. They are adults, ordinary, normal people in the day by day life, not criminals or so.
They are watched by police, speed cameras or by cameras which make them a photo when they drive on read lights.
They know of the existence of these cameras and still broke the law.
Even worse, they know and saw it happening, that if they broke the law, people might die, innocent people and they can loose their own lives too.
And still, they keep on doing it, and people are killed.
What would be the logic of saying that management will educate people to conform to the company's security policy, therefore people will do so 'cause otherwise they will get sanctioned.
What would be the logic of saying that people would not install a tiny thing like Yahoo Messenger or Skype on their work computers because they are educated and they are afraid of sanctions, when some people put their lives and others lives as a bet.
What would be the logic of saying that you should not have hired such people in the first place, as bad drivers should have not obtain the driving license, it's only the management's faults, bad decisions were taken.
Bad might look as good, good may go bad, it's just human nature, it's happening for thousands of years, and it will happen in the future too.
Management (driving instructors, medical personel, the ones who make laws and so on) and police must do their job together, and not separated.
This is what I'm saying, management and the security department both should do their jobs, together, and not to function independent of each other.
For example, the use of IM applications on the corporate network might be considered a threat because:
- the users of such application were targeted by certain viruses.
- the users can chat with their buddies who are at home, on a computer already p0wned.
- the users can exchange files through such applications, so they can download on the corporate machine infected files or malicious software.
- if there is a new virus targeting these applications or hidden within the exchanged files, there is likely that the antivirus will not catch this virus, until a signature is released for it.
- users can talk with "anybody", a new "cool" person they met on usenets
- affect work productivity
- disrupt and consume network bandwitdth
In this case, the management should take care of users' education and give to the security department the resources(like money) to solve this issue at a technical level.
At the end of the day, you will have good users, like good drivers, and bad people, like bad drivers. Life's so.
Some will respect the company's policies, some will not. Education will never totally fix or totally control that.
Here is where the security department comes, and has to prevent, log when, from where and from who the company's policy was broken and inform the management, so that management can apply sanctions.
A simple thing that can be achieved with simple solutions. Just tell the IPS to block Skype for example.
We would always want police to prevent the accidents happening, rather than investigated it, same is true about the security department.
As there are bad users, there are bad managers and bad security departments too.
Also at the end of the day, we will not have technical means for everything.
That's what I'm saying, every network is different, it's a live entity, which must be studied and understood, before anything can be "applied".
If certain solutions will work on a network, for a certain company, this does not automatically mean that they will work everywhere, at least not as expected.
The security department does not tell/teach the management how to do their job, and the management does not tell/teach the security department how to do their job.
If this happens, then you have a bigger problem than hapless users.
The two work together closely, complement each other, develop company's security policies...., at least in theory(as does police with the driving instructors, with the ones who makes laws and so on).
In practice, this is where most of the time consultants come and get big bucks, taking on the management, on the company's security policies, on the security department, on the users and on the current security level. Find what's not working, if it's working as expected, and give solutions.
However, there are good and bad consultants too.
All of the above IMHO.