SANS Top-20 Internet Security Attack Targets: Excessive User Rights and Unauthorized Devices Attacks  
Author: Max | 2006/11/26
Excessive User Rights and Unauthorized Devices Attacks 
H1.1 Introduction
Some attacks cannot be effectively prevented by technical controls alone. Unwary users can be enticed to do unsafe things. Clever users can find unsafe ways to get things done, unintentionally exposing the company to attack. To protect against attacks exploiting these weaknesses, administrative controls supplement technical and physical controls.

In time, technical controls may be able to enforce policies that proscribe user behavior. In the meantime, to make these administrative controls effective, organizations need to "trust but verify": identify policy violations so that corrective action can be taken. Enforcement (i.e. a process to bring systems back into compliance with policy whenever violations are detected) is also essential.

H.1a Unauthorized and/or infected devices on network

The best efforts to secure an information system are futile if unauthorized devices are allowed to connect to the network. A rogue wireless access point can be an open door to a hacker. A personal laptop brought into the office can introduce whatever malware it has collected into the corporate network. An unprotected company laptop that has been connected to an unsafe public network will eventually bring back all the malware it has collected, to be shared with the entire company. A router or PC secretly connected to an open Ethernet port by a visitor can give that visitor a private, open back door into the company network. A USB flash drive carrying a virus can infect a machine simply by being plugged in.

At the same time, network administrators must take care with users who return to corporate or private networks. Policies can tell users what is authorized, but testing and network access control can ensure that the policies are actually being followed.

Continuous data flow monitoring can immediately identify unauthorized devices. In addition, network access control systems can scan company laptops for viruses, trojans, spyware, and adware to reveal hidden vulnerabilities brought into the network from the outside. They can then segregate vulnerable systems, correct the problem, and only then grant them appropriate access rights.
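As an added example of the "identify unauthorized devices" step (this code is not part of the SANS document), the script below parses DHCP server log lines in the style of ISC dhcpd and compares every leased MAC address against an authorized-asset inventory. Both the inventory and the log lines are constructed for the example; a real deployment would read the inventory from the CMDB or NAC database and the lines from the DHCP server's syslog. Devices missing from the inventory are reported as unauthorized; inventoried devices whose DHCP hostname does not match their asset tag are reported as suspicious, a heuristic that catches re-imaged or MAC-spoofed hosts for a closer look.

```python
# Added example (not part of the SANS document): flag devices seen in DHCP
# log lines that are missing from the authorized-asset inventory.
import re
from collections import OrderedDict

# Constructed inventory: MAC address -> asset tag. A real deployment would
# load this from the CMDB / NAC database.
AUTHORIZED_DEVICES = {
    "00:1a:2b:3c:4d:5e": "LAPTOP-0042",
    "00:1a:2b:3c:4d:5f": "PRINTER-07",
    "00:1a:2b:3c:4d:60": "LAPTOP-0043",
}

# Constructed log lines in the style of ISC dhcpd (not a captured log).
SAMPLE_LOG = """\
Nov 26 09:01:12 dhcp1 dhcpd: DHCPACK on 10.10.1.20 to 00:1a:2b:3c:4d:5e (LAPTOP-0042) via eth1
Nov 26 09:01:40 dhcp1 dhcpd: DHCPACK on 10.10.1.21 to 00:1a:2b:3c:4d:5f (PRINTER-07) via eth1
Nov 26 09:02:03 dhcp1 dhcpd: DHCPACK on 10.10.1.77 to a4:5e:60:11:22:33 (wrt54g) via eth1
Nov 26 09:02:05 dhcp1 dhcpd: DHCPACK on 10.10.1.78 to 00:1a:2b:3c:4d:60 (johns-macbook) via eth1
Nov 26 09:05:11 dhcp1 dhcpd: DHCPACK on 10.10.1.77 to a4:5e:60:11:22:33 (wrt54g) via eth1
Nov 26 09:06:00 dhcp1 dhcpd: DHCPREQUEST for 10.10.1.20 from 00:1a:2b:3c:4d:5e via eth1
"""

# Only DHCPACK lines carry a confirmed lease; the hostname in parentheses is
# optional because not every client sends one.
LEASE_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)"
)


def parse_acks(log_text):
    """Yield one dict (ip, mac, host, iface) per DHCPACK line; other DHCP messages are ignored."""
    for line in log_text.splitlines():
        m = LEASE_RE.search(line)
        if m:
            lease = m.groupdict()
            lease["mac"] = lease["mac"].lower()
            yield lease


def audit_devices(log_text, inventory):
    """Return (unauthorized, suspicious).

    unauthorized: leases whose MAC is not in the inventory (one entry per MAC,
                  first lease seen wins, so repeated renewals are not re-reported).
    suspicious:   inventoried MACs whose DHCP hostname differs from the asset
                  tag; a heuristic hint of a re-imaged or MAC-spoofing host.
    """
    unauthorized = OrderedDict()
    suspicious = OrderedDict()
    for lease in parse_acks(log_text):
        mac = lease["mac"]
        tag = inventory.get(mac)
        if tag is None:
            unauthorized.setdefault(mac, lease)
        elif lease["host"] and lease["host"].lower() != tag.lower():
            suspicious.setdefault(mac, {**lease, "expected": tag})
    return list(unauthorized.values()), list(suspicious.values())


if __name__ == "__main__":
    unauth, susp = audit_devices(SAMPLE_LOG, AUTHORIZED_DEVICES)
    for d in unauth:
        print(f"UNAUTHORIZED {d['mac']} {d['ip']} host={d['host']} via {d['iface']}")
    for d in susp:
        print(f"SUSPICIOUS   {d['mac']} {d['ip']} host={d['host']} expected={d['expected']}")
```

Run against the constructed log, the script reports the unknown device at 10.10.1.77 (hostname "wrt54g") as unauthorized and LAPTOP-0043 as suspicious because it announced itself as "johns-macbook". Feeding the unauthorized list into a switch-port or NAC quarantine action is the "segregate, correct, then grant access" flow the text describes.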

H.1b Excessive User Rights and Unauthorized software

Unmanaged software introduces multiple risks for the corporation. That software may contain security vulnerabilities, and users may not be sufficiently diligent about applying patches. Sometimes users may install software which, unknown to them, contains malware that could compromise the entire network. Sometimes users may also install software providing functionality (e.g. P2P) that invites new vulnerabilities into the network. Those responsible for securing networks should consider implementing policies, and the associated detective and corrective controls, to mitigate this class of vulnerabilities.

You are vulnerable if your users can install their own software, and you have not taken steps to control that process.

The key control that protects against this set of problems is a fully enforced policy of limiting user rights. If users can install software without authorization, then malware that gets onto those systems can also install software. Additionally, lists of authorized software (whitelists) help limit problems, as long as all systems are checked for unauthorized software when they connect to the corporate network.
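The following is an added example (not code from the SANS document) of the whitelist check described above, applied at the moment a host connects. It keys the allowlist on the SHA-256 of each executable rather than its file name, so a renamed or trojaned copy of an approved program does not pass, and it treats a user holding local administrator rights as a finding in its own right, since that is the excessive-rights condition the text identifies. The "binaries", host inventories and the full/remediation access decision are all constructed for the example; a real NAC agent would hash the files on disk and report them to the policy server.

```python
# Added example (not part of the SANS document): compare a host's installed
# software against a hash-based whitelist and decide its network access.
import hashlib
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for approved executables; in practice the allowlist
# would be built from the hashes of the real, vetted binaries.
APPROVED_BINARIES = {
    "office.exe": b"approved office suite build 12.0",
    "vpnclient.exe": b"approved vpn client build 4.1",
}
# Keyed by content hash, not file name, so renaming an unapproved binary
# to an approved name does not get it past the check.
ALLOWLIST = {sha256_hex(data): name for name, data in APPROVED_BINARIES.items()}


@dataclass
class InstalledProgram:
    path: str
    content: bytes


@dataclass
class HostInventory:
    hostname: str
    user_is_local_admin: bool
    programs: list


@dataclass
class Finding:
    hostname: str
    path: str
    reason: str


def check_host(host, allowlist):
    """Return the list of policy findings for one host (empty means compliant)."""
    findings = []
    for prog in host.programs:
        if sha256_hex(prog.content) not in allowlist:
            findings.append(Finding(host.hostname, prog.path, "hash not in allowlist"))
    if host.user_is_local_admin:
        # Excessive rights: anything the user can install, malware on the box can too.
        findings.append(Finding(host.hostname, "", "user holds local admin rights"))
    return findings


def access_decision(host, allowlist):
    """'full' access for a compliant host, otherwise the 'remediation' network,
    following the segregate-correct-then-admit flow described in the text."""
    findings = check_host(host, allowlist)
    return ("full" if not findings else "remediation"), findings


# Constructed inventories, as a NAC agent might report them at connect time.
SAMPLE_HOSTS = [
    HostInventory("LAPTOP-0042", False, [
        InstalledProgram(r"C:\Program Files\Office\office.exe", APPROVED_BINARIES["office.exe"]),
        InstalledProgram(r"C:\Program Files\VPN\vpnclient.exe", APPROVED_BINARIES["vpnclient.exe"]),
    ]),
    HostInventory("LAPTOP-0043", True, [
        InstalledProgram(r"C:\Program Files\Office\office.exe", APPROVED_BINARIES["office.exe"]),
        # Same file name as the approved VPN client but different bytes: fails the hash check.
        InstalledProgram(r"C:\Users\john\Downloads\vpnclient.exe", b"not the approved build"),
        InstalledProgram(r"C:\Users\john\AppData\p2pshare.exe", b"unmanaged p2p client"),
    ]),
]


def audit_all(hosts, allowlist):
    """Map hostname -> (decision, findings) for every reporting host."""
    return {h.hostname: access_decision(h, allowlist) for h in hosts}


if __name__ == "__main__":
    for hostname, (decision, findings) in audit_all(SAMPLE_HOSTS, ALLOWLIST).items():
        print(f"{hostname}: {decision}")
        for f in findings:
            print(f"  - {f.reason} {f.path}")
```

On the constructed data LAPTOP-0042 gets full access, while LAPTOP-0043 is sent to remediation for two unapproved executables (one of them a look-alike of the approved VPN client) and for the user's local administrator rights.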

H1.2 References

www.isaca.org
www.techweb.com
technet.microsoft.com
http://www.sans.org/resources/policies/Password_Policy.pdf
http://www.sans.org/resources/policies/Acceptable_Use_Policy.pdf
http://www.cerias.purdue.edu/weblogs/spaf/general/post-30/
http://www.csoonline.com/caveat/062306.html
