Slashdot Mirror


Employees Are The Biggest Security Threat

blankmange writes "BBC News is reporting that the employees of a company pose the biggest threat to security. "Digital cameras, MP3 players and handheld computers could be the tools that disgruntled UK employees use to sabotage computer systems or steal vital data, warn security experts. The removable memory cards inside the devices could be used to bring in software that looks for vulnerabilities on a company's internal network. The innocent-looking devices could also be used to smuggle out confidential or sensitive information." Unfortunately, this is not news, but it is amazing how slowly the general public, corporations included, comes around on issues like these."

10 of 328 comments

  1. Well what do you want? by Nelson · · Score: 3, Informative
    Back in the day, there wasn't an internet connected to every desktop. You simply weren't allowed to bring recording devices or media to and from work. I remember when it was a dismissable offense at IBM to bring a disk into the building or take one out without the proper paperwork and permission. So when your employer decides that you really don't need access to any sites that get blocked by their surfguard, it's terrible, YRO are being compromised. What's the response going to be when they decide that you can't take any media in or out, and that includes your music and digital camera?


    If you're really worried about corporate security, that kind of stuff is a real risk. It's not even the employees who are doing it, it's just the fact that there is a channel that data is flowing on in and out of the company that isn't protected and not subject to it. Once that exists, it's just a matter of someone hijacking it to use it for their own plans.

  2. I'm glad this isn't news, true nonetheless by CDWert · · Score: 5, Informative

    I have, and have for the last 7 years, been in a position of trust. I have earned that trust. I have never "screwed" any of my former employers, even though I am generally so rooted into their systems that removing any and all access can be nearly impossible. BUT I wouldn't ever screw anyone over, and they know it. I am the biggest potential hazard to any company I work for. I once had a company take out a 250,000 insurance policy on me for the company; it was matched by a personal policy of the same amount. They figured that was about what they would lose in 1-3 months following an early demise on my part.

    My (ex-wife's) uncle was a VP of a F-250 in HR. He had been out of work almost a year when he got the job and was only there 2 years. He quit; we all thought him quite mad. He was going to start a company specifically for consulting on HR risk management, with an IT slant: all the major companies putting these 200 million dollar implementations of ERPs in place made for a lot of problems if a $6 an hour lackey ordered 10000 of something by accident and didn't catch it, and the real-time nature of the transactions throughout the company from purchasing to production to HR makes for a lot of fear on the corporate side. Fear SELLS, simply put. He is now about 40 and worth well over 5 million; 7 years ago he couldn't pay his mortgage. All money made on the fears, and (solutions) to fear, based on employee liability.

    The company is made by employees; it can be broken by the employees. Very simple........

    --
    Sig went tro...aahemmm.....fishing........
  3. contradictory practices by sugrshack · · Score: 3, Informative
    well... you could blame the users, who've been stuck into a work environment with machines that they barely understand, or you could blame the security departments for incompetence and inconsistent policies.

    for instance, where i work, they've decided to block any web-based email (through a fairly thick piece of software, which just blocks any site with sendmail includes). This makes some sense, because you really can't trust people, no matter how many times you tell them, not to open attachments... they can't filter through each of these sites which bypass the main email systems..

    however... here's the absurd part... they still seem to allow rampant use of peer-to-peer connections. People use AIM all the time... as if this were secure! And security argues that it serves a "business need." ahem.

    --
    I can't believe it's not lard!
  4. Some Asian companies understand this already! by Ewann · · Score: 4, Informative

    I visited a large Asian electronics manufacturer last year. When entering the facility, they inspected every piece of electronics I entered with. Cameras (both film and digital) had to be left at the desk. Laptops had their memory slots and peripheral slots covered with company-issued security tape to be sure I didn't add or remove anything. CDs, tapes, and other recording media were not permitted in the building. When leaving, my bags were X-rayed to be sure I wasn't taking anything forbidden out.

  5. Management by WickedLogic · · Score: 2, Informative

    I usually find management and owners are the biggest threat to security, not employees. At least not the tech ones.

  6. Re:Some miss the obvious by mdouglas · · Score: 3, Informative

    >Another brilliant common hole (at least in financial companies): block ports 21 and most others through the firewall so employees won't ftp files to or from their workstations over the intranet. Of course no employee is smart enough to configure their ftp client to use port 80.

    hehehehee...reminds me of something i did at my last job. i used to work at a very large financial company, the only access to the internet was http via a proxy server. i couldn't get access to my external email accounts. so i built an http tunnel to encapsulate ssh back to my box at home.
    http://www.nocrew.org/software/httptunnel.html
    from there i could do anything i wanted. moral of the story : never f with a network engineer.
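
The tunnel described in the comment above is what a proxy log analyst has to spot from the defender's side. The following is an added example, not code from the thread or from httptunnel: it scores constructed proxy log records on the session shape that separates an interactive tunnel from browsing (long-lived, upload-heavy, roughly symmetric byte counts). The log format and all thresholds are assumptions made for this example.

```python
# Added example (not from the thread): heuristic detection of tunnelled traffic
# in proxy logs. Log format and thresholds are assumptions made for this example.
from collections import defaultdict

# Constructed sample proxy log: user, destination host, method, session seconds,
# bytes sent by the client, bytes returned to the client.
SAMPLE_LOG = """\
alice www.example.com GET 1 412 18234
alice www.example.com GET 2 380 90211
bob   home.example.net CONNECT 3600 1502334 1398877
bob   home.example.net CONNECT 3550 1404400 1311200
carol cdn.example.org GET 1 300 2045000
dave  files.example.com GET 900 500 800000000
"""

def parse_log(text):
    """Yield (user, host, method, seconds, bytes_out, bytes_in) per record."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed lines instead of aborting the whole run
        user, host, method, secs, out, inn = parts
        yield user, host, method, int(secs), int(out), int(inn)

def aggregate(records):
    """Sum duration and byte counts per (user, host) pair."""
    stats = defaultdict(lambda: {"secs": 0, "out": 0, "in": 0, "n": 0})
    for user, host, _method, secs, out, inn in records:
        s = stats[(user, host)]
        s["secs"] += secs
        s["out"] += out
        s["in"] += inn
        s["n"] += 1
    return stats

def find_tunnel_candidates(text, min_secs=600, min_out=100_000, min_ratio=0.2):
    """Browsing is short-lived and download-heavy; a long-lived session that
    uploads a lot and is roughly symmetric looks like an interactive tunnel.
    The thresholds are assumed starting points, not calibrated values."""
    flagged = []
    for (user, host), s in aggregate(parse_log(text)).items():
        ratio = s["out"] / max(s["in"], 1)
        if s["secs"] >= min_secs and s["out"] >= min_out and ratio >= min_ratio:
            flagged.append((user, host))
    return sorted(flagged)

if __name__ == "__main__":
    for user, host in find_tunnel_candidates(SAMPLE_LOG):
        print(f"review: {user} -> {host} (long-lived, upload-heavy proxy session)")
```

The large download by "dave" is long-lived but one-directional, so it is not flagged; the symmetric CONNECT sessions by "bob" are.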

  7. Actual report by dughat · · Score: 2, Informative

    Here is a link to the original report on which the article is based. I'd like to point out that the report actually states that the percentage of "worst incidents" caused by insider attacks has gone down, starting on page 11 of the document.

  8. Re:What about employers by Anonymous Coward · · Score: 1, Informative


    ARRRRRRRGGGGGGGGGHHHHHHHHHHHHHHH!!!!

    It's clique people. Not clic, not clik, not click. It's fucking clique .

  9. Re:Already wary of this... by Chris+Mattern · · Score: 3, Informative

    Depends on whether or not he knew he would be searched when he bought the tickets. If he didn't know and the ticket sale never mentioned it, he has an awfully good chance of getting his money back, nonrefundable or not, if he threatens to bring the lawyers out.

    Chris Mattern

  10. Re:Comes around on issues like these? by analog_line · · Score: 3, Informative

    Oh, definitely.

    I can't count the number of companies I've done work for that had glaring flaws in their physical security practices. Like one door with Pentagon level security, and a back door with absolutely none. I've walked through doors on military bases I shouldn't have been able to get NEAR, and that was without even trying.

    The sad fact is that a lot of organizations haven't dealt with that revelation in any kind of rational, or even internally consistent manner. They generally react with panic, and implement a whole lot of rashly designed security plans that sound complete, but are actually so riddled with holes they might as well have done nothing.