Employees Are The Biggest Security Threat
blankmange writes "BBC News is reporting that the employees of a company pose the biggest threat to security. "Digital cameras, MP3 players and handheld computers could be the tools that disgruntled UK employees use to sabotage computer systems or steal vital data, warn security experts. The removable memory cards inside the devices could be used to bring in software that looks for vulnerabilities on a company's internal network. The innocent-looking devices could also be used to smuggle out confidential or sensitive information." Unfortunately, this is not news, but it is amazing how slowly the general public, corporations included, comes around on issues like these. "
You could just bring a floppy/CD with you. If the company's security is already so tight that they forbid those, the fact that you can use stuff like digital cameras, MP3 players or USB keyrings to bring in data shouldn't come as a surprise.
Resistance is not futile - www.gnu.org
Yes, sounds stupid, but I would find it to be a better idea than to implement some kind of 1984/Fahrenheit 451 security "utopia". It should also help the company's success in the future. Happy people work better and don't try to screw you over (in the bad sense, that is).
Ultimately it is employers who set the tone for a company. Employees' actions are (in part) a reflection of how they are treated by employers.
Unfortunately, this is not news, but it is amazing how slowly the general public, corporations included, comes around on issues like these.
Employees could bring in matches and burn the building down too. You need to have employees you can trust. Sometimes you will get it wrong and one of them will betray you.
People who have access to your premises or systems could misuse that access.
Nothing new here, so what issues are people slowly coming around on?
I just thought of something, if a person wanted to KILL a whole bunch of people...they probably could. DUH!!
This is some serious social breakdown we're seeing here. I remember the days when you would get hired by a company, and then not only would your employer actually give a fuck about you...they would assume that you were on their side by default. Maybe this should tell us something about the mindset of modern management. They hate us...they naturally assume that we hate them. Gattaca here we come.
It's much easier to bring in a floppy or LS-120 disk; we even have several CD burners around here... no one can install any new hardware on any of the PCs...
--fetch daddy's blue fright wig, i must be handsome when i release my rage
Every PC in this office has a CD-RW in it. If I wanted to grab the source code for a particular product and take it home there would be no problem doing so.
They used to have a network drive that had several applications on it so the sysadmins could just mount the drive and install from there. If somebody wanted to copy those apps to a CD and take them home, that would have been easy too.
If people consider PDAs, MP3 players, and digital cameras a security threat as a channel for bringing data in and/or out of a company, just wait for the next generation of cell phones/PDAs. When you have a 3G/GPRS/GPS/Bluetooth/802.11/IrDA/Ethernet/USB/FireWire/etc. capable personal phone, would employers let you bring it into work? Even if you had no hostile intentions yourself, your phone might be compromised by a trojan or virus that might attempt to spread from your phone into the corporate network over whatever communications medium is available.
With the wireless connectivity becoming so common, network security is losing its "air gap".
It might be noted that the IP Rights protection software might end up being a problem for Open Source software acceptance in the market and work place. Not necessarily due to (most) corporations really concerning themselves about people copying music, but with employees copying confidential files to unsecured devices.
An operating system/networking system that provided built-in guards for transferring confidential/private data from secured/official devices to unsecured/private devices might have a lot more appeal to a corporation than one that has no protections against random file copying.
(Given that we are reaching the point where we have more memory and CPU power in computers than we know what to do with, I would be highly interested in seeing more OS development that allows for (security) metadata to be associated with areas of memory as far as the permissions/state of that memory goes. It would be really nice to see a system where, say, image data loaded from a website might be marked in the OS as "image (jpeg) from foo.bar.com -- unauthenticated, non-executable", so that if something else tried to trigger the CPU to jump to that area of memory and execute it, the OS would reject the attempt. This is going to be more important with Bluetooth/ad-hoc connectivity, 'media' which are almost programs in themselves (Flash, Java, JavaScript, etc.) -- simply turning off all support for 'dangerous' media may not be practical if their use becomes widespread. This sort of internal OS metadata system would have a high overhead, of course. And yes, the side effect is that it makes IPR-type enforcement much more possible, but the security issues may start pushing systems development in that direction. Free software folks should think about this one -- it would be highly ironic if by implementing IPR management software in Windows, Microsoft then stepped up and managed to make an OS with a superior internal security model based on extending the IPR system to manage internal data/executable security. Better start looking for quad Athlon servers...)
For a guy worth $500,000, your grasp of English isn't worth shit.
_sig_ is away
Sadly, the NTFS file system has a richer system of file and directory permissions than anything Linux has to offer. Which is of course made moot by exploits that give the Microsoft user system-level privileges, but the simplistic owner/group/world permission structure common to *nix systems is not a key selling point. The best permission structure I've personally dealt with was Novell's NDS, but they mistreated their sales channel so badly over the years they'd have trouble selling water to a guy who was on fire. Too bad, their cascading inheritance model was just amazing.
All of this is beside the point anyway, as the article deals with folks misusing resources they already have access to, not problems with people getting at files they are not normally allowed to see. A Linux user is just as capable as a windows user of burning files he has rights to onto a CD.
You're just jealous 'cuz the voices talk to *me*
And your guests stand for this?
Folks, three times in recent months I've walked out on places, or canceled tickets to an event that said they wanted to search me. Yes, it's their right to ask, and it's my right to say "No". Then it's up to them to decide which they want more: me, or their rule.
To quote a Sci-Fi story being written by a guy on the net:
-- 73 de KG2V For the Children - RKBA! "You are what you do when it counts" - the Masso
The way an employee acts, in many cases, is a direct reflection of how you're treated by your employer.
In my last (regrettable) job, everyone was treated as an enemy (unless you were related to the boss, but let's not go there). The way people were scrutinized and monitored was ridiculous. Even those of us who'd been there for a while, and had proven ourselves 'loyal', were given this scrutiny. It ended up creating an environment where resentment and suspicion made one feel they were under siege. That atmosphere fostered more employee dishonesty than anywhere I've worked before or since. I still remember the
Of course, the places I worked before and after treated people with a 'we'll trust you until you do something to destroy that trust' mentality, which I'm finding is rarer and rarer these days. But you know what? The crew at the place I'm at now is completely loyal, the turnover is practically nil, and the job satisfaction surveys are at about 90%. Compare that to my last job...
In summary, do unto others yadda yadda... if you treat your employees like criminals from day one, they won't disappoint you.
Moral indignation is jealousy with a halo - H. G. Wells
Amen brother!
How many times have I had to respond to "urgent network problems" only to find out the problem was someone installed some shit like "NetAccelrator" on a LAN-connected computer (they say they saw an error message telling them their connection wasn't optimized...) or CyberPatrol so their kids can play after hours. Never mind the problems with clients DoSing us with their Outlook/IIS/Sircam worms, the biggest DoS is people installing Gnutella and other sharing programs and giving downloaders full bandwidth, thinking it will make their downloads faster.
Even software that doesn't usually mess up a computer's network stack or even use the network can wreak havoc. Enter the user who thinks he knows everything he needs to know, but really only knows how to break everything he touches. Send him to a training course? Only if you want to teach him how to break more stuff, even with the best ACLs!
The theoretical permissions are one thing, the actual ones used in practice are another. As Microsoft Office requires the %WINNT% directory to be world writable, that means in practice, the majority of NT setups are insecure.
Just how exactly does it improve the security of your systems to punish employees for exposing flaws? This guarantees that the only people scanning for vulnerabilities are outsiders and insiders with evil intent. Give scanning tools to employees and offer to pay them a bonus for reporting problems!
There is so much wrongheaded thinking out there, it is no wonder to me that security problems remain so numerous.
A lot of people seem to be posting comments that amount to "well, duh!" in response to this, but I think there are some interesting tidbits. Specifically the observation that "48% of large companies blame their worst security incident on employees" but "75% of those questioned named external hackers and criminals as the biggest threat to security." The BBC article doesn't seem to want to extrapolate on the reason for this, but I'm willing...
Companies like labelling the nefarious and elusive "black hat" as the primary risk because it makes it incredibly easy for them to say "There's nothing we can do!" or, perhaps in more cases, "We're doing everything we can!" This is roughly equivalent to a heroin addict telling someone that they've done everything in their power to avoid being gunned down in cold blood by their dealer. Never mind the fact that more junkies die from overdoses than from being gunned down by their dealer. Admitting the greater risk would entail acknowledging that employees aren't happy and might want to cause the company harm. This in turn indicates some flaw in the way the company conducts business, and opens them up for criticism. It's not surprising in the least that companies fear black hats more than they fear their own, because to fear their own would be to admit fault.
I'm just curious, of the 48% that report insiders as the cause of their greatest breaches, what percentage of those could be chalked up to insane or psychotic renegade employees as opposed to employees that may have had a semi-legitimate complaint and were driven to malice by a company's own policies and practices.
And all this USB key chain/MP3 player crap, I mean come on. If an insider wants to move data out of a company, it's easy. In this arena these new devices are about as original as the floppy disk. Virtually anyone could e-mail attachments of reasonable size off site. I've never worked for a company with a proxy that blocked HTTP uploads (although I'm sure they exist), and what about the Xerox machine? Should we get rid of that too?
This too shall pass.
I originally thought the same thing - the employers are making the crappy workplace. That may or may not be the case. Over the last 8 years, I have seen so many slackers, dead-wood employees that have been kept on for no good reason. I started to wonder why. Then I heard about the pending lawsuits from former employees. Nowadays, you can't even fire someone without getting sued. It is stupid. People get stuck in a hole, and the company doesn't want to give them anything worth doing. Since they can't fire them for being un-driven losers, they give them crap jobs. Instead of working harder to actually reverse the situation, the employee just gets more bitter and lazy. I have seen people steal many many things from a company, because they feel the company "owes them". In one case, a guy claimed 20 hours of OT every week for about 8 months. His manager signed off on it because he was too spineless to challenge him. I know he didn't work it, because *I* was working it and he was nowhere to be found. In true corporate fashion, when it was discovered (by me), nothing was done. Nobody wanted to confront the situation. The guy eventually got PROMOTED! I figure he made out with about $30k.
I guess my argument is that no matter what your environment is like, people are going to try to screw the company. Granted, the worse the environment, the more it probably happens, but there are always going to be those disgruntled nut-jobs who feel the world owes them something. And I have seen companies do pretty crappy things too, like during the company meeting, announcing layoffs and those who weren't at the meeting were being escorted out of the building by police. This was to "preserve their dignity". Uh-huh.
Believe me, I know what it is like to be unhappy at a job. But you know what I did? I left. Employers have to cover their asses even more nowadays, when someone with the knowledge could easily F up their network, steal code/secrets, etc. Saying "don't piss off your employees" is no solution. Of course companies should have a good work environment, that is a no-brainer. But there will always be someone who wants more. You let people wear jeans, someone wants to wear shorts. Let them wear shorts, someone walks in with their bag hanging out. Let them wear sandals, someone walks around barefoot. No matter where I have worked, there has always been someone who was unhappy.
My beliefs do not require that you agree with them.
The only employee who should be 'scanning for vulnerabilities' here is me. Anybody we catch scanning without express written permission (generally from the CTO) is assumed to have 'evil intent'.
You can't just go off on your personal quest for vulnerable systems randomly on your employer's network, unless you actually want to end up like Randal Schwartz
Speaking of 'wrongheaded thinking'. Consider the risks of encouraging random scans by non-security employees. There are numerous reasons not to encourage random employees to scan your network.
- Some badly-written scanners will DoS even well-written OSes and applications.
- Some legacy systems still running in corporate networks react badly to being scanned. This isn't good, but it is a reality.
- Who needs 1,000 identical 'Tool X' scan reports of the same network?
- Scanning generates extra network traffic and 'hits' on IDS systems. See the previous item.
- Allowing random 'good' employees to run scans will make it harder to detect the 'evil' employees.
- How do you detect when a worm (Nimda?) or a trojan included in some shareware package starts scanning your network without the user's knowledge?
- What happens when 'Tool X' is distributed with a trojan, or simply hacked to silently CC the report summary to scanreport2002@hotmail.com?
- When 'Joe minimum wage' finds an easily exploited hole in the payroll server, you expect him to report it before trying it out for himself?
- Scanning random remote IP ranges can 'bring up' backup ISDN and other toll circuits, incurring a real expense.
- Do you encourage your average employee to check for unlocked doors and cabinets outside of their own work area, or do you have dedicated security personnel?
I agree that somebody should be scanning the internal network, just as somebody should be checking for unlocked doors. But that somebody should not be just any random employee who takes it upon themselves to test security....
I do not deploy Linux. Ever.
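Two of the items in the post above (how to notice when a worm or a trojaned tool starts scanning on its own, and how authorised scans make unauthorised ones harder to spot) come down to the same log-analysis problem. The following is an added example, not code from the thread or from any product it mentions: it reads constructed firewall-style log lines (the line format, the IP addresses and the timestamps are all invented for the example), counts distinct target host/port pairs per source inside a sliding time window, and reports the sources that exceed simple thresholds. An allowlist marks the designated scanner host, so its activity is reported as expected rather than masking an unexpected scanner on a workstation.

```python
"""Flag internal hosts whose traffic pattern looks like a port or host sweep.

Added example for the Slashdot thread above, not from the original page.
Log format, addresses, thresholds and timestamps are constructed for the
demonstration. Tune window and thresholds to your own network's baseline.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed log format: "<iso-time> <src-ip> -> <dst-ip>:<dst-port> <ALLOW|DENY>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+) (?P<action>ALLOW|DENY)$"
)


def parse_line(line):
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
            "dst": m["dst"], "port": int(m["port"]), "action": m["action"]}


def detect_scanners(lines, window=timedelta(minutes=5), port_threshold=15,
                    host_threshold=10, authorised=frozenset()):
    """Return {src_ip: finding} for sources that touch many targets in one window.

    The finding describes the busiest window for that source (most distinct
    host/port pairs), including how many of its connections were denied and
    whether the source is a known, authorised scanner host.
    """
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            events[ev["src"]].append(ev)

    findings = {}
    for src, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        best, best_key, start = None, (0, 0), 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            pairs = {(e["dst"], e["port"]) for e in win}
            hosts = {e["dst"] for e in win}
            key = (len(pairs), len(hosts))
            if key > best_key:
                best_key = key
                best = {"distinct_targets": len(pairs), "distinct_hosts": len(hosts),
                        "denied": sum(1 for e in win if e["action"] == "DENY"),
                        "authorised": src in authorised}
        if best and (best["distinct_targets"] >= port_threshold
                     or best["distinct_hosts"] >= host_threshold):
            findings[src] = best
    return findings


def constructed_log():
    """Build a small, labelled sample log: one authorised scanner, one
    workstation sweeping port 80/139 across a subnet, one normal client."""
    base = datetime(2002, 3, 1, 9, 0, 0)
    lines = ["this line is deliberately malformed and is skipped"]
    # Authorised scanner 10.0.0.5 probing ports 21-40 on one server.
    for i in range(20):
        port = 21 + i
        action = "ALLOW" if port in (22, 25) else "DENY"
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} "
                     f"10.0.0.5 -> 10.0.1.1:{port} {action}")
    # Workstation 10.0.0.77 hitting 80 and 139 on twelve neighbours (worm-like).
    for h in range(1, 13):
        for k, port in enumerate((80, 139)):
            ts = base + timedelta(minutes=30, seconds=h * 2 + k)
            lines.append(f"{ts.isoformat()} 10.0.0.77 -> 10.0.1.{h}:{port} DENY")
    # Normal client 10.0.0.9 talking to one web server.
    for m in (1, 2, 3):
        ts = base + timedelta(minutes=m)
        lines.append(f"{ts.isoformat()} 10.0.0.9 -> 10.0.2.10:443 ALLOW")
    return lines


def run_demo():
    """Run the detector over the constructed log with 10.0.0.5 allowlisted."""
    return detect_scanners(constructed_log(), authorised=frozenset({"10.0.0.5"}))


if __name__ == "__main__":
    for src, f in sorted(run_demo().items()):
        tag = "expected (authorised scanner)" if f["authorised"] else "UNEXPECTED"
        print(f"{src}: {f['distinct_targets']} targets on {f['distinct_hosts']} hosts, "
              f"{f['denied']} denied -> {tag}")
```

The allowlist is what keeps the post's "authorised scans hide evil ones" objection manageable: the scanner host still shows up in the report, but as an expected finding, so a sweep from any other address stands out on its own. The high denied count on the workstation is the other useful signal, since a legitimate client rarely has most of its connections refused.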
And yes, some employers are enforcing security measures that would do Dilbert's boss proud. And yes, employers should work on a basis of trust with their employees.
But to ignore the security issue is very, very wrong for a number of reasons.
- In some cases, the employer's clients may demand certain measures be taken to protect their data.
- In some cases, not having proper measures against theft of confidential data can make one liable for *huge* lawsuits if the data is stolen. (Think medical records.)
- Most importantly: in any group of employees, there'll be a couple of rotten apples in the bunch, no matter how nice and cuddly the employer. Those same employees are the ones that might steal wallets or other stuff from their co-workers' desks. It's sad, but it happens everywhere, and to not be on your guard against it is plain silly.
If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
I used to work in the security department of a large retail organization for 4 years. I'd regularly point out why the modem on the CEO's desk that went into our corporate network was a risk, and I'd be told to just overlook that one. Etc., etc. After seeing every executive and his secretary overstep security policy, it made me believe that corporations don't believe in security as a whole.
Beauty is truth, truth beauty. That is all ye need to know on Earth, besides TCP/IP.
they just put into their prices
Go read up on "the elasticity of demand" and then study the common agricultural policy and how governments destroy food to keep the prices up to protect the economy.
I would never threaten or attack any member of staff, they are just people but I'll abuse their trust and enjoy the intellectual arms races in removing stuff from stores. Heck, it's not even that I can't afford it. Stealing is fun.
There are places where the networks are not touching, and there are places where they are. - Boeing's Lori Gunter