Slashdot Mirror


Employees Are The Biggest Security Threat

blankmange writes "BBC News is reporting that the employees of a company pose the biggest threat to security. "Digital cameras, MP3 players and handheld computers could be the tools that disgruntled UK employees use to sabotage computer systems or steal vital data, warn security experts. The removable memory cards inside the devices could be used to bring in software that looks for vulnerabilities on a company's internal network. The innocent-looking devices could also be used to smuggle out confidential or sensitive information." Unfortunately, this is not news, but it is amazing how slowly the general public, corporations included, comes around on issues like these. "

19 of 328 comments

  1. Already wary of this... by thesolo · · Score: 5, Interesting

    Like I said in one of my previous posts on the subject (that I cannot find now for the life of me!), the company that I work for is already very wary of its data and the "toys" people bring into the office. And now thanks to those keychain-sized USB drives, every guest has his keychain checked before he enters, and has to empty his pockets. Of course, you could still sneak one in, anything is possible as we aren't going to be implementing strip searches anytime soon. ;)

    In the meantime, we keep all the sensitive data as locked down as possible, and hope for the best. I suppose in the end it is just part of human nature; even the most honest, trustworthy of people will steal from you if given the right motivation. Caring managers and a good working environment go a long way to prevent theft (and general unhappiness/turnover!), perhaps even more so than good security personnel.

    1. Re:Already wary of this... by redcup · · Score: 2, Interesting
      While it's important to have the proper security checks, this article only focuses on *possibilities* (emphasis added):
      • "Digital cameras, MP3 players and handheld computers could be the tools that disgruntled UK employees use to sabotage computer systems or steal vital data, warn security experts."
      • "The innocent-looking devices could also be used to smuggle out confidential or sensitive information."
      • "One way that unhappy employees might try to damage computer systems is by smuggling in programs on devices such as digital cameras, handheld computers and MP3 players. "
      • "Mr Longhurst said because digital cameras, MP3 players and handheld computers swapped information with a PC they could be used for nefarious purposes. "
      • "Disgruntled employees could easily load hacking software on to the memory card for their digital camera at home, transfer the software on to a PC at work and let it run loose, said Mr Longhurst."
      Yes, we should all be concerned and watchful for both internal and external security issues. Yes, trusted employees have the potential to cause more damage because they have better access to information and first-hand knowledge of the systems, security and policies. But listing a whole bunch of "could's" and "might's" is as insightful as saying:
      • "employees could use their Bic pen to damage Post-it notes you have for sale by writing 'buy me :-p' on each sheet."
      The article clearly ignores that *most* security problems are from the outside. When will companies realize there is a simple solution: keep your employees happy; keep happy employees.
      --

      RC
  2. Dumb Question by Tribe · · Score: 2, Interesting

    Reading the article I went "duh." But why are these "non-conventional" things getting blamed? How is this more dangerous than bringing in a floppy disk or a "music" cd with a data track on it?

    This bit of lucidity brought to you by..something!

  3. Comes around on issues like these? by SirSlud · · Score: 5, Interesting

    Oh yes, we should definitely come around on issues where the 'biggest threat' is from the people with the 'inside track'. There's no better way to raise a generation on folx free from the confines of ethics and responsibility .. where anything that they can do technically and physically must be AOK, or else it would be impossible to do it.

    You really have to be kidding me here. If your employees are truly taking their time to use their mp3 players to screw your business, you have more pressing concerns than the 'vulnerability' of the systems from the people who built them.

    I suppose since most premeditated murders happen between people who know each other, we'd better wake up and start hiring personal bodyguards to protect us from our loved ones too!

    --
    "Old man yells at systemd"
  4. Linux, Anyone by mgv · · Score: 2, Interesting

    Isn't this a reason for corporations to be using Linux?

    Microsoft has loaded up their system with so many features that it's almost impossible to stop someone finding a backdoor way in. While you can pretty much tie up a M$ system, it's not easy to do and you will probably be patching it till the cows come home. Surely better to have *nix systems which can really lock down the user to the required tasks? Particularly with regard to things like file accesses and so on? I still think that there is a huge potential here for *nix OS's - anything to do with security generally leaves M$ smelling less than rosy.

    My 2c worth,

    Michael

    --
    There is no cryptographic solution to the problem where the intended receiver and the attacker are the same entity.
  5. Another cause... by HiQ · · Score: 5, Interesting

    Another cause is common stupidity / ignorance. My wife works in a bank. Last year this bank interrogated two employees regarding theft of quite a large sum of money. It turned out to be one of their colleagues, who used their terminals to make a few transactions. Those two wrongfully accused employees had a habit of not logging out or locking their terminal when leaving the desk. Cases like this make you wonder how often this happens in other companies.

  6. Keyword is "trust" by blippo · · Score: 3, Interesting

    The basic principle here is: trust.

    You also trust your employees not to burn down the office, but you are still allowing them to use matches. How is that different?

  7. People are insecure. We know this. by daoine · · Score: 3, Interesting
    Some of the first things discussed in a network security class are the things that are very hard to protect against, one of them being 'the man with the gun' attack.

    Simply put, it's very hard to keep something secure when a person's well-being is threatened. If someone held me up at an ATM, building entrance, anything with password access, you'd bet I'd most likely give up the information to survive.

    It's interesting to note that the article mostly focuses on malicious intent on the part of the employee. That's not surprising, but far more surprising are the holes left by the everyday user. Take a look around the non-development areas of your company. How many have passwords on post-its? How much good will a secure network do if the front door to the building isn't locked down just as tight?

  8. No surprise by Mulletproof · · Score: 2, Interesting

    If your security is as lax as my company's, the article is easy to believe. I work on PCs in my department while the company itself handles thousands of the consumer electronic components listed above per day. Sure, you go through a metal detector and the guard wands you, but I swear I could sneak out with a full desktop stashed in my pants and still get away with it. It's for show. Then when they actually find something missing, security gets intense for about a month with people removing everything from their pockets, jackets, etc. After a month, it goes back to being business as usual. If these other companies are as irresponsible as mine, I could easily see the trend. Hmf. Must be desperate for when this post makes for slashdot news but the cool planetary alignment doesn't? Mod me down, bay-bay!

    And for cryin' out loud, You with anal ascii pic, grow up. How many sites do you visit with that pic anyway? "hehe! Hehe! *snort* It's the highlight of my day! *snort* hehe!" Get a life.

    --
    You need a FREE iPod Nano
  9. They are worried about an MP3 player? by GreyyGuy · · Score: 3, Interesting

    I looked at that, and had to laugh. I'm just waiting for someone to complain about the data carrying capability of my CD/MP3 player when I am expected to take my laptop with a 30 Gig hard drive home each night.

    Are they going to ban CDs too?

    I know that employees are the biggest security risks, but there has to be some sort of diminishing return in this. Besides, locking down your network on both the internal and external side is work that can't be avoided or established through policy.

  10. Who needs 'innocent-looking devices' for smuggling by DaHat · · Score: 3, Interesting

    I thought that is why we have e-mail, "hum, I want to work with that at home, I'll just e-mail it to myself."

    or worse... what happens when someone realizes that instead of a 500 dollar mp3 player... they can use a 5 cent floppy disk! Lord no! we must eliminate such things.

  11. Some miss the obvious by truthsearch · · Score: 4, Interesting

    Many companies leave their "usual" security too simple anyway. Take the financial trading company I work for as an example (name and url left out intentionally). Sometimes a 50k jpg or mpg attached to an e-mail coming into the intranet through our firewall is moved into a "safe zone" where the employee gets notified he/she must call the help desk to request it. Other times the jpg's and mpg's of any size come through fine while only exe's and vbs's (VB Scripts) are blocked. However, all outgoing attachments are allowed, with the understanding that they're monitored. But since I know they're using Outlook and Lotus Notes on Windows to monitor, I can rename a zip file of data to .mpg, comment on the funny joke I pretend is inside, and send corporate info into or out of our intranet.

    Another brilliant common hole (at least in financial companies): block ports 21 and most others through the firewall so employees won't ftp files to or from their workstations over the intranet. Of course no employee is smart enough to configure their ftp client to use port 80.

    Companies are getting scared of the latest techie gadgets, but so often don't even take care of what should be obvious to any educated IT security employee.
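    The gateway described in the post above decides by file extension, which is why a zip renamed to .mpg passes. The check a defender would want instead is to read the first bytes of the attachment and compare the format they reveal with the format the extension claims. The following Python is an added example written for this page, not code from the post or from any mail product it names; the function names, the verdict labels and the sample "attachments" (short constructed byte strings, not real files) are all assumptions made here.

```python
import os
from typing import Dict, List, Tuple

# Real file-format headers for the handful of types the post mentions.
# A production filter would use a fuller table (or libmagic) and also
# inspect archive contents; this example only shows the extension-vs-content
# mismatch check that extension-only filtering skips.
MAGIC_SIGNATURES: List[Tuple[bytes, str]] = [
    (b"PK\x03\x04", "zip"),        # zip local file header
    (b"PK\x05\x06", "zip"),        # empty zip (end-of-central-directory only)
    (b"\x00\x00\x01\xba", "mpeg"), # MPEG program stream pack header
    (b"\x00\x00\x01\xb3", "mpeg"), # MPEG video sequence header
    (b"\xff\xd8\xff", "jpeg"),     # JPEG start-of-image marker
    (b"MZ", "exe"),                # DOS/PE executable stub
]

# What each extension claims to be (hypothetical policy table).
EXTENSION_TYPES: Dict[str, str] = {
    ".zip": "zip", ".mpg": "mpeg", ".mpeg": "mpeg",
    ".jpg": "jpeg", ".jpeg": "jpeg", ".exe": "exe", ".vbs": "vbs",
}

# Types the post says the gateway blocks. VB scripts are plain text with no
# magic bytes, so they can only be caught by extension (or content parsing).
BLOCKED_TYPES = {"exe", "vbs"}


def sniff_type(data: bytes) -> str:
    """Return the format implied by the leading bytes, or 'unknown'."""
    for signature, kind in MAGIC_SIGNATURES:
        if data.startswith(signature):
            return kind
    return "unknown"


def check_attachment(filename: str, data: bytes) -> Tuple[str, str]:
    """Decide allow / quarantine / block from both the name and the content.

    'quarantine' is the verdict for the case in the post: the extension and
    the bytes disagree, so a human (or a deeper scanner) should look at it.
    """
    ext = os.path.splitext(filename)[1].lower()
    claimed = EXTENSION_TYPES.get(ext, "unknown")
    actual = sniff_type(data)
    if claimed in BLOCKED_TYPES or actual in BLOCKED_TYPES:
        return "block", f"blocked type (extension={claimed}, content={actual})"
    if claimed != actual:
        return "quarantine", f"extension says {claimed}, content says {actual}"
    return "allow", f"{actual} content matches extension"


# Constructed sample attachments (just headers plus padding, not real media).
SAMPLE_ATTACHMENTS: Dict[str, bytes] = {
    "holiday.mpg": b"\x00\x00\x01\xba" + b"\x00" * 16,      # genuine MPEG header
    "funny_joke.mpg": b"PK\x03\x04\x14\x00" + b"\x00" * 20, # zip renamed to .mpg
    "report.zip": b"PK\x03\x04\x14\x00" + b"\x00" * 20,     # zip with honest name
    "setup.exe": b"MZ\x90\x00" + b"\x00" * 20,              # executable
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 8,
}


def scan_samples() -> Dict[str, str]:
    """Run every constructed sample through the check and return the verdicts."""
    return {name: check_attachment(name, data)[0]
            for name, data in SAMPLE_ATTACHMENTS.items()}


if __name__ == "__main__":
    for name, data in SAMPLE_ATTACHMENTS.items():
        verdict, reason = check_attachment(name, data)
        print(f"{name:16} {verdict:10} {reason}")
```

    The same lesson applies to the port 80 trick in the second paragraph of the post: a control that trusts the label (an extension, a port number) rather than the content it carries is bypassed by relabelling, so the inspection has to look at what is actually being transferred.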

  12. Re:Yeah right... by ergo98 · · Score: 3, Interesting

    Not sure how sarcastic you're being, but in retail the biggest cause of merchandise lost IS the employees (remember that the next time some employee is wrongfully acting like you're a thief : The more likely scenario is that they are).

  13. -1 Redundant by rutledjw · · Score: 5, Interesting
    Here we go. Here's MY personal story of employee-driven chaos.

    We had a SW Architect who was really anything but. He WAS a great salesman and was able to BS his way out of trouble for ~2 years before they tossed his butt out. When he left, I had been there for ~6 months. In that time, he had burned roughly 150 CDs, he said for backup of our project (our TOTAL source was less than 2 floppies). He also password protected all of his PCs (forcing us to remove the BIOS battery).

    Further, on the server, about 7GB of a 13GB HDD was of a format not recognized by the Mandrake installer. The only thing I could think of was that it was encrypted. Who knows what data was taken or what was on that partition. We reported what we saw and re-formatted...

    Add another 4 months. They fired this guy but didn't revoke his user/pass. So he manages to find a server with telnet exposed to the internet and "hack in" (using his still working user/pass). He then proceeds to go to every server he can find and rm -rf on every directory where he has access. They ended up rebuilding 3 Sun boxes.

    No charges in either case.

    --

    Computer Science is Applied Philosophy
  14. Same 'ol debate, different face by ruiner13 · · Score: 2, Interesting

    This is the same debate that rages on over MP3's, video games, guns, etc. Is the video game to blame for violence, or is the player's lack of self control to blame when he/she goes postal? Is it the software that allows CD's to be converted to MP3's to blame, or the person who posted them to the internet illegally? IMHO, it is always the person who should be held responsible, not the hardware/software or its designers. Alfred Nobel created dynamite to help miners, not to hurt people, and when his invention was used for harm rather than good, people blamed him. Just my $0.02

    --

    today is spelling optional day.

  15. Where SHOULD the threat come from? by rakerman · · Score: 3, Interesting

    I saw a good talk by Dr. Richard Walton, the director of the Communications Electronics Security Group.

    To paraphrase, he said, "Currently we know that about 80% of threats come from inside. But no one ever asks what the desirable value for this number should be. I propose that it should be 100%." He said we should trust insiders rather than outsiders, and trust people rather than machines. Or again paraphrasing, he said that we can trust machines to correctly do whatever they are told, unfortunately machines can't distinguish whether a set of instructions are "good" or "bad", whereas most of the time, most of the people inside your organization will do the right thing.

  16. Re:Yeah right... by weave · · Score: 5, Interesting
    Reminds me of a story... :-)

    In my much younger days, back in the 70s, I worked on a loading dock of a department store. They had a guard there at all times making sure we didn't toss some merchandise into the back of a truck.

    We worked our asses off for minimum wage (back in the 70s when jobs were REAL hard to come by). The joint treated us like slaves. They even removed the chairs where we wrote up the paperwork and installed a table at standing height. Some manager was concerned we were taking too long to write up paperwork. We also in the beginning got two 15 minute breaks a day and then they took one of them away.

    So they started having a huge problem with shrinkage out of the stock room. The more they clamped down, the more stock just disappeared. They "doubled the guard" and rotated out the old one and still the shrinkage continued.

    What they weren't guarding was the trash compactor. They'd be pissing off employees so bad that some would go and grab a $500 stereo (our fulltime take home pay was $77/week), toss it into the trash compactor and hit CRUSH. A shitload of merchandise went into that thing...

    Oh, and for the record, the company was Almart, they went out of business in the 80s, I never did anything like that (didn't have the balls). I eventually got fired, but not for that. I got fired for trying to get the UFCW union to represent the employees and the stupid idiots voted it down. Just as well though, since the store went "tits up" three years later. If the union got in there, they'd be blaming the union for them going out of business...

  17. New World Order by 3Bees · · Score: 2, Interesting
    • Employees are a threat to be monitored and controlled
    • Customers are potential thieves and pirates to be monitored and restricted

    Gee Ma, this game looks really fun!

    --
    "I think we should tax people who stand in water! " - Mr. Gumby
  18. Actually by strombrg · · Score: 2, Interesting
    ...it's amazing how slowly people give up outdated truisms.

    This is a quote from The CSI/FBI Computer Crime and Security Survey:

    "Over its seven-year life span, the survey has told a compelling story. It has underscored some of the verities of the information security profession, for example that technology alone cannot thwart cyber attacks and that there is a need for greater cooperation between the private sector and the government. It has also challenged some of the profession's 'conventional wisdom,' for example that the 'threat from inside the organization is far greater than the threat from outside the organization' and that 'most hack attacks are perpetrated by juveniles on joy-rides in cyberspace.' Over the seven-year life span of the survey, a sense of the 'facts on the ground' has emerged. There is much more illegal and unauthorized activity going on in cyberspace than corporations admit to their clients, stockholders and business partners or report to law enforcement. Incidents are widespread, costly and commonplace. Post-9/11, there seems to be a greater appreciation for how much information security means not only to each individual enterprise but also to the economy itself and to society as a whole. Hopefully, this greater appreciation will translate into increased staffing levels, more investment in training and enhanced organizational clout for those responsible for information security."

    In other words, please give up on this nonsense about how there's more risk from the inside. It's kind of obvious, really: how many more people are there on the internet than there are inside a typical organization? I personally have dealt with tens if not hundreds of external break-ins. I've only dealt with one internal break-in, and that one started from on-campus, looped through an off-campus host, and only then came back on-campus.