Slashdot Mirror


Employees Are The Biggest Security Threat

blankmange writes "BBC News is reporting that the employees of a company pose the biggest threat to security. "Digital cameras, MP3 players and handheld computers could be the tools that disgruntled UK employees use to sabotage computer systems or steal vital data, warn security experts. The removable memory cards inside the devices could be used to bring in software that looks for vulnerabilities on a company's internal network. The innocent-looking devices could also be used to smuggle out confidential or sensitive information." Unfortunately, this is not news, but it is amazing how slowly the general public, corporations included, comes around on issues like these. "

50 of 328 comments

  1. or.. by blinx_ · · Score: 3, Insightful

    You could just bring a floppy/CD with you - if the company's security is already so tight that it forbids those, the fact that you can use stuff like digital cameras, MP3 players or USB keyrings to bring in data shouldn't come as a surprise.

    --
    Resistance is not futile - www.gnu.org
    1. Re:or.. by csbruce · · Score: 4, Funny

      You could just bring a floppy/cd with you

      These items and memory sticks, digital cameras & MP3 players can be hidden in people's clothing, and therefore, the real solution is to disallow all clothing on the premises of the business. People could also hide such items up their butt, so you'll need to check there too before allowing employees admittance. (Well, maybe not the CD...)

    2. Re:or.. by Fulcrum+of+Evil · · Score: 3, Funny

      the real solution is to disallow all clothing on the premises of the business

      I hope to god that you're planning on making attendance at the gym mandatory.

      --
      "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
  2. And this is news? by randomErr · · Score: 3, Funny

    I've had 10 times more computer problems with users trying to install their own software than with any virus.

    Plus when someone is about to be fired they try to e-mail 500 megs of files to their 10 meg home account. E-mail Bounce of Death anyone?

    --
    You say things that offend me and I can deal with it. Can you?
    1. Re:And this is news? by Zocalo · · Score: 5, Funny
      500 megs of files? It doesn't even take that. I've seen this happen with an "Out of office" response email. The luser had set up his Exchange account to send an out of office reply, but forgot to remove an automatic CC to his 10 meg home email account.

      Naturally the home account filled up pretty quickly, at which point the remote and local servers began a game of ping pong between "Out of office" and "Mailbox is full" emails. Since we are an ISP and his 10MB account was on another large ISP, this game of ping pong was going faster than a world champion on speed. As a side effect it also resulted in a DoS on the two mail servers as log files and message logs grew out of all proportion...

      So it just goes to show; employees can cause grief even when they don't mean to.

      --
      UNIX? They're not even circumcised! Savages!
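The auto-reply ping-pong in the post above happens because neither mail system refuses to answer a message that is itself automatic. As an added example (not from the thread or any real mail server), here is the RFC 3834 suppression rule an autoresponder should apply, plus a sweep over constructed log lines that flags address pairs caught in such a loop; the log format, addresses and thresholds are this example's own assumptions.

```python
"""Added example (not part of the thread): two defences against the
"Out of office" / "Mailbox is full" ping-pong described above.

should_auto_reply() applies the RFC 3834 rule that an autoresponder must
not answer mail that is itself automatic. find_reply_loops() sweeps mail
log lines and flags address pairs exchanging many automatic messages in
a short window. The log line format and addresses are constructed for
this example, not taken from any real MTA.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Subjects that mark a message as automatic in this constructed log.
AUTO_SUBJECTS = ("out of office", "mailbox is full", "delivery status")


def should_auto_reply(headers, envelope_from):
    """Return True only if an automatic reply may be sent.

    headers: dict of lower-cased header name -> value.
    envelope_from: SMTP MAIL FROM address, "<>" for bounces.
    """
    if envelope_from.strip() == "<>":
        return False                      # bounce/DSN: never answer it
    auto = headers.get("auto-submitted", "no").strip().lower()
    if auto != "no":
        return False                      # auto-replied, auto-generated, ...
    if headers.get("precedence", "").strip().lower() in ("bulk", "list", "junk"):
        return False                      # mailing lists and bulk mail
    return True


# Constructed format: 2002-05-13T10:00:05 from=<a@x> to=<b@y> subject="..."
LOG_RE = re.compile(r'^(\S+) from=<([^>]*)> to=<([^>]*)> subject="([^"]*)"$')


def find_reply_loops(lines, window=timedelta(minutes=10), threshold=20):
    """Return {(addr_a, addr_b): peak_count} for address pairs that exchanged
    at least `threshold` automatic messages within any `window`."""
    recent = defaultdict(deque)           # pair -> timestamps inside the window
    flagged = {}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                      # unparsable line: skip, do not crash
        ts = datetime.fromisoformat(m.group(1))
        sender, rcpt, subject = m.group(2), m.group(3), m.group(4).lower()
        if not any(marker in subject for marker in AUTO_SUBJECTS):
            continue                      # ordinary human mail
        pair = tuple(sorted((sender, rcpt)))   # direction does not matter
        q = recent[pair]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()                   # slide the window forward
        if len(q) >= threshold:
            flagged[pair] = max(flagged.get(pair, 0), len(q))
    return flagged


def sample_log():
    """Constructed log: 30 auto-replies bouncing between a work account and a
    full home mailbox every five seconds, plus two ordinary messages."""
    work, home = "user@isp.example", "user@home.example"
    start = datetime(2002, 5, 13, 10, 0, 0)
    lines = ['2002-05-13T09:59:00 from=<boss@isp.example> to=<user@isp.example> subject="Lunch?"']
    for i in range(30):
        ts = (start + timedelta(seconds=5 * i)).isoformat()
        if i % 2 == 0:
            lines.append(f'{ts} from=<{work}> to=<{home}> subject="Out of office"')
        else:
            lines.append(f'{ts} from=<{home}> to=<{work}> subject="Mailbox is full"')
    lines.append('2002-05-13T10:05:00 from=<user@isp.example> to=<boss@isp.example> subject="Re: Lunch?"')
    return lines


if __name__ == "__main__":
    for pair, n in find_reply_loops(sample_log()).items():
        print(f"loop suspected between {pair[0]} and {pair[1]}: {n} automatic messages")
```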
    2. Re:And this is news? by stilwebm · · Score: 3, Insightful

      Amen brother!

      How many times have I had to respond to "urgent network problems" only to find out the problem was someone installed some shit like "NetAccelrator" on a LAN connected computer (they say they saw an error message telling them their connection wasn't optimized...) or CyberPatrol so their kids can play after hours. Never mind the problems with clients DoSing us with their Outlook/IIS/Sircam worms, the biggest DoS is people installing Gnutella and other sharing programs and giving downloaders full bandwidth, thinking it will make their downloads faster.

      Even software that doesn't usually mess up a computer's network stack or even use the network can wreak havoc. Enter the user who thinks he knows everything he needs to know, but really only knows how to break everything he touches. Send him to a training course? Only if you want to teach him how to break more stuff, even with the best ACLs!

  3. Make the workers not disgruntled then... by forgoil · · Score: 5, Insightful

    Yes, sounds stupid, but I would find it to be a better idea than to implement some kind of 1984/Fahrenheit 451 security "utopia". It should also help the company's success in the future. Happy people work better and don't try to screw you over (in the bad sense that is).

    1. Re:Make the workers not disgruntled then... by randombozo · · Score: 3, Funny

      Correction: People who BELIEVE they're happy don't try to screw you over. You're not supposed to actually make people happy. Otherwise you end up with something like a baked alaska.

  4. What about employers by line-bundle · · Score: 5, Insightful

    Ultimately it is employers who set the tone for a company. Employees' actions are (in part) a reflection of how they are treated by employers.

  5. it's easier than that to cause harm... by Hooya · · Score: 5, Funny

    call the BSA hotline.

  6. Already wary of this... by thesolo · · Score: 5, Interesting

    Like I said in one of my previous posts on the subject (that I cannot find now for the life of me!), the company that I work for is already very wary of its data and the "toys" people bring into the office. And now thanks to those keychain-sized USB drives, every guest has his keychain checked before he enters, and has to empty his pockets. Of course, you could still sneak one in; anything is possible, as we aren't going to be implementing strip searches anytime soon. ;)

    In the meantime, we keep all the sensitive data as locked down as possible, and hope for the best. I suppose in the end it is just part of human nature; even the most honest, trustworthy of people will steal from you if given the right motivation. Caring managers and a good working environment go a long way to prevent theft (and general unhappiness/turnover!), perhaps even more so than good security personnel.

    1. Re:Already wary of this... by CharlieG · · Score: 5, Insightful
      And now thanks to those keychain-sized USB drives, every guest has his keychain checked before he enters, and has to empty his pockets

      And your guests stand for this?
      Folks, three times in recent months I've walked out on places, or canceled tickets to an event that said they wanted to search me. Yes, it's their right to ask, and it's my right to say "No". Then it's up to them to decide which they want more - me, or their rule

      To quote a Sci-Fi story being written by a guy on the net:
      "Contract Addendum 4: The person of the Guild Certified Consulting Programmer is inviolate. Attempts to search the Consulting Programmer's person, vehicle, or home are considered both a violation of contract and initiation of force." -- Page 23 of the Guild's Standard Contract
      --
      -- 73 de KG2V For the Children - RKBA! "You are what you do when it counts" - the Masso
    2. Re:Already wary of this... by Chris+Mattern · · Score: 3, Informative

      Depends on whether or not he knew he would be searched when he bought the tickets. If he didn't know and the ticket sale never mentioned it, he has an awfully good chance of getting his money back, nonrefundable or not, if he threatens to bring the lawyers out.

      Chris Mattern

  7. Reminds me of NSA security alert on "Furby" toys by Seth+Finkelstein · · Score: 5, Funny
    This reminds me of the famous NSA "Furby Alert"
    As harried parents scrambled in the weeks before Christmas to get their hands on these homely, high-tech cyberpets that supposedly repeat what they hear, the supersecret spy agency put out a "Furby Alert" on its internal intranet in early December and banned the Furby from Fort Meade.

    "Personally owned photographic, video and audio recording equipment are prohibited items. This includes toys, such as 'Furbys,' with built-in recorders that repeat the audio with synthesized sound to mimic the original signal," the Furby Alert warned NSA workers. "We are prohibited from introducing these items into NSA spaces. Those who have should contact their Staff Security Officer for guidance."

    Sig: What Happened To The Censorware Project (censorware.org)

  8. anomie...look it up. by Anonymous Coward · · Score: 4, Insightful

    I just thought of something, if a person wanted to KILL a whole bunch of people...they probably could. DUH!!

    This is some serious social breakdown we're seeing here. I remember the days when you would get hired by a company, and then not only would your employer actually give a fuck about you...they would assume that you were on their side by default. Maybe this should tell us something about the mindset of modern management. They hate us...they naturally assume that we hate them. Gattaca here we come.

  9. In other news... by joebp · · Score: 5, Funny
    • Computers run on electricity.
    • People use the internet to do bad things.
    • Pro-wrestling is faked.
    • The news media is biased.
    • The members of all boy-bands are gay.
    • Britney does not want you.
    • Disgruntled employees can steal your valuable corporate information.
    1. Re:In other news... by Psiren · · Score: 4, Funny

      Britney does not want you.

      Oh, thank God for that. It *was* a bad dream after all... ;)

  10. Comes around on issues like these? by SirSlud · · Score: 5, Interesting

    Oh yes, we should definitely come around on issues where the 'biggest threat' is from the people with the 'inside track'. There's no better way to raise a generation of folx free from the confines of ethics and responsibility .. where anything that they can do technically and physically must be AOK, or else it would be impossible to do it.

    You really have to be kidding me here. If your employees are truly taking their time to use their MP3 players to screw your business, you have more pressing concerns than the 'vulnerability' of the systems from the people who built them.

    I suppose since most premeditated murders happen between people who know each other, we'd better wake up and start hiring personal bodyguards to protect us from our loved ones too!

    --
    "Old man yells at systemd"
    1. Re:Comes around on issues like these? by analog_line · · Score: 3, Informative

      Oh, definitely.

      I can't count the number of companies I've done work for that had glaring flaws in their physical security practices. Like one door with Pentagon level security, and a back door with absolutely none. I've walked through doors on military bases I shouldn't have been able to get NEAR, and that was without even trying.

      The sad fact is that a lot of organizations haven't dealt with that revelation in any kind of rational, or even internally consistent manner. They generally react with panic, and implement a whole lot of rashly designed security plans that sound complete, but are actually so riddled with holes they might as well have done nothing.

  11. Well what do you want? by Nelson · · Score: 3, Informative
    Back in the day, there wasn't an internet connected to every desktop. You simply weren't allowed to bring recording devices or media to and from work. I remember when it was a dismissable offense at IBM to bring a disk into the building or take one out without the proper paperwork and permission. So when your employer decides that you really don't need access to any sites that get blocked by their surfguard it's terrible, YRO are being compromised. What's the response going to be when they decide that you can't take any media in or out, and that includes your music and digital camera?


    If you're really worried about corporate security, that kind of stuff is a real risk. It's not even the employees who are doing it, it's just the fact that there is a channel that data is flowing on in and out of the company that isn't protected and not subject to it. Once that exists, it's just a matter of someone hijacking it to use it for their own plans.

  12. Another cause... by HiQ · · Score: 5, Interesting

    Another cause is common stupidity / ignorance. My wife works in a bank. Last year this bank interrogated two employees regarding theft of quite a large sum of money. It turned out to be one of their colleagues, who used their terminals to make a few transactions. Those two wrongfully accused employees had a habit of not logging out or locking their terminal when leaving the desk. Cases like this make you wonder how often this happens in other companies.

  13. I'm glad this isn't news, true nonetheless by CDWert · · Score: 5, Informative

    I have, and have for the last 7 years, been in a position of trust. I have earned that trust; I have never "screwed" any of my former employers, even though I am generally so rooted into their systems that removing any and all access can be nearly impossible. BUT I wouldn't ever screw anyone over and they know it. I am the biggest potential hazard to any company I work for. I once had a company take out a 250,000 insurance policy on me for the company; it was matched by a personal policy of the same amount. They figured that was about what they would lose in 1-3 months following an early demise on my part.

    My (ex-wife's) uncle was a VP of a F-250 in HR. He had been out of work almost a year when he got the job and was only there 2 years. He quit; we all thought him quite mad. He was going to start a company specifically for consulting on HR risk management, with an IT slant. All the major companies putting these 200 million dollar implementations of ERPs in place made for a lot of problems if a $6 an hour lackey ordered 10000 of something by accident and didn't catch it; the real-time nature of the transactions throughout the company, from purchasing to production to HR, makes for a lot of fear on the corporate side. Fear SELLS, simply put. He is now about 40 and worth well over 5 million; 7 years ago he couldn't pay his mortgage. All money made on the fears, and (solutions) to fear, based on employee liability.

    The company is made by employees, it can be broken by the employees, very simple........

    --
    Sig went tro...aahemmm.....fishing........
    1. Re:I'm glad this isn't news, true nonetheless by Ivan+Raikov · · Score: 4, Funny

      You seem to write at a 3rd or 4th grade level..

      Well, that's management material right there! You wouldn't want the person in charge of making decisions to articulate their thought clearly and precisely, would you?

      :-)

  14. Appropriate Dilbert Quote: by InOverMyFeet · · Score: 3, Funny

    "I don't think it's a coincidence that most employee sabotage is done by employees." - Scott Adams

    --
    -- Probability does not dismiss possibility --

  15. Keyword is "trust" by blippo · · Score: 3, Interesting

    The basic principle here is trust.

    You also trust your employees not to burn down the office, but you are still allowing them to use matches. How is that different?

  16. People are insecure. We know this. by daoine · · Score: 3, Interesting
    Some of the first things discussed in a network security class are the things that are very hard to protect against, one of them being 'the man with the gun' attack.

    Simply put, it's very hard to keep something secure when a person's well-being is threatened. If someone held me up at an ATM, building entrance, anything with password access, you'd bet I'd most likely give up the information to survive.

    It's interesting to note that the article mostly focuses on malicious intent on the part of employee. That's not surprising, but far more surprising are the holes left by the everyday user. Take a look around the non-development areas of your company. How many have passwords on post-its? How much good will a secure network do if the front door to the building isn't locked down just as tight?

  17. They are worried about an MP3 player? by GreyyGuy · · Score: 3, Interesting

    I looked at that, and had to laugh. I'm just waiting for someone to complain about the data carrying capability of my CD/MP3 player when I am expected to take my laptop with a 30 Gig hard drive home each night.

    Are they going to ban CDs too?

    I know that employees are the biggest security risks, but there has to be some sort of diminishing return in this. Besides, locking down your network on both the internal and external side is work that can't be avoided or established through policy.

  18. Who needs 'innocent-looking devices' for smuggling by DaHat · · Score: 3, Interesting

    I thought that is why we have e-mail, "hum, I want to work with that at home, I'll just e-mail it to myself."

    or worse... what happens when someone realizes that instead of a 500 dollar mp3 player... they can use a 5 cent floppy disk! Lord no! we must eliminate such things.

  19. It's only starting -- next stop, wireless by Bookwyrm · · Score: 5, Insightful

    If people consider PDAs, MP3 players, and digital cameras a security threat as a channel for bringing data in and/or out of a company, just wait for the next generation cell phones/PDAs. When you have a 3G/GPRS/GPS/Bluetooth/802.11/IrDA/Ethernet/USB/Firewire/etc. capable personal phone, would employers let you bring it into work? Even if you had no hostile intentions yourself, your phone might be compromised by a trojan or virus that might attempt to spread from your phone into the corporate network over whatever communications medium is available.

    With the wireless connectivity becoming so common, network security is losing its "air gap".

    It might be noted that the IP Rights protection software might end up being a problem for Open Source software acceptance in the market and work place. Not necessarily due to (most) corporations really concerning themselves about people copying music, but with employees copying confidential files to unsecured devices.

    An operating system/networking system that provided built-in guards for transferring confidential/private data from secured/official devices to unsecured/private devices might have a lot more appeal to a corporation than one that has no protections against random file copying.

    (Given that we are reaching the point where we have more memory and CPU power in computers than we know what to do with, I would be highly interested in seeing more OS development that allows for (security) meta-data to be associated with areas of memory as far as the permissions/state of that memory goes. It would be really nice to see a system where, say, image data loaded from a website might be marked in the OS as "image (jpeg) from foo.bar.com -- unauthenticated, non-executable", so that if something else tried to trigger the CPU to jump to that area of memory and execute it, the OS would reject the attempt. This is going to be more important with Bluetooth/ad-hoc connectivity, 'media' which are almost programs in themselves (Flash, Java, JavaScript, etc.) -- simply turning off all support for 'dangerous' media may not be practical if their use becomes widespread. This sort of internal OS meta-data system would have a high overhead, of course. And yes, the side effect is that it makes IPR-type enforcement much more possible, but the security issues may start pushing systems development in that direction. Free software folks should think about this one -- it would be highly ironic if by implementing IPR management software in Windows, Microsoft then stepped up and managed to make an OS with a superior internal security model based on extending the IPR system to manage internal data/executable security. Better start looking for quad Athlon servers...)

  20. contradictory practices by sugrshack · · Score: 3, Informative
    well... you could blame the users, who've been stuck into a work environment with machines that they barely understand, or you could blame the security departments for incompetence and inconsistent policies.

    for instance, where i work, they've decided to block any web-based email (through a fairly thick piece of software, which just blocks any site with sendmail includes). This makes some sense, because you really can't trust people, no matter how many times you tell them, not to open attachments... they can't filter through each of these sites which bypass the main email systems..

    however... here's the absurd part... they still seem to allow rampant use of peer-to-peer connections. People use AIM all the time... as if this were secure! And security argues that it serves a "business need." ahem.

    --
    I can't believe it's not lard!
  21. Damn. by kryzx · · Score: 3, Funny

    So that's the problem! That's it, I'm getting rid of all my employees!! In today's day and age, how can any company risk having autonomous entities of unknown motivation and capability wandering around?!? touching the company's stuff?!!? accessing the company's data?!!!? looking at things?!!!!? Ahhckg!!! Fire them all!!!!!

    --
    "I don't know half of you half as well as I should like, and I like less than half of you half as well as you deserve."
  22. Some Asian companies understand this already! by Ewann · · Score: 4, Informative

    I visited a large Asian electronics manufacturer last year. When entering the facility, they inspected every piece of electronics I entered with. Cameras (both film and digital) had to be left at the desk. Laptops had their memory slots and peripheral slots covered with company-issued security tape to be sure I didn't add or remove anything. CDs, tapes, and other recording media were not permitted in the building. When leaving, my bags were X-rayed to be sure I wasn't taking anything forbidden out.

  23. Some miss the obvious by truthsearch · · Score: 4, Interesting

    Many companies leave their "usual" security too simple anyway. Take the financial trading company I work for as an example (name and url left out intentionally). Sometimes a 50k jpg or mpg attached to an e-mail coming into the intranet through our firewall is moved into a "safe zone" where the employee gets notified he/she must call the help desk to request it. Other times the jpg's and mpg's of any size come through fine while only exe's and vbs's (VB Scripts) are blocked. However, all outgoing attachments are allowed, with the understanding that they're monitored. But since I know they're using Outlook and Lotus Notes on Windows to monitor, I can rename a zip file of data to .mpg, comment on the funny joke I pretend is inside, and send corporate info into or out of our intranet.

    Another brilliant common hole (at least in financial companies): block ports 21 and most others through the firewall so employees won't ftp files to or from their workstations over the intranet. Of course no employee is smart enough to configure their ftp client to use port 80.

    Companies are getting scared of the latest techie gadgets, but so often don't even take care of what should be obvious to any educated IT security employee.
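The post above points out that a filter keyed on file extension lets a zip archive through as soon as it is renamed to .mpg. As an added example (not from the thread or any real mail gateway), here is an attachment check that decides by content signature instead, and also catches an archive appended to a valid image, since ZIP readers locate the archive from the end of the file; the signature table, verdict names and sample files are this example's own assumptions.

```python
"""Added example (not part of the thread): an attachment filter that judges
files by their content rather than by the extension the sender chose, so a
zip archive renamed to .mpg is still treated as an archive. The signature
table, policy and verdict names are this example's own assumptions."""
import io
import os
import zipfile

# (leading bytes, type) - a few well-known file signatures
MAGIC = [
    (b"PK\x03\x04", "zip"),
    (b"PK\x05\x06", "zip"),            # empty archive
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\x00\x00\x01\xba", "mpeg"),     # MPEG program stream
    (b"\x00\x00\x01\xb3", "mpeg"),     # MPEG video sequence header
    (b"MZ", "exe"),                    # DOS/Windows executable
]
EXT_TYPES = {".zip": "zip", ".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png",
             ".mpg": "mpeg", ".mpeg": "mpeg", ".exe": "exe"}
BLOCKED_EXTS = {".exe", ".vbs", ".bat", ".com", ".scr", ".pif"}
BLOCKED_TYPES = {"exe"}


def sniff_type(data):
    """Return the content type implied by the leading bytes, or None."""
    for sig, kind in MAGIC:
        if data.startswith(sig):
            return kind
    return None


def has_trailing_zip(data, tail=65536 + 22):
    """ZIP readers find the central directory from the END of the file, so an
    archive appended to a valid JPEG still opens as an archive. Look for the
    end-of-central-directory marker in the last 64 KiB (max comment) + 22 bytes."""
    return b"PK\x05\x06" in data[-tail:]


def check_attachment(filename, data):
    """Verdict for one attachment: 'block', 'quarantine', 'review' or 'allow'."""
    ext = os.path.splitext(filename)[1].lower()
    claimed = EXT_TYPES.get(ext)
    actual = sniff_type(data)
    if ext in BLOCKED_EXTS or actual in BLOCKED_TYPES:
        return "block"                 # dangerous by name OR by content
    if (actual == "zip" or has_trailing_zip(data)) and claimed != "zip":
        return "quarantine"            # archive wearing another extension
    if claimed is None or actual is None:
        return "review"                # unknown extension or unrecognised bytes
    if claimed != actual:
        return "quarantine"            # extension and content disagree
    return "allow"


def make_zip(name="secret.txt", payload=b"constructed sample data"):
    """Build a small real zip archive in memory (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


JPEG_SAMPLE = b"\xff\xd8\xff\xe0" + b"\x00" * 32     # constructed JPEG header

if __name__ == "__main__":
    archive = make_zip()
    for name, blob in [("joke.mpg", archive), ("photo.jpg", JPEG_SAMPLE),
                       ("photo.jpg", JPEG_SAMPLE + archive), ("report.zip", archive)]:
        print(f"{name:12s} -> {check_attachment(name, blob)}")
```

Text-only formats such as .vbs have no reliable signature, which is why the check still blocks them by extension.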

    1. Re:Some miss the obvious by mdouglas · · Score: 3, Informative

      >Another brilliant common hole (at least in financial companies): block ports 21 and most others through the firewall so employees won't ftp files to or from their workstations over the intranet. Of course no employee is smart enough to configure their ftp client to use port 80.

      hehehehee...reminds me of something i did at my last job. i used to work at a very large financial company, the only access to the internet was http via a proxy server. i couldn't get access to my external email accounts. so i built an http tunnel to encapsulate ssh back to my box at home.
      http://www.nocrew.org/software/httptunnel.html
      from there i could do anything i wanted. moral of the story : never f with a network engineer.

  24. Re:Linux, Anyone by reemul · · Score: 5, Insightful

    Sadly, the NTFS file system has a richer system of file and directory permissions than anything Linux has to offer. Which is of course made moot by exploits that give the Microsoft user system level privileges, but the simplistic owner/group/world permission structure common to *nix systems is not a key selling point. The best permission structure I've personally dealt with was Novell's NDS, but they mistreated their sales channel so badly over the years they'd have trouble selling water to a guy who was on fire. Too bad, their cascading inheritance model was just amazing.

    All of this is beside the point anyway, as the article deals with folks misusing resources they already have access to, not problems with people getting at files they are not normally allowed to see. A Linux user is just as capable as a windows user of burning files he has rights to onto a CD.

    --
    You're just jealous 'cuz the voices talk to *me*
  25. Corporate Managers everywhere are saying... by El+Camino+SS · · Score: 3, Funny

    Big Corporate Manager: "Goodness, it says here that our biggest security threat is our employees! Well, I suggest that in order to keep them under control, we should institute a set of draconian rules on their behavior and treat them with the utmost resentment possible! Also, take this down, we should constantly address them like they are a liability instead of an asset."

    Big Corporate Lackey: "We already do that, sir!"

    Big Corporate Manager: "Damn, that was a close one! I thought for a moment there we had a security breach on our hands. Good work. Let's go play some golf."

    Big Corporate Lackey: "I'll get the clubs, sir!"

  26. Re:Yeah right... by ergo98 · · Score: 3, Interesting

    Not sure how sarcastic you're being, but in retail the biggest cause of merchandise lost IS the employees (remember that the next time some employee is wrongfully acting like you're a thief : The more likely scenario is that they are).

  27. So remember managers... by Irvu · · Score: 5, Funny
    • Cost of a new overhead camera to spy on employees: $700
    • Cost of metal detectors at the doors and the guards to staff them: $10,000 yr.
    • Cost of keystroke loggers, internet screening software and the techs to track them: $50,000yr.
    • Cost of employees to monitor the guards and techs: $30,000 yr.
    • Living under a cloud of suspicion and paranoia and driving all of your employees away through fear, distrust, and low morale: Priceless

    There's some things money can't buy, for the rest; raid the retirement fund.
  28. -1 Redundant by rutledjw · · Score: 5, Interesting
    Here we go. Here's MY personal story of employee-driven chaos.

    We had a SW Architect who was really anything but. He WAS a great salesman and was able to BS his way out of trouble for ~2 years before they tossed his butt out. When he left, I had been there for ~6 months. In that time, he had burned roughly 150 CDs, he said for backup of our project (our TOTAL source was less than 2 floppies). He also password protected all of his PCs (forcing us to remove the BIOS battery).

    Further, on the server, about 7GB of a 13GB HDD was of a format not recognized by the Mandrake installer. The only thing I could think of was that it was encrypted. Who knows what data was taken or what was on that partition. We reported what we saw and re-formatted...

    Add another 4 months. They fired this guy but didn't revoke his user/pass. So he manages to find a server with telnet exposed to the internet and "hack in" (using his still working user/pass). He then proceeds to go to every server he can find and rm -rf on every directory where he has access. They ended up rebuilding 3 Sun boxes.

    No charges in either case.

    --
    Computer Science is Applied Philosophy
  29. FUD Marketing by Morris+Schneiderman · · Score: 4, Funny

    The "biggest threat to security" is almost always the folks working in the Security Department. This has been the case for more than 50 years.

    There could be a good research paper here. Is it because these folks have too much idle time on their hands? Is it because the line of work keeps them focusing on negative activities? Is it because they are exposed to the company's weaknesses and become tempted by them? Is it because this line of work attracts thieves? Is it because companies use the 'it takes a thief to catch a thief' philosophy? Do 'Heads of Security' purposely hire thieves to keep levels of theft up, so as to justify bigger budgets? Outsourcing 'Security' does not solve the problem, it just makes it into someone else's profit center.

    My father tells the story of a guy working at an auto assembly plant who took home an entire car -- piece by piece!

    This 'article' is not News. Look at its source. It's a marketing piece. Slashdot fell for someone's FUD marketing. I know it's Monday morning, but still...

  30. My own experience with Employee Security by ari{Dal} · · Score: 3, Insightful

    The way an employee acts, in many cases, is a direct reflection of how you're treated by your employer.

    In my last (regrettable) job, everyone was treated as an enemy (unless you were related to the boss, but let's not go there). The way people were scrutinized and monitored was ridiculous. Even those of us who'd been there for a while, and had proven ourselves 'loyal', were given this scrutiny. It ended up creating an environment where resentment and suspicion made one feel they were under siege. That atmosphere fostered more employee dishonesty than anywhere I've worked before or since. I still remember the

    Of course, the places I worked before and after treated people with a 'we'll trust you until you do something to destroy that trust' mentality, which I'm finding is rarer and rarer these days. But you know what? The crew at the place I'm at now is completely loyal, the turnover is practically nil, and the job satisfaction surveys are at about 90%. Compare that to my last job...

    In summary, do unto others yadda yadda... if you treat your employees like criminals from day one, they won't disappoint you.

    --
    Moral indignation is jealousy with a halo - H. G. Wells
  31. Where SHOULD the threat come from? by rakerman · · Score: 3, Interesting

    I saw a good talk by Dr. Richard Walton, the director of the Communications Electronics Security Group.

    To paraphrase, he said, "Currently we know that about 80% of threats come from inside. But no one ever asks what the desirable value for this number should be. I propose that it should be 100%." He said we should trust insiders rather than outsiders, and trust people rather than machines. Or again paraphrasing, he said that we can trust machines to correctly do whatever they are told, unfortunately machines can't distinguish whether a set of instructions are "good" or "bad", whereas most of the time, most of the people inside your organization will do the right thing.

  32. Re:Linux, Anyone by gorilla · · Score: 5, Insightful

    The theoretical permissions are one thing, the actual ones used in practice are another. As Microsoft Office requires the %WINNT% directory to be world writable, that means in practice, the majority of NT setups are insecure.

  33. Real security by evilpenguin · · Score: 4, Insightful
    It saddens me to read this:

    The removable memory cards inside the devices could be used to bring in software that looks for vulnerabilities on a company's internal network.


    Just how exactly does it improve the security of your systems to punish employees for exposing flaws? This guarantees that the only people scanning for vulnerabilities are outsiders and insiders with evil intent. Give scanning tools to employees and offer to pay them a bonus for reporting problems!

    There is so much wrongheaded thinking out there, it is no wonder to me that security problems remain so numerous.
  34. Re:Yeah right... by weave · · Score: 5, Interesting
    Reminds me of a story... :-)

    In my much younger days, back in the 70s, I worked on a loading dock of a department store. They had a guard there at all times making sure we didn't toss some merchandise into the back of a truck.

    We worked our asses off for minimum wage (back in the 70s when jobs were REAL hard to come by). The joint treated us like slaves. They even removed the chairs where we wrote up the paperwork and installed a table at standing height. Some manager was concerned we were taking too long to write up paperwork. In the beginning we also got two 15-minute breaks a day, and then they took one of them away.

    So they started having a huge problem with shrinkage out of the stock room. The more they clamped down, the more stock just disappeared. They "doubled the guard" and rotated out the old one and still the shrinkage continued.

    What they weren't guarding was the trash compactor. They'd pissed off employees so badly that some would go and grab a $500 stereo (our full-time take-home pay was $77/week), toss it into the trash compactor and hit CRUSH. A shitload of merchandise went into that thing...

    Oh, and for the record, the company was Almart, they went out of business in the 80s, I never did anything like that (didn't have the balls). I eventually got fired, but not for that. I got fired for trying to get the UFCW union to represent the employees and the stupid idiots voted it down. Just as well though, since the store went "tits up" three years later. If the union got in there, they'd be blaming the union for them going out of business...

  35. I was waiting for this argument ! by gosand · · Score: 5, Insightful
    I had a post all composed, but decided against sending it. I re-read it, and thought "surely people won't jump on the 'employers suck' bandwagon, and if they do, surely it won't get modded up." *sigh* This is slashdot.

    I originally thought the same thing - the employers are making the crappy workplace. That may or may not be the case. Over the last 8 years, I have seen so many slackers, dead-wood employees that have been kept on for no good reason. I started to wonder why. Then I heard about the pending lawsuits from former employees. Nowadays, you can't even fire someone without getting sued. It is stupid. People get stuck in a hole, and the company doesn't want to give them anything worth doing. Since they can't fire them for being un-driven losers, they give them crap jobs. Instead of working harder to actually reverse the situation, the employee just gets more bitter and lazy. I have seen people steal many many things from a company, because they feel the company "owes them". In one case, a guy claimed 20 hours of OT every week for about 8 months. His manager signed off on it because he was too spineless to challenge him. I know he didn't work it, because *I* was working it and he was nowhere to be found. In true corporate fashion, when it was discovered (by me), nothing was done. Nobody wanted to confront the situation. The guy eventually got PROMOTED! I figure he made out with about $30k.

    I guess my argument is that no matter what your environment is like, people are going to try to screw the company. Granted, the worse the environment, the more it probably happens, but there are always going to be those disgruntled nut-jobs who feel the world owes them something. And I have seen companies do pretty crappy things too, like during the company meeting, announcing layoffs and those who weren't at the meeting were being escorted out of the building by police. This was to "preserve their dignity". Uh-huh.

    Believe me, I know what it is like to be unhappy at a job. But you know what I did? I left. Employers have to cover their asses even more nowadays, when someone with the knowledge could easily F up their network, steal code/secrets, etc. Saying "don't piss off your employees" is no solution. Of course companies should have a good work environment, that is a no-brainer. But there will always be someone who wants more. You let people wear jeans, someone wants to wear shorts. Let them wear shorts, someone walks in with their bag hanging out. Let them wear sandals, someone walks around barefoot. No matter where I have worked, there has always been someone who was unhappy.

    --

    My beliefs do not require that you agree with them.

  36. Re:Yeah right... by DrSkwid · · Score: 3, Funny

    no,

    I use a lead bag, the sort for protecting film through X-ray machines

    never failed me yet. I used to stand behind the plain clothes store detective in HMV while I put the CDs in it. Not for any reason other than it makes a better story :)

    I got nicked pushing a trolley through the doors @ ASDA (now Wal-Mart) with over £170 of, er, groceries in it, my bravado having taken over my reasoning. Can't complain though, I'd had over £200 of groceries out of the same store that week. My best haul was going up to the security guard in the door with a full trolley and asking him where the cardboard boxes were so I could use them to put the groceries in:
    sg :"Oh, sorry Sir we don't have those"
    me :"Oh bugger, now I'll have to unpack all this stuff and put it in bags"
    sg : "That's ok Sir, I'll get someone to do it for you"

    And I stood there watching the ASDA employees putting my unpaid for shopping into bags for me so I could carry it to the car!

    happy days

    --
    There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
  37. Scanning Tools are like hammer drills... by Nonesuch · · Score: 3, Insightful
    Do you hand out hammer drills to random employees and let them have at the internal walls looking for weak spots?

    Just how exactly does it improve the security of your systems to punish employees for exposing flaws? This guarantees that the only people scanning for vulnerabilities are outsiders and insiders with evil intent.

    The only employee who should be 'scanning for vulnerabilities' here is me. Anybody we catch scanning without express written permission (generally from the CTO) is assumed to have 'evil intent'.

    You can't just go off on your personal quest for vulnerable systems randomly on your employer's network, unless you actually want to end up like Randal Schwartz

    Give scanning tools to employees and offer to pay them a bonus for reporting problems!
    Speaking of 'wrongheaded thinking'. Consider the risks of encouraging random scans by non-security employees:

    There are numerous reasons not to encourage random employees to scan your network.

    1. Some badly-written scanners will DoS even well-written OSes and applications.
    2. Some legacy systems still running in corporate networks react badly to being scanned. This isn't good, but it is a reality.
    3. Who needs 1,000 identical 'Tool X' scan reports of the same network?
    4. Scanning generates extra network traffic and 'hits' on IDS systems. See previous item.
    5. Allowing random 'good' employees to run scans will make it harder to detect the 'evil' employees.
    6. How do you detect when a worm (Nimda?) or a trojan included in some shareware package starts scanning your network without the user's knowledge?
    7. What happens when 'Tool X' is distributed with a trojan, or simply hacked to silently CC the report summary to scanreport2002@hotmail.com?
    8. When 'Joe minimum wage' finds an easily exploited hole in the payroll server, you expect him to report it before trying it out for himself?
    9. Scanning random remote IP ranges can 'bring up' backup ISDN and other toll circuits, incurring a real expense.
    10. Do you encourage your average employee to check for unlocked doors and cabinets outside of their own work area, or do you have dedicated security personnel?
      ...
    I agree that somebody should be scanning the internal network, just as somebody should be checking for unlocked doors. But that somebody should not be just any random employee who takes it upon themselves to test security.
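    Items 4, 5 and 6 in the comment above amount to a detection question: scans show up as unusual connection fan-out in flow or IDS logs, and every source you exempt as an "authorised scanner" is a source you stop watching. The following is an added illustration, not code from the thread or from any poster. It assumes a hypothetical one-line-per-connection flow log ("timestamp src -> dst:port ACTION"); the log lines are constructed inline, and the thresholds and window are arbitrary starting points, not recommendations.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical flow-log format: "<ISO timestamp> <src> -> <dst>:<port> ALLOW|DENY"
LINE_RE = re.compile(
    r"^(\S+) (\d+\.\d+\.\d+\.\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+) (ALLOW|DENY)$"
)


def parse_line(line):
    """Parse one flow-log line; return None for anything that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, action = m.groups()
    return (datetime.fromisoformat(ts), src, dst, int(port), action)


def detect_scanners(lines, window=timedelta(seconds=60),
                    host_threshold=20, port_threshold=20,
                    authorized=frozenset()):
    """Flag sources whose fan-out inside a sliding time window looks like a scan.

    A horizontal scan is many distinct destination hosts from one source; a
    vertical scan is many distinct ports on one destination host. Sources in
    `authorized` are skipped entirely: that is the blind spot the comment
    describes, because a compromised or trojaned authorised scanner is invisible.
    """
    events = sorted(e for e in map(parse_line, lines) if e is not None)
    recent = defaultdict(deque)   # src -> recent (ts, dst, port) within window
    flagged = {}
    for ts, src, dst, port, _action in events:
        if src in authorized or src in flagged:
            continue
        q = recent[src]
        q.append((ts, dst, port))
        while q and ts - q[0][0] > window:
            q.popleft()
        hosts = defaultdict(set)
        for _, d, p in q:
            hosts[d].add(p)
        if len(hosts) >= host_threshold:
            flagged[src] = f"horizontal scan: {len(hosts)} hosts in {window.seconds}s"
        else:
            widest = max(len(ps) for ps in hosts.values())
            if widest >= port_threshold:
                flagged[src] = f"vertical scan: {widest} ports on one host in {window.seconds}s"
    return flagged


def build_sample_log():
    """Constructed sample data (not real traffic): one worm-like host sweeping
    port 445, one authorised scanner walking ports on a server, one ordinary user."""
    t0 = datetime(2002, 11, 13, 9, 0, 0)
    lines = []
    # Ordinary user: a couple of connections every 100 seconds.
    for i in range(6):
        lines.append(f"{(t0 + timedelta(seconds=100 * i)).isoformat()} 10.0.5.40 -> 10.0.9.10:80 ALLOW")
        lines.append(f"{(t0 + timedelta(seconds=100 * i + 7)).isoformat()} 10.0.5.40 -> 10.0.9.11:445 ALLOW")
    # Worm-like behaviour: 30 different hosts on port 445 in 30 seconds.
    for i in range(30):
        lines.append(f"{(t0 + timedelta(seconds=200 + i)).isoformat()} 10.0.5.23 -> 10.0.9.{100 + i}:445 DENY")
    # Authorised scanner: 40 ports on one server in 40 seconds.
    for i in range(40):
        lines.append(f"{(t0 + timedelta(seconds=300 + i)).isoformat()} 10.0.1.5 -> 10.0.9.10:{20 + i} ALLOW")
    return lines


def run_example():
    """Return (flags with nobody exempt, flags with the scanner host exempt)."""
    lines = build_sample_log()
    strict = detect_scanners(lines)
    lenient = detect_scanners(lines, authorized=frozenset({"10.0.1.5"}))
    return strict, lenient


if __name__ == "__main__":
    strict, lenient = run_example()
    print("no exemptions:      ", strict)
    print("scanner host exempt:", lenient)
```

    With no exemptions both the sweeping workstation and the scanner host are flagged; exempt the scanner host and only the workstation remains, which is the trade-off the list is making: the more hosts you permit to scan, the more of your own network's scan traffic you have to ignore.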
  38. The latest issue... by CaptainPhong · · Score: 3, Funny

    In the latest issue of Duh! magazine:
    Health: Cigarettes cause cancer!
    Politics: Research shows politicians like money.
    Business: Profit helps businesses grow.
    Computer security: Your employees' root access is a security threat!

    --
    ... "Give me a woman who loves beer and I will conquer the w
  39. Re:Yeah right... by DrSkwid · · Score: 3, Insightful

    they just put into their prices

    Go read up on "the elasticity of demand" and then study the Common Agricultural Policy and how governments destroy food to keep the prices up to protect the economy.

    I would never threaten or attack any member of staff, they are just people but I'll abuse their trust and enjoy the intellectual arms races in removing stuff from stores. Heck, it's not even that I can't afford it. Stealing is fun.

    --
    There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter