The Enemy Within the Firewall
Mel Tom writes to tell us The Age is reporting that many businesses are now considering employees a much bigger threat to security than most external threats. From the article: "With email and instant messaging proving increasingly popular and devices such as laptop computers, mobile phones and USB storage devices more commonplace in the office, the opportunities for workplace crime are growing."
If companies treat their employees like criminals, they are likely to get what they expect.
Man, you really need that seminar!
Isn't this covered in Security 101 -- most instances of stealing information, destroying data, etc. occur from the inside (or ex-employees).
This has been why email attachments are regularly stripped and IM is forbidden here. Still, we get stuff because people bring it in on CDs, infected PDAs in the dock, etc.
A feeling of having made the same mistake before: Deja Foobar
It's not just malicious activity that worries me, either. Employees are running around with laptops, telephones, and USB flash drives without any sense that these are security risks.
Employees are the biggest threat to any company. Especially if the CEO is shoveling the loot out the backdoor.
to get rid of all the employees.
Seriously, how can anyone get any work done with all these security risks running around?
The disgruntled employee has always been the biggest security threat to any company. The only new thing today is how much easier it is to disrupt security and how often security is breached accidentally. I still see idiots send out passwords in plain text e-mails all the time. Educating employees is just as important as not disenfranchising them and properly securing networks.
Gee someone ought to come up with a name for this... let's see, we can call it "Social Engineering". Hopefully no bad guys will read about this and start using it now....
I am shrugging at this, because it seems fairly obvious to me. After all, haven't all the e-mail worms of the past decade gone through corporate firewalls because some guy in the office just opened an e-mail he thought had some interesting photos in it? Or some guy happens to leave his blackberry with hundreds of sensitive emails on it on a subway train or in Starbucks?
That's precisely how Sasser hit us at work a couple years ago. All it took was one laptop to infect the whole network. Thank heavens we still had some NT 4 boxes and UNIX workstations, which were completely immune, so people could still get work done. None of the XP machines ever stood a chance at knowing what hit 'em. Even to this day, we now have a Sasser-detecting script on all machines, but realistically, that's only a patch to a potentially bigger problem.
IM forbidden? Tunnel it through SSH on port 443. Works every time and the company can't spy on what you're IMing.
I work for a consulting firm that provides all types of HR services. We get data on client personnel that includes EVERYTHING: SSNs, addresses, spouse info, dates of birth, EVERYTHING
The article mentions scarce spending on addressing internal security threats: I'm looking around my office, and there is just nothing you can do! Even if you completely lock down desktops (the latest image was set up to disable all HW and SW installs, and I personally had an admin pw within days!), there is still email. And loaner laptops.
I hear that this type of complete personal information fetches $10 per record amongst certain unscrupulous Brooklyn programmers.
Come think of it... where DID I put all my floppies?
Contemplate the marvel that is existence, and rejoice that you are able to do so.
Perhaps they're the ones who shouldn't be allowed ipaqs and laptops.
Employees often suck. In retail, they rip you off more than your "customers". (I can't call a shoplifter a customer.)
Kevin Mitnick was able to get employees to give him tons of "sensitive" information just by asking for it. They take their laptops home and surf porn and get 0wn3d and bring the trojans and malware inside the firewall. Hell, they can even VPN the crud in from home or Starbucks too.
I suggest 1) firing all employees you can 2) treating the remaining ones to a paycut 3) installing spy mechanisms inside of their office, computer, and bathrooms to "keep them honest", and letting go of the ones that don't make the cut.
We don't need no stinking happy employee. We need one that does what they are told, and is already happy to do what they are told. That's it.
I stole a firewall. For some reason it is making me lol.
If you're a company that respects its employees, rewards them appropriately and values them, do you think internal threats are going to be such a large issue compared to the faceless megaopolies that most American companies have mutated into?
- Just my $0.02, take with a grain of salt, your mileage may vary.
"opportunities for workplace crime are growing"
This may be more because of incompetent netadmins than vile employees. Maybe more so because of lax security. Tighten up the computers, the type of traffic that can travel, the ports, the installed apps, passwords etc. and an employee on a mission can't break in except into her own account. Security in a workplace LAN is more than just putting up an MS Windows 2000 Server firewall; it's segregated security groupings per department and employee.
Security is good. Give it a shot.
"Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
I'd venture to say that most Windows users have stolen software from work where they were given access to the right disks/installers. That's not their copy of Photoshop or Visual Studio at home - it's pirated from work. Funny thing, though... I don't see this kind of behavior from many F/OSS users.
So yes, I'd say that employee theft is very real among the IT crowd and the article is totally right.
Sadly, many of these guys use sad excuses (well, I was going to use it for work anyway; so that makes it OK for me to violate the license terms) - and don't even admit that they're criminals.
While businesses should take reasonable precautions to secure their networks, data and physical assets, I've found that the employer/employee relationship is beginning to evolve into one of suspicion and severe distrust that is fostering resentment, anger and inhibiting productivity. No one wants to work anywhere they are treated as being one step removed from a hardened criminal from the moment they walk in the door on their first day. There is a fine line between taking sensible precautions to prevent opportunistic breaches of security, and indulging in paranoia and broadcasting an implicit belief through actions and words that everyone there is just waiting for the right moment to take the entire company for all they're worth.
Employees are no longer being thought of as possible risks, but confirmed dangers that must be actively confronted every step of the way. Proactive security measures enacted in a passive way that does not interfere with day to day work in an unreasonable fashion, or impact the work environment in a disproportionate manner are giving way to managers that are far more focused on what their employees are deliberately doing wrong, than on the actual work at hand.
By creating this atmosphere of hostility and distrust which cannot be overcome by proving oneself through hard work and carrying out duties in a thoughtful, honest way, managers are encouraging high-turnover, poor communication between workers, poor attitudes towards work and customers, and an atmosphere of little or no respect for the organization which anyone can tell you is the first step towards encouraging workplace crime.
I like how they lump everyone into one big category. Unless you've been living in a cave for the past 5 years, it should be obvious who the biggest crooks are. Hint, they all have 3-letter acronyms for titles.
I'd fire myself but I heard that firing yourself can make you go blind.
1f u c4n r34d th1s u r34lly n33d t0 g37 l41d
Careful screening during hiring, sufficient training and re-training during employment, as well as attentiveness are the keys to mitigating these problems. Restricting e-mail, firewalls, etc., are simply putting fingers in the dike.
If you're in a situation where you really have to worry that much about your own people, doesn't that just show that management has failed to provide a good working environment and create loyalty?
The only effect of security is going to be that the few loyal employees you have get pissed and turn against you too. And for anyone who has done only a little bit of hacking, we all know useful security is way too expensive... You'd need to audit virtually everything that's going on on a server and there are only a few government agencies that can afford that much money.
So why not do something more useful with the money? Free coke for employees on Tuesdays. Or fix that darn pothole at the entrance of the parking lot. Put a few plants up in the office... That is all money better spent than on some lackluster, process-bound security measures...
Peter.
I work in the biotech biz. We've been warned about Chinese "students" snarfing our secrets. Thought it was a lot of tinfoil hat paranoia until we saw logs of HUGE attachments going to Asian hotmail addresses. Guess what some of those attachments were? Research data going straight back to China.
Needless to say, his worker agreements were terminated and the person shipped back.
Is this story just belated hype for the movie Firewall starring Harrison Ford?
Sure, it's not well timed if that's what it's supposed to be. But it has the same elements as the movie. Employee threatened to help criminals breach his company's security. The headline even contains the name of the movie. Maybe it was submitted weeks ago, but was kept in the slush pile until needed as filler now.
At least if it was hype it would be better than if a tech writer had to pull his story ideas from Hollywood. Or at least more understandable.
-- 3 events that reshaped the world in the 20th century: WW1, WW2, and WWW
If you can't trust employees, who is securing the network for you? As a network admin I have full access to a company's full network within a week of starting a new job, otherwise I am unable to do my job.
There will always be a level of trust needed between employers and employees since even if the president of a company can set up the security for a company they would still have to trust someone to enforce it, and that person would have the ability to abuse.
I just wrote about this topic, and it's something that has been ignored for far too long. http://fak3r.com/articles/2006/02/06/rating-the-risks The idea that people can come and go with USB drives on their keychain, a 60GIG drive in their iPod and unfettered Internet access is just an unlocked door. I'm all for privacy and freedom of speech, but a company HAS to be able to control its DATA. IMO this is not happening anywhere in corp America.
fak3r.com
I've got a patent on that.
Muuuhahahaaha!
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
...for tools like this one. Banks and other regulated industries are all over it.
As a SysAdmin I'm much less worried about the activities of a person I can just walk over to and beat the living crap out of. And since all the employees know that if they do something wrong on my network I will come over and beat the living crap out of them it's not really a problem at my company.
See the contradiction? Why should an employee care about something they don't own?
Given that the majority of companies wouldn't hesitate to act against the employees' interest if there is any suggestion of compromising the company's interest, why should an employee protect a typical company's interest apart from doing the bare minimum required to preserve their own job?
Companies are just reaping the "benefits" of years of treating employees as "production units".
Yes I'm posting as an AC because I don't want any potential employers to know that I don't really care about their company apart from the fact it pays me money.
(I'm not advocating slacking off in life or being bitter and twisted. Just make sure the things you dedicate yourself to are either THINGS YOU OWN or a charitable cause that you think is worthy. Working for someone else's profit is what you do to make money so you can do what really matters. Don't dedicate your life to making profit for someone else.)
And Floppy disks weren't a security threat?
Seriously, except for images, it's not difficult to fit a *ton* of data on a floppy disk. Just export to an ASCII-based file format, then zip it up.
Some other formats compress pretty well. Access databases, for example.
Breakfast served all day!
You need to do a few things to handle employees and security:
1. Do a thorough background check. This includes employment and criminal. You don't want to hire someone who did time for stealing from an employer.
2. Only allow them access to information they need for their jobs. I've had jobs where I could have walked out with all the personal info on past and current employees, and I had no need to access that information.
3. Run a good hardware and software anti-virus and firewall system. This means not letting every employee and their cousin have admin access to their machines.
4. Try to run a work place where people are happy to be there. I had an employer that I seriously thought about turning in for software piracy because of the way he treated everyone in the office. Instead, I found a new job and left him with no technical people (it was a computer parts reseller).
How many managers think of themselves as a security threat?
When approached for comment, Mr. Warwar replied, "Claudia can think it's terrorists and criminals all she wants. I know it's that pervert Jason in accounting!"
I'm not tense. I'm just terribly, terribly, alert.
http://www.fortinet.com/ Ever since implementing Fortigate Router bundles in all of my offices, which include AV, Antispam, IPS and Content Filtering services, user-induced havoc is much less of a concern for us. I've been called a Nazi a few times since turning on certain webfiltering but I usually laugh and tell my users to take it up with the boss to have their favorite gambling/file storage/message board/etc unblocked and the subject is immediately dropped. lol. Price vs performance I personally don't think these appliances can be beaten. Good news is they're about to go IPO as well.
"To err is human, to mod Funny divine."
Simple solution: There are two networks: an internal and an external. The internal one contains all company-related data and cannot connect to any other network, and external devices (e.g. flash drives) cannot be connected without authorization. The external one contains all non-company-related data and can connect to the Internet freely. External devices can be connected. Neither network is connected, and data cannot be transferred from one to the other. You say you want to work from home? Tough luck. Too much of a security risk.
Insiders can be real threats, the BIGGEST threats. An insider can steal much more than a hacker ever can. And many insiders think they can get away with it. Just look at the porn-billing iBill incident made public last week.
The best policy is to log everything that happens in an enterprise, to a level required to reconstruct past bad behavior. You can't keep your insiders away from information they need to do their jobs. Trust, but also verify! There are products out there like Sensage (http://www.sensage.com/) that can collect, centralize, and make available years of log data for an IT organization. While this might not prevent the theft in the first place, a company can crack down on and prosecute current/former misbehaving insiders. Sensage will do very well, as will many other companies in this space (including recent Slashdot heavy banner-advertiser Splunk (http://www.splunk.com/)).
I look forward to seeing how well these products do. It's time one of them went public so we can gauge interest.
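The two posts above describe the same defensive pattern: keep mail-gateway logs, then look for large attachments leaving for external webmail addresses and roll the totals up per sender so the past can be reconstructed. The following is an added example (not code from either poster, Sensage or Splunk); the log format, the webmail domain list and the 10 MiB threshold are all assumptions, and the log lines are constructed.

```python
"""Flag large outbound attachments to webmail domains in mail-gateway logs
and total outbound bytes per sender so an investigator can reconstruct
who sent how much, and where. Log format is an assumption for this example."""
from collections import defaultdict
import re

# Constructed sample log lines: timestamp, sender, recipient, attachment, size.
SAMPLE_LOG = """\
2006-02-07T09:12:03Z from=alice@example.com to=bob@example.com attach=agenda.doc size=24576
2006-02-07T11:40:19Z from=carol@example.com to=carol.home@hotmail.com attach=assay_results.xls size=47185920
2006-02-07T11:42:51Z from=carol@example.com to=carol.home@hotmail.com attach=plasmid_maps.zip size=62914560
2006-02-07T13:05:00Z from=dave@example.com to=partner@acme-partner.com attach=contract.pdf size=1048576
2006-02-07T16:20:44Z from=carol@example.com to=bob@example.com attach=notes.txt size=2048
"""

INTERNAL_DOMAIN = "example.com"                      # assumed company domain
WEBMAIL_DOMAINS = {"hotmail.com", "yahoo.com", "gmail.com"}  # assumed watch list
LARGE_BYTES = 10 * 1024 * 1024                       # assumed 10 MiB threshold

LINE_RE = re.compile(
    r"^(?P<ts>\S+) from=(?P<from>\S+) to=(?P<to>\S+) "
    r"attach=(?P<attach>\S+) size=(?P<size>\d+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["size"] = int(rec["size"])
    return rec


def recipient_domain(rec):
    return rec["to"].rsplit("@", 1)[-1].lower()


def is_suspicious(rec):
    """Large attachment going to a personal webmail domain."""
    return recipient_domain(rec) in WEBMAIL_DOMAINS and rec["size"] >= LARGE_BYTES


def find_suspicious(log_text):
    """All records in the log that trip the webmail-plus-size rule."""
    return [r for r in map(parse_line, log_text.splitlines()) if r and is_suspicious(r)]


def bytes_per_sender(log_text, external_only=True):
    """Total attachment bytes per sender; by default only mail leaving the company."""
    totals = defaultdict(int)
    for rec in map(parse_line, log_text.splitlines()):
        if rec is None:
            continue
        if external_only and recipient_domain(rec) == INTERNAL_DOMAIN:
            continue
        totals[rec["from"]] += rec["size"]
    return dict(totals)


if __name__ == "__main__":
    for rec in find_suspicious(SAMPLE_LOG):
        print(f"{rec['ts']} {rec['from']} -> {rec['to']} {rec['attach']} ({rec['size']} bytes)")
    for sender, total in sorted(bytes_per_sender(SAMPLE_LOG).items()):
        print(f"{sender}: {total} bytes sent outside {INTERNAL_DOMAIN}")
```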
I've been on the wrong side of this issue. I found a couple of security holes. Reported them. Was asked to quit (4 weeks after a promotion).
The holes?
1. Well known 'tech support' password, and
2. An unsecure website on the intranet used to do employee evaluations.
Management's Q: How did you find this?
A1. I'm in IT and I log in to several servers every day. When I don't have an account, I try the tech-support pwd.
A2. I don't use IE. So, the holes are as far away as right-clicking
Management: So, you hacked our network servers and our employee evaluation system!
Me: No!?!? (WTF) That's not what 'hacking' means... and, I reported it to 'cyber-security'
Management: (He's a liability -- and I don't understand anything about 'view source', 'remote logins', etc. Cyber Security has no record of his complaint...) "We hold our IT staff to a higher standard...." SEE YA!
I'm one paranoid SOB, now. I don't want passwords, or access rights, and I'm thankful when I don't have to log in to any other machines. In hindsight, that job sucked. So, this was a good thing. My new job is much better.
"People are becoming the weakest link. A fluid work force with diminished loyalty to organisations is being exacerbated by the fact that people do not always realise the value of information that they deal with,"
The "fluid workforce" and its disloyalty is the fault of the organizations themselves. When employees are viewed as interchangeable commodities, and swapped out willy-nilly for an overseas "body" that is a few thousand cheaper, there just isn't going to be any loyalty to the organisation. When a company shows no loyalty to you, there is less and less reason to be "loyal" to it, especially when, for a while there, the only way to get a raise was to change jobs.
So yes, people are the weakest link to security. This is nothing new - ask Mitnick about social engineering.
The fact that senior management is still a bit sparse on ethics (cf. Global Crossing, WorldCom, Enron) also doesn't inspire ethical and/or careful behavior with company data by the rank and file.
How to reverse the trend? I don't know if it's even possible. Even high profile prosecutions don't seem to slow it down.
use Sig::Witty;
...cannot work without trusted employee.
Same as Trusted Computing: you either trust your employee and allow the highest degree of freedom, or, like DRM, don't trust your employee and ban them from everything possible.
I'm beginning to realize how brilliant that outsourcing is!
"Ah, yes... nothing like creating an atmosphere of fear to motivate your employees and maintain productivity."
Obviously your parents don't believe in corporal punishment.
With all the wholesale raping of employee pension funds and wholesale dumping of jobs, it's only normal that any employee will cover his ass by making sure he can inflict maximum damage to a company when it will screw him.
The goal is to always have more dirt on your employer than they have on you.
Screw hacking the server. Spend a few months running the license paperwork through the shredder, and then call the BSA. If you do it right, you may even be in line for a reward.
Seriously folks, if you want to treat your employees like criminals, hire people who are already institutionalized. At least you can find out what their predilection is.
Quis custodiet ipsos custodes -- Juvenal
Sounds like a plan, hell Diebold has been following that method for years and they seem to be doing quite well for it.
"Don't mess with him, he taunts the happy fun ball."
Meanwhile, you are reading and posting to /. from work.
You may not be a Nazi, but you are a hypocrite.
Of course, we are still using Windows, IIS, IE, and Outlook on all our systems. I guess Gmail is more of a security threat than any Microsoft products...
"Trying is only the first step towards failure." - Homer
I often spend up to two weeks at a time on the road, doing customer-critical work that has to coordinate with work and people back in the office. If I can't access company email, and resources on our internal network via VPN, I'm screwed, and so are our customers.
IST recognizes this, and works with us to get us the resources and knowledge to minimize the risks.
Even more, they realize that when we are on the road with our only computer being our work computer, we ARE going to be doing personal work on that computer, accessing personal email, entertainment web sites, and so on. We have to; it is either that, carry a second computer, or have absolutely no personal life on our own time. Forbidding personal use while traveling would cause a riot (well, more realistically, a flood of outgoing resumes). Again, they recognize this, give us the resources (a good firewall, virus and adware scanners, an encrypted partition for sensitive data, and so on), some education, and some policies that DO allow reasonable personal use, to help us keep our computers and the network safe.
It's just common sense on their part; they know that if they forbid it, it is going to happen anyway, but without their involvement and therefore with greater risk.
Honestly, I've *seen* what's in a lot of corporate databases and it's not all that interesting or special. Sure there's some SSNs in there and maybe some spreadsheets that shouldn't get out but it's not like every single file on every single machine contains critical proprietary data.
Obviously, managers should evaluate what the mission critical data is and take steps to keep it off of laptops and the corporate network but frankly I think they're too lazy--they'd rather blame rank and file employees and place restrictions on everyone and everything than sit and think for a second about what subset of their data is actually *harmful*.
for companies that think of employees as liabilities...treating employees like family is a better approach...My mother, for example, has a computer with very strict security policies that she can't change.
How exactly is that different, other than in tone?
[ insert meme here ]
"With email and instant messaging proving increasingly popular and devices such as laptop computers, mobile phones and USB storage devices more commonplace in the office, the opportunities for workplace crime are growing."
Oh please. I suppose that's true but in my shop we are far more afraid of workplace stupidity than crime.
Users will do things like copy files from a home computer onto their work computer never thinking about the possible implications. There are also more cases where a user will connect a wireless switch to their RJ45 jack so that they can move their laptop anywhere they want and still be on the network. Do they think about encrypting the connection? No. That's the kind of stuff we worry about more than crime.
The race isn't always to the swift... but that's the way to bet!
Has anyone else heard the term "social engineering"? Wasn't that first applied to the idiot employees that gave out passwords over the phone? Surely, 98% of all employees are honest, for the most part, and realize that damaging the employer's systems can come back to kick them in the ass. But there's always a few that think they can get away with something. I've seen it happen - the treasurer who embezzles, the office clerk that keeps cash and deposits only checks. Eventually they get caught. Employees - can't live with 'em, can't live without 'em.
== First cross river, then insult alligator.
I wonder how many companies have introduced spyware internally to 'combat internal threats'?
It isn't a new idea that threats come from inside the network, and lots of remote desktop, keylogging and similar spyware has advertised itself for the 'legitimate' use of monitoring employees or children to 'prevent threats to security'. Even Back-Orifice used to claim it was a sysadmin's best tool..
I have heard lots of people in different jobs saying they have to be careful of getting caught surfing or emailing 'at the wrong time', but how many offices actually use potentially malicious spyware as a 'security measure'? If so, how does it work with the network anti-virus? Honestly, I would love to know, even from anonymous posters - has anyone reading this officially spied on their colleagues?
I noticed that we had a lot of nationals working here, but no such security policy towards dealing with IT espionage.
We have a 'No Fraternizing' policy, which made me laugh a bit, but no IT Espionage Policy.
So, even if we have spies working here (in the development dept.), there isn't much infrastructure in place to detect their illicit activities, much less protect our data from being stolen by developers who have access to it.
It's a bit of a serious issue imo, but the upper-mgnmnt doesn't seem to care enough to do anything about it, other than call me 'pro-actively paranoid'. =p
the only permanence in existence, is the impermanence of existence.
99 percent of the time, employees are not a threat because they're malicious...they're a threat because they're very, very stupid.
Too simple to be useful. How do you email another company a document you have been drafting? What if you want to copy and paste some (relatively unimportant, non-threatening) financial data into it?
Apart from anything else, people don't want to use separate computers at the same desk, and you still need some link between them, even if it meant using USB keys or something. That's why firewall engineers are employed to create layers of protection, so you get a similar effect to different networks, but with far more control over which channels stay open to 'the outside'.
Also, there is a workforce benefit to complex networks: If you take the attitude "You say you want to work from home? Tough luck" then you can kiss goodbye to those skilled,computer-literate professionals - they will be happy to be headhunted by someone who can offer them a bit of freedom..
Tis a symptom of the widespread problem corporations have with hiring many stupid people instead of a few smart people.
~= scwizard =~
Fortunately, my job does stimulate me (it's not perfect but it's more good than bad) & allows me to live comfortably within the law. I'm treated pretty well, fairly autonomous in what I do & I have no interest in screwing over my employer - I don't care what money I was offered for "trade secrets", I wouldn't do it; my integrity is far more important to me.
The point I'm trying to make is that in my experience, most people are like me rather than potential criminals - it's just a shame that anyone who works for an American company at the moment (like me) constantly has Sarbanes Oxley rammed down their throats & endless training about "work ethics" purely because a few corrupt CEOs in other companies have decided not to work ethically.
At the end of it all, it is *just* a job and most people are inventive enough to find other sources of legal income if they choose to resign and walk out the door. If I chose to walk out the door, my employer can take their laptop back & any backups of my data - I'm just not interested in keeping it.
Sure, there are internal security threats in any organisation but mostly it's due to employee stupidity rather than criminal activities - and in my view, no company spends enough on training employees to be less stupid; it's far easier to close down a few more ports on the firewall and put a few more banned sites in the web proxies than educate people about the dangers of webmail.
And I am *STILL TRULY AMAZED* at the number of Windows users around me who do NOT change that STUPID default setting of "Hide extensions of known file types" - the BIGGEST security threat of all... believe me, turn that setting off and tell people not to open .BAT, .EXE and Office documents from sources they do not 100% trust & your security problems will dramatically reduce overnight.
Gentoo Linux - another day, another USE flag.
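The "Hide extensions for known file types" complaint above is about a display rule: Explorer drops the final known extension, so a file really ending in .EXE can show a name ending in .jpg. This added example (not the poster's code) models that rendering and audits a list of filenames for names that only look harmless because of it; the extension sets are an assumed subset, and the sample filenames are constructed.

```python
"""Model how Explorer's hide-known-extensions setting renders a filename,
and flag names whose displayed form hides an executable extension."""
import os

# Assumed subsets: extensions Windows will run directly, and ones users read as safe.
EXECUTABLE_EXTS = {".exe", ".bat", ".cmd", ".com", ".scr", ".pif", ".vbs", ".js", ".hta"}
BENIGN_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".pdf", ".doc", ".xls", ".txt"}
KNOWN_EXTS = EXECUTABLE_EXTS | BENIGN_EXTS


def displayed_name(filename, hide_known=True):
    """Name as Explorer shows it: with the setting on, the last known extension is dropped."""
    stem, ext = os.path.splitext(filename)
    if hide_known and ext.lower() in KNOWN_EXTS:
        return stem
    return filename


def is_deceptive(filename):
    """True when the real extension is executable but the shown name ends in a benign one."""
    _, real_ext = os.path.splitext(filename)
    if real_ext.lower() not in EXECUTABLE_EXTS:
        return False
    _, shown_ext = os.path.splitext(displayed_name(filename, hide_known=True))
    return shown_ext.lower() in BENIGN_EXTS


def audit(filenames):
    """Return the subset of filenames that rely on the hidden extension to look harmless."""
    return [f for f in filenames if is_deceptive(f)]


# Constructed sample: a mix of ordinary files and double-extension names.
SAMPLE_FILES = ["holiday.jpg.exe", "report.pdf", "setup.exe", "invoice.doc.scr",
                "notes.txt", "archive.tar.exe", "resume.PDF.Exe"]

if __name__ == "__main__":
    for name in SAMPLE_FILES:
        print(f"{name:22} shown as {displayed_name(name):18} deceptive={is_deceptive(name)}")
```

Turning the setting off (hide_known=False) makes the displayed name equal the real name, which is exactly why the poster wants it off.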
And that's the crux of it. If you have discretionary access controls (or no meaningful access controls at all) then you're as trusting as the person who leaves a spare key under the doormat. Under a totally trusting environment, that actually works very well and can improve efficiency. Where trust is unrealistic or inappropriate, you need better defenses.
I believe it has passed the point where most businesses should be using B1-comparable systems for as much as possible, and should use secure networking where practical.
IPSec for all traffic would be good. All web traffic over SSL would be excellent, Kerberos is good. SSH is good. Telnet is bad. Rsh/Rlogin is evil. Both easy-to-guess and impossible to remember passwords are diabolical. Wireless without 802.1x security or better is satanic. Unpatched computers that "don't matter" (and so never supervised or monitored) are so far beyond the deepest pits of Hades that they should be burned at the stake and their transistors scattered to the four corners of the world.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
One of the most fundamental contributory factors to internal security problems in companies is the attitude of many IT departments and IT managers, who would basically like to run their business as a police state. As in "real life", security is always the ideal excuse to give IT managers more power and to downgrade the rights of system users.
Of course, draconian security policies are very rarely backed up by any commitment from IT staff to provide efficient services and smoothly functioning systems. I've seen long documents discussing IT policy that expounded at great length on IT security, but failed to make any mention at all of service quality or system performance.
The natural, logical, entirely human result of this is that users will rebel and take revenge by cheating on security policy. And why not? It is not as if the IT department is of much use to them, anyway, so it doesn't get any sympathy. But when you get to this point, none of your security policies is worth the paper they are carefully filed on, in triplicate. Basically, when you have lost goodwill, you have lost everything. No overload of carefully crafted security polices and security systems is going to help. The IT people will be the first ones to ignore them; they know how to get around the barriers.
Of course IT will react to this by declaring that the users are the problem. Not so. IT is a supporting department, not more. If the users are unhappy and unruly, then IT is the problem; it is a strong indication that the department is failing in its mission.
Rule One of an efficient IT policy is to understand the business you are supporting and its requirements, and to finely tune your policy to achieve the best compromise between security and functionality. When IT is experienced as a burden to users, instead of a support, you've lost the game. It can, and will, only go downhill from there.
Frankly, past a certain point IT policy itself becomes a serious threat to the competitiveness of a company. Most CEOs would balk at giving everyone a 10% raise, but inept IT policy can cost them considerably more than 10% of the time of their workforce. Few of them realize this, because they regard software as too technical to be understood.
I was written up recently for sending personal e-mail "all day, every day", which was actually 11 e-mails in 3 months. 9 of those e-mails were related to my work schedule. Even though the "electronic use policy" allows limited personal e-mails, that was obviously too many.
Of course my using the phone on my lunch break was also regarded as "excessive", and I was written up for my wife calling to tell me that the ceiling was wet and falling down in our apartment (they said I can only use the phone for Life or Death reasons now, my wife going into labor is not a valid reason either).
Anyplace that uses surveillance is expected to _use_ it, and have hard evidence for allegations. No "might have". Either they got the tape, or they don't.
In actual medieval cities there were city walls and then the inner castle.
In a good computer network there perhaps needs to be an outer firewall and an inner firewall.
Not even having `root` hurts only rarely, but then you get to blame those who _do_ have root.
Wow, you mean that Microsoft's three year effort has not made it easier rather than harder to get 0wned in big dumb company land? Are you telling me that all the effort expended to forbid music players and cell phones was just a waste of time? Do we get to pry the epoxy out of the USB ports now? How far do you have to go to apologize for M$'s massive failure to deliver PCs that have half lives longer than 12 minutes and networks that can be compromised by disgruntled employees?
The only thing that has not really changed is Microsoft's inadequate security model. You can blame the user all you want, that won't make it so. Industrial espionage and routine bot net activity is what you should be worried about and the fix is to rip Windows out and replace it with *nix.
Friends don't help friends install M$ junk.
Would your company be running a notoriously bad OS from Redmond?
Friends don't help friends install M$ junk.
Would the real AC please stand up ;)
There's no place like localhost
"I would rather have 1 good spy, than 10,000 good warriors."
And what is the difference between a spy and an employee?
Bo
All this may be true.
However, I'm pretty damn rigorous about using work Internet access for work. No personal email at work, no messaging client, no browsing news sites, nothing like that.
However, I still get incredibly pissed off when IT decides to try to regulate my behavior. Currently, the IT department where I work is the primary reason that I'd want to work somewhere else.
For example, they cut any TCP connections that run for longer than a certain amount of time. The justification was that some people were listening to Internet radio. This is really irritating when trying to download *all the CD images* for the current Fedora and having my connection constantly drop. They filter Web access (anything with "proxy" or "WINE" in the URL, for example) -- fun when I was writing a piece of software for Windows that needed to interoperate with proxies. They block outgoing SSH access. Frankly, it is absolutely not IT's bailiwick to be stomping on employees who are goofing off. They can go to the employee's boss, and provide him with that information, but IT should never be in a position of trying to regulate employee behavior. That's the responsibility of that employee's superior.
It pisses the living hell out of the rest of us, who are treated with no trust (even aside from the direct impact of, for example, not having access to my addressbook and other data on my home computer from work).
Frankly, every IT person who has managed to wedge themselves in the position of regulating employee behavior has become an obstacle to getting things done rather than an asset to the company. I'd like to see nothing more than those people fired, yesterday.
You don't want someone at work who doesn't get anything done, who is "sending amusing flash/avi/mpeg between themselves, forwarding jokes someone outside sent to their gmail account (and they've cut-n-pasted them into work mail), etc."? Great. Let their managers fire the little unproductive bastards. But IT needs to stop trying to make themselves "second managers". They suck at it, and they deserve the dislike that comes back at them when they try it.
Any program relying on (nontrivial) preemptive multithreading will be buggy.
The failure is that 90% of the world's computer users have not been moved yet. My wife and 4 year old daughter use Linux without problems. I also teach a newbies class, filled mostly with retirees. If they can use it, anyone can. If I can support them, Michael Dell can. There really is no excuse for selling a computer without a proper user-based security model, or a decent, multi-user, multi-screen GUI. The inconvenience, insecurity and poor performance of Windows is mind boggling.
Friends don't help friends install M$ junk.
Assuming you are running XP (and I imagine anything else relatively recent; ok, my Linux has devolved to ...), it just requires that you have a competent admin for your OS of choice, and someone who is willing to put some time into your workflow.
The main problem you are referring to is often called the "analogue hole." (At least that's what the last column I read about it called it.) It could be minimized by workflow customization, as well as workstation lockdown. (No USB storage devices, no floppies, no CD burning, NO IPOD (that was supposed to be a shout).)
Of course, this requires someone who is technically competent - as well as someone who can explain why the computers belong to the company. The big hole you have is prob. printing. (Hard to pitch employees to clients without hard copy somewhere.) Heck, just locking down computers tends to cause a backlash. (MINE!!!!!)
Of course, if you set up a Terminal Server / Citrix Server and LOCKED DOWN Thin Clients. (Can you say if 50-500 people are using the server it better damn well be well locked down.) And started taking time "Fixing" any non Thin Clients (Not the recommended configuration - how about a nice recommended "Quiet Office PC" we can get it in today...) You might get somewhere. Oh never mind, you don't have a good admin anyhow - you got WHAT access within three hours?
PEOPLE, *come on*... The opportunity has *always* been there, just the same with printers, FAX machines, photocopy machines, briefcases, and telephones. What the hell is all this crap about? Why are people so goddamn paranoid about new technology and oblivious to old? If it's gonna get out, it will, one way or another - PERIOD.
Treat employees as one of your own - build LOYALTY, and these things won't happen.
Treat employees as criminals, they will be DISLOYAL, they will be there only because you feed them paychecks, and this will happen no matter WHAT you do.
At all three companies where I've been an IT worker, there has been a common problem: managers who are generally good managers - good people skills, organizational skills, ability to look at the big picture - but who advertise their "technical ignorance" to anyone who will listen. They let the IT department and all other departments know that they will defer to the IT department on technical matters.
So, you end up with technical decisions that serve the people who deal with technology, as opposed to serving the users who are doing the main work of the company, or serving the company's goals as a whole.
I'm not sure what causes effective managers to decide to take a different approach to technical issues than they do with others, but I'm convinced that's the root cause of the sort of problem described by the poster.
I believe top management - and department managers, following their lead - should be pressing IT managers to break down technical issues to the point where they can make effective decisions. When the IT manager says "it will take 3 months to set up a new mail server" and the sales manager throws her hands in the air, their boss should sit down with the IT manager and make them explain what the factors are that will make it take that long. And if it's too technical and they don't understand, they should SAY so, and make the IT manager explain it again. Until they understand. Then, they should say things like "what would it take to do it in 1 month?" and by that time, they should be informed enough to reject bullshit answers like "we need another $75k employee."
"technical ignorance" is not an excuse, when you have people on staff who are capable of educating you. And IT workers who perpetuate the myth that it's "beyond a non-technical user's understanding" merely for their own convenience should be...fired.
If your management doesn't see things this way, there's probably not much you can do about the problem.
Pete Forsyth
HumanFirewall.org
The site is being updated, but google the concept. (AKA This is such old news)
Fear of employees, fear of Arabs owning the ports, fear of non-existent WMDs in Iraq, fear of porn, fear of violent video games, fear little Johnny will be kidnapped if he's out of eyesight for even a millisecond, fear, fear, fear, it's all the MSM and our "leaders" speak of these days. Ever since 9/11 the U.S. has become a nation ruled by fear and paranoia. Is anyone sick of it yet?
Whatever happened to rugged individualism, proud freedom, and respect for individual dignity without need for spying on employees, and fretting about "intellectual property" and "national security." How diminished we have become, how pathetic, how cowering.
Fight back damn it, join unions to protect your rights at work, protest, make yourself heard before the candle of freedom is extinguished entirely.
Tired of all the isms, don't exploit people as an employer, or a government, mmmmK?
"It's more likely that it's the end result of a permissive parenting. At least two generations have grown up without learning self control or learning that, there are limits ones actions - and you have to live with them even if you don't like them."
Hell yeah! Now if you'll excuse me. I have some RIAA/MPAA/Valve/O'reilly to download.
"many businesses are now considering employees a much bigger threat to security than most external threats"
And the Federal Government considers U.S. citizens more of a threat to security than most external threats.
You can see where this is heading. Smile for the camera, and, um, bend over.
Be heard || Be herd
System administrators tend to want to restrict users. For example, I'm behind a proxy at work. This happens to interfere with my job sometimes, so I work around it in ways that are worse than just opening up the proxy (like doing some of my work at home, where I am in control of the network).
Users tend to walk around obstacles in their path. A USB stick is only one of the many ways users can work around restrictions. The solution is to enable them to do their thing. If allowing them to do their work conflicts with security, the stupid solution is to prevent them from doing so. Instant messaging clients are a good example. Many corporations block this kind of software. Many employees work around this, for example by doing it from their home PC. Before you know it they're sending work-related files to colleagues over MSN from home over an unsecured dialup connection on a home PC loaded with spyware. That's actually much worse than selectively allowing IM-type communication over the corporate network. Corporate networks are full of these social-hack-enabling holes.
Jilles
Maybe the news is that companies are beginning to realize it? If so, they also need to understand that there is a big difference between knowing that the threat exists and treating all your employees like potential criminals.
Here you will find a very interesting read about the subject. (quote: "This new trend is viewing one's colleagues as literally the enemy. I feel a need to rail against it because I believe it to be not only immoral, but destructive to business")
...applies in this case, as it frequently does. Things that you don't actually need the privileges to do, you shouldn't have privileges for. You *needed* (I expect) access to the production database as part of your work. OTOH, by default I expect that most people in that organization did not actually need admin privileges on their desktops.
In general your IT department should have tried to figure out a way to empower you (give you privileges) to be able to defrag your hard disk, but part of the problem is the non-obvious ways that Windows expects privileges to be assigned. After many years of always having admin privileges for my regular work account on my company-provided laptop, I've been trying for the last several months to work with only "Power User" privileges and then use the "runas" command in a window to do things with admin privileges. It's inordinately painful.
In this case, your IT department's intentions were probably good, although the implementation leaves something to be desired...
What's this you say? Workers are as high a threat, if not a bigger one, than external sources? The horror!
Or, welcome to 2000 when this idea was already commonplace.
"On a scale from 1 to 10, people are stupid"