Slashdot Mirror
The Enemy Within the Firewall
Mel Tom writes to tell us The Age is reporting that many businesses are now considering employees a much bigger threat to security than most external threats. From the article: "With email and instant messaging proving increasingly popular and devices such as laptop computers, mobile phones and USB storage devices more commonplace in the office, the opportunities for workplace crime are growing."
If companies treat their employees like criminals, they are likely to get what they expect.
Man, you really need that seminar!
Isn't this covered in Security 101 -- most instances of stealing information, destroying data, etc. occurs from the inside (or ex-employees).
The disguntled employee has always been the biggest security threat to any company. The only new thing today is how much easier it is to disrupt security and how often security is breached accidentally. I still see idiots send out passwords in plain text e-mails all the time. Educating employees is just as important as not disenfranchising them and properly securing networks.
Developers: We can use your help.
I am shrugging at this, because it seems fairly obvious to me. After all, haven't all the e-mail worms of the past decade gone through corporate firewalls because some guy in the office just opened an e-mail he though had some interesting photos in it? Or some guy happens to leave his blackberry with hundreds of sensitive emails on it on a subway train or in Starbucks?
That's precisely how Sasser hit us at work a couple years ago. All it took was one laptop to infect the whole network. Thank heavens we still had some NT 4 boxes and UNIX workstations, which were completely immune, so people could still get work done. None of the XP machines ever stood a chance at knowing what hit 'em. Even to this day, we now have a Sasser-detecting script on all machines, but realistically, that's only a patch to a potentially bigger problem.
IM forbidden? Tunnel it through SSH on port 443. Works every time and the company can't spy on what you're IMing.
Developers: We can use your help.
While businesses should take reasonable precautions to secure their networks, data and physical assets, I've found that the employer/employee relationship is beginning to evolve into one of suspicion and severe distrust that is fostering resentment, anger and inhibiting productivity. No one wants to work anywhere they are treated as being one step removed from a hardened criminal from the moment they walk in the door on their first day. There is a fine line between taking sensible precautions to prevent opportunistic breaches of security, and indulging in paranoia and broadcasting an implicit belief through actions and words that everyone there is just waiting for the right moment to take the entire company for all they're worth.
Employees are no longer being thought of as possible risks, but confirmed dangers that must be actively confronted every step of the way. Proactive security measures enacted in a passive way that does not interfere with day to day work in an unreasonable fashion, or impact the work environment in a disproportionate manner are giving way to managers that are far more focused on what their employees are deliberately doing wrong, than on the actual work at hand.
By creating this atmosphere of hostility and distrust which cannot be overcome by proving oneself through hard work and carrying out duties in a thoughtful, honest way, managers are encouraging high-turnover, poor communication between workers, poor attitudes towards work and customers, and an atmosphere of little or no respect for the organization which anyone can tell you is the first step towards encouraging workplace crime.
I like how they lump everyone into one big category. Unless you've been living in a cave for the past 5 years, it should be obvious who the biggest crooks are. Hint, they all have 3-letter acronyms for titles.
Careful screening during hiring, sufficient training and re-training during employment, as well as attentiveness are the keys to mitigating these problems. Restricting e-mail, firewalls, etc., are simply putting fingers in the dike.
If you're in a situation where you really have to worry that much about your own people, doesn't that just show that management has failed to provide a good working environment and create loyalty?
The only effect of security is going to be that the few loyal employees you have get pissed and turn against you too. And for anyone who has done only a little bit of hacking, we all know useful security is way too expensive... You'd need to audit virtually everything that's going on on a server and there are only a few government agencies that can efford that much money.
So why not do something more useful with the money? Free coke for employees on tuesdays. Or fix that darn pothole at the entrance of the parking lot. Put a few plants up in the office... That is all money better spent than on some lack luster, process bound security measures...
Peter.
If an employee wants to screw up his employer, there are 1001 ways to do that-- with or without involving IT staff or systems.
There is nothing new here except that more and more companies are treating their employees as disposable temps that can be dropped simply to increase share price. It is not surprising that in today's enviroments employees are more likely to feel they need revenge.
Security lapses happen for a reason. Instead of attempting the sisphian task of "locking down" all systems, perhaps companies should address the root causes that incentivise their employees to behave badly.
The beatings will continue until morale improves!!!!
I've seen companies that have syadmins spend who their time monitoring employees and sacking the ones who use gmail from work, post to Slashdot, or other non-authorized activities under the guise efficiency and security. But it is really an excuse: it was cheaper to hire several semi-technical wannabes to monitor employee activities than to pay one good sysadmin to properly secure the network.
Most of the employees only have a computer on their desk to send email and use Microsoft Office. Those people don't need to be administrative users.
If you can't trust employees, who is securing the network for you? As a network admin I have full access to a company's full network within a week of starting a new job, otherwise I am unable to do my job.
There will always be a level of trust needed between employers and employees since even if the president of a company can set up the security for a company they would still have to trust someone to enforce it, and that person would have the ability to abuse.
See the contradiction? Why should an employee care about something they don't own?
Given that the majority of companies wouldn't hesistate to act against the employees interest if there is any suggestion of compromosing the companies's interest, why should an employee protect a typical company's interest apart from doing the bare minimum required to preserve their own job?
Companies are just repaing the "benefits" of years of treating employees as "production units".
Yes I'm posting as an AC because I don't want any potential employers to know that I don't really care about their company apart from the fact it pays me money.
(I'm not advocating slacking off in life or being bitter and twisted. Just make sure the things you dedicate yourself to are either THINGS YOU OWN or a charitable cause that you think is worthy. Working for someone else's profit is what you do to make money so you can do do what really matters. Don't dedicate your life to making profit for someone else.)
And Floppy disks weren't a security threat?
Seriously, except for images, it's not difficult to fit a *ton* of data on a floppy disk. Just export to an ASCII-based file format, then zip it up.
Some other formats compress pretty well. Access databases, for example.
tasks(723) drafts(105) languages(484) examples(29106)
You need to do a few things to handle employees and security: 1. Do a thorough background check. This includes employment and criminal. You don't want to hire someone who did time for stealing from an employer. 2. Only allow them access to information they need for their jobs. I've had jobs where I could have walked out with all the personal info on past and current employees, and I had no need to access that information. 3. Run a good hardware and software anti-virus and firewall system. This means not letting every employee and their cousin having admin access to their machines. 4. Try to run a work place where people are happy to be there. I had an employer that I seriously thought about turning in software piracy because of the way he treated everyone in the office. Instead, I found a new job and left him with no technical people (it was a computer parts reseller).
Insiders can be real threats, the BIGGEST threats. An insider can steal much more than a hacker ever can. And many insiders think they can get away with it. Just look at the porn-billing iBill incident made public last week.
The best policy is to log everything that happens in an enterprise, to a level required to reconstruct past bad behavior. You can't keep your insiders away from information they need to do their jobs. Trust, but also verify! There are products out there like Sensage (http://www.sensage.com/ ) that can collect, centralize, and make available years of log data for an IT organization. While this might not prevent the theft in the first place, a company can crack down on and prosecute current/former misbehaving insiders. Sensage will do very well, as will many other companies in this space (including recent Slashdot heavy banner-advertiser Splunk (http://www.splunk.com/ ) ).
I look forward to seeing how well these products do. It's time one of them went public so we can gauge interest.
I work in the biotech biz. We've been warned about Chinese "students" snafing our secrets. Thought it was a lot of tinfoil hat paranoia until we saw logs of HUGE attachments going to Asian hotmail addresses. Guess what some of those attachements were? Research data going straight back to China.
Needless to say, his worker agreements were terminated and the person shipped back.
How convenient... Since you shipped him back, he can explain to his Chinese counterparts the details that were not covered in the attachments.
Way to go!
The overlooked reality is: Most work never requires internet access. Email should be for work only.
Prior to the internet, instant messaging, skype, etc. there were actually jobs and people got things done. Now there's the internet and people seem to feel (and I certainly notice this attitude on slashdot) that it's some kind of right for anyone in the company to check the news, view personal email, surf the web, even post on blogs, all on work time. Remarkable. I certainly find it aggrevating when I'm at work and someone's personal cell phone is going off every half hour. Before cell phones people got things done, too, but now there's some human rights issue about how much crap people can do rather than work, just to keep them happy? Whoa. I'm sure during interviews prospective employees don't enquire on how much internet freedom they can expect, as that would likely raise a red flag. Spend some time thinking about why.
A feeling of having made the same mistake before: Deja Foobar
"With email and instant messaging proving increasingly popular and devices such as laptop computers, mobile phones and USB storage devices more commonplace in the office, the opportunities for workplace crime are growing."
Oh please. I suppose that's true but in my shop we are far more afraid of workplace stupidity than crime.
Users will do things like copy files from a home computer onto their work computer never thinking about the possible implications. There are also more cases where a user will connect a wireless switch to their RJ45 jack so that they can move their laptop anywhere they want and still be on the network. Do they think about encrypting the connection? No. That's the kind of stuff we worry about more than crime.
The race isn't always to the swift... but that's the way to bet!
Fortunately, my job does stimulate me (it's not perfect but it's more good than bad) & allows me to live comfortably within the law. I'm treated pretty well, fairly autonomous in what I do & I have no interest in screwing over my employer - I don't care what money I was offered for "trade secrets", I wouldn't do it; my integrity is far more important to me.
The point I'm trying to make is that in my experience, most people are like me rather than potential criminals - it's just a shame that anyone who works for an American company at the moment (like me) constantly has Sarbanes Oxley rammed down their throats & endless training about "work ethics" purely because a few corrupt CEOs in other companies have decided not to work ethically.
At the end of it all, it is *just* a job and most people are inventive enough to find other sources of legal income if they choose to resign and walk out the door. If I chose to walk out the door, my employer can take their laptop back & any backups of my data - I'm just not interested in keeping it/
Sure, there are internal security threats in any organisation but mostly it's due to employee stupidity rather than criminal activities - and in my view, no company spends enough on training employees to be less stupid; it's far easier to close down a few more ports on the firewall and put a few more banned sites in the web proxies than educate people about the dangers of webmail.
And I am *STILL TRULY AMAZED* at the number of Windows users around me who do NOT change that STUPID default setting of "Hide extensions of known file types" - the BIGGEST security threat of all... believe me, turn that setting off and tell people not to open .BAT, .EXE and Office documents from sources they do not 100% trust & your security problems will dramatically reduce overnight.
Gentoo Linux - another day, another USE flag.
And that's the crux of it. If you have discretionary access controls (or no meaningful access controls at all) then you're as trusting as the person who leaves a spare key under the doormat. Under a totally trusting environment, that actually works very well and can improve efficiency. Where trust is unrealistic or inappropriate, you need better defenses.
I believe it has passed the point where most businesses should be using B1-comparable systems for as much as possible, and should use secure networking where practical.
IPSec for all traffic would be good. All web traffic over SSL would be excellent, Kerberos is good. SSH is good. Telnet is bad. Rsh/Rlogin is evil. Both easy-to-guess and impossible to remember passwords are diabolical. Wireless without 802.1x security or better is satanic. Unpatched computers that "don't matter" (and so never supervised or monitored) are so far beyond the deepest pits of Hades that they should be burned at the stake and their transistors scattered to the four corners of the world.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
One of the most fundamental contributory factors to internal security problems in companies is the attitude of many IT departments and IT managers, who would basically like to run their business as a police state. As in "real life", security is always the ideal excuse to give IT managers more power and to downgrade the rights of system users.
Of course, draconic security policies are very rarely backed up by any commitment from IT staff to provide efficient services and smoothly functioning systems. I've seen long documents discussing IT policy that expounded at great length on IT security, but failed to make any mention at all of service quality or system performance.
The natural, logical, entirely human result of this is that users will rebel and take revenge by cheating on security policy. And why not? It is not as if the IT department is of much use to them, anyway, so it doesn't get any sympathy. But when you get to this point, none of your security policies is worth the paper they are carefully filed on, in triplicate. Basically, when you have lost goodwill, you have lost everything. No overload of carefully crafted security polices and security systems is going to help. The IT people will be the first ones to ignore them; they know how to get around the barriers.
Of course IT will react to this by declaring that the users are the problem. Not so. IT is a supporting department, not more. If the users are unhappy and unruly, then IT is the problem; it is a strong indication that the department is failing in its mission.
Rule One of an efficient IT policy is to understand the business your are supporting and its requirements, and to finely tune your policy to achieve the best compromise between security and functionality. When IT is experienced as a burden to users, instead of a support, you've lost the game. It can, and will, only go downhill from there.
Frankly, past a certain point IT policy itself becomes a serious threat to the competitiveness of a company. Most CEOs would balk at giving everyone a 10% raise, but inept IT policy can cost them considerably more than 10% of the time of their workforce. Few of them realize this, because they regard software as too technical to be understood.
While I do sympathise with the situation, and agree about logging and 'personal ownership' clauses, I find the family model awkward, but accurate.
I, and several of my colleagues (of varying degrees of computer competency) have at different points needed permission to install programs, set up laptops on the home network etc.. My gf was given a laptop by work, which we cannot use on our home network as the permissions are too strict and the proxies are pre-set, hidden and locked away. Should I hack it? Back up the HD image and replace it? Let her lug a crippled machine around and transfer things by USB when we have a wireless network? Make her work at her home PC when at home?
Problem is, she doesn't have the time (and they also take a dim view of her trying) to nag IT about every thing, little or big. It does, however, limit her performance, as she often finds quick internet access really helps her function. That said, she installed Kazaa on her home PC the moment I left her alone.. She is a typical professional idiot (I meant that in the nicest possible way, dear), and needs a lot of guidance, and someone on call to tend to her IT hiccups. At home, that's me, but they cant afford the workplace equivalent.
Can't be let loose, cant afford on-call support, dont want to constantly monitor - so the employee does not function effectively..
I would suggest that workers at all levels are treated (unless they prove otherwise, literally, through testing) as a DMZ; left to function (as you suggest), not monitored except in case of an overt issue, but not 'trusted' to be wise unless they can prove it. This would be more meritocratic, and less freindly than the typical family model often used, but would probably allow the employees (except possibly the tech support) to function more effectively.
[ insert meme here ]
All this may be true.
However, I'm pretty damn rigorous about using work Internet access for work. No personal email at work, no messaging client, no browsing news sites, nothing like that.
However, I still get incredibly pissed off when IT decides to try to regulate my behavior. Currently, the IT department where I work is the primary reason that I'd want to work somewhere else.
For example, they cut any TCP connections that run for longer than a certain amount of time. The justification was that some people were listening to Internet radio. This is really irritating when trying to download *all the CD images* for the current Fedora and having my connection constantly drops. They filter Web access (anything with "proxy" or "WINE" in the URL, for example) -- fun when I was writing a piece of software for Windows that needed to interoperate with proxies. They block outgoing SSH access. Frankly, it is absolutely not IT's balliwick to be stomping on employees who are goofing off. They can go to the employee's boss, and provide him with that information, but IT should never be in a position of trying to regulate employee behavior. That's the responsibility of that employee's superior.
It pisses the living hell out of the rest of us, who are treated with no trust (even aside from the direct impact of, for example, not having access to my addressbook and other data on my home computer from work).
Frankly, every IT person who has managed to wedge themselves in the position of regulating employee behavior has become an obstacle to getting things done rather than an asset to the company. I'd like to see nothing more than those people fired, yesterday.
You don't want someone at work who doesn't get anything done, who is "sending amusing flash/avi/mpeg between themselves, forwarding jokes someone outside sent to their gmail account (and they've cut-n-pasted them into work mail), etc."? Great. Let their managers fire the little unproductive bastards. But IT needs to stop trying to make themselves "second managers". They suck at it, and they deserve the dislike that comes back at them when they try it.
Any program relying on (nontrivial) preemptive multithreading will be buggy.
Fear of employees, fear of Arabs owning the ports, fear of non existent WMDs in Iraq, fear of porn, fear of violent video games, fear little Johnny will be kidnapped if he's out of eye sight for even a millisecond, fear, fear, fear, it's all the MSM and our "leaders" speak of these days. Ever since 911 the U.S. has become a nation ruled by fear and paranoia. Is anyone sick of it yet?
Whatever happened to rugged individualism, proud freedom, and respect for individual dignity without need for spying on employees, and fretting about "intellectual property" and "national security." How diminished we have become, how pathetic, how cowering.
Fight back damn it, join unions to protect your rights at work, protest, make yourself heard before the candle of freedom is extinquished entirely.
Tired of all the isms, don't exploit people as an employer, or a government, mmmmK?