Slashdot Mirror


The Enemy Within the Firewall

Mel Tom writes to tell us The Age is reporting that many businesses are now considering employees a much bigger threat to security than most external threats. From the article: "With email and instant messaging proving increasingly popular and devices such as laptop computers, mobile phones and USB storage devices more commonplace in the office, the opportunities for workplace crime are growing."


  1. crime opportunities by pretygrrl · · Score: 5, Interesting

    I work for a consulting firm that provides all types of HR services. We get data on client personnel that includes EVERYTHING: SSN's, addresses, spouse info, dates of birth, EVERYTHING.
    The article mentions scarce spending on addressing internal security threats: I'm looking around my office, and there is just nothing you can do! Even if you completely lock down desktops (the latest image was set up so as to disable all HW and SW installs, and I personally had an admin pw within days!), there is still email. And loaner laptops.
    I hear that this type of complete personal information fetches $10 per record amongst certain unscrupulous Brooklyn programmers.
    Come to think of it... where DID I put all my floppies?

    --
    Contemplate the marvel that is existence, and rejoice that you are able to do so.
  2. Re:This Has Been Why... by ackthpt · · Score: 5, Interesting
    If you trust your employees, you might find a lot less security breaches. Many breaches are only due to an employee with an axe to grind.

    That's a bit naive. Most of our employees are devious little buggers. As soon as no-one is looking they're sending amusing flash/avi/mpeg between themselves, forwarding jokes someone outside sent to their gmail account (and they've cut-n-pasted them into work mail), etc.

    What it really comes down to is establishing a policy and what sanction will be forthcoming on violations. I knew one company that had zero tolerance. A couple sackings and everyone left was quite clear on proper behaviour.

    --

    A feeling of having made the same mistake before: Deja Foobar
  3. Internal security is a double-edged sword. by robyannetta · · Score: 4, Interesting

    If you're a company that respects its employees, rewards them appropriately and values them, do you think internal threats are going to be such a large issue compared to the faceless megaopolies that most American companies have mutated into?

    --
    - Just my $0.02, take with a grain of salt, your mileage may vary.
  4. Biotech by Anonymous Coward · · Score: 4, Interesting


    I work in the biotech biz. We've been warned about Chinese "students" snarfing our secrets. Thought it was a lot of tinfoil hat paranoia until we saw logs of HUGE attachments going to Asian hotmail addresses. Guess what some of those attachments were? Research data going straight back to China.

    Needless to say, his worker agreements were terminated and the person shipped back.

  5. Movie connection? by Jon+Luckey · · Score: 2, Interesting

    Is this story just belated hype for the movie Firewall starring Harrison Ford?

    Sure, it's not well timed if that's what it's supposed to be. But it has the same elements as the movie. Employee threatened to help criminals breach his company's security. The headline even contains the name of the movie. Maybe it was submitted weeks ago, but was kept in the slush pile until needed as filler now.

    At least if it was hype it would be better than if a tech writer had to pull his story ideas from Hollywood. Or at least more understandable.

    --
    -- 3 events that reshaped the world in the 20th century: WW1, WW2, and WWW
  6. Re:And this is new? by hal9000(jr) · · Score: 4, Interesting

    What is new is that apparently some companies are actually starting to get it.

    You don't have to treat your employees like criminals in order to reduce the threat that an insider may pose. You just have to take rational approaches to tighten access.

  7. This is a very big market... by Anonymous Coward · · Score: 1, Interesting

    ...for tools like this one. Banks and other regulated industries are all over it.

  8. Re:opportunities for workplace crime are growing? by Anonymous Coward · · Score: 1, Interesting

    It's a good thing I'm a nice guy. I was fired from my last admin job for matters beyond my control (corporate admin wouldn't take the blame for something they did) and I walked with access to everything.

    Even when they brought in a new guy and he changed the VPN, the admin passwords, and everything else he could think to change, *my* preferred method of access remained online...a windows station on a fixed external IP that would let me connect directly to the network. They even missed my backup admin password. Probably because it's the login for the backup software. If I hadn't landed a better, higher-paying job the same day I was fired I might be inclined to do something unpleasant to them.

  9. Re:One thing is sure by truthsearch · · Score: 4, Interesting

    Restricting access to things you do not own is not treating you like a criminal.

    True, but taking my fingerprints and putting them on file at the FBI within the first hour of a new job is criminal treatment. After all the SEC, FBI, and other background checks you still get put on file at the FBI when taking a job at most brokerage firms (at least here in NYC).

    It's beyond technical. At many companies you're treated as if they need to always look over your shoulder. Those cameras aren't there for your benefit. They're there to catch you if you do anything wrong.

  10. Re:One thing is sure by EnronHaliburton2004 · · Score: 4, Interesting

    Where do things like arbitrary background, credit & criminal checks fit in, I wonder.

    At my last 3 jobs (Over 4 years), it was required to take these things. Along with the occasional piss-in-the-cup drug test. At many workplaces, companies are running background checks on existing employees. The tests are a "requirement of your continued employment here at the company".

    Does this make people feel like a criminal?

  11. as an emp by Anonymous Coward · · Score: 1, Interesting

    I've been on the wrong side of this issue. I found a couple of security holes. Reported them. Was asked to quit (4 weeks after a promotion).

    The holes?
    1. Well known 'tech support' password, and
    2. An unsecure website on the intranet used to do employee evaluations.

    Management's Q: How did you find this?
    A1. I'm in IT and I login to several servers every day. When I don't have an account, I try the tech-support pwd.
    A2. I don't use IE. So, the holes are as far away as right-clicking

    Management: So, you hacked our network servers and our employee evaluation system!

    Me: No!?!? (WTF) That's not what 'hacking' means... and, I reported it to 'cyber-security'

    Management: (He's a liability -- and I don't understand anything about 'view source', 'remote logins', etc. Cyber Security has no record of his complaint...) "We hold our IT staff to a higher standard...." SEE YA!

    I'm one paranoid SOB, now. I don't want passwords, or access rights, and I'm thankful when I don't have to login to any other machines. In hindsight, that job sucked. So, this was a good thing. My new job is much better.

  12. JUST OUTSOURCE IT! by Anonymous Coward · · Score: 1, Interesting
    That'll teach those employees to hack your system!

    I'm beginning to realize how brilliant that outsourcing is!

  13. Re:This Has Been Why... by paeanblack · · Score: 3, Interesting

    I've worked at one employer that understood.

    They had separate computers set up in the lounge area for IM, web email, games, etc. They were outside the network, and the rules on using them were very lax. We could do whatever we wanted on them, but IT wouldn't come running all that quickly if they were broken. Basically, it was like having a foosball table, but far more practical.

    The flipside of this policy was that all the other machines were for pure work-related usage...period. Company email was for company business...period. As weird as it sounds, the employees really liked this setup.

    It's the 21st century...employees have an expectation of being reachable by family and friends when they are on the job, even if it's not a life-threatening emergency. Companies that institute an outright ban on this behavior are living in the past. Companies that let a single computer be used for both personal and professional business are asking for a world of pain.

  14. Re:My work spies on me by pandrijeczko · · Score: 2, Interesting
    I was written up recently for sending personal e-mail "all day, every day", which was actually 11 e-mails in 3 months. 9 of those e-mails were related to my work schedule. Even though the "electronic use policy" allows limited personal e-mails, that was obviously too many.

    That does sound pretty draconian, I must admit.

    But my employer is more than welcome to monitor my "private" activity on their network because if they choose to do so they'll just see the occasional boring email between me and my wife discussing what we're having for dinner that evening or maybe an email related to an eBay transaction for a CD or DVD I've just bought - it might be "embarrassing" for me for my employer to know I hate fish, am a pasta nut, have a penchant for 70s progressive rock and love Man From U.N.C.L.E. movies & classic British comedy shows but, what the hell, I'll live with it...

    And if they do choose to scrutinize me that closely and use what they see against me, I will insist they also check their logs of my network login activity - where they will clearly see the number of additional hours I've worked where I've been entitled to claim overtime but haven't which will far outweigh the amount of worktime I've spent on personal emails.

    --
    Gentoo Linux - another day, another USE flag.
  15. Re:Who is the enemy? by DerekLyons · · Score: 2, Interesting
    A common trend I am seeing in these threads is the equating of "IT infrastructure policies to limit employee access" == "Treating employees like criminals".

    Bank employees (at least the ones I know and talk to) definitely do not feel that they are treated like criminals, but most of them are not allowed into the vault at any time they like for any reason they would like. Similarly I would consider it a reasonable policy to specify IT policies to limit access to databases that contained confidential data.

    Indeed. When I was in the Navy I was treated to everything folks are complaining about here, and far worse. Yet never in my life have I met or been privileged to work with a group so talented, hardworking or motivated. (I was in the sub service, so other YMMV.)
    Really the argument that IT policies intended to limit access or specify accepted use for equipment is tantamount to treating you like a criminal is just an overreaction by technologically sophisticated people that resent the idea of being told that they can't do anything they want.
    It's more likely that it's the end result of permissive parenting. At least two generations have grown up without learning self control or learning that there are limits on one's actions - and you have to live with them even if you don't like them.
  16. Re:Make Sure You Own It! by Anonymous Coward · · Score: 1, Interesting



    Amen!! The sooner you learn this lesson the better off you'll be. Use employers just as they use you. Exploit them for everything you can (honestly, nothing unethical or illegal) and do your best to profit from it. No company cares about you further than they can profit from you and to take any other attitude toward a company is foolish.

    Companies may own the source code you write but nobody can take the knowledge you obtain in creating that source. That means you can always take what you know to the competition and market yourself to maximize your profit or use it as a lever to do better with your current employer. Don't blackmail them and don't act as though you're holding all the cards (you don't) but use your knowledge to get the most out of your employer. Heaven knows that they'll sell your job to anyone else they can get to do it cheaper. You need to have the same philosophy toward them.

  17. Re:Who is the enemy? by sinewalker · · Score: 2, Interesting
    Witness patent battles, intellectual property and copyright battles, lawsuits, hostile takeovers, noncompete agreements and violations of noncompete agreements, "new entrepreneurship" in which you work to gain expertise, then leave the company and start your own doing the same things, corporate cutbacks in benefits and resorting to temp workers and outsourcing...
    These are all activities taken by employers, not employees... That is companies. So companies should be paranoid because their own behaviour supports their paranoia?

    Now, if there were an increase in actual instances of industrial espionage or leaking of trade secrets, I would see some meagre justification for this corporate stance to not trust employees. However it appears from my viewpoint that corporations are modelling their expectations of employee behaviour from their own behaviour. This model should be carefully assessed before implementing a corporate direction on security, because all security measures have a cost in employee effectiveness (and some, such as email scanning, adversely affect morale and in fact could lead to adverse behaviour).

    --
    “Our opponent is an alien starship packed with nuclear bombs. We have a protractor.” — Neal Stepnenso
  18. Re:Make Sure You Own It! by ArsenneLupin · · Score: 2, Interesting
    ...but nobody can take the knowledge you obtain in creating that source.

    Ever heard about a non-compete? True, they can't take the knowledge, but they can prevent you from using it elsewhere.