Enemy At The Water Cooler
Trent Lucier writes "On most network diagrams I've seen, the internet looks like a cloud. Sometimes it's a fluffy white cloud. Other times it's a dark ominous cloud. Regardless of the artistic style, the depiction usually conveys the mystery and danger of putting your company's network on a global information grid next to a billion users, kind of like those old maps with dragons drawn at strategic places in the ocean. Not surprisingly, corporations spend much time and energy protecting themselves from The Outside World. In Enemy at the Water Cooler, Brian Contos argues that just as many resources should be spent on defending against insider threats. Will this book help you detect the enemies at your water cooler?" Read below for the rest of Trent's review.
Enemy at the Water Cooler: True Stories of Insider Threats and Enterprise Security Management
author: Brian T. Contos
pages: 302
publisher: Syngress Publishing
rating: 8
reviewer: Trent Lucier
ISBN: 1597491292
summary: A thorough introduction to insider threats and the countermeasures that can be used against them
Contos, a Chief Security Officer himself, has written a primer on insider threats and the counter-measures that can be deployed against them. The book is written for a wide audience, so don't expect low-level details about encryption algorithms and security protocols. However, if you have to deal with a large company's IT infrastructure, you may benefit from Contos' descriptions of enterprise security concepts and anecdotes.
According to the book's terminology, an insider is someone who has more privileges than the common person and uses those privileges to abuse the system. It's important to understand the full scope of the term "privileges". In addition to computer privileges, Contos is also talking about physical access to hardware, paperwork, and even other employees that can be exploited in social engineering attacks. Even if a piece of information is useless to the insider, it may be something that a competitor would be willing to buy for the right price.
The early chapters provide background on all the standard attacks that are in the news these days: phishing, denial of service, keylogging, etc. What makes these sections interesting are the statistics that are sprinkled throughout the text. In a survey conducted by CERT examining known attacks, 49% were committed by insiders who were married. This goes against the profile of the insider as someone who has less personal risk (such as a family) at stake. In fact, the prevailing image of the last 30 years, depicting the computer criminal as a socially awkward young male, has started to become less accurate as organized crime has turned into the biggest threat.
Enemy At The Water Cooler does a great job of putting statistics in context. The book is always careful to mention that the crime statistics represent only the known incidents. Contos often explains why certain numbers matter. Near a chart showing that 59% of discovered crimes were committed by former employees, the author explains that recently fired employees can be highly motivated to commit revenge and still have access to accounts and passwords, which is a dangerous combination.
How does the book propose that businesses deal with threats? At the end of Part I, Contos introduces a technology called Enterprise Security Management (ESM). This is a blanket term used to describe a collection of enterprise-level tools that can perform information analysis, display event feeds, manage policies, and do everything else in the world besides make toast. The remainder of the book constantly mentions this technology, so if you are not interested in learning about ESM, this book may not be for you.
At this point, it should be noted that Brian Contos is the Chief Security Officer of a company that sells ESM products. The book is neutral on which product you should use, although some screenshots show Contos' program for illustrative purposes. I did not feel that the book was biased or trying to sell me something. Regardless of who the author works for, he makes a compelling argument that ESM systems are necessary for big companies that need to manage their IT security.
Case studies comprise Part II of the book. This is the entertaining stuff, and probably the type of thing most people want to read when they pick up a book called Enemy At The Water Cooler. There are 8 main case studies, each running about 5 pages in length. Contos puts the "study" in "case study" as he illustrates how tools (ESM) and training could prevent many of the scenarios he describes. Those expecting light reading in the form of amusing anecdotes about IT security will be disappointed. However, if you're looking for a detailed analysis of insider crime, these chapters provide it.
Many times, greed and hubris are the ultimate undoing of the insider. In one example, a company discovered that their servers were hosting pirated software. Little did the company know that the employee that was asked to clean up the server was actually the one who put the software there to begin with. The insider would have gotten away with it if only he hadn't bragged to a co-worker about how dim-witted his company was.
In other situations, employees can be blackmailed into committing crimes. In the case of a Spanish company, an employee was forced into planting a wireless access point in one of the development labs. The employee had lied about his educational background on his resume, and criminals threatened to expose him if he didn't cooperate by planting the device.
The final portion of the book discusses further capabilities of ESM. The main point is that ESMs should be able to monitor everything. Contos explains a scenario where an employee pulls financial information from a proprietary system and then uploads it to a P2P network. Most companies do not have the technology to detect such an action. Not that Contos claims technology is the only answer. It is just a tool, and it is useless when not supported by trained employees and policies. At the end of the book, the reader gets information about "soft skill" topics like incident management, hiring processes, and some legal case history regarding insiders.
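The scenario above (an export from a financial application followed by an upload to a P2P network) is the kind of cross-source correlation that an ESM is supposed to perform. The following is an added example, not code from the book, the review, or any ESM product: a minimal correlation rule run over two constructed log feeds. The log formats, hostnames, usernames, the `finapp` audit source and the list of P2P ports are all assumptions made for the example.

```python
"""Added example: a small ESM-style correlation rule, run over constructed logs.

It flags a user who exports records from a financial application and, within a
short window, starts a large outbound transfer to a port commonly used by P2P
file-sharing clients. Everything below (sources, fields, users, ports) is
constructed for illustration and is not taken from the book or any product.
"""
from datetime import datetime, timedelta

# Constructed application audit log: timestamp, source, then key=value fields.
APP_AUDIT_LOG = [
    "2006-10-02T09:14:03 finapp user=jsmith action=EXPORT table=GL_ACCOUNTS rows=48211",
    "2006-10-02T09:20:41 finapp user=akhan action=VIEW table=GL_ACCOUNTS rows=1",
    "2006-10-02T11:02:17 finapp user=akhan action=EXPORT table=PAYROLL rows=902",
]

# Constructed firewall/proxy log with the authenticated user already resolved.
NETWORK_LOG = [
    "2006-10-02T09:31:55 fw src=10.1.4.22 user=jsmith dst=203.0.113.8 dport=6881 bytes_out=73400320",
    "2006-10-02T09:33:10 fw src=10.1.4.30 user=akhan dst=192.0.2.10 dport=443 bytes_out=5120",
    "2006-10-02T14:10:00 fw src=10.1.4.30 user=akhan dst=203.0.113.9 dport=6881 bytes_out=5242880",
]

# Assumed list of default ports for common P2P clients; a real rule would use
# protocol identification rather than port numbers alone.
P2P_PORTS = {6881, 6882, 6883, 4662, 6346}


def parse(line):
    """Turn 'timestamp source k=v k=v ...' into a dict with a datetime 'ts'."""
    ts, source, *fields = line.split()
    record = {"ts": datetime.fromisoformat(ts), "source": source}
    for field in fields:
        key, value = field.split("=", 1)
        record[key] = int(value) if value.isdigit() else value
    return record


def correlate(app_lines, net_lines, window_minutes=30, min_bytes=1_000_000):
    """Return one alert per (export, P2P upload) pair by the same user where the
    upload starts within window_minutes after the export."""
    window = timedelta(minutes=window_minutes)
    exports = [r for r in map(parse, app_lines) if r.get("action") == "EXPORT"]
    uploads = [
        r for r in map(parse, net_lines)
        if r.get("dport") in P2P_PORTS and r.get("bytes_out", 0) >= min_bytes
    ]
    alerts = []
    for export in exports:
        for upload in uploads:
            same_user = upload["user"] == export["user"]
            in_window = export["ts"] <= upload["ts"] <= export["ts"] + window
            if same_user and in_window:
                alerts.append({
                    "user": export["user"],
                    "table": export["table"],
                    "rows": export["rows"],
                    "dst": upload["dst"],
                    "dport": upload["dport"],
                    "bytes_out": upload["bytes_out"],
                    "delay_seconds": int((upload["ts"] - export["ts"]).total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(APP_AUDIT_LOG, NETWORK_LOG):
        print(f"ALERT user={alert['user']} exported {alert['rows']} rows from "
              f"{alert['table']}, then sent {alert['bytes_out']} bytes to "
              f"{alert['dst']}:{alert['dport']} after {alert['delay_seconds']}s")
```

On the constructed input only `jsmith` is flagged: `akhan`'s 443 transfer is not on a P2P port, and his later 6881 transfer comes three hours after his export, outside the window. Neither event on its own looks suspicious to the application or the firewall, which is the point the review makes: without a component that sees both feeds and ties them to one identity, nothing raises an alert.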
The book's viewpoint is very top-down with regards to the corporate hierarchy. Executives will no doubt love all the capabilities that Contos claims can be at their fingertips, but individual employees might feel it is slightly Orwellian. Can all this information that the ESM vacuums up be used for evil? The book's implicit answer seems to be "yes", since it is repeatedly made clear that no one can be trusted. But there is never any explicit information given on how the ESM itself can be protected from abuse.
Enemy at the Water Cooler provides a thorough introduction to insider threats and the countermeasures that can be used against them. If you are just interested in stories about insider security crimes, then you may want to pass. (The section on case studies is only about a third of the book's content). However, if you are interested in learning about technology that can help defend against these threats, then this book provides a comprehensive overview.
Trent Lucier is a software engineer. His latest experiment is localhost80.com
You can purchase Enemy at the Water Cooler: True Stories of Insider Threats and Enterprise Security Management from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
you have now made an enemy at the water cooler..
All your base are belong to the water cooler!!
From the PHP manual: "Also note that it is your responsibility to die() if necessary."
We removed our water cooler so that this scenario never happens.
I'm confused here - is he talking about protecting my corporations network from myself?
LINUX ONLINE POKER: Linux Poker
Does anyone have Visio stencils of those ominous dragons? I'd love to replace my Internet clouds with these.
640YB ought to be enough for anybody.
I have no idea why Slashdot linked to B & N here, when Amazon has it considerably cheaper (see the "Used and new from..." listings).
While internal security is important, the priority should always be towards protecting yourself from external attacks. Internal security problems can be minimized because there is a smaller group of suspects, and good hiring practices can reduce it a bit more. Next is the cost/benefit of putting the effort into internal security. First there is the cost of designing and implementing, then there is the cost of maintaining it and keeping the employees useful. If Employee X needs to put in a request to access some data and it takes a couple of hours to do so, that is a loss of productivity.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
So what next - snitch networks? Informants?
Pissed off people (and assholes) will always remain so.
Employees like to feel trusted. The kinds of security measures that will really protect your information are the kinds of security measures that will create a semi-oppressive environment.
I guess that's something that has to be balanced: the effects of your security implementation on morale/productivity vs the cost of a possible breach
[Fuck Beta]
o0t!
Not quite. Only around 20% of registered, reported attacks come from an insider threat, and of those, only 10% are from IT. You can find this at a Jan 23rd posting on CERT about insider threats.
http://www.cert.org/
Therefore, implying that the insider threat looms as large as others is highly divisive and misleading. Further, you can take concrete steps to reduce the risk of an insider threat, while you cannot have that level of impact in threat reduction (vulnerability and asset risk reduction, yes, but not threat) for the rest of the world.
- musides
Every employee thinks about striking out on their own and about taking some data or IP along with them.
Windows Vista Forum
In France they have a different approach. At lunch everybody takes a glass of wine and it's considered normal. Should replace the water with wine and it will drastically reduce security threats :) Len
Puke Skyborker: Damn it, P-3-P-Hole, I can't contact Slam Bolo in Accounting.
P-3-P-Hole: Master Puke, Bart Vlader is approaching. He's been chatting up your receptionist. I believe he has taken Slam Bolo hostage.
Duke Skyborker: Get ready P-3-P-Hole. I'm armed with my onion and salami sandwich. The Force is strong in me, and I really loaded up at Starbucks.
Bart Vlader: Young Skyborker, we meet again. I have hacked into your workstation and used your email address to spread old lady pr0n throughout the internal mail system.
Duke Skyborker: You'll find I've grown since we last met on Friday. Prepare, Vlader!
Bart Vlader: You have learned much, but you are not an executive yet. The Vice President in charge of Advertising will know what to do with you.
Duke Skyborker: Noooo! Obiblown Nairobi, save me!
P-3-P-Hole: Master Puke, Obiblown is no more! He was transferred to our Helsinki operation last September. Oh, if only Slam Bolo would appear. Oh dear. By the way, Master Puke, while you're up for reprimand, you won't be eating that Danish.
The world's burning. Moped Jesus spotted on I50. Details at 11.
I'm definitely going to be purchasing this book, as we've recently had an 'incident' and in the health care field these kinds of things could mean jail time for me as the person responsible for security thanks to HIPAA.
Can we end the "talking around the water cooler" cliche? Very few people stand around the water cooler. They walk up to it, fill their cup or bottle, and walk away.
If someone wanted to have a good chat with their workmates, they'd wander off to a nearby cafe, where their conversation isn't going to be seen or heard by their managers.
-- Even if a god did exist, why the fsck should I worship it?
but maybe it was switched with Folger's Crystals to see if I'd know the difference. Now, don't you think you owe me an apology?
It really sounds to me like this is just a continuing tune on the terrorist theme. Watch out, you aren't safe anywhere, you can't tell who might be out to get you, no one is excluded from suspicion.
My assertion is that looking behind you all the time and treating everyone as a potential threat causes more damage than the problems it supposedly avoids. If the patriot act is the cure, I'd rather have the disease, thank-you. The same goes in the office.
Nothing sinister about it, I'm afraid. The cloud is used because it does not matter how the internet works, only that you put packets in one place with the right address, and they come out at that address. How they got there, we neither know nor care. Hence the cloud, not because there is mystery, but because maybe it's fiber, maybe copper, maybe SDSL, or Frame Relay, maybe it's satellite, maybe it goes via Hamburg, maybe via London, we don't care because it doesn't matter.
~~~~~ BigLig2? You mean there's another one of me?
FREEDOM of Information.
All Information WANTS to be free and public knowledge.
And to fight against it is WRONG.
What if your company's network weren't connected to the internet at all? Naturally, a lot of companies "need" this, but I'm sure there are other companies that can operate fine without the internet at all. Not only does it save the company from worrying about "outside" threats, but I imagine it also helps to deter inside threats. For example, look at the employee that hosted pirated software on company machines. Without the 'net, how is he going to host it?
I wonder how many companies, in an attempt to defuse "the enemy at the water-cooler", have treated employees with such contempt that they have created even more and more aggressive internal enemies. The more companies treat their employees as adversaries, the more adversaries they create.
Yes, companies should take prudent steps to oversee the security of their networks and systems. But I suspect they need to do more to enlist the aid of the allies at the water-cooler and in creating a positive work environment than in draconian control measures.
Two wrongs don't make a right, but three lefts do.
the solution to 99% of these problems is NOT to treat the employee like he/she is a disposable paper towel. Treat the employees with oppressive measures and you're more likely to have your security breached. The solution is not to treat people like shit. Maybe start by renaming your "Human Resources" department to "Personnel" for starters. And the same goes for your customers. no, they are not moronic cattle grazing "consumers" but people who buy your stupid products i.e. CUSTOMERS.
The big fluffy, white clouds representing the internet are nice and all, but wouldn't it be more accurate to represent the internet on diagrams with a mugshot of Al Gore, instead?
Why do people keep insisting that their old and over-used references are obligatory?
Slashdot posts do not watch you, we do not need to welcome our slashdot overlords, our base do not belong to anyone, there is plenty to see here, and so on.
Stop trying to justify your re-use of an old joke by saying it is obligatory. It isn't. Come up with something new, or just don't post.
(Arms flailing in the air wildly)
What is it with people today who act like working in an office in corporate America is filled with intrigue and tales of espionage? Read this now: CORPORATE AMERICAN OFFICES ARE DULL AS HELL. There are no real secrets because the monkeys who work in these glorified cages have no real power of any kind. They have no knowledge of any value. They are basically button pushers who want to feel important after watching fantasies like Fox television's 24 series. Trust me, I've seen it all from a pretty privileged position and I can tell you that there's nothing to see. Nothing to worry about when you look at the cubicle farms. The people who really need to be watched carefully are the people doing the watching.
-"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
Every few months someone writes an article or publishes something talking about how insider threats are the largest avenue for security breaches. Usually, they are trying to sell some new "spy on your employees" device. My company even makes a device that tracks employee internet usage and finds abnormalities. We have one deployed internally and anyone can look at it to see what other people have been doing. Sometimes we'll make fun of someone for being the most frequent visitor to Slashdot this month, or some-such. That said, we have deployed an incredibly effective system for stopping insider threats. Such a system used to be commonplace in many companies, but has since fallen into disuse due to modern business strategies and short-term money saving concerns. This fabulous system is called, "beer in the fridge."
By spending a small amount of money to keep the kitchen fridge stocked with free beer for all employees, the company has cheaply bought all our loyalty. Sure we could perform extensive audits and spend time spying on potential insider threats and implement physical security to stop people from bringing in portable drives they could use to steal our customer databases, but really the beer is a lot cheaper. It has added benefits too. If an employee gets a job offer elsewhere they often ask about the free beer situation. I think it is worth about 20K of salary in most people's comparisons. If people are moving on, they stay in touch with people here and recommend us to work for and to buy products and services from. People give lots of notice and will stay on to finish a project or train someone else. People are a lot more likely to stay late or come in on the weekends to work on something because of the free beer.
Yes, the fabulous "beer in the fridge" system has many advantages.
Treat employees well, like people instead of mercenaries. Be their friend as well as their boss. If they can't come in some day because they have something come up, or an old friend comes into town, let them take a day off. Make sure people don't fear they will be fired because management needs better numbers for the year. Make sure they know they are valued as employees and people. Take them out to lunch now and again or order a pizza, or get free donuts. Well treated people almost never betray their employer and tend to treat their boss well in return. This isn't rocket science.
I prefer to think of the glass as half-full
I agree. Let's start with your Social Security Number. It wants to be FREE.
Isn't that exactly what they'd want us to believe ?
May contain traces of nut.
Made from the freshest electrons.
Barnes and Noble is selling this book for $49.95, but Amazon.com is only selling it for $32.97!
Save yourself $16.98 by buying the book here: Enemy At The Water Cooler. That's a total savings of 33.99%!
I have had the shower on for 2 weeks straight.
My internet cloud in my house is really fast now.
does anyone know how to stop all the water from dripping everywhere ?
My father, three of his brothers and their father all worked for the same company for all their working life. They were well taken care of and they returned that loyalty several times over in the course of their careers.
Today, companies are more concerned with cutting another 10,000 employees so their stock price will jump a few cents for a couple of weeks than creating a relationship of trust and security with their employees. Benefits are cut, unions are fought, jobs shipped overseas and life is generally made as miserable as possible for the people who sweat blood on the shop floor. Meanwhile, the differential between what the CEO makes compared to the average employee has gone from 20 to 1 to 20,000 to 1.
I'm not surprised that corporations find themselves loathed by their employees and having to exert effort and money trying to protect themselves from their own people. What surprises me is that we don't see more all-out sabotage by disgruntled employees.
It's not coincidental that the period of enormous growth and prosperity of the few decades after World War II happened to also be a period of improving conditions, organization and influence for the workers. A period when labor unions were considered a crucial part of the economic system. Those unions were the only reason the US had such a strong and deep middle class from 1950 until their demise began at the hands of that doddering tool of the Right-Wing Rich, Ronald Reagan, who, if God is just, is burning in Hell.
You are welcome on my lawn.
The glass is twice as large as it needs to be.
Check out my lame java blog at www.javachopshop.com
An acquaintance of mine has a startup that is devoted entirely to insider security tracing what comes outwards from within the firewall. He says business is very good.
I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
When people ask me what I do, I reply "Information security for a bank." This typically provokes the follow-up "What does that mean?" My reply has always been "I keep the bad guys out, and the employees in... and the latter is the more difficult."
] D
Good points, but I'd say the picture is *slightly* more complicated than what you suggest. In particular, while it may be tempting to draw clear boundaries around presidential administrations (and often reasonable, by the way), it's still too much of a black-and-white maneuver.
Related: All the unions in the world aren't going to stop the flaming crash that seems to be our destiny. We could all be Nuke Engineering PhDs, but if someone similar in China / India will do the work for 1/10th the cost, we're screwed.
Finally, one of the biggest (and unrecognized reasons) for our country's decline has to do with prosperity... too much of it. We're not the lean-and-hungry folks we used to be.
Banks have been aware of insider threats for centuries. They have a battle-tested set of policies and procedures such as separation of duties to control the threats. Banks have been able to stay in business for a long time before ESM became available.
Banks have also gone out of business due to the insider threat people seem afraid to discuss. There's an old saying, "The best way to rob a bank is to own one". Crooked senior management stole one Sagan (billions and billions) of dollars during the 1980s US savings and loan disaster. Sometimes the thefts are even considered legal, as when a CEO walks away from a ruined company with a hundred million in "performance bonuses". How is ESM going to protect against Ken Lay, who did more damage than any random thousand "disgruntled former employees"? (*)
Banking procedures, such as requiring people to take vacations, have the other advantage that they don't risk violating privacy laws. In some countries you may not be allowed to spy on your workers to the extent you can in others.
(*) Who disgruntled them, anyway?
>Will this book help you detect the enemies at your water cooler?
No. I will have to find out myself who took my red stapler.
*walks off muttering*
You can't talk about Wikipedia's flaws on Wikipedia
Also, CEO pay has skyrocketed in comparison to worker pay, and no company that pays hundreds of millions of dollars to departing executives can also afford to be loyal and supportive to the workers. In the corporate culture of today, executives are seen as the movers and shakers, the visionaries who create the value, while the workers are seen as expenses.
it happens all the time... but i'll bet it doesn't often make the papers.
the word sabotage comes from the french word "sabot" which is a kind of wooden shoe or clog. during the industrial revolution, angry workers would kick the machines they worked on or throw the shoes into them, resulting in a "clog" in the output.
in the intelligence community, disgruntled soldiers and public servants make some of the best moles or double agents. in government, many whistleblowers act not out of a sense of duty or responsibility but as a means of exacting revenge.
sarcasm:
-noun
1. harsh or bitter derision or irony.
Although this post is technically only relevant to the OP's commentary, please don't mod me OffTopic..
:)
-W5i2
I was wondering, "wtf? dragons? maps?" and rather than post an annoying OT question, I looked it up. Very interesting, and if you're wondering about the OP's reference above, I found a useful page here and here.
And don't flame me for not knowing this either. At least I'm sharing the knowledge now
[BEGIN PGP PUBLIC KEY]: X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVI
ridiculously paranoid and power-crazy sys admins who lock our PCs down so tight it's almost impossible to do any software development work on them.
I'll call Jesus. He'll get right on it.
...it's game over. If you have to watch what they do on the network that closely, then you also probably need to have them on camera constantly. You should make sure they are not bringing in any picture phones, usb keychain drives, or burnable CDs. You need to inspect them coming and going. Lunch hours. Bathroom breaks. Constant inspection. They have a name for this: prison. Yes. Why mess around with time-consuming and expensive processes like background checks, building trust, and insuring against potential loss? Why not send employees straight to prison? It seems to work very well in some countries, and in several novels written during the 20th century. Any more stupid questions?
Does *anyone* remember Avant!? The company started with stolen IP! My recollection is the data wasn't stolen by loyal employees who had been crapped on one too many times. These guys were nothing but greedy thieves. Hence the *need* for information security products like those provided by (shameless plug) http://www.provilla-inc.com/.
I work for a large security-oriented IT company and our managed client firewalls are effectively wide open from the inside out. We assume that anything inside is fine. This does in fact get us into trouble, but it's easier to do that than re-architect all our applications to work in a bidirectionally secure world.
You have no idea how right you are.
I suspect the cost in lost productivity of treating your employees as potential enemies far outweighs the benefit in reduced risk of sabotage and theft. It might not even reduce the risk; people in general have a strange tendency of behaving the way you expect them to, so if you expect them to betray you, they are more likely to do so.
No, the reason we have to put up with "the kinds of onerous security protocols..."
I think it's more the result of the Enron implosion creating a bureaucratic solution in the Sarbanes-Oxley legislation.
It is "easy" to make the rank-and-file IT workers change their password from one unmemorizable string to another every 30 days, and remove access that lets them do their jobs efficiently. That way, auditors from companies whose sole purpose in existence is to justify their consulting fees can find more ways to show how the staff should not be trusted.
Never mind that it was the top management of companies like Enron who broke the public trust by reporting performance that fit their greed rather than the true numbers coming out of the IT systems.
"At this point, it should be noted that Brian Contos is the Chief Security Officer of a company that sells ESM products"
...
Ah, So
"In one example, a company discovered that their servers were hosting pirated software"
Does the book tell us the names of the companies and the individuals involved?
"In the case of a Spanish company, an employee was forced into planting a wireless access point in one of the development labs. The employee had lied about his educational background on his resume, and criminals threatened to expose him if he didn't cooperate by planting the device"
If this anecdotal evidence is true, why would the employee engage in industrial espionage merely to cover up how he lied on his CV, something most everyone does? Do the criminals think no one would find the wireless access point? Why go to the bother since they have a man on the inside?
"Contos explains a scenario where an employee pulls financial information from a proprietary system and then uploads it to a P2P network. Most companies do not have the technology to detect such an action"
Anyone attempting such a thing would first get admin rights on the ESM and delete the audit trail. It's best to log in as the PHB, as he would never go looking for his own files. If your company can't spot a P2P node on their network, then maybe they should be in the sandwich-selling business instead.
davecb5620@gmail.com
Anyone with a red stapler muttering to themselves...
or the guy gutting a fish in his cube.
You want what? by when? Sorry we haven't finished the time travel project yet... that's next week.
Why should an employer have any more loyalty to his employees than a shopper does to the stores he shops at? You should owe your employer nothing more than your labour; your employer should owe you nothing more than your wages. If someone else can provide the same labour for fewer wages (or more labour for the same wages), your employer should contract with that person instead; if someone else can provide the same wages for less labour (or more wages for the same labour) then you should contract with that employer instead.
I don't owe Safeway my patronage; if I discover a better price at Albertson's then I'll buy there. Why should an employer be any different?
The biggest problem in my eyes is that in America currently, employers want all the benefits of the old system with none of the costs. That is, rather than negotiating a proper contract with each employment, one which spells out exactly what is required from each party and under what terms (e.g. 40 hours a week, time-and-a-half overtime, no more than twenty hours of overtime may be compelled), and under what conditions the contract may be ended (e.g. with two weeks' notice)--instead of doing this, they want every employee to be employed at-will, with even work done on personal time to belong to the employer. This is a relic of the old-fashioned semi-feudal way of doing things.
It's highly advantageous to the employer, but rather negatively so to the employee.
The real solution is for all of us to be under a firm, negotiated contract. When a corporation provides a service to another corporation, there's a contract involved. When you or I provide a service to a corporation, most of the time there's only an implied contract. That's pretty crazy, when you think of it: we're selling a valuable commodity under very vague terms.
Just say, so far, this guy has had an exemplary performance record...
Then this comes up.
If the guy had gone to his boss and explained his situation, would his boss nail him on the spot (thereby opening his company for a rehire which may not be as forthcoming)? Or would he be understanding that making one's resume as juicy as possible for the lure of hire is much like a "campaign promise"?
Not that I advocate lying on resumes, but I have seen where honesty gets you if you are dead honest. From my corporate experience, no one likes a "boy scout" and looks for someone to "take risks" and "think outside the box".
It always seems the boss will find out anyway about any untruths on the resume and can later hold these findings with great power over the hiree.
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
Only three things are certain: death, taxes, and apocryphal quotations - Ben Franklin.