Workers Cause More Problems Than Viruses
Technical Writing Geek writes "A new report finds that, for the first time, virus infections have slipped to the second spot on the list of computer security troublemakers. In first place: a company's own workers. 'The Computer Security Institute has just released the 2007 edition (PDF) of its long-running "Computer Crime and Security Survey," and it offers some dreary news for overworked computer security admins: average losses from attacks have surged this year. More surprising is the finding that the single biggest security threat faced by corporate networks doesn't come from virus writers any more; instead, it comes from company insiders.'"
As of 2004:
"CEOs are increasingly aware of the risks posed to company information by insiders, but they aren't acting on this knowledge, according to the "2004 Ernst & Young Global Information Security Survey." More than 70 percent of the 1,233 organizations surveyed in 51 countries failed to list training and raising employee awareness of information security issues as a top initiative."
A case of 'ignorance is not bliss'.
TaijiQuan (Huang, 5 loosenings)
Stop hiding your porn, hiding porn is a security violation.
Time to place your order.
Virtual Betting on Facebook for non-geeks.
It brings to mind the old saying 'loose lips sink ships'. I've only had a few years' experience as a sysadmin, and it was drilled into my head quite early that the one thing you can never secure is the user. Let's come up with a real story now please.
If sharing a song makes you a pirate, what do I have to share to be a ninja?
Who could have ever imagined...
http://slashdot.org/articles/07/09/17/1226245.shtml
Completely obvious and expected would be a better description.
and when it comes to computers, faxes, phone system or staplers we call him the Human.Virus
God forbid you leave your iPod near him!
Si vis pacem, para bellum! For evil to succeed good men need only do nothing!
Viruses made it to the top spot at one point?
I hope they don't consider an animated gorilla that pops up and scares the hell out of you while you're trying to masturbate in your office during your lunch break a "problem".
No shit; I'm surprised this hasn't been the case all along. Every IT dept I've been in has been treated by the employer as a reactive service. Most of the time, we are given something to install. Not asked if it'll fit in our current IT environment, but given and asked how soon it can be installed.
USB thumb drives are an on going headache, and an attack vector on top of that. I'm forced to wonder how serious any of these issues would be if we didn't live in a windows centric world.
Mod me down with all of your hatred and your journey towards the dark side will be complete!
If we give every employee access to everything, yes problems will happen. But if we give most employees access to most things their jobs are a lot easier, and more work gets done (or the same amount of work gets done, but with less stress and overworking).
If one of our employees decides to steal information, we'll deal with it with that employee, but that's as far as we go. We can't live in fear of an inside attack just because it's more likely than a virus (especially for a linux only shop like ourselves). A balance must be struck between full access and full security.
><));>
Because there's no patch for human stupidity. http://www.jinx.com/men/sweatshirts/geek/social_engineering.html
Power is the ability to make a change.
...for hiring robots. Unless of course the robots are infected with a computer virus...
GetOuttaMySpace - The Anti-Social Network
It's all well and good to have the tech locked down; however, the system is only as good as its weakest link - the humans. There's only so much you can do when a luser decides to keep all of his passwords on a post-it note...
Cool! A use for all that non lethal weaponry the US military has been developing.
I don't think viruses are a source of security problems as much as they are an annoyance. And in that vein, anti-virus software is typically even worse than the viruses themselves. They are invasive, pop up ads (for themselves), slow down your computer, make it malfunction, and just generally cause hardship 100% of the time. As opposed to the viruses that only cause such hardship while you actually have one.
I tell people that anti-virus software is like medicine -- don't take it if you're not sick!
I'd have never....
RUN ALEX! They're onto us!!
Karma Whoring for Fun and Profit.
The security literature has been saying this for years. And, depending on who you classify as a 'user', this is a much broader problem. The TJX breach? If I consider that the company IT dept. allowed latitude in where computers were connected to the company intranet (for convenience) and which computers could be connected, then the protocols surrounding handling of data (either VISA [PDF] or otherwise) become superfluous. The 'user' that wants to be able to check stock at a kiosk inserts problems not considered in the protocol.
This is largely fixed by changing/following protocol (although following PCI would not have eliminated the TJX breach, just limited it): dictating access limits to machines, enforcing those access limits through user and key management, enforcing segregation of data by pushing it back from the user space, etc.
In a lot of cases, these things can be eliminated only through design, not draconian regulations. By design I mean something separate from limitations. A limitation (for example) would be to block any traffic going to popular webmail accounts through a browser. This is pretty easily circumvented by a half dozen trivial (read: largely non-technical and non-threatening) solutions. A design solution would be to incent users to use the internal mailing system to organize their mail and to VPN to it while away. Using Outlook as a primary means to communicate makes me pine for the responsiveness and search functionality of Gmail. Eventually, rules be damned, I will migrate my work email to Gmail (assuming I'm not security conscious) because it offers so many inherent advantages. The solution being to eliminate those advantages.
Without that, you are in the same boat that you were before. More rules, but the same incentive to break them.
This is basically saying to me that antivirus packages and software systems have finally gotten to the point where they're being effective. In response to this, hackers have developed more sophisticated techniques in order to penetrate systems. It's not that anyone is doing their job worse; it's that technology is moving at such a rapid rate that it's nearly impossible for one person or a small group to keep up with all of the new attacks being implemented each day. I for one commend IT admins for doing as good of a job as they have done.
"Can we get you on Mastermind, Sybil? Our next contestant, Sybil Fawlty from Tall Key, special subject, the Bleedin' Obvious..."
IT Guy: I'd like to share a revelation that I've had during my time here. It came to me when I tried to classify your species and I realized that you're not actually mammals. Every mammal on this planet instinctively develops a natural equilibrium with the surrounding environment but you humans do not. You move to an area and you multiply and multiply until every natural resource is consumed and the only way you can survive is to spread to another area. There is another organism on this planet that follows the same pattern. Do you know what it is? A virus. Human beings are a disease, a cancer of this planet. You're a plague and we are the cure.
I mean, I wouldn't have had to set the place on fire if they would have quit moving my desk and asked me to kill cockroaches and kept on stealing my stapler.
...I require network traffic to use secure protocols (SSL/TLS, etc) on the internal networks I administer, even if they are protected from external attackers by a firewall. Use POP3S/IMAPS to prevent the employees from accessing others' mailboxes. Run your intranet website on HTTPS. Use LDAPS. Force CIFS connections to be signed and encrypted and to use LMv2/NTLMv2.
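A quick way to check whether a host actually follows the "encrypted protocols only" rule above is to look at what it is listening on. The script below is an added example, not part of the original comment: it parses `ss -ltn`-style output (the sample lines are constructed) and flags listeners on the classic plaintext ports, naming the TLS-wrapped replacement the comment calls for. The port-to-replacement table and the decision to tolerate loopback-only listeners are assumptions about the policy, not facts from the page; CIFS signing cannot be judged from a socket list and is not covered.

```python
"""Flag plaintext service listeners on an internal host.

Added example (not from the original comment). The ss(8) output below is
constructed for illustration; the policy table is an assumption about what
an "internal traffic must be encrypted" rule would require.
"""

# Plaintext port -> (protocol name, encrypted alternative the policy demands).
# Assumed policy; adjust to the services actually deployed.
PLAINTEXT_PORTS = {
    110: ("POP3", "POP3S on 995"),
    143: ("IMAP", "IMAPS on 993"),
    80:  ("HTTP", "HTTPS on 443"),
    389: ("LDAP", "LDAPS on 636"),
}

LOOPBACK = {"127.0.0.1", "::1"}

# Constructed sample of `ss -ltn` output: one clean TLS listener per service
# plus a few plaintext ones, including a loopback-only HTTP listener.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:143          0.0.0.0:*
LISTEN  0       128     0.0.0.0:993          0.0.0.0:*
LISTEN  0       128     127.0.0.1:80         0.0.0.0:*
LISTEN  0       128     0.0.0.0:443          0.0.0.0:*
LISTEN  0       128     [::]:636             [::]:*
LISTEN  0       128     0.0.0.0:389          0.0.0.0:*
"""


def parse_listeners(ss_output):
    """Yield (address, port) for every LISTEN line of `ss -ltn` output."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header line or non-listening socket
        local = fields[3]
        # rpartition copes with IPv6 forms like "[::]:636".
        addr, _, port = local.rpartition(":")
        yield addr.strip("[]"), int(port)


def find_plaintext_listeners(ss_output, allow_loopback=True):
    """Return a finding per plaintext listener reachable from the network.

    A listener bound only to loopback is skipped when allow_loopback is True,
    since other hosts cannot reach it; pass False to flag those as well.
    """
    findings = []
    for addr, port in parse_listeners(ss_output):
        if port not in PLAINTEXT_PORTS:
            continue
        if allow_loopback and addr in LOOPBACK:
            continue
        proto, replacement = PLAINTEXT_PORTS[port]
        findings.append({
            "address": addr,
            "port": port,
            "protocol": proto,
            "use_instead": replacement,
        })
    return findings


if __name__ == "__main__":
    for f in find_plaintext_listeners(SAMPLE_SS_OUTPUT):
        print(f"{f['protocol']} on {f['address']}:{f['port']} -> {f['use_instead']}")
```

On a real host, feed it the output of `ss -ltn` (or `netstat -ltn`); in the constructed sample it reports IMAP on 143 and LDAP on 389 while letting the loopback-only HTTP listener pass.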
Workers have probably displaced viruses simply on the strength of MediaDefender's e-mails all going public this weekend due to the truly stupid actions of one person, whom I'm very glad today that I'm not him!
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
The ultimate attainable security ... is when your systems lose/corrupt/release data more often due to the stupid (non-malicious) actions of your people than due to crackers.
The human level is the last limit. Don't focus on technology that will get you that last 0.0001% when the people running your systems will be causing the problems 100x more often.
PEBCAK
Using unlicensed software / bypassing security is not 100% the workers' fault. Sometimes they need to do it to get the job done on time and the official way takes too long. Some bosses have even set up their own servers for testing just to get it done faster, as sometimes the official way takes a lot of time for every little update to the project. Sometimes even IT workers do things like this, and it seems to happen more when the IT boss is clueless about IT.
.. according to the BOFH.
Have gnu, will travel.
Even when I do have a small virus outbreak, it's because people are visiting sites that they know they shouldn't. I have Sophos set up to block installations of all toolbars except for Google, users cannot run Limewire, Kazaa, Bearshare, or so forth (BitTorrent is still enabled), and so forth. Before I upgraded Sophos and it was not able to block apps, I was always having problems with people going to SmileyCentral, or downloading Weatherbug. Now they can go to the websites all they want, it will not let them install the software.
But yeah, most problems are user related. Broken pins on power adaptors, caused by users jabbing the plugs into their laptops; out of hard drive space, fixed by deleting their iTunes; computer running slow, I go and remove tons of crap the user has installed; user has e-mail bouncing, because user had ignored notifications from IT that they were approaching their e-mail quota; Illustrator on the Mac will not start because user has deleted system fonts; modem not working after user used modem during lightning storm (I am actually looking at my tickets as I am writing this, these are my tickets).
494 out of 5,000 responded. I wonder if the 9% who did are at all unlike the 91% who did not? Could it be, ya think??
It's called non-response bias.
They admit right up front that the results (even if there were no non-response bias) don't generalize to IT in general, since their members are not drawn from IT in general.
I don't mean, alienating them as employees — that's another story. I mean alienating them as computer users — by bullshit like blocking certain sites or other services (such as instant messengers), in particular.
You will then not have to chase the violators and waste time (money) on the fruitless pursuit... The pursuit, which also severely hampers the productivity of the best of your users... "Access from home? No, you'll need five approvals for me to allow that."
In Soviet Washington the swamp drains you.
Maybe it's cheaper to not bother with security education initiatives, because the people who are going to commit security fraud won't change their minds knowing that it's wrong -- they already know it's wrong. The people who unwittingly violate security probably wouldn't be able to regularly practice the secure workaround, thus exposing the same security holes as always, just less frequently exposing them.
Then you have to worry about the robot service person. That's your weak link.
So bring on the new attacks, the more determined villains, the organised crime groups. It's the closest thing to a job for life i'LL ever have.
Everything I needed to know about life, I learnt from Blake's Seven
USB thumb drives are an on going headache, and an attack vector on top of that. I'm forced to wonder how serious any of these issues would be if we didn't live in a windows centric world.
Outside windoze, the attack vector is gone, there's little need for a thumb drive because network services work securely, and finally it's easier to make sure information is shared on a need-to-know basis. That these services are lacking in the non-free software world is an indictment of the non-free software way, which starts with secrets to begin with. Beyond these precautions, you are left with HR-type issues like not hiring someone who's going to sell your client information. Before these precautions, blaming employees is a waste of time.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
The obvious conclusion is all the workers should be fired and replaced with viruses.
...is to fire everyone.
In Soviet Russia, I ruled you
- I voted for Nintendo and against Bush
Mod parent down. Offtopic once more...
Glad to hear that finally there is some understanding that any solution to the problem of endpoint security must take into consideration the human issue. There are even companies now who offer central granular control over devices and application whitelisting, both technologies that will help you secure the laptop or desktop.
If this surprises anyone, I hope they don't act like they are IT professionals. EVERY IT PRO knows this fact, and it's been well documented for years.
Your biggest security threats have always come from the inside. That's why a total-network solution like Active Directory using group policies is so important, rather than just having a bunch of computers thrown onto a network, with no control over anything.
It's also smartest to maintain two internal networks: one only for domain computers, and one for anything else.
"Virii" is the plural of the latin word "virius", which isn't in my dictionary. The plural of the English word "virus" is "viruses".
"Q: What is the most common, preventable security hole you've seen?
A: Aside from users, I'd have to say updates. Users always ignore messages about updating software..."
I always thought that was funny, and wondered if anyone else caught the quip... more here: http://jaclynperrelli.wordpress.com/2007/08/16/beyond-modifications-to-the-infrastructure-a-hacker-interview/
If it works anything like Norton Anti-virus, how will I afford to pay all the new employees?
Please don't use "umm" or "err" or "erm".
That may be "the answer", but it is an expensive and resource-intensive answer. The more auditing and tracking you do, the more hardware, software, and performance overhead you add to your network. And the more man-hours you have to throw at it. I am quite sure that some firms would rather risk a few losses rather than deal with the extra cost and complexity.
This isn't a big surprise to me. I've noticed over the years that IT folk are less and less concerned with users and more concerned with hardware. Desktop support seems to be the one thing that no one wants to do, probably because it pays the least.
So let's look at the possible solutions. We've got "lock everything down" in the lead - that's fine in its way but causes worker dissatisfaction because they can't use the creative solutions they've developed, can't use the tools they're used to in the way they're used to, etc. Ultimately, if you get things limited to the point that all possibility of damage is prevented you've also created a situation where productivity is severely limited or prevented. And it's just a matter of time before it's pointed out to you that you weren't as secure as you thought you were.
Then there's the "monitor and log everything" plan - give the users a quick class in acceptable use of IT assets then "correct" anyone who violates the rules. This overlooks the very real truth that most of the harm caused by users is not intentional; it's almost always an unexpected result from a silly mistake. The result of this plan is to create an environment of fear where everyone is careful to follow the rules exactly, won't do anything that's "not my job" and if something goes wrong nobody saw anything. Ultimately you end up with all the problems you had before but with no useful information on how it happened / how to prevent it from happening again - and low productivity due to the workers being unwilling to do any more than necessary.
The real answer is that you can't solve personnel problems with technological solutions. Forget what they taught you in your MBA program and what the security software vendors told you; treat the workers like human beings and help them to understand what can go wrong and how to avoid it. Remember that IT's mission is to support the workers. Offer classes on information security, available to all, and on paid time so they'll have the chance and ability to take part. IT works much, much better when the rest of the corporate staff are partners, not antagonists.
The technical term I believe is an ID10T error.
~Vexed and loving it!
Here is some well-meaning advice from our IT department that gives great insight into this mess:
TIP #5: Good Passwords
Never write down your password! Instead, try to come up with passwords that are hard to guess but easy to remember. For example, you could use the first letters of a favorite rhyme and add some special characters. Such as:
Hickory dickory dock, the mouse went up the clock.
Might become: Hd2,tmwutc.
Do ya *really* think that 'Hd2,tmwutc.' is easy to remember? If so, you must be an IT pro! If not, you are merely human.
Pretty much all organisms will spread to new areas under competition.
Engineering is the art of compromise.
Just because 59% of respondents are "affected" by employees installing crap they aren't supposed to, that does not necessarily translate into a $168,000 security breach. The writers of the article consider all incidents the same with regard to how they affect the companies, and simply because only 52% had viruses and 59% had users that installed something without permission, they now jump to the conclusion that users installing software without permission is now the #1 threat.
So, if 59% companies have a single employee that installs firefox without permission, and 52% of companies are infected with viruses/spyware that are making copies of their credit card databases, how the hell are viruses/spyware not the number 1 threat still?
Whaaaaa.....no....NOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO...... I....I AM an ignorant American.... *cries inconsolably*
Actually, I've never been too worried about the typical post-it under the keyboard (I've been an IT security consultant). Why? Because if someone is able to look under the user's keyboard, your security has already been compromised.
There are a few things which are vital to REAL security. Access controls are a big one, logging is another. Logging only helps after the fact, but a majority of the time, you will only know something is wrong after the fact anyway.
Personally, I *hate* what I call "keys to the kingdom accounts". I'm a big fan of giving admins two accounts: their usual user account, in which they will typically work, and then an admin account which will allow them to do admin tasks. Another really good setup is to use something like a Citrix Published Application for admin tools, since you will have to log in to them, and it will only be run from one machine (thus making it easy to keep track of, since those tools being run from elsewhere is an anomaly, and thus more than likely a potential security breach).
But your biggest danger is always disgruntled workers. One important thing which employers are really stupid about: PAY YOUR WORKERS WHAT THEY ARE WORTH!!!! When a worker gets screwed over during a review, or finds out people who do less work (or even work for them: true story!) are making $20k or more than they are, it makes it really hard to have that person be happy with their job and the company. So companies need to have a strict pay scale, and make sure people are paid at least the average salary for that position.
The least of worries is that a disgruntled worker is just creating random problems, like disconnecting users from the network. It can get far, far worse, like releasing viruses... but even worse is if they start digging into confidential information. I've seen lots of stuff, like secretaries stealing from their bosses, and I've heard about people caught selling confidential info. And you know what? It's rarely ever reported to authorities, because it would cause problems for the organization: people who are supposed to be on top of this would be scrutinized for not knowing about it, the victims would get in trouble for not securing their information better, and it would damage the organization's reputation, especially if it's somewhere where rep is very important.
But sadly, anyone who has done IT security knows it's the ultimate in thankless jobs (even moreso than email server support): the only time anyone knows the people doing security is when something goes wrong... and many times (at least in my experiences), the security concerns are never given enough concern beforehand (and certainly not enough funding).
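The comment above makes a detection point worth turning into code: once admins have a separate admin account and admin tools are only supposed to run from one designated machine, any admin-tool launch from elsewhere, or any admin account doing ordinary user work, is an anomaly the logs can surface. The script below is an added example, not the commenter's own tooling. The log lines, the `-adm` account-naming convention, the jump host name and the list of admin tools are all constructed assumptions for illustration.

```python
"""Flag events that break the two-account / single-admin-host model.

Added example (not from the original comment). The log, the "-adm" naming
convention, the jump host name and the admin tool list are constructed
assumptions; substitute your own inventory and log source.
"""
import csv
import io

JUMP_HOSTS = {"JUMP01"}        # assumed: the only machine licensed to run admin tools
ADMIN_SUFFIX = "-adm"          # assumed naming convention for the admin account
ADMIN_TOOLS = {"dsa.msc", "compmgmt.msc", "psexec.exe", "mmc.exe"}  # assumed

# Constructed process-start log: account, host and image name per event.
SAMPLE_LOG = """\
time,account,host,process
2007-09-17T09:01:12,jsmith,WS042,outlook.exe
2007-09-17T09:02:40,jsmith-adm,JUMP01,dsa.msc
2007-09-17T09:05:03,jsmith,WS042,dsa.msc
2007-09-17T09:07:55,bjones-adm,WS117,psexec.exe
2007-09-17T09:09:30,bjones-adm,JUMP01,mmc.exe
2007-09-17T10:15:00,bjones-adm,WS117,outlook.exe
"""


def is_admin_account(account):
    """True if the account follows the assumed admin naming convention."""
    return account.endswith(ADMIN_SUFFIX)


def find_anomalies(log_text):
    """Return one record per event that violates the policy.

    Rules checked:
      1. Admin tools may only run from a jump host.
      2. Admin tools may only run under an admin account.
      3. Admin accounts do nothing but admin work (no mail, no browsing);
         otherwise a phished "-adm" session is the keys to the kingdom.
    """
    anomalies = []
    for row in csv.DictReader(io.StringIO(log_text)):
        account, host = row["account"], row["host"]
        process = row["process"].lower()
        reasons = []
        if process in ADMIN_TOOLS:
            if host not in JUMP_HOSTS:
                reasons.append("admin tool launched outside jump host")
            if not is_admin_account(account):
                reasons.append("admin tool launched under non-admin account")
        elif is_admin_account(account):
            reasons.append("admin account used for non-admin work")
        if reasons:
            anomalies.append({**row, "reasons": reasons})
    return anomalies


def summarize(anomalies):
    """Count anomalies per account so the noisiest offenders surface first."""
    counts = {}
    for a in anomalies:
        counts[a["account"]] = counts.get(a["account"], 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    found = find_anomalies(SAMPLE_LOG)
    for a in found:
        print(a["time"], a["account"], a["host"], a["process"], "|", "; ".join(a["reasons"]))
    print(summarize(found))
```

In the constructed sample the two clean rows (the `-adm` accounts on JUMP01) pass, while a regular account opening `dsa.msc` on a workstation, an admin account running PsExec from a workstation, and an admin account reading mail each get flagged. Feeding it real process-creation events (Sysmon, auditd, or a Citrix launch log) is the only change needed.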
At last, my years of effort poured into this anti-worker security application are validated! Soon it will be in cubicles everywhere, preventing work.
Here's a sneak preview.
http://www.thepcmanwebsite.com/media/pacman_flash/
He hurt my feelings.
Hail Eris, full of mischief...
E pluribus sanguinem
US Population Growth
Net gain of one person every..................... 10 seconds
You can't discount immigration without discounting emigration as well. But immigration/emigration don't have enough of an effect to say that without them there isn't any growth.
World Population Growth
The growth rate is slowing (going down), but the population is still going up.
Are you posting from the future, oh offspring of my housemate?
Consciousness is a myth. Trust me.
Let's see... we could spend lots of money putting more security and watchdogs in, to make it harder for disgruntled employees to engage in sabotage or espionage - and make sure, all the while, to let our employees know that we don't trust them even a tiny bit...
Or... perhaps companies could learn to treat their employees better, pay them fairly, and get rid of sucky employees so that people who have good work ethics can find jobs?
This is surprising? I, and many others in the information security business, have been saying this for years. Most security threats come from inside. It's either malicious (the dude that made a CD with 100,000 credit card holders' information in India) or negligent (we can all think of those cases). The outside attackers can get to plenty of individual machines, but most companies are actually pretty secure against outside threats.
As a sysadmin many years ago, I learned two sayings that still hold true. "User is a four letter word". "User rhymes with loser (luser)".
At many companies, the phones will show you the caller ID information for inside calls. When I worked at an unnamed semiconductor company, it even showed if the person was calling from Sunnyvale, Singapore or Dresden. So verifying that it's Sally from HR was no problem.
Security, like most of IT, is viewed as a cost center. So they try to minimize expenses. And wind up losing money on the proposition. There are numerous papers out there on the value proposition of security. But upper management doesn't read them. They don't read anything.
>"Hiding porn on an office PC, using unlicensed software, and abusing e-mail all count as security incidents,"
That's an easy way to rack up a lot of security incidents, just classify every policy violation as a security incident.
Those all should be a lot cheaper than the six-figure average response cost the survey claims.
Throw out the people, and employ the viruses.
What a depressingly stupid machine.
I would remove "aware of" from that first sentence. In my experience, it is the CEO (or some other look-at-my-shiny-new-laptop) who takes his laptop full of sensitive information home so his eight year old daughter can play and chat on it online using the open WiFi connection to the router that is conveniently configured to route all incoming traffic to the laptop.
Musicians don't die. They just decompose.
It's not about YOU. It's about THE COMPANY.
YEARS AGO!
Yep. Nowadays people are getting more ignorant. To me, that's just selfish. Some don't even know what they are facing, and when told about the possible attacks they would lose their interest when we are not even halfway through explaining it to them. Being ignorant is one thing, not knowing is just another thing. That's just plain stupid.
"Two things are infinite: the universe and human stupidity; and I'm not sure about the universe."