Workers Cause More Problems Than Viruses

← Back to Stories (view on slashdot.org)

Workers Cause More Problems Than Viruses

Posted by ScuttleMonkey on Monday September 17, 2007 @05:30AM from the going-postal dept.

Technical Writing Geek writes "A new report finds that, for the first time, virus infections have slipped to the second spot on the list of computer security troublemakers. In first place— a company's own workers. 'The Computer Security Institute has just released the 2007 edition (PDF) of its long-running "Computer Crime and Security Survey," and it offers some dreary news for overworked computer security admins: average losses from attacks have surged this year. More surprising is the finding that the single biggest security threat faced by corporate networks doesn't come from virus writers any more; instead, it comes from company insiders.'"

25 of 191 comments (clear)

Min score:

Reason:

Sort:

Ignoring the Human Factor is not Bliss by foobsr · 2007-09-17 05:31 · Score: 5, Insightful

As of 2004:

"CEOs are increasingly aware of the risks posed to company information by insiders, but they aren't acting on this knowledge, according to the "2004 Ernst & Young Global Information Security Survey." More than 70 percent of the 1,233 organizations surveyed in 51 countries failed to list training and raising employee awareness of information security issues as a top initiative."

A case of 'ignorance is not bliss'.

CC.

--
TaijiQuan (Huang, 5 loosenings)
1. Re:Ignoring the Human Factor is not Bliss by king-manic · 2007-09-17 05:41 · Score: 4, Insightful
  
  "CEOs are increasingly aware of the risks posed to company information by insiders, but they aren't acting on this knowledge, according to the "2004 Ernst & Young Global Information Security Survey." More than 70 percent of the 1,233 organizations surveyed in 51 countries failed to list training and raising employee awareness of information security issues as a top initiative."
  
  A case of 'ignorance is not bliss'. You do have to weigh company morale vs security. Requesting the whole organization use tinfoil hat Linux boxes; with 256bit end to end encryption; with all outgoing and incoming packets sniffed, duplicated and logged; 16 character mixed special char, numeric, and alphabetic passwords; Faraday cages around every office; may be excessive even for the NSA. You have to trust your employees at least a little or else it becomes a Us vs them situation.
  
  --
  "There are more things in heaven and earth, Horatio, than are dreamt of in your philosophy."
2. Re:Ignoring the Human Factor is not Bliss by gravos · 2007-09-17 05:45 · Score: 4, Insightful
  
  Implementing good security practices tends to waste time.
  
  If Cindy from HR calls me and I have to verify that she is, in fact, Cindy from HR, every time she calls me, that reduces my productivity by a certain amount.
  
  There are ways to spend money instead of reducing productivity (like installing dedicated phones between offices that don't link to the POTS network), but losing money is hardly better than losing time.
  
  The moral of the story is, until losses from poor security exceed losses to productivity caused by rigorously following security protocols on average, people will not be inclined to rigorously follow those protocols.
  
  --
  This game will waste your life. Don't clicky!
3. Re:Ignoring the Human Factor is not Bliss by an.echte.trilingue · 2007-09-17 05:59 · Score: 4, Insightful
  
  No, implementing good security practices saves time, every time.
  
  It requires an upfront investment of time to implement and maintain the system, but it beats the hell out of spending your week re-ghosting all of the computers in the accounting department because some ex-employee decided it would be funny to install a back door, and now you have to lock down every system he had access to and also try to figure out what he could have leaked so you can notify your soon to be ex-customers of what you lost. Feel free to repeat every month or so, depending on the size of your organization.
  
  Or, you could give users a limited access account (which is easy to do even in windows), implement a sane permission system on your servers, implement something like a kerberos server, and make your employees read and sign a "good security practices" memo once a year so that they understand your policy and why it is important.
  
  Security is time well invested.
  
  --
  weirdest thing I ever saw: scientology advertising on slashdot.
4. Re:Ignoring the Human Factor is not Bliss by SatanicPuppy · 2007-09-17 06:05 · Score: 4, Insightful
  
  Meh. All that is pointless, because it doesn't address social engineering or intentional internal sabotage.
  
  What you need are good audit and logging procedures, to help you pinpoint the vector of intrusion, and to minimize the damage caused. That's a basic principle for financial systems, and it's one that could benefit from being extended to general users.
  
  The goal is not even to do big brother crap (though this could be misused that way) but simply to have an accurate record of what's going on in your systems. Once you have that, all other problems can be addressed more effectively, and solutions can be generated that can provide security without overly hindering users. If you don't have an accurate idea of how your systems are being breached, you're forced to employ blanket policies that hinder productivity and breed dissatisfaction.
  
  --
  ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
5. Re:Ignoring the Human Factor is not Bliss by Anonymous Coward · 2007-09-17 06:59 · Score: 1, Insightful
  
  this reveal is more of a symptom.... The real problem exists in that corporations dont nurture employee loyalty and corp management seems to be only looking out for themselves. This breeds discontent in the workers and creates stats like the ones listed in the article..... Why should an employee care about protecting assets when they have no vested interest in corporate asset protection? Loyalty seems to be non-existent these days and corporate management methodologies seem to be it's killer. Elaborate automated security safeguards cannot fix this problem and in fact just further alienates the employees...
  
  The obvious, very lo-tech solution is to take care of your employees, consider them long term and valuable assets and earn their loyalty by making sound and knowledgeable decisions for the good of the company. Doesnt take an MBA to understand that.... In fact it seems that most MBAs dont understand that all...
6. Re:Ignoring the Human Factor is not Bliss by SatanicPuppy · 2007-09-17 07:39 · Score: 2, Insightful
  
  Yea. There are ways of doing black-box auditing and logging...Not the least to have a terminal-output hardcopy.
  
  It's not really an often-pursued option these days, however.
  
  --
  ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
7. Re:Ignoring the Human Factor is not Bliss by fishbowl · 2007-09-17 08:45 · Score: 2, Insightful
  
  > You do have to weigh company morale vs security.
  
  Most organizations have several classes of employee, one including those who could easily walk away and be employed at double or more times their salary the same afternoon. There's another class of employee that most organizations have, consisting of those who will put up with a great deal of abuse, disrepect, and follow any unreasonable or quasi-reasonable rule or workplace condition, because the balance of their value of job security falls in favor of the employee.
  
  The problem is, if decisions are made that adversely affect the former group, serious damage to the organization ensues. And there's a fuzzy line between decisions and polices that affect the latter group but don't disturb the former.
  
  This is part of the reason why all the bitching comes from the lower tiers. Those in the lower tiers seem consistently unable to elevate their positions, and unable to seek elevated positions elsewhere. Those in the higher tiers know that lateral opportunities abound. There are probably a lot more ingredients in the equation, but they include: Experience, Education, Financial ability to *buy* a personal stake, and Personality.
  
  --
  -fb Everything not expressly forbidden is now mandatory.
Duh by grasshoppa · 2007-09-17 05:40 · Score: 4, Insightful

No shit; I'm surprised this hasn't been the case all along. Every IT dept I've been in has been treated by the employer as a reactive service. Most of the time, we are given something to install. Not asked if it'll fit in our current IT environment, but given and asked how soon it can be installed.

USB thumb drives are an on going headache, and an attack vector on top of that. I'm forced to wonder how serious any of these issues would be if we didn't live in a windows centric world.

--
Mod me down with all of your hatred and your journey towards the dark side will be complete!
1. Re:Duh by czmax · 2007-09-17 05:56 · Score: 2, Insightful
  
  IT should be a reactive service. Ideally there would be more communication than just "please install this", maybe something more like, "we need this service and think this would provide it". But frankly I'm tired of IT thinking they know more about my job, and what I need, than I do.
  
  If your current IT environment isn't capable of supporting my needs then fix it.
2. Re:Duh by CodeBuster · 2007-09-17 06:35 · Score: 3, Insightful
  
  As you so aptly pointed out, most users (and managers) just approach IT with a demand to "please install this" only it is really an order and not a request. The users have needs yes, but often times that have already decided that a particular piece of software is "ideal" for their needs based upon the word of a salesman without even asking IT. You say that you are tired of IT thinking that they know more about your job than you do, but really that is exactly what you are doing to IT when you have already selected whatever software that you are going to use lock stock and barrel without consulting IT first about what it is that you are trying to do or asking for suggestions or an opinion on the software or possible alternatives. Remember that IT has to be concerned with what is best for all of the users and the network, not just your immediate needs. I cannot tell you how many times I have had to dissuade a user from a poor software selection merely because they heard a good sales pitch at their last conference where the salesman told them to "just ignore IT objections, because they don't know what they are talking about"...yeah and that salesman doesn't have a horse in the game either way right? wrong.
  
  The problem is responsibility. The IT department doesn't want to be responsible for a poor software choice that they had absolutely no input on and for which there were any number of superior alternatives. You might say that everyone wants to go to the party, but nobody wants to hang around afterwards to clean up the mess and it is always the IT department that is left without a chair when the music stops (even if IT did not champion the culprit software and was ordered to "just install it").
  
  If your current IT environment isn't capable of supporting my needs then fix it.
  
  It is often the case that this requires money which nobody ever wants to provide for more "expensive IT toys" and so problems go on until they become so notorious that somebody higher up actually approves a last minute purchase or budgets staff time to research and fix the problem.
Security vs. Performance by fishybell · 2007-09-17 05:41 · Score: 4, Insightful

My company is constantly tightening the security belt on its employees, but we find we can only tighten it so much.

If we give every employee access to everything, yes problems will happen. But if we give most employees access to most things their jobs are a lot easier, and more work gets done (or the same amount of work gets done, but with less stress and overworking).
If one of our employees decides to steal information, we'll deal with it with that employee, but that's as far as we go. We can't live in fear of an inside attack just because it's more likely than a virus (especially for a linux only shop like ourselves). A balance must be struck between full access and full security.

--
><));>
Mitnick is right by Enlarged+to+Show+Tex · 2007-09-17 05:42 · Score: 3, Insightful

It's all well and good to have the tech locked down; however, the system is only as good as its weakest link - the humans. There's only so much you can do when a luser decides to keep all of his passwords on a post-it note...
1. Re:Mitnick is right by Carrot007 · 2007-09-17 06:14 · Score: 3, Insightful
  
  When the user writes all his passwords down on a post it note this shows you that either IT or Management have implemented a passowrd policy that is over complex and or changed to frequently. And if it is Management then IT are to blame for not adiqualty advising them that such a policy would make the system less secure though post it note activity.
  
  Don't pass the blame. Deal with the problem.
  
  --
  +----------------- | What is the question!
The ultimate attainable security ... by khasim · 2007-09-17 06:01 · Score: 3, Insightful

The ultimate attainable security ... is when your systems lose/corrupt/release data more often due to the stupid (non-malicious) actions of your people than due to crackers.

The human level is the last limit. Don't focus on technology that will get you that last 0.0001% when the people running your systems will causing the problems 100x more often.
1. Re:The ultimate attainable security ... by sufijazz · 2007-09-17 06:27 · Score: 2, Insightful
  
  From TFA
  Hiding porn on an office PC, using unlicensed software, and abusing e-mail all count as security incidents, though all pale in comparison to one successful phishing trip." They are not even talking about "stupid" actions or even losing/corrupting/releasing data. If this is what you are measuring as a security incident, no wonder the number of security incidents being caused by insiders is going to be higher. If I am a hacker, why would I use a PC in a hacked corporate network to store my porn?
  
  --
  2+2=5 for very large values of 2.
2. Re:The ultimate attainable security ... by cdf123 · 2007-09-17 10:11 · Score: 5, Insightful
  
  If I am a hacker, why would I use a PC in a hacked corporate network to store my porn?
  If I was a hacker, the last place I would store anything incriminating, is my own PC.
  One of the big reasons to store off site is to use the hacked PC for free/illegal hosting. This makes it harder to trace back to the hacker, and doesn't waist resources of the hacker's PC (storage/bandwidth). Think of how long it would take to find something on a PC if it was just used as a web server, serving files stored in some rootkit hidden directory. Virus scanners wouldn't find it, as the files aren't viral. Unless a firewall log audit, or internal port scan picked up the web server application, it could go unnoticed for months, or maybe years. Now do this to about 20 hacked systems, and you have a semi-reliable distributed network for all your hosting needs.
  Sounds like a reasonable thing for a hacker to do to me.
Duh! by gravis777 · 2007-09-17 06:08 · Score: 4, Insightful

Even when I do have a small virus outbreak, its because people are visiting sites that they know they shouldn't. I have Sophos setup to block installations of all toolbars except for Google, users cannot run Limewire, Kazaa, Bearshare, or so forth (BitTorrent is still enabled), and soforth. Before I upgraded Sophos and it was not able to block apps, I was always having problems with people going to SmileyCentral, or downloading Weatherbug. Now they can go to the websites all they want, it will not let them install the software.

But yeah, most problems are user related. Broken pins on power adaptors, caused by users jabbing the plugs into their laptops, out of harddrive space, fixed by deleting their iTunes, computer running slow, i go and remove tons of crap the user has installed, user has e-mail bouncing, because user had ignored notifications from IT that they were approaching their e-mail quota, Illustrator on the Mac will not start because user has deleted system fonts, modem not working after user used modem during lightning storm (I am actually looking at my tickets as I am writing this, these are my tickets).
1. Re:Duh! by myz24 · 2007-09-17 06:51 · Score: 2, Insightful
  
  Don't allow your users to be local admins, this has done well for me to prevent installations.
CSI study is, and always has been, crap by 44BSD · 2007-09-17 06:13 · Score: 2, Insightful

494 out of 5,000 responded. I wonder if the 9% who did are at all unlike the 91% who did not? Could it be, ya think??

It's called non-response bias.

They admit right up front that the results (even if there were no non-response bias) don't generalize to IT in general, since their members are not drawn from IT in general.
Don't alienate users by mi · 2007-09-17 06:16 · Score: 2, Insightful

I don't mean, alienating them as employees — that's another story. I mean alienating them as computer users — by bullshit like blocking certain sites or other services (such as instant messengers), in particular.
You will then not have to chase the violators and waste time (money) on the fruitless pursuit... The pursuit, which also severely hampers the productivity of the best of your users... "Access from home? No, you'll need five approvals for me to allow that."

--
In Soviet Washington the swamp drains you.
Re:This has been the case for a long time by Vancorps · 2007-09-17 07:40 · Score: 4, Insightful

Yeah, we had a guy calling people in our office asking for voicemail passwords. He dialed through a company in New Jersey one day, California the next. Our system doesn't allow dialing out through the voicemail system so we weren't really vulnerable but we have a simple policy which is very easy to understand. It says no one will ever ask for any password in person, email, or over the phone. IT does not need your password for any task whatsoever so never give it out.

Time came with this guy calling and asking and surprisingly no one gave him their password. My faith was restored. Of course this is a reasonably small company. Make it simple and people will follow it though. They can even encrypt their stuff and I still won't need their password ever because I have the recovery keys. All the mechanisms are their so it's up to sysadmins to make it simple and easy for regular folks to understand. Afterall, the folks in accounting know more about taxes than I do because that is their job. I know a little about how our taxes are calculated because I've needed to, just like they've had to learn a little about security practices. I'd say it's as fair a system as any.
No big surprise by Mr.+McGibby · 2007-09-17 08:57 · Score: 3, Insightful

This isn't a big surprise to me. I've noticed over the years that IT folk are less and less concerned with users and more concerned with hardware. Desktop support seems to be the one thing that no one wants to do, probably because it pays the least.

--
Mad Software: Rantings on Developing So
Solutions cause more problems than workers by Whuffo · 2007-09-17 09:00 · Score: 3, Insightful

I don't think it's news to anyone here that users are the greatest threat to a corporate network. Even the classifications they use are useless; think about the times a virus has attacked your network and I'll bet it was a user doing something that was prohibited by company policy that set the virus loose.
So let's look at the possible solutions. We've got "lock everything down" in the lead - that's fine in its way but causes worker dissatisfaction because they can't use the creative solutions they've developed, can't use the tools they're used to in the way they're used to, etc. Ultimately, if you get things limited to the point that all possibility of damage is prevented you've also created a situation where productivity is severely limited or prevented. And it's just a matter of time before it's pointed out to you that you weren't as secure as you thought you were.
Then there's the "monitor and log everything" plan - give the users a quick class in acceptable use of IT assets then "correct" anyone who violates the rules. This overlooks the very real truth that most of the harm caused by users is not intentional; it's almost always an unexpected result from a silly mistake. The result of this plan is to create an environment of fear where everyone is careful to follow the rules exactly, won't do anything that's "not my job" and if something goes wrong nobody saw anything. Ultimately you end up with all the problems you had before but with no useful information on how it happened / how to prevent it from happening again - and low productivity due to the workers being unwilling to do any more than necessary.
The real answer is that You can't solve personnel problems with technological solutions. Forget what they taught you in your MBA program and what the security software vendors told you, treat the workers like human beings and help them to understand what can go wrong and how to avoid it. Remember that IT's mission is to support the workers. Offer classes on information security, available to all, and on paid time so they'll have the chance and ability to take part. IT works much, much better when the rest of the corporate staff are partners, not antagonists.
Re:IT Tips we could do without by Todd+Knarr · 2007-09-17 10:32 · Score: 3, Insightful

Actually that is easy to remember: the name of the rhyme you used plus the fact that you take the first letter of each word. The rhyme itself should come to mind instantly once you think of the name. The problem is that it's so hard to extract the letters and type it in that even I wouldn't want to have to use it.

And frankly, concentrating on password security misses the obvious: most attacks these days aren't on the passwords. Why should I (as an attacker) waste my time trying to crack your user's passwords when I can send them a simple phishing e-mail that'll get them to give me their passwords? Or maybe just a little trojan disguised as a neat-o screen saver or Web control that'll silently grab all the saved password lists from IE, Outlook, OE, etc. and send it to me? Or that'll install itself under your user account, authenticated and all, and let Windows handle the details of supplying your credentials whenever I want to do something? The big problem isn't keeping unauthorized users out, it's in what authorized users do with their authorization that they shouldn't be doing but are allowed to do anyway.