Workers Cause More Problems Than Viruses
Technical Writing Geek writes "A new report finds that, for the first time, virus infections have slipped to the second spot on the list of computer security troublemakers. In first place— a company's own workers. 'The Computer Security Institute has just released the 2007 edition (PDF) of its long-running "Computer Crime and Security Survey," and it offers some dreary news for overworked computer security admins: average losses from attacks have surged this year. More surprising is the finding that the single biggest security threat faced by corporate networks doesn't come from virus writers any more; instead, it comes from company insiders.'"
As of 2004:
"CEOs are increasingly aware of the risks posed to company information by insiders, but they aren't acting on this knowledge, according to the "2004 Ernst & Young Global Information Security Survey." More than 70 percent of the 1,233 organizations surveyed in 51 countries failed to list training and raising employee awareness of information security issues as a top initiative."
A case of 'ignorance is not bliss'.
CC.
TaijiQuan (Huang, 5 loosenings)
Time to place your order.
Virtual Betting on Facebook for non-geeks.
It brings to mind the old saying 'loose lips sink ships'. I've only had a few years' experience as a sysadmin, and it was drilled into my head quite early that the one thing you can never secure is the user. Let's come up with a real story now please.
If sharing a song makes you a pirate, what do I have to share to be a ninja?
And when it comes to computers, faxes, the phone system or staplers, we call him the Human.Virus
God forbid you leave your iPod near him!
Si vis pacem, para bellum! For evil to succeed good men need only do nothing!
No shit; I'm surprised this hasn't been the case all along. Every IT dept I've been in has been treated by the employer as a reactive service. Most of the time, we are given something to install. Not asked if it'll fit in our current IT environment, but given and asked how soon it can be installed.
USB thumb drives are an ongoing headache, and an attack vector on top of that. I'm forced to wonder how serious any of these issues would be if we didn't live in a Windows-centric world.
Mod me down with all of your hatred and your journey towards the dark side will be complete!
If we give every employee access to everything, yes problems will happen. But if we give most employees access to most things their jobs are a lot easier, and more work gets done (or the same amount of work gets done, but with less stress and overworking).
If one of our employees decides to steal information, we'll deal with it with that employee, but that's as far as we go. We can't live in fear of an inside attack just because it's more likely than a virus (especially for a Linux-only shop like ourselves). A balance must be struck between full access and full security.
><));>
It's all well and good to have the tech locked down; however, the system is only as good as its weakest link - the humans. There's only so much you can do when a luser decides to keep all of his passwords on a post-it note...
And even with viruses, what percentage of them are installed through dumb users running executables they shouldn't? Most of the time it comes down to dumb users. There have been very few times that a virus/worm has been able to work itself into the computer without user interaction. Granted, in the cases where this has happened, like when ports are left open and the virus sneaks in from the internet, the infection rate can be very high. However, still, most viruses, and the majority of computer/security problems in general, come from dumb users.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
The security literature has been saying this for years. And, depending on who you classify as a 'user', this is a much broader problem. The TJX breach? If I consider that the company IT dept. allowed latitude in where computers were connected to the company intranet (for convenience) and which computers could be connected, then the protocols surrounding handling of data (either VISA [PDF] or otherwise) become superfluous. The 'user' that wants to be able to check stock at a kiosk inserts problems not considered in the protocol.
This is largely fixed by changing/following protocol (although following PCI would not have eliminated the TJX breach, just limited it). Dictating access limits to machines, enforcing those access limits through user and key management. Enforcing segregation of data by pushing it back from the user space. Etc.
In a lot of cases, these things can be eliminated only through design--not draconian regulations. By design I mean something separate from limitations. A limitation (for example) would be to block any traffic going to popular webmail accounts through a browser. This is pretty easily circumvented by a half dozen trivial (read: largely non-technical and non-threatening) solutions. A design solution would be to incent users to use the internal mailing system to organize their mail and to VPN to it while away. Using Outlook as a primary means to communicate makes me pine for the responsiveness and search functionality of Gmail. Eventually, rules be damned, I will migrate my work email to Gmail (assuming I'm not security conscious) because it offers so many inherent advantages. The solution being to eliminate those advantages.
Without that, you are in the same boat that you were before. More rules, but the same incentive to break them.
"Can we get you on Mastermind, Sybil? Our next contestant, Sybil Fawlty from Tall Key, special subject, the Bleedin' Obvious..."
I mean, I wouldn't have had to set the place on fire if they would have quit moving my desk and asked me to kill cockroaches and kept on stealing my stapler.
Monstar L
Workers have probably displaced viruses simply on the strength of MediaDefender's e-mails all going public this weekend due to the truly stupid actions of one person, and I'm very glad today that I'm not him!
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
The ultimate attainable security ... is when your systems lose/corrupt/release data more often due to the stupid (non-malicious) actions of your people than due to crackers.
The human level is the last limit. Don't focus on technology that will get you that last 0.0001% when the people running your systems will be causing the problems 100x more often.
.. according to the BOFH.
Have gnu, will travel.
Even when I do have a small virus outbreak, it's because people are visiting sites that they know they shouldn't. I have Sophos set up to block installations of all toolbars except for Google; users cannot run Limewire, Kazaa, Bearshare, or so forth (BitTorrent is still enabled), and so forth. Before I upgraded Sophos and it was not able to block apps, I was always having problems with people going to SmileyCentral, or downloading Weatherbug. Now they can go to the websites all they want; it will not let them install the software.
But yeah, most problems are user related. Broken pins on power adaptors, caused by users jabbing the plugs into their laptops; out of hard drive space, fixed by deleting their iTunes; computer running slow, I go and remove tons of crap the user has installed; user has e-mail bouncing, because user had ignored notifications from IT that they were approaching their e-mail quota; Illustrator on the Mac will not start because user has deleted system fonts; modem not working after user used modem during lightning storm (I am actually looking at my tickets as I am writing this; these are my tickets).
494 out of 5,000 responded. I wonder if the 9% who did are at all unlike the 91% who did not? Could it be, ya think??
It's called non-response bias.
They admit right up front that the results (even if there were no non-response bias) don't generalize to IT in general, since their members are not drawn from IT in general.
I don't mean, alienating them as employees — that's another story. I mean alienating them as computer users — by bullshit like blocking certain sites or other services (such as instant messengers), in particular.
You will then not have to chase the violators and waste time (money) on the fruitless pursuit... The pursuit, which also severely hampers the productivity of the best of your users... "Access from home? No, you'll need five approvals for me to allow that."
In Soviet Washington the swamp drains you.
The obvious conclusion is all the workers should be fired and replaced with viruses.
...is to fire everyone.
In Soviet Russia, I ruled you
That may be "the answer", but it is an expensive and resource-intensive answer. The more auditing and tracking you do, the more hardware, software, and performance overhead you add to your network. And the more man-hours you have to throw at it. I am quite sure that some firms would rather risk a few losses rather than deal with the extra cost and complexity.
This isn't a big surprise to me. I've noticed over the years that IT folk are less and less concerned with users and more concerned with hardware. Desktop support seems to be the one thing that no one wants to do, probably because it pays the least.
Mad Software: Rantings on Developing So
So let's look at the possible solutions. We've got "lock everything down" in the lead - that's fine in its way but causes worker dissatisfaction because they can't use the creative solutions they've developed, can't use the tools they're used to in the way they're used to, etc. Ultimately, if you get things limited to the point that all possibility of damage is prevented you've also created a situation where productivity is severely limited or prevented. And it's just a matter of time before it's pointed out to you that you weren't as secure as you thought you were.
Then there's the "monitor and log everything" plan - give the users a quick class in acceptable use of IT assets then "correct" anyone who violates the rules. This overlooks the very real truth that most of the harm caused by users is not intentional; it's almost always an unexpected result from a silly mistake. The result of this plan is to create an environment of fear where everyone is careful to follow the rules exactly, won't do anything that's "not my job" and if something goes wrong nobody saw anything. Ultimately you end up with all the problems you had before but with no useful information on how it happened / how to prevent it from happening again - and low productivity due to the workers being unwilling to do any more than necessary.
The real answer is that you can't solve personnel problems with technological solutions. Forget what they taught you in your MBA program and what the security software vendors told you; treat the workers like human beings and help them to understand what can go wrong and how to avoid it. Remember that IT's mission is to support the workers. Offer classes on information security, available to all, and on paid time so they'll have the chance and ability to take part. IT works much, much better when the rest of the corporate staff are partners, not antagonists.
Actually that is easy to remember: the name of the rhyme you used plus the fact that you take the first letter of each word. The rhyme itself should come to mind instantly once you think of the name. The problem is that it's so hard to extract the letters and type it in that even I wouldn't want to have to use it.
And frankly, concentrating on password security misses the obvious: most attacks these days aren't on the passwords. Why should I (as an attacker) waste my time trying to crack your user's passwords when I can send them a simple phishing e-mail that'll get them to give me their passwords? Or maybe just a little trojan disguised as a neat-o screen saver or Web control that'll silently grab all the saved password lists from IE, Outlook, OE, etc. and send it to me? Or that'll install itself under your user account, authenticated and all, and let Windows handle the details of supplying your credentials whenever I want to do something? The big problem isn't keeping unauthorized users out, it's in what authorized users do with their authorization that they shouldn't be doing but are allowed to do anyway.