Slashdot Mirror


Workers Cause More Problems Than Viruses

Technical Writing Geek writes "A new report finds that, for the first time, virus infections have slipped to the second spot on the list of computer security troublemakers. In first place— a company's own workers. 'The Computer Security Institute has just released the 2007 edition (PDF) of its long-running "Computer Crime and Security Survey," and it offers some dreary news for overworked computer security admins: average losses from attacks have surged this year. More surprising is the finding that the single biggest security threat faced by corporate networks doesn't come from virus writers any more; instead, it comes from company insiders.'"

16 of 191 comments

  1. Ignoring the Human Factor is not Bliss by foobsr · · Score: 5, Insightful

    As of 2004:

    "CEOs are increasingly aware of the risks posed to company information by insiders, but they aren't acting on this knowledge, according to the "2004 Ernst & Young Global Information Security Survey." More than 70 percent of the 1,233 organizations surveyed in 51 countries failed to list training and raising employee awareness of information security issues as a top initiative."

    A case of 'ignorance is not bliss'.

    CC.

    --
    TaijiQuan (Huang, 5 loosenings)
    1. Re:Ignoring the Human Factor is not Bliss by king-manic · · Score: 4, Insightful

      "CEOs are increasingly aware of the risks posed to company information by insiders, but they aren't acting on this knowledge, according to the "2004 Ernst & Young Global Information Security Survey." More than 70 percent of the 1,233 organizations surveyed in 51 countries failed to list training and raising employee awareness of information security issues as a top initiative."

      A case of 'ignorance is not bliss'. You do have to weigh company morale vs. security. Requesting the whole organization use tinfoil hat Linux boxes; with 256-bit end to end encryption; with all outgoing and incoming packets sniffed, duplicated and logged; 16-character mixed special char, numeric, and alphabetic passwords; Faraday cages around every office; may be excessive even for the NSA. You have to trust your employees at least a little or else it becomes an us vs. them situation.
      --
      "There are more things in heaven and earth, Horatio, than are dreamt of in your philosophy."
    2. Re:Ignoring the Human Factor is not Bliss by gravos · · Score: 4, Insightful

      Implementing good security practices tends to waste time.

      If Cindy from HR calls me and I have to verify that she is, in fact, Cindy from HR, every time she calls me, that reduces my productivity by a certain amount.

      There are ways to spend money instead of reducing productivity (like installing dedicated phones between offices that don't link to the POTS network), but losing money is hardly better than losing time.

      The moral of the story is, until losses from poor security exceed losses to productivity caused by rigorously following security protocols on average, people will not be inclined to rigorously follow those protocols.

    3. Re:Ignoring the Human Factor is not Bliss by EvanED · · Score: 5, Interesting

      Requesting the whole organization use tinfoil hat Linux boxes; with 256-bit end to end encryption; with all outgoing and incoming packets sniffed, duplicated and logged; 16-character mixed special char, numeric, and alphabetic passwords; Faraday cages around every office; may be excessive even for the NSA

      Actually I bet the NSA is doing everything you name, except for the 256-bit thing. I'm sure they're using at least 4096-bit encryption (assuming RS). Maybe biometrics instead of the fancy passwords.

      But you can be sure that the rooms are Faraday cages; even the CIA does that. ;-)

      (The CIA also has double walls between which they pump white noise so that people can't read the vibrations of the glass with laser meters. The building is magnetically shielded so people can't "read" the monitors of people remotely.)

    4. Re:Ignoring the Human Factor is not Bliss by an.echte.trilingue · · Score: 4, Insightful

      No, implementing good security practices saves time, every time.

      It requires an upfront investment of time to implement and maintain the system, but it beats the hell out of spending your week re-ghosting all of the computers in the accounting department because some ex-employee decided it would be funny to install a back door, and now you have to lock down every system he had access to and also try to figure out what he could have leaked so you can notify your soon to be ex-customers of what you lost. Feel free to repeat every month or so, depending on the size of your organization.

      Or, you could give users a limited access account (which is easy to do even in Windows), implement a sane permission system on your servers, implement something like a Kerberos server, and make your employees read and sign a "good security practices" memo once a year so that they understand your policy and why it is important.

      Security is time well invested.

      --
      weirdest thing I ever saw: scientology advertising on slashdot.
    5. Re:Ignoring the Human Factor is not Bliss by SatanicPuppy · · Score: 4, Insightful

      Meh. All that is pointless, because it doesn't address social engineering or intentional internal sabotage.

      What you need are good audit and logging procedures, to help you pinpoint the vector of intrusion, and to minimize the damage caused. That's a basic principle for financial systems, and it's one that could benefit from being extended to general users.

      The goal is not even to do big brother crap (though this could be misused that way) but simply to have an accurate record of what's going on in your systems. Once you have that, all other problems can be addressed more effectively, and solutions can be generated that can provide security without overly hindering users. If you don't have an accurate idea of how your systems are being breached, you're forced to employ blanket policies that hinder productivity and breed dissatisfaction.

      --
      ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
  2. Norton Anti-Worker by biocute · · Score: 5, Funny

    Time to place your order.

  3. I work with my Dad by JohnnyGTO · · Score: 4, Funny

    and when it comes to computers, faxes, phone system or staplers we call him the Human.Virus

    God forbid you leave your iPod near him!

    --
    Si vis pacem, para bellum! For evil to succeed good men need only do nothing!
  4. Duh by grasshoppa · · Score: 4, Insightful

    No shit; I'm surprised this hasn't been the case all along. Every IT dept I've been in has been treated by the employer as a reactive service. Most of the time, we are given something to install. Not asked if it'll fit in our current IT environment, but given and asked how soon it can be installed.

    USB thumb drives are an ongoing headache, and an attack vector on top of that. I'm forced to wonder how serious any of these issues would be if we didn't live in a Windows-centric world.

    --
    Mod me down with all of your hatred and your journey towards the dark side will be complete!
    1. Re:Duh by Mattintosh · · Score: 4, Funny

      For this exercise, I'm going to assume you're in management.

      If your current IT environment isn't capable of supporting my needs then fix it.

      If your current needs outstrip the capabilities of our current IT environment, then fund the upgrade.

      mv shoe otherfoot

  5. Security vs. Performance by fishybell · · Score: 4, Insightful

    My company is constantly tightening the security belt on its employees, but we find we can only tighten it so much.

    If we give every employee access to everything, yes problems will happen. But if we give most employees access to most things their jobs are a lot easier, and more work gets done (or the same amount of work gets done, but with less stress and overworking).

    If one of our employees decides to steal information, we'll deal with it with that employee, but that's as far as we go. We can't live in fear of an inside attack just because it's more likely than a virus (especially for a linux only shop like ourselves). A balance must be struck between full access and full security.

    --
    ><));>
  6. PEBKAC by Protonk · · Score: 4, Informative

    The security literature has been saying this for years. And, depending on who you classify as a 'user' this is a much broader problem. The TJX breach? If I consider that the company IT dept. allowed latitude in where computers were connected to the company intranet (for convenience) and which computers could be connected, then the protocols surrounding handling of data (either VISA, [PDF] or otherwise) become superfluous. The 'user' that wants to be able to check stock at a kiosk inserts problems not considered in the protocol.

    This is largely fixed by changing/following protocol (although following PCI would not have eliminated the TJX breach, just limited it). Dictating access limits to machines, enforcing those access limits through user and key management. Enforcing segregation of data by pushing it back from the user space. Etc.

    In a lot of cases, these things can be eliminated only through design--not draconian regulations. By design I mean something separate from limitations. A limitation (for example) would be to block any traffic going to popular webmail accounts through a browser. This is pretty easily circumvented by a half dozen trivial (read: largely non-technical and non-threatening) solutions. A design solution would be to incent users to use the internal mailing system to organize their mail and to VPN to it while away. Using Outlook as a primary means to communicate makes me pine for the responsiveness and search functionality of Gmail. Eventually, rules be damned, I will migrate my work email to Gmail (assuming I'm not security conscious) because it offers so many inherent advantages. The solution, being to eliminate those advantages.

    Without that, you are in the same boat that you were before. More rules, but the same incentive to break them.

  7. Duh! by gravis777 · · Score: 4, Insightful

    Even when I do have a small virus outbreak, it's because people are visiting sites that they know they shouldn't. I have Sophos set up to block installations of all toolbars except for Google, users cannot run Limewire, Kazaa, Bearshare, or so forth (BitTorrent is still enabled), and so forth. Before I upgraded Sophos and it was not able to block apps, I was always having problems with people going to SmileyCentral, or downloading Weatherbug. Now they can go to the websites all they want, it will not let them install the software.

    But yeah, most problems are user related. Broken pins on power adaptors, caused by users jabbing the plugs into their laptops, out of hard drive space, fixed by deleting their iTunes, computer running slow, I go and remove tons of crap the user has installed, user has e-mail bouncing, because user had ignored notifications from IT that they were approaching their e-mail quota, Illustrator on the Mac will not start because user has deleted system fonts, modem not working after user used modem during lightning storm (I am actually looking at my tickets as I am writing this, these are my tickets).

  8. The only logical conclusion by gorbachev · · Score: 4, Funny

    ...is to fire everyone.

    --
    In Soviet Russia, I ruled you
  9. Re:This has been the case for a long time by Vancorps · · Score: 4, Insightful

    Yeah, we had a guy calling people in our office asking for voicemail passwords. He dialed through a company in New Jersey one day, California the next. Our system doesn't allow dialing out through the voicemail system so we weren't really vulnerable but we have a simple policy which is very easy to understand. It says no one will ever ask for any password in person, email, or over the phone. IT does not need your password for any task whatsoever so never give it out.

    Time came with this guy calling and asking and surprisingly no one gave him their password. My faith was restored. Of course this is a reasonably small company. Make it simple and people will follow it though. They can even encrypt their stuff and I still won't need their password ever because I have the recovery keys. All the mechanisms are there so it's up to sysadmins to make it simple and easy for regular folks to understand. After all, the folks in accounting know more about taxes than I do because that is their job. I know a little about how our taxes are calculated because I've needed to, just like they've had to learn a little about security practices. I'd say it's as fair a system as any.

  10. Re:The ultimate attainable security ... by cdf123 · · Score: 5, Insightful

    If I am a hacker, why would I use a PC in a hacked corporate network to store my porn?

    If I was a hacker, the last place I would store anything incriminating, is my own PC.

    One of the big reasons to store off site is to use the hacked PC for free/illegal hosting. This makes it harder to trace back to the hacker, and doesn't waste resources of the hacker's PC (storage/bandwidth). Think of how long it would take to find something on a PC if it was just used as a web server, serving files stored in some rootkit hidden directory. Virus scanners wouldn't find it, as the files aren't viral. Unless a firewall log audit, or internal port scan picked up the web server application, it could go unnoticed for months, or maybe years. Now do this to about 20 hacked systems, and you have a semi-reliable distributed network for all your hosting needs.

    Sounds like a reasonable thing for a hacker to do to me.
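The "firewall log audit" the comment above mentions is the one control it names that would catch a workstation quietly serving files. As an added example (not from the thread or any real product), this script parses constructed firewall ACCEPT lines and flags internal hosts accepting inbound connections on ports that are not in a hypothetical inventory of sanctioned listeners; the log format, host addresses and the EXPECTED_LISTENERS table are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (not from any real system): inbound
# connections the perimeter firewall ACCEPTed or DROPped toward internal hosts.
SAMPLE_LOG = """\
2007-09-14T02:11:05 ACCEPT TCP 203.0.113.7:51234 -> 10.0.5.23:8080
2007-09-14T02:11:09 ACCEPT TCP 198.51.100.4:40112 -> 10.0.5.23:8080
2007-09-14T02:12:41 ACCEPT TCP 203.0.113.9:33001 -> 10.0.1.10:443
2007-09-14T02:13:02 ACCEPT TCP 192.0.2.55:47123 -> 10.0.5.23:8080
2007-09-14T02:14:17 ACCEPT TCP 203.0.113.7:51299 -> 10.0.1.10:25
2007-09-14T02:15:30 DROP   TCP 192.0.2.66:55555 -> 10.0.5.44:8080
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ACCEPT|DROP)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Hypothetical inventory of hosts that are supposed to accept inbound
# connections, and on which ports. Anything not listed here is a workstation.
EXPECTED_LISTENERS = {"10.0.1.10": {25, 443}}

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def find_unexpected_listeners(log_text, min_sources=2):
    """Map (dst, dport) -> sorted external sources for internal hosts that
    accepted inbound connections on a port not in the inventory, from at least
    `min_sources` distinct addresses (a single probe is treated as noise)."""
    sources = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "ACCEPT":
            continue
        dport = int(rec["dport"])
        if dport in EXPECTED_LISTENERS.get(rec["dst"], set()):
            continue  # sanctioned service on a sanctioned host
        sources[(rec["dst"], dport)].add(rec["src"])
    return {k: sorted(v) for k, v in sources.items() if len(v) >= min_sources}

if __name__ == "__main__":
    for (host, port), srcs in find_unexpected_listeners(SAMPLE_LOG).items():
        print(f"{host}:{port} accepted inbound connections from {len(srcs)} sources: {srcs}")
```

On the constructed sample this reports 10.0.5.23:8080, a workstation address serving three distinct external clients, and stays silent about the mail and HTTPS server in the inventory.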