Slashdot Mirror


Young Employees Pose Increasing Risk to Networks

buzzardsbay writes "Baseline is reporting on an upcoming survey from Symantec and Applied Research-West that confirms many suspicions about the generation gap in the workplace, namely that younger workers will use your corporate network to run most any device, technology or social networking software they can get their hands on. Dubbed "Millennials," these workers born after 1980 are nearly twice as likely to use cell phones and PDAs at work, and half admit to installing unauthorized software on their employer's computers. On the upside, the Millennials are more security aware than their older co-workers."

12 of 710 comments

  1. I'm surprised how high the risk is anyway by Chrisq · · Score: 2, Informative

    only 25% of pre-1980 employees install rogue software on corporate PCs compared to 46% post 1980. If that happened in the bank I worked for there would be hell to pay!

  2. Re:What about the other half? by Smidge204 · · Score: 4, Informative

    Interesting how you say that "installing unauthorized software" = "more productive"

    I'm willing to bet that the vast majority of "unauthorized software" are things like chat clients, media players, RSS/Weather update notifiers, games and software for personal devices (iTunes etc).
    =Smidge=

  3. And this is why. . . by smooth+wombat · · Score: 2, Informative

    those who manage the networks and PCs get ticked off and impose what seem like draconian rules about installing software and locking people down. All that extra cruft takes its toll on network performance and consumes resources.

    If you need a piece of software, yes, we will install it for you. You do not need the Gmail notifier constantly popping up and telling you you have new mail or checking for updates. Nor do you need to have Quicktime continually checking for updates. You most certainly do not need any kind of P2P software installed.

    While it's nice these "new" people are more comfortable with technology, the downside is the proverbial, "Just enough knowledge to be dangerous".

    --
    We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
  4. Re:Funny that by Compholio · · Score: 2, Informative

    Sounded to me like he was pissed that there was no chance for promotion since young people get let go when their project is complete. That's not "starting at the bottom", that's "temporary slave".

  5. Re:Unauthorized software by SatanicPuppy · · Score: 2, Informative

    Yea, the government. 'Nuff said.

    Restricting browsers and stuff is amateur hour. I'll let anyone install pretty much any professional-grade software they can convince someone to pay for. I'm OSS friendly, but I'd prefer a heads up, or at least I'd prefer to know that the guy installing the software gets a good binary and checks the hash.

    I restrict all my subnets pretty tightly, so I'm not worried about a lot of stuff leaking out if someone installs something bad. We don't really have problems with email viruses. I lock down the network mainly for convenience; most business environments only need a handful of ports available to the outside, and even fewer inbound.

    --
    ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
  6. Re:What about the other half? by hobo+sapiens · · Score: 2, Informative

    Have you ever used IETab? It's a Firefox extension that brings up pages in a tab that uses IE. Our intranet is such that many sites that I have to use require IE6 but I use Firefox for most dev work. Most of the time, that extension gets me in just fine. Don't remember which user-agent string it supplies, though, but you might find it helpful if you don't already have it.

    --
    blah blah blah
  7. Re:What about the other half? by Sylver+Dragon · · Score: 2, Informative

    I think most techs, and even admins are going to fall into the, "as long as it doesn't break anything, I don't really care." camp. As an admin, I couldn't care less which browser people use. We do have a few in house applications which are IE only, but as long as people are willing to deal with their own browser issues, if they want to use Firefox, Safari, Lynx, go for it. Just don't bug me when your browser of choice doesn't display correctly. Mind you, I work for a small research group at a University; so, YMMV.

    On the other side of the coin, I do understand why IT departments can be heavy handed about the software on client systems. It's tough to support $deity knows what on a system that has a million different applications installed. While it's simple to tell people that we won't support anything which is not on the "approved" list, it's much harder in practice to tell someone that they have lost all of their data to a bug in a program that helps them in their work. As an example of this, part of my mission is to support certain masters level students and their computers. I had one poor lady whose entire master's thesis was nearly lost because of a third party application which helps with adding and managing endnotes. The official answer would have been, "we don't support that, sorry." But it takes a certain level of heartlessness to actually say that to someone. So, I spent a few hours figuring out how to get the document back out of the program.

    And none of this considers the poor bastards who have to deal with HIPAA and/or Sarbanes-Oxley. With the security requirements mandated by both of those, I can kinda understand the BOFH approach and using mafia style tactics to enforce desktop policy. There are just some environments where security is a must, and the IT guys suddenly have to be the bad guys about it. Again, by way of example, my last job was setting up systems for physical security and access control systems. A guard level login to the system presented the user with a blank desktop, no taskbar, and a small application with a couple buttons on it to launch the required applications. Beyond that, they had nothing. The Start Menu was disabled, right clicking on the desktop was disabled, sticky keys and other accessibility options were disabled, autorun was disabled, the BIOS had a password, the system would only boot to the primary drive, etc. There was also the expectation that the system itself was going to be locked up to prevent physical access. It worked pretty well for what it was meant to do, which was prevent a bored guard from installing something at 3am.

    --
    Necessity is the mother of invention.
    Laziness is the father.
  8. Re:they need to protect their networks by Danny+Rathjens · · Score: 3, Informative

    That's why the ol' security maxim of basing authentication on "something you have and something you know." a.k.a. multi-factor authentication. It's a lot harder to social engineer something they have away from someone.

  9. Re:they need to protect their networks by The+Spoonman · · Score: 2, Informative

    but also provided by manufacturer and the only way to do business

    Then stop doing business with that manufacturer until they fix their software. Either that, or take it off the network. Or isolate it within a DMZ. Or call the helpdesk day in and day out asking for a resolution to the problem until it's fixed. Or get the higher-ups involved and tell them how they've had money stolen because their network was hacked or....well, you get the idea. Sometimes the only way to get shit fixed is to be a major asshole.

    found that said software requires the admin to essentially open up the entire HKLM branch

    I find that hard to believe. "Opening up" in terms of this discussion means to grant write access to protected areas of the registry. Are you suggesting that the software from your manufacturer needs to write to, say, the keys for Winzip? I can understand software needing to write to their own HKLM keys (I can understand it, I didn't say I agree with it), but not others. Granting users the ability to write to just those keys and subkeys is no big deal, but granting the ability to write to all of HKLM is a lazy admin not doing his job. Hell, the simplest solution is to fire up regmon, then launch the app and see what it starts poking around in and grant writes to do so. There's absolutely no reason this couldn't be done in less than half an hour, and that's with the person being REALLY thorough.

    --
    Which is more painful? Going to work or gouging your eye out with a spoon? Find out!
    http://www.workorspoon.com
  10. Re:they need to protect their networks by Screen404-O · · Score: 3, Informative

    Try SureTrack, Digger, or P3. Also a lot of old digitizer software.

  11. Re:Fuck their networks.... by Red+Flayer · · Score: 2, Informative

    Is there a risk to your company network and even maybe the BSA Microsoft thugs? Possibly, but...I...don't...give...a...fuck.
    Which is why I'd never in a million years hire you.

    You think that exposing your employer to risk is laughable? You think that the circumstances of your hiring justify you exposing them to risk?

    You've agreed to an employment contract, and likely in that contract there is a clause about adherence to corporate policy, and there may even be a specific clause related to use of unauthorized or unlicensed software.

    By saying that you don't care, simply because you're not happy with your employment contract, would suggest to me that the best solution is to terminate your employment contract.

    In short, there's a time and place for everything, including employment negotiations, and blithely ignoring the risks you bring to your employer is just plain stupid.

    It's very simple, really. Add the expected value of the risk you bring to the company to what you produce (note that the expected value will be negative). Realize that you're worth less if you add risk exposure. Reduce risk exposure to help justify a request for permanent employee status. Or, buy your own benefits and deal with it. You agreed to work for what they offered... and now you're doing something that harms the company. Why shouldn't they be upset?
    --
    "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
  12. Re:they need to protect their networks by mysidia · · Score: 2, Informative

    I find that hard to believe. "Opening up" in terms of this discussion means to grant write access to protected areas of the registry. Are you suggesting that the software from your manufacturer needs to write to, say, the keys for Winzip?

    This appears as if it will work fine, until you realize the application makes a direct call to GetTokenInformation and verifies that the application thread possesses certain security privileges including SE_TCB_NAME before proceeding.

    Naturally, there are many privileges only open to programs that run with administrative privileges. You break the application, by not running it with the intended permissions.

    It's fairly naive to think the set of permissions MS assigns to admin users is exactly the set of permissions non-admins won't need.

    There are many special features like RAW sockets that are restricted to apps running as admin. The assumption that only designated apps for administering that workstation need these features may not be well founded.

    Even in the UNIX world there are apps which must have root privileges, and there's a fairly elegant setuid scheme I might add, to permit software to run an agent as root, so that only the parts of the application that _need_ special privileges have special privileges.

    This is much better than conferring special privileges to the USER. Now you see, letting Winzip edit its HKEY_LOCAL_MACHINE\Software\Winzip folder when run as a regular user may open a hole that allows user A to compromise user B's account when user B logs into the workstation and runs Winzip -- which reads settings from that shared place: perhaps a setting including commands to execute while starting winzip.
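
The per-key grants discussed in comment 9 and the shared-HKLM risk raised in comment 12, turned into an audit (an added example, not part of any commenter's post): it lists keys under HKLM\Software where a non-admin principal holds write-type rights. The root path and the English principal names are assumptions.

```powershell
# Added example. Assumptions: English principal names, HKLM:\Software as the root.
$Root = 'HKLM:\Software'

# Principals that stand for ordinary, non-administrative users.
$LowPriv = @(
    'BUILTIN\Users',
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let the holder change what another user's process later reads.
$NamedWrite = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
$GenericWrite = 0x40000000   # GENERIC_WRITE, seen on inherit-only ACEs
$GenericAll   = 0x10000000   # GENERIC_ALL
$WriteMask    = [int]$NamedWrite -bor $GenericWrite -bor $GenericAll

function Get-WritableKeyFinding {
    param([Parameter(Mandatory)][string]$Path)
    try { $acl = Get-Acl -Path $Path -ErrorAction Stop }
    catch { return }   # key not readable by the auditing account; skip it
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPriv -notcontains $ace.IdentityReference.Value) { continue }
        $granted = [int]$ace.RegistryRights -band $WriteMask
        if ($granted -ne 0) {
            [pscustomobject]@{
                Key       = $Path -replace '^.*::', ''   # strip provider prefix
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                WriteBits = '0x{0:X8}' -f $granted
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Walk the hive and report every finding; keys that cannot be listed are skipped.
Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Get-WritableKeyFinding -Path $_.PSPath } |
    Sort-Object Key, Principal |
    Format-Table -AutoSize
```

Findings with `Inherited = False` are explicit grants on that key, which is where a per-application exception usually lives.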