Slashdot Mirror


Employees the Next (Continuing) Big Security Risk?

surely_you_cant_be_serious writes "A nationwide survey finds that most companies consider their systems vulnerable to attack. Historically, crime rates increase during recessions — and some believe that cybercrime may well follow suit, especially given massive layoffs and the dim prospects many laid-off employees face in finding a new job. 'One thing companies can start doing is monitoring their networks on an ongoing basis so that they understand the normal pattern of data flow and usage, Brill said. In many cases, companies may not have the internal capability to do this, but outsourcing options are available. Kroll Ontrack, for instance, will be rolling out a 24/7 monitoring service for its global clients manned from a US location by professionals in early 2009.'"

111 comments

  1. Duh? by eln · · Score: 4, Informative

    Summary of story:

    1.) Crime goes up when the economy goes into the tank and people start losing their jobs. Shocking, I know.
    2.) There are plenty of security companies willing to scare your pants off in order to sell you expensive monitoring services. They will gladly use the statistic above to those ends.

    Oh yah, and we'll throw a "cyber" prefix in front of "crime" to make this look like something new and different.

    1. Re:Duh? by qbzzt · · Score: 4, Insightful

Exactly. It makes sense that crime by unemployed people goes up in a recession. But the main risk is a company's systems being hacked by insiders. If you have an effective termination process, which includes revoking access, laid off ex-employees are no longer insiders.

      However, I'm sure this kind of service is important for some companies, such as Kroll Ontrack, to survive the recession.

      --
      -- Support a free market in the field of government
    2. Re:Duh? by idontgno · · Score: 2, Insightful

      Well... revoking access is hypothetically a no-brainer. ("Hypothetically" because it's still shockingly uncommon.)

      But a former insider may still know enough about your environment to make an extremely effective blackhat. Not much you can do about that without using a big hammer, a la Catbert, to remove your employee's detailed knowledge before escorting him/her out.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    3. Re:Duh? by Anonymous Coward · · Score: 0

      Termination processes help with things like passwords and accesses, but even so ex-employees always have the potential to have knowledge of operation which might be useful in order to commit crimes, and which are impossible or impracticable to change after each termination. Things like "the backup tapes are put into the post box each Monday for offsite backup" or "the East firedoor is usually propped open when we receive deliveries of paper, usually on the first Friday of each month".

    4. Re:Duh? by Anthony_Cargile · · Score: 4, Insightful

      Well the article does not say Ex-employees, so that means we should also consider employees still part of the "team" (as my manager puts it).

In a recession, somebody employed yet still enduring paycuts would probably be somewhat disgruntled too, even if not "terminated" per se (but with terminations all around said employee, or the looming fear of termination imminent). An employee with access to something worth anything would still be able to take it and run, and the possibility of him/her doing so in a recession/depression with constant paycuts and the constant threat of layoff is rather high, so this is where it gets hairy - how much do you trust your fellow employees? You can't cut present employees' access!

      Well, now that I've struck fear into the heart of any employers/administrators reading this, I don't think this recession is quite to that point yet, but it may be something to watch down the road if things keep getting progressively worse.

    5. Re:Duh? by Anonymous Coward · · Score: 0

      2.) There are plenty of security companies, including the one that paid for this Slashvertisement, willing to scare your pants off in order to sell you expensive monitoring services

      fixed that for you.

    6. Re:Duh? by Anonymous Coward · · Score: 0

      Actually the reports on the crime rate during poor economic times seem to vary. Here's an article that indicates just the opposite. Although it points out that there is a rise in domestic violence.

    7. Re:Duh? by Red+Flayer · · Score: 4, Insightful

      Good point. I'll add that it doesn't take pay cuts to motivate crime of this nature.

      Employees who feel their jobs becoming less secure may decide to take out an insurance policy while they still have access to the important data.

      Regardless of how you treat your employees, regardless of how secure their jobs are, in a crappy economy they may feel that their jobs are insecure, and that may lead them to the dark side.

      Having good security standards and processes will lessen your exposure. Maintaining employee morale will lessen your exposure. In the end, though, as long as one person has access to critical data, there is risk of the data being misused.

      --
      "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
    8. Re:Duh? by irtza · · Score: 2, Funny

of course it's not remotely new - they're talking about insiders - it's locally new!

      thank you. thank you /exits stage right.

      --
      When all else fails, try.
    9. Re:Duh? by Z00L00K · · Score: 1

      Employees being a security risk with computers has been up a lot of times the last decades - about as long as there have been useful computers around.

      So there is no new news on this issue, it's only the methods that are changing a bit.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    10. Re:Duh? by 6Yankee · · Score: 1

      I telecommute, you insensitive clod!

    11. Re:Duh? by Anonymous Coward · · Score: 0

      The only thing we need to worry about is the inevitable explanation to your parents why Windows Anti-Virus 2009 is not a real product...

    12. Re:Duh? by ElmoGonzo · · Score: 1

      An effective termination process won't help if the person is aware of flaws. I know of a place which hosts data for many clients who access the data via http. Any halfway knowledgeable employee at any of those clients can easily fashion an injection that could trash an entire db. Yes, I have mentioned this to the place which hosts the data and the response was poo-poo, pish-tush, etc.

    13. Re:Duh? by Anonymous Coward · · Score: 0

      While everyone hates losing their job, it is not the job termination itself that leads to a disgruntled employee's wrong-doing. Rather, there are at least two underlying causes: a broken philosophy, and patently unfair treatment.
      The first is pretty obvious: if you are a virtuous person, you do not commit the crime regardless of your feelings. Something is either wrong or not wrong. Period.
      Having said that, when the "underlings" see themselves as victims, i.e., expendable, while the corporate execs get fantastic bonuses (and for failing policies!), then it is obvious that the "we're all a team" concept applies only to those who are expected to take a screwing. If you treat people like shit, don't expect that they won't return the favor!

    14. Re:Duh? by WuphonsReach · · Score: 1

      how much do you trust your fellow employees?

      Not very far.

      Now is the time to make sure that your backup and disaster recovery planning is up to snuff and can deal with malicious intent.

      (It doesn't cover data espionage, however... that's a whole different kettle of fish. But you won't have to worry about espionage if all of your systems have been hacked into the ground and your backups aren't any good.)

      --
      Wolde you bothe eate your cake, and have your cake?
    15. Re:Duh? by Anonymous Coward · · Score: 0

      An employee with access to something worth anything would still be able to take it and run ....

      Exactly right. And it may be a preemptive activity that's nearly undetectable.

At the time I was laid off, I had access to the backup tapes for the servers that held what might be considered the company's crown jewels -- the source code for programs used worldwide in the financial industry. Sure, there was plenty of extremely valuable research behind the code but, in the end, it was all distilled down to the code that was the final product.

      Many people would have paid big money to be able to read that source, as it had a great deal to do with everyone's financial behavior. My main regret, although I would never have sold it, was that I didn't snag one of those tapes, just to know I had it. And it would have been trivial to do, not to mention essentially undetectable.

  2. crime also goes up by thermian · · Score: 5, Insightful

    when employees think their employer is treating them like criminals with little more than dubious and extremely general statistics for proof.

It's amazing how fast people will start breaking the rules if you start on the premise that they already are, and treat them accordingly.

    --
    A learning experience is one of those things that say, 'You know that thing you just did? Don't do that.' - D. Adams
    1. Re:crime also goes up by Chris+Burke · · Score: 4, Funny

      Maybe in some cases, but I actually commit less crime when my company treats me like a criminal, since I figure I don't need to work as hard to get the point across anymore.

      --

      The enemies of Democracy are
    2. Re:crime also goes up by nine-times · · Score: 5, Insightful

      That might be true, but regardless it has always been true that employees have been one of the big security risks for businesses. In one way of dividing things up, security basically falls into two categories: denying access to people who shouldn't have access and preventing those who have access from abusing their access.

Think about a bank, for example. Protecting against bank robberies is one kind of security problem, but it's not really the hardest thing to do. You put things in a vault, lock the vault, install an alarm, hire security guards, etc. The trickier issue is that you have all these employees with access to the money, and if there are no security measures, it wouldn't be hard for a teller to pocket a hundred dollars every now and then. So banks have procedures where the tellers have to account for the money in their drawers at the end of the day (or whatever the particular procedure is).

      So computer security isn't really much different. Instead of vaults and locks and security guards, we have encryption and firewalls and antiviruses. Protecting against external threats isn't really that hard a lot of the time. Most of the time, the biggest dangers are either directly or indirectly from employees. It's a very tricky security issue to deal with, since you can't "plug the hole"-- employees are *supposed* to have access.

      And when I talk about dangers that come "indirectly from employees", I mean that they might be the source of a breach even if they aren't themselves criminal or dishonest. I've heard hackers say that often social engineering (i.e. getting an authorized employee to give you access) is easier than actually exploiting any security holes.

      Besides the danger of purposeful social engineering attacks, employee carelessness can also leave you exposed. People often choose bad passwords in spite of good password policies, i.e. just because you make them use a 10 character combination of letters/numbers/symbols doesn't mean they won't choose a password that's easy to guess (Passw0rd!!). Also people do things like access a secure webpage in an Internet cafe computer (which might have keyloggers installed for all anyone knows) and then walk out without closing or logging out, or put highly sensitive data on a usb stick and lose it somewhere. Sometimes employees even go through a lot of trouble to pierce their company's security (for example, in order to get Kazaa working inside the firewall) and effectively open a hole to potential hackers, too.

      So overall, yes, employees are a big potential danger to securing your data. A criminally inclined employee can cause lots of damage, but so can a careless one.
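The point above about "Passw0rd!!" satisfying a complexity policy while remaining trivially guessable is easy to check mechanically. The following is an added example, not code from the original thread or any poster: it applies a complexity rule of the kind described (10 characters, letters, digits and symbols), then normalizes the password (strips padding digits and punctuation from the ends, undoes common leet substitutions) and compares the remaining base word against a small constructed list of common words. The word list and the leet map are assumptions standing in for a real breach corpus.

```python
import re
import string

# Constructed sample of common base words; a real check would use a breach
# corpus or a large wordlist instead (assumption for this example).
COMMON_BASE_WORDS = {"password", "welcome", "letmein", "qwerty", "summer", "company"}

# Typical substitutions a guesser reverses before trying a wordlist (assumed map).
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def meets_complexity(pw: str, min_len: int = 10) -> bool:
    """The kind of rule the comment describes: minimum length plus three character classes."""
    return (
        len(pw) >= min_len
        and any(c.isalpha() for c in pw)
        and any(c.isdigit() for c in pw)
        and any(c in string.punctuation for c in pw)
    )


def normalize(pw: str) -> str:
    """Reduce a password to the base word a guesser would try first."""
    # Drop leading/trailing padding such as "!!" or "2009"; internal digits stay.
    core = pw.strip(string.punctuation + string.digits)
    # Undo leet substitutions and fold case, then keep only letters.
    core = core.translate(LEET_MAP).lower()
    return re.sub(r"[^a-z]", "", core)


def is_guessable(pw: str, username: str = "") -> bool:
    """True if the normalized password contains a common word or the user's own name."""
    base = normalize(pw)
    if username and username.lower() in base:
        return True
    return any(word in base for word in COMMON_BASE_WORDS)


def evaluate(pw: str, username: str = "") -> dict:
    """Report both checks so the gap between them is visible."""
    return {"complexity_ok": meets_complexity(pw), "guessable": is_guessable(pw, username)}


if __name__ == "__main__":
    for candidate in ("Passw0rd!!", "Welc0me2009!", "correct-horse-battery-7", "short1!"):
        print(candidate, evaluate(candidate))
```

Running it shows "Passw0rd!!" and "Welc0me2009!" passing the complexity rule while being flagged as guessable, which is exactly the gap a policy made only of character-class rules leaves open.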

    3. Re:crime also goes up by Belial6 · · Score: 4, Interesting

      Sometimes employees even go through a lot of trouble to pierce their company's security (for example, in order to get Kazaa working inside the firewall) and effectively open a hole to potential hackers, too.

Companies could go a long way in avoiding this kind of behavior if they didn't fall for the false dichotomy of "Access to everything" and "Work is supposed to suck". I know you didn't say it, but these kinds of articles always bring out the admins that recommend that every machine should be locked down to the point of basically being a kiosk, often actually preventing people from doing their job, and rationalize that since "it's the company's computer", it cannot be used to make work a place people want to go.

      This always gives me images of the bad boss from 9 to 5. After all, how much different is it for a real live admin to tell an office worker that they can't have a picture of their family on their desktop than the fictional manager who told the characters in the movie that they cannot have pictures of their family on their... desktop?

      Businesses regularly spend money to try to make their business a 'good place to work'. There is a huge amount of safe area between "full access to anything" and "treat it like a bank vault". The PC is one of the least expensive ways to improve a work environment. A $2 set of headphones, or even just making sure that the CD drive can play music and let the employee bring their own headphones goes a long way to improving a work environment. Heck, have the admins 'certify' a safe CD ripping app, and you are less likely to have people downloading random rippers from who knows where.

Most people are going to respect "Music must be ripped using THIS easy to use software so that we can secure against viruses." a lot more than "Music is not allowed in our company". If you take the latter route, you have a much higher risk of employees just ignoring the rules and going with Kazaa. Heck, the people that feel they MUST get music from Kazaa will still be safer in that they are more likely to do the downloading from home, and sanitize the files by first converting them to standard CD format, before bringing them to work and re-ripping them.

      Instead of trying to prevent employees from accessing the internet, give them access to virtual machines that have no access to the company network. This makes the path of least resistance be not being a security risk, instead of encouraging people to try and circumvent the companies security AND making work a crappy place to be.

    4. Re:crime also goes up by thePowerOfGrayskull · · Score: 1

So computer security isn't really much different. Instead of vaults and locks and security guards, we have encryption and firewalls and antiviruses. Protecting against external threats isn't really that hard a lot of the time. Most of the time, the biggest dangers are either directly or indirectly from employees.

      While I agree with your point overall, I do disagree with this. A key difference is the lack of physical "stuff". I copy a file to a network share, access it randomly from someone's PC that got left unlocked, copy it to a USB stick... it's worse than no evidence, it's incorrect evidence.

      The audit of physical goods (particularly money in a bank) is very comprehensive. The audit of information is much more complex, if not impossible, to maintain in a way that is guaranteed accurate. Unless you prevent humans from accessing your systems at all, you're at risk - firewalls, proxies, and audit data can reduce the risk, but it is impossible to eliminate.

    5. Re:crime also goes up by Fulcrum+of+Evil · · Score: 2, Insightful

      Most people are going to respect "Music must be ripped using THIS easy to use software so that we can secure against viruses." a lot more than "Music is not allowed in our company".

      You know, you could just allow iPods - you could even hand out nanos as an onboarding gift. Solves the ripping problem nicely.

      --
      "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
    6. Re:crime also goes up by maugle · · Score: 2, Funny

      People often choose bad passwords in spite of good password policies, i.e. just because you make them use a 10 character combination of letters/numbers/symbols doesn't mean they won't choose a password that's easy to guess (Passw0rd!!).

      Thanks a lot, jerk. Now I'll have to change my password after you leaked it all over the net.

    7. Re:crime also goes up by Anonymous Coward · · Score: 0

      I used to be the sysadmin for a high school with about 150 employees. My rules for employee workstations were as follows:

      - I took the job to find employee workstations with the out-of-box Dell image, loaded down with crapware, and barely working. Some people loved the crapware and insisted on no re-imaging, and that was fine.

- All employees get speakers. I actually got Dell SoundBar clip-on-the-monitor speakers with my new orders, since external powered speakers would wind up falling off cluttered desks and breaking. Or would just grow legs and wind up in employees' homes.

      - If something goes wrong with your workstation, I'm not "diagnosing" the problem like some Best Buy flunkie. You get my base image, and you don't get local administrator unless you actually need it.

      - You're welcome to rip/burn CDs and store music in your home folder. Windows Media Player only. Audio files (*.mp3 *.wma *.m4a) are not backed up, so if my server loses data, you don't get 'em back.

      - We're behind a NAT firewall, so no running file sharing.

      My biggest security risk? Employees, of course. The principal thought the workplace was a "family"--he was a lot like Michael in _The Office_--and that didn't really help.

      Nobody was fired while I was there [teachers never get fired], but God help me if they did. True, I could disable their Active Directory account in a second, but I was powerless beyond that. You know you have security problems when:

      - One teacher launched a tirade over a one-hour idle lockout, since she's too busy to hit Ctrl+Alt+Del and type her password once a day. I claimed I couldn't edit this GPO, since the principal would have forced me to.

- Teachers gave their passwords to subs and materni-temps. I wound up forcing password changes on the teachers and making the subs/temps fill out the school-district account agreement form, then giving them accounts. They officially weren't supposed to have accounts, but giving them accounts was better than password sharing. The worst: a teacher who gave her 10-year-old son her password so he could play games on her workstation, since the local private school's day off made her declare her personal "bring your son to work day".

      - I disabled a teacher's account immediately after their death, and I got a call about it because another teacher was using the account to access their files.

      - A janitor wants his home computer repaired, so he brings it to me. His home computer was listed as active inventory and had a property sticker on it. The last sysadmin was quite liberal in giving stuff to people just to make them shut up.

      - The district food services sysadmin had all cafeteria managers' usernames and passwords on file. I asked him about it--he said he knows it's bad practice, but since the cafeteria managers forgot their passwords on a weekly basis, he found it easier than resetting passwords constantly.

      - Nobody knew how many building master keys were out there, and about half the faculty had them.

      - The janitors would let anyone into any room for any reason, no questions asked. Including letting students into computer labs after hours. I was yelled at for asking a janitor not to do this.
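Two of the failures described in this thread, the terminated ex-employee whose access is never revoked (qbzzt's point) and the deceased teacher's account that a colleague kept using, are both visible by reconciling an HR roster against a directory export. The following is an added example, not code from any poster: it flags accounts that are still enabled after the owner's termination, accounts that logged on after the owner's end date, and accounts with no HR owner at all (the subs and temps who "officially weren't supposed to have accounts"). The roster and account records are constructed sample data; in practice they would come from the HR system and from an Active Directory export.

```python
from datetime import date

# Reason codes for findings, so callers can filter on them.
STILL_ENABLED = "owner terminated but account still enabled"
USED_AFTER_EXIT = "logon after owner's end date: credentials in use by someone else"
NO_OWNER = "no HR owner: shared, temp or orphaned account"

# Constructed sample data (not from the thread): HR roster and directory export.
ROSTER = [
    {"user": "jsmith", "status": "active", "end_date": None},
    {"user": "mjones", "status": "terminated", "end_date": date(2008, 11, 14)},
    {"user": "rlee", "status": "terminated", "end_date": date(2008, 10, 3)},
]
ACCOUNTS = [
    {"account": "jsmith", "enabled": True, "last_logon": date(2008, 12, 1)},
    # Owner left on Nov 14 but the account is enabled and was used on Nov 20.
    {"account": "mjones", "enabled": True, "last_logon": date(2008, 11, 20)},
    # Properly disabled at termination: no finding expected.
    {"account": "rlee", "enabled": False, "last_logon": date(2008, 10, 2)},
    # Nobody in HR owns this one (a sub/temp account or a shared login).
    {"account": "subteach1", "enabled": True, "last_logon": date(2008, 11, 28)},
]


def reconcile(roster, accounts):
    """Return sorted (account, reason) pairs for every revocation gap found."""
    by_user = {r["user"]: r for r in roster}
    findings = []
    for acct in accounts:
        name = acct["account"]
        owner = by_user.get(name)
        if owner is None:
            findings.append((name, NO_OWNER))
            continue
        if owner["status"] != "terminated":
            continue
        if acct["enabled"]:
            findings.append((name, STILL_ENABLED))
        end = owner["end_date"]
        last = acct["last_logon"]
        if end is not None and last is not None and last > end:
            findings.append((name, USED_AFTER_EXIT))
    return sorted(findings)


if __name__ == "__main__":
    for account, reason in reconcile(ROSTER, ACCOUNTS):
        print(f"{account}: {reason}")
```

The USED_AFTER_EXIT check is the one that catches shared credentials: disabling the account at termination is necessary, but a logon timestamp after the owner's last day is the signal that someone else holds the password and that the account needs a reset as well as a disable.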

    8. Re:crime also goes up by Anonymous Coward · · Score: 0

      Think about a bank

      I don't have to. I worked at one. They actually had a separate IT security group run by a former sheriff. The Sysadmins could not create accounts. They were created by the security group after the potential employee passed all his screening. The security group consisted of 24/7 live monitoring by about 5 to 7 people watching logins/outs and sensitive access areas. The funny thing is the IT support group was run by a former Arthur Anderson tech who hired all his buddies from AA/Enron to staff the support desks. the other funny thing is the local admin account on all the branch PCs was not disabled and they all used the same password. Everyone had the password and there were plenty of guys I would not have trusted with that information.

    9. Re:crime also goes up by Chess+Cardigan · · Score: 1

      Exactly. Treat people like criminals and they will act like criminals.

    10. Re:crime also goes up by Grishnakh · · Score: 1

      Think about a bank, for example. Protecting against bank robberies is one kind of security problem, but it's not really the hardest thing to do. You put things in a vault, lock the vault, install an alarm, hire security guards, etc.

      What are you talking about? Protecting against bank robberies is nearly impossible these days (here in the USA), and it's ridiculously easy to rob a bank. It's been happening very frequently here in Phoenix. If you want to rob a bank, just do the following: write a note saying, "I have a gun, and will shoot people if you don't give me the money." Walk into a bank (don't bother getting a gun, just put your hand in your pocket), preferably wearing a mask, give the note to the teller, and they'll give you the money. Walk away. The police will be completely stumped and will never find you, most likely.

      Sounds ridiculous, I know, but it's exactly what's going on around here right now.

      Why is this impossible to protect against? I don't really know, but I guess it's cheaper to just give the money to the robbers and get paid back from the FDIC than to bother hiring a security guard. Whatever the reason, banks haven't done anything at all to protect themselves against this.

    11. Re:crime also goes up by techno-vampire · · Score: 2, Interesting

      It's amazing how fast people will start breaking the rules if you start on the premise that they already are, and treat them accordingly.

      You mean like the **AA and their minions do? Or, for that matter, the way Redmond does with its WGA? Or, just maybe, the way the TSA does at the airport?

      --
      Good, inexpensive web hosting
    12. Re:crime also goes up by techno-vampire · · Score: 2, Funny

      So let me guess: your new password is w0rdPass!!

      --
      Good, inexpensive web hosting
    13. Re:crime also goes up by Anonymous Coward · · Score: 0

      If your tellers can access the cash without valid information, that's a bank problem.
      We fixed that on the other side of the pond a bunch of years ago.
      Go in with a note like that and you'll find that the only money you can get away with is that which people already have on them.

      Instead, you need to rob armored and guarded vans, basically requiring automatic weapons and explosives.
      It still happens every once in a while, but it's virtually impossible to rob a bank here.
      Our last major bank robbery was in the 70s.
      I seem to recall a small one back in the early 90s, and that's it.

      captcha: checkout

    14. Re:crime also goes up by nine-times · · Score: 1

      I know what you're talking about, but as an admin I have to say it: the appropriate place is probably closer to "locked down completely" than "access to everything". Take the following issue:

      Most people are going to respect "Music must be ripped using THIS easy to use software so that we can secure against viruses." a lot more than "Music is not allowed in our company".

      Honestly, my problem with people ripping music has never been viruses. Most people just use WMP or iTunes anyhow, so viruses aren't really the issue. The problem I've run into with ripping music in the past is that I get the complaint, "my computer isn't working," and when I check out the situation, the hard drive is full of music. Literally full. I've seen a single person fill up several hundred gigabytes because they insisted on ripping wave files because "MP3s don't sound good to me."

      So you might think that I should just clear off music in those rare cases it becomes an issue, but there are a couple problems with that. First, it's not that rare. Second, it ends up being a big waste of my time.

      If the rule is "you're allowed to put music on your computer," then people are going to keep copies of music on that computer without a backup. It always happens that people don't back things up. So that puts me on the hook to support that usage. Whenever I re-image a machine, I have to copy their music library too. When their hard drive goes bad, people are going to ask me to recover those files. When their hard drive fills up, they're going to expect me to come up with a solution that allows them to keep their entire music library. Even if I specifically say ahead of time that I won't do those things, people will expect it. When I don't do it, I then have to deal with the politics of someone being pissed off at me.

      So what I do is make the policy that you can't rip music to your hard drive, and if I see it, I'll delete it. I don't bother looking for it, because that would also be a big waste of my time, and honestly if I see it, I might just let it go. But I make a habit of explaining that, if I see it, I'll delete it, and every now and then I actually delete someone's library (usually after that person's computer is malfunctioning due to the music).

      It's really just an issue of managing expectations. If you think I'm going to delete it, then you'll try not to make it my problem. If I specifically allow it, then I effectively have to support it.

    15. Re:crime also goes up by nine-times · · Score: 1

      I copy a file to a network share, access it randomly from someone's PC that got left unlocked, copy it to a USB stick... it's worse than no evidence, it's incorrect evidence.

      That's not incorrect evidence, it's just limited evidence. If you access it from someone else's unlocked computer, then all I know is that it was accessed from that person's computer. Someone who knows what they're doing will know that's the end of the audit trail, and that the information is limited.

      I'm not saying that there aren't interesting aspects of security that are different for computer/network security, but in a lot of ways, it's not much different. Lots of the same principles apply.

    16. Re:crime also goes up by nine-times · · Score: 1

      Think about a bank, for example. Protecting against bank robberies is one kind of security problem, but it's not really the hardest thing to do. You put things in a vault, lock the vault, install an alarm, hire security guards, etc.

      What are you talking about? Protecting against bank robberies is nearly impossible these days (here in the USA), and it's ridiculously easy to rob a bank.

      If it's easy to rob a bank, it's because their security practices aren't good-- or perhaps aren't designed to stop robberies. In your example, the banks have instituted security policies that are focused on preserving human life, and not securing the money. The idea is that people are less likely to get killed if you give a robber what he wants. They don't care very much about securing the money because, as you said, it's all insured anyway.

    17. Re:crime also goes up by billcopc · · Score: 2, Insightful

      Nice idea, but there's one problem: iPods break - a LOT! Not just because they're flimsy, but because they get dropped fairly often, and frankly any company property will get abused more than personal items, because "it's not mine so who cares".

      In my opinion, people can bring their own music, and I would continue to block Kazaa and any other known P2P services at the network level. Bring a disc full of MP3s if you must, or stream them from home/radio/wherever... but opening up P2P will result in a few undesirable things:

      1. It will consume all available bandwidth
      2. People will spend a LOT of time searching and downloading
      3. Viruses and malware galore!!!

      Frankly, if a person can't find a streaming radio station to their liking, and can't be assed to bring their own discs or iPod, well they can go jump off a bridge. It should not be the sysadmin's or employer's problem.

      --
      -Billco, Fnarg.com
    18. Re:crime also goes up by Belial6 · · Score: 1

      I agree, and by allowing them to use their own music, and even going so far as allowing them to stream from legitimate sources, you legitimize your decision to not allow P2P.

    19. Re:crime also goes up by Grishnakh · · Score: 1

      If your tellers can access the cash without valid information, that's a bank problem.
      We fixed that on the other side of the pond a bunch of years ago.
      Go in with a note like that and you'll find that the only money you can get away with is that which people already have on them.

      But then, the robbers will shoot someone (or at least, that's the thinking). So the banks are perfectly happy to hand over any cash they have access to to avoid that from happening.

    20. Re:crime also goes up by Belial6 · · Score: 1

      I would say that you are describing yourself as the boss from 9 to 5. Work does not have to suck, and you are saying that if you have to put in any effort, you are going to block them from enjoying being at work. If you wanted to, you could easily find a solution to allow people to have music on their machines AND prevent big problems. Heck, you could go so far as to tell them that music must be on an external hard drive. Then your issue (which doesn't sound real plausible) that you are constantly having machines break due to too many music files, would not be an issue. Even ripped as waves, it is unusual for a CD to take up 500MB. So even if they had 100 albums on their drive, it would be less than 50GB. By today's standards, that is nothing.

      Even worse, you put draconian policies in place, then turn around and only enforce them on your whim. You tell your users that following the rules makes them a chump, and that you are a petty kingdom builder. It doesn't matter whether you are or not, that is what you are telling your users, and the expectations that you are setting are that the rules are about politics and not about security.

      You have divided your music loving users into two camps. Those that unnecessarily see their jobs as a place they don't want to be, and another that thinks connecting to P2P networks is just fine as long as they don't get caught. Neither is in the best interest of the company. The people in charge might not realize what you have done, but you have harmed the company. Of course, perhaps you work for a company that WANTS their employees to hate being at work. If that is the case, you are probably doing the right thing.

    21. Re:crime also goes up by Sobrique · · Score: 1

      The danger of password policies is that more is not necessarily better.

      Where I currently work, the policy is letter count, no dictionary words, and must include a number or 'special' character.

      It also requires that it be changed every 30 days, and starts notifying you the last two weeks.

      Also, there's not much in the way of 'single sign on' despite having an active directory, and thus I have somewhere in the region of 10 different accounts, for various things with various privileges.

      This almost inevitably leads to 'password exhaustion' - 10 new passwords every two weeks is near impossible to remember, or to keep on choosing stuff that I know is 'good'. I can handle 8 random character passwords, and have done in the past, provided I get a sensible duration on cycling them. So I get to choose now - choose a 'good' password, fail to remember it and resort to post-it-note backup. Or choose a mediocre password that's within a dictionary attack domain, that I can remember.

    22. Re:crime also goes up by Hognoxious · · Score: 1

      If the validity periods are in sync you could maybe use the same for everything, with exceptions for really important things - a production server, for example.

      Alternatively, don't write the passwords down, but write down clues that only you would get.

      But I agree, most people will write them on a post-it. At least some of them have the sense to hide it under the keyboard.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    23. Re:crime also goes up by Alex+Belits · · Score: 1

      1.

      - One teacher launched a tirade over a one-hour idle lockout, since she's too busy to hit Ctrl+Alt+Del and type her password once a day. I claimed I couldn't edit this GPO, since the principal would have forced me to.

      2.

      The worst: a teacher who gave her 10-year-old son her password so he could play games on her workstation, since the local private school's day off made her declare her personal "bring your son to work day".

      I see the problem.

      --
      Contrary to the popular belief, there indeed is no God.
    24. Re:crime also goes up by Alex+Belits · · Score: 1

      No, it's "password".

      --
      Contrary to the popular belief, there indeed is no God.
    25. Re:crime also goes up by ckaminski · · Score: 1

      OMG? What did places do before MP3s, computer speakers and CD audio in computers were common? CD players, walkmans, and AM/FM radios. Nothing's changed, move on. He's making an intelligent policy, one I happen to agree with. If you let people store their music, soon it's their photo collection, and eventually videos.

      I once had a user filling up a 100G network drive with 25G of home movies he wanted to share with people.

      Well, do it the way your parents did, rent a projector, cook some dinner and invite your friends to your house.

      Work is only marginally a place to enjoy - it's work, after all. You should enjoy what you do, but that doesn't mean I have to bend over and let you do whatever the hell you feel like doing. And yeah, I've been in that position as manager before... paying someone hourly, having a conversation with them that's personal and not about work, slowly realizing I'm talking myself out of $15/h. You come to work to work. When your online music becomes a problem, it goes - certainly the tools and data you need to do your job don't go, and if Billy down the aisle can do his job with a 20G hard drive and no music, so should you.

    26. Re:crime also goes up by guruevi · · Score: 1

      The problem in IT is that somebody could get away with valuables (data) without the original owner (the company) actually losing anything. If the cashier is short $100, that is $100 that the bank doesn't have. If you steal the data from a hard drive, the data is still there, there's now a valid copy elsewhere.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    27. Re:crime also goes up by nine-times · · Score: 1

      I would say that you are describing yourself as the boss from 9 to 5

      Er... I don't know what that means, but I never said work has to suck. People can still play CDs on their computers, or they can use their iPods, plug their iPods into their speakers, or whatever. Hell, we even have a few game consoles hooked up to a TV in the office.

      The point is that your computer is dedicated for work purposes, and anything that interferes with that computer's proper functioning has to go away. People filling their drives with MP3s interferes with the computer's proper functioning.

      But anyway, if people still hate coming to work, that's really not my problem. It's not an issue of whether I want them to like coming to work or my company wants them to like coming to work-- it's simply that it's not my problem. They're being paid to come to work, and if the conditions are unbearable and they don't want to show up anymore, they can quit. In spite of that, I try to be friendly.

    28. Re:crime also goes up by nine-times · · Score: 1

      I agree. I am actually of the opinion that the setup you describe constitutes a "bad security practice". Changing every 30 days with two weeks notice essentially brings your window down to 2 weeks, and worse still, I bet they have some kind of rule that doesn't let you use any of your last 15 passwords (maybe not 15, but... whatever).

      My solution to too many passwords is to keep them all listed in an encrypted file. That way I only really have to remember the password to the encrypted file, and if I use any of the other passwords regularly, I remember those too. Other people have systems where their passwords follow a pattern. Like they have a strong 8 character password that they have memorized, and they add certain characters depending on the situation. That way, you only have to remember what characters you added where in order to remember the password.

      But really, if nothing else, they should just extend that 30 day window (assuming there's not a specific reason for it to be 30 days). If a password is really strong, it should take more than a year to break it with brute force. If the password can be broken some other way, then there's a good chance it can be broken in less than 30 days.

    29. Re:crime also goes up by jcrousedotcom · · Score: 1

      Heck, have the admins 'certify' a safe CD ripping app, and you are less likely to have people downloading random rippers from who knows where.

      Most people are going to respect "Music must be ripped using THIS easy to use software so that we can secure against viruses."

      Advocating ripping music on company computers makes me wonder if someone couldn't get jammed up. I have got to believe not all of the music ripped would have a proper license. I copied a CD from a buddy and then brought my copy into work and ripped it to my PC. I don't own the license for that music.

      Couldn't this create an administrative, not to mention legal, nightmare?

      --
      Illiterate? Write for free help!
    30. Re:crime also goes up by Belial6 · · Score: 1

      Your comment completely validates mine. Thanks.

    31. Re:crime also goes up by Belial6 · · Score: 1

      OMG? What did places do before MP3s, computer speakers and CD audio in computers were common? CD players, walkmans, and AM/FM radios. Nothing's changed, move on. He's making an intelligent policy, one I happen to agree with. If you let people store their music, soon it's their photo collection, and eventually videos.

      Really? Really??? What they did was run on IBM XTs, or more often, didn't have computers at all. Is that really what you're suggesting? Or are you suggesting that because it might take the slightest bit of effort on your part, the company should not use the equipment that it already pays for to make the work environment more appealing?

      I once had a user filling up a 100G network drive with 25G of home movies he wanted to share with people.

      I once had a user spill coffee on their keyboard. So what! Sometimes people make mistakes. Banning music on PCs because one user put 25G of home movies on a network drive makes about as much sense as banning drinks because a user spilled coffee on a keyboard.

      Well, do it the way your parents did, rent a projector, cook some dinner and invite your friends to your house.

      Are you seriously suggesting that we all start acting like it's the 60's or 70's again? Are you seriously suggesting that we all join in on an honest to goodness neo-luddite movement? Or did you say that because it makes a good sound bite, even though the statement is patently ridiculous? Seriously, your comments simply validate mine.

    32. Re:crime also goes up by Anonymous Coward · · Score: 0

      Grammar, people, grammar. It's clear would've been W0rdpass.

    33. Re:crime also goes up by joelmax · · Score: 1

      Heck, you could go so far as to tell them that music must be on an external hard drive. Then your issue (which doesn't sound real plausible) that you are constantly having machines break due to too many music files, would not be an issue

      Ahh, but there is an even easier way for a disgruntled user to take confidential data out of the workplace, creating an even bigger security gap. Really, the solution would be to find a happy medium. Enable drive quotas for users, tell them they get X MB/GB of space; if they fill it, too bad, THEY need to clear it out/maintain it. They come to you with issues, you tell them that their solution is to delete some non-important stuff. I have been down the road before and while you may piss off Joe Blow now and then, you are still making their workplace a little better overall, and you are ensuring that they are responsible for their personal data. It's as easy as a home drive.

    34. Re:crime also goes up by Belial6 · · Score: 1

      I think the worry of employees taking data is overblown. After all, they can get data out of the building through non-computer means, and we don't want to fall into the "it's on a computer so that makes it totally different than the same thing done on paper." mindset.

      That being said, I agree that your solution of giving them a reasonable amount of drive space for personal files with a drive quota is generally going to be better. I only suggested an external drive because the other admin suggested that it was beyond his capabilities to perform the simple task that you suggest.

      My point is that the work environment is part of the cost/benefit ratio for employees. At ~$0.10/GB it is a very small price for companies to supply employees 50GB or so if that makes their work environment better. It is a real disservice to the company when an admin takes such an inexpensive way of making the company more valuable, and goes out of their way to destroy that value.

      By recognizing that the cost is small, and that it doesn't take much effort on the front end to mitigate any problems with disk space, you add value to the company, and show that you recognize that your role as admin is to add value to the company by supplying computer services. If you do as you suggest, your company should be hyping that as one of the company benefits.

      While I telecommute, so I have TBs of storage here for personal use, if I had to work every day in the office, I would rather have 50GB of personal disk space available all year than a Christmas party at the end of the year. The disk space would give greater value to me and cost the company less money to supply it.

    35. Re:crime also goes up by Anonymous Coward · · Score: 0

      No! It's P@ssword

  3. Duh? by starfishsystems · · Score: 3, Informative

    Move along, people. Nothing remotely new here.

    Now if you want to actually do something to improve security performance, how about establishing some security metrics as a point of reference?

    --
    Parity: What to do when the weekend comes.
  4. Employees were the first security risk by Freaky+Spook · · Score: 5, Insightful

    People have been around long before computers, and have always been the biggest risk to business.

    Computers have just made it easier for employees to do more damage, either through malicious intent or just plain negligence.

    Having many SMB clients where cost is always placed over security, it's scary just how vulnerable many businesses are to their employees, from ignoring even the most basic security steps like using ACLs to secure files and basic auditing of file access, to not implementing basic password policies like "Do not give your password to anyone, ever!"

    1. Re:Employees were the first security risk by DragonTHC · · Score: 1

      I was just about to post this.

      People are always the weak link in the security chain.

      --
      They're using their grammar skills there.
    2. Re:Employees were the first security risk by Anonymous Coward · · Score: 0

      In my previous job as a high-school sysadmin, I stood up in front of 100+ "professionals" at a faculty meeting to have a little chat about security. I said to never give anyone, myself included, their password. I said that my wife and I don't even share passwords. Everyone burst into laughter as if I was trying for some sexual innuendo.

      These lectures and e-mails came from me on a regular basis. Passwords continued to be shared like candy. They all knew that the principal would never discipline them for it, so zero incentive.

  5. First OnKrack by Ethanol-fueled · · Score: 4, Insightful

    Did anybody else read "Kroll Ontrack" in the summary as "Troll OnKrack"? Seems to describe the people who would buy that crap as well as the users who necessitate it.

    1. Re:First OnKrack by ScrewMaster · · Score: 1

      Did anybody else read "Kroll Ontrack" in the summary as "Troll OnKrack"? Seems to describe the people who would buy that crap as well as the users who necessitate it.

      No I didn't, but your reading of it is much more entertaining.

      --
      The higher the technology, the sharper that two-edged sword.
  6. Trust by drooling-dog · · Score: 4, Insightful

    Kroll Ontrack, for instance, will be rolling out a 24/7 monitoring service for its global clients manned from a US location by professionals in early 2009.

    It's a good thing that Kroll Ontrack's employees are all totally incorruptible, unlike the felons that must work for their clients...

    1. Re:Trust by Anonymous Coward · · Score: 1, Informative

      It's just a PR hit posing as a story. I'm surprised how often /. allows The Submarine to strike the front page as "news".

  7. well this is sooo LY by girlintraining · · Score: 3, Insightful

    So, let me get this straight -- Let's say Super Important Data Stuffs (SIDS) is in a database and as a company you want to protect it. But over 300 employees access that data every day. Evil Bad Hacker comes in and drops a trojan on one of those systems. A few days later, Evil Bad Hacker does a SELECT * FROM... fill in the blank... and in a few minutes it's compressed and uploaded. Super Important Data Stuffs was only 2 GB in size. How does your solution, or any solution, stop this while it's happening? Short answer: It doesn't. But you'll have a fine audit trail to give to the apathetic FBI, who will assure you everything will be done... Before promptly putting it into the circular filing cabinet.

    You want your data to be less vulnerable? Stop having your servers practice unsafe hex with everyone who happens to be in the building. -_-

    --
    #fuckbeta #iamslashdot #dicemustdie
    1. Re:well this is sooo LY by Anonymous Coward · · Score: 0

      er, you don't let them do arbitrary SELECTs?

      judicious use of views and APIs which only allow access to specific records through a specific interface would probably help.

    2. Re:well this is sooo LY by RichardJenkins · · Score: 2, Interesting

      Select * from [[view containing records user has access to]]

      Lots of business analysts will find themselves much less agile if they can't access their data sets in any arbitrary ways.

      Though perhaps in some cases it would be useful if there was a security module in a database that could say for some set of users, abort any query that returns more than 3% of all the rows in the customers table and notify an admin.
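
One way to build the "abort any query that returns more than 3% of the rows" module described above, as an added example that is not from the thread. The `customers` table, the user names and the role set are constructed; the exemption for bulk roles is an assumption added to address the follow-up point that mass-notification queries are routine for some staff.

```python
# Added example (not from the thread): a row-fraction guard in front of an
# analyst's queries. The customers table, users and roles are constructed.
import sqlite3
from dataclasses import dataclass, field

ROW_FRACTION_LIMIT = 0.03  # abort once a result passes 3% of the table
BATCH = 64                 # rows fetched per step
# Roles whose job is legitimately bulk (mass notifications, marketing); the
# follow-up in the thread points out such queries are routine for them.
BULK_ROLES = {"notifications", "marketing"}


@dataclass(frozen=True)
class Alert:
    user: str
    sql: str
    rows_seen: int   # rows fetched before the abort
    limit_rows: int  # the 3% threshold at the time of the query


@dataclass
class QueryGuard:
    conn: sqlite3.Connection
    table: str
    limit_fraction: float = ROW_FRACTION_LIMIT
    alerts: list = field(default_factory=list)

    def __post_init__(self):
        # The table name is interpolated into SQL, so it must be a bare identifier.
        if not self.table.isidentifier():
            raise ValueError("table must be a plain identifier")

    def limit_rows(self) -> int:
        total = self.conn.execute(f"SELECT COUNT(*) FROM {self.table}").fetchone()[0]
        return max(1, int(total * self.limit_fraction))

    def run(self, user: str, role: str, sql: str, params=()):
        """Run sql for user; return the rows, or None if the query was aborted.

        SQLite produces rows as the cursor is stepped, so closing the cursor
        once the limit is crossed stops the query instead of draining it."""
        limit = self.limit_rows()
        cur = self.conn.execute(sql, params)
        rows = []
        while True:
            batch = cur.fetchmany(BATCH)
            if not batch:
                return rows
            rows.extend(batch)
            if role not in BULK_ROLES and len(rows) > limit:
                cur.close()
                self.alerts.append(Alert(user, sql, len(rows), limit))
                return None


def build_demo_db(n_customers: int = 1000) -> sqlite3.Connection:
    """Constructed customers table; nothing here comes from a real system."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, "
        "email TEXT, zipcode TEXT, status TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?, ?, ?)",
        [
            (i, f"cust{i}", f"cust{i}@example.invalid",
             f"{10000 + i % 900:05d}", "ok" if i % 10 else "closed")
            for i in range(n_customers)
        ],
    )
    return conn


def demo():
    conn = build_demo_db()
    guard = QueryGuard(conn, "customers")
    # An analyst looking up one zipcode touches a handful of rows: allowed.
    lookup = guard.run("alice", "analyst",
                       "SELECT id, zipcode FROM customers WHERE zipcode = ?", ("10007",))
    # The dump the parent post worries about, issued from the same analyst's
    # (possibly trojaned) workstation: aborted after the first batch.
    dump = guard.run("alice", "analyst", "SELECT * FROM customers")
    # The notifications role pulling every active address: routine, allowed.
    mailing = guard.run("bob", "notifications",
                        "SELECT email FROM customers WHERE status = 'ok'")
    return {
        "lookup_rows": len(lookup),
        "dump_aborted": dump is None,
        "mailing_rows": len(mailing),
        "alerts": len(guard.alerts),
        "limit_rows": guard.alerts[0].limit_rows,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>13}: {value}")
```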

    3. Re:well this is sooo LY by Fulcrum+of+Evil · · Score: 1

      Depending on the specific sort of breach, making sure CC numbers and PII aren't in a commonly accessible DB will cut out a lot of the problem. Depending on what sort of analysis is being done, you might expose customer zipcodes and ids to them, but, of course, YMMV.

      --
      "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
    4. Re:well this is sooo LY by Viceroy+Potatohead · · Score: 1

      But you'll have a fine audit trail to give to the apathetic FBI, who will assure you everything will be done... Before promptly putting it into the circular filing cabinet.

      I found the solution to that particular problem. They can do the same thing I did when I got broken into last night. Called DHS, told them someone broke in and stole my computer with the Anarchist's Cookbook, Terrorist's Handbook, and plans for a nuclear missile on it.

      I feel very confident that they'll get the culprit...

      [...]

      Uh-oh, I've just come to a horrible realisati

      [NO CARRIER]

    5. Re:well this is sooo LY by Peeteriz · · Score: 1

      A query that says 'select email from customers where status = ok' or 'select name, adress, zipcode from customers' would return most rows and would be a fairly common occurrence for a lowest-level employee sending out notifications or mass marketing.
      Admins would just put any such notifications in the recycle bin, since they would occur commonly.

    6. Re:well this is sooo LY by hurfy · · Score: 1

      Solved...we don't have enough bandwidth to send that out in less than X hours ;)

      lol, now I have another reason for keeping my vintage DSL connection.

  8. Obviously the right answer... by afrop · · Score: 4, Funny

    You're concerned that your employees or former employees will attempt to exploit their insider status to commit crimes against you. The most natural and obvious answer is to hire an entirely separate company, with a whole additional set of employees, and give them insider access to your network.

  9. flow? by Lord+Ender · · Score: 1

    Most companies do have inadequate security, and many pay dearly for neglecting something so essential--they just cover it up so you don't hear about it.

    But using data flows to catch insiders? A doubtful proposition. Insiders would likely steal/sabotage the data they work with daily, so it would be expected to see flows to those people.

    --
    A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    1. Re:flow? by plover · · Score: 2, Informative

      But using data flows to catch insiders? A doubtful proposition. Insiders would likely steal/sabotage the data they work with daily, so it would be expected to see flows to those people.

      Not necessarily.

      In a well-designed system, the data would flow only from the source to the destination, with as few stops in between as possible, right? In the case of credit cards, they would come into a cash register, travel to the authorizing system where they would be sent to an authorizer, then travel to the accounting system to be submitted for payment. While a guy who operates the authorizing system may have the authority to see the traffic trickling by as it happens, if he requests a block of 10,000 authorization records all at once, that's not the normal flow. An IDS can theoretically tell the difference.

      Or what if the guy in accounting suddenly emails a 10MB file? That's not his normal pattern either. Again, an IDS can see that difference between "normal" and "abnormal".

      They aren't necessarily crimes -- maybe the authorizer was researching a bug, or maybe the accountant was sending big JPEG pictures of his cat to his daughter. But they were both anomalies, and there's definitely a correlation between network anomalies and insider data theft.

      And I'm not saying IDS systems are perfect. Far from it. These systems can absolutely be worked around by a knowledgeable criminal, and there are plenty of false positive anomalies in a normal network to keep a team of investigators busy forever. But think about the damage they'd prevent if they did catch an evil insider before your data was sold to a Russian mobster. Just consider them one more layer in the security onion.

      --
      John
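
The per-user "normal versus abnormal" comparison argued for above, as an added example that is not from the thread. All flow records are constructed, the channel names `auth_records` and `smtp_bytes` are made up, and the robust-median baseline and the threshold of six spreads are the example's own choices; it also covers the reply's objection that "larger" is not "more suspicious" by scoring each user only against that user's own history.

```python
# Added example (not from the thread): per-user, per-channel flow baselines.
# Every event below is constructed sample data.
import statistics
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowEvent:
    day: int       # day index in the log
    user: str
    channel: str   # what moved: records pulled, bytes mailed, ...
    amount: float  # how much moved that day


@dataclass(frozen=True)
class Baseline:
    median: float
    spread: float  # robust scale estimate used as the unit for scoring

    @classmethod
    def from_values(cls, values):
        med = statistics.median(values)
        mad = statistics.median(abs(v - med) for v in values)
        # Scaled MAD approximates a standard deviation; floor it at 10% of the
        # median so a perfectly regular history cannot make any change look
        # infinitely suspicious.
        spread = max(1.4826 * mad, 0.1 * med, 1.0)
        return cls(med, spread)

    def score(self, amount):
        """How many 'spreads' above this user's own normal the amount is."""
        return (amount - self.median) / self.spread


def learn_baselines(events, training_days):
    """Build one baseline per (user, channel) from the first training_days."""
    history = defaultdict(list)
    for e in events:
        if e.day < training_days:
            history[(e.user, e.channel)].append(e.amount)
    return {key: Baseline.from_values(vals) for key, vals in history.items()}


def detect(events, baselines, training_days, threshold=6.0):
    """Return (event, score, reason) for post-training events worth a look."""
    alerts = []
    for e in events:
        if e.day < training_days:
            continue
        base = baselines.get((e.user, e.channel))
        if base is None:
            # First-ever activity on this channel for this user: flagged, but in
            # a real network this is where much of the false-positive noise lives.
            alerts.append((e, None, "no baseline"))
            continue
        s = base.score(e.amount)
        if s > threshold:
            alerts.append((e, s, "above baseline"))
    return alerts


def demo_events(training_days=14):
    """Constructed log: three users with regular habits, then one test day."""
    # (user, channel, typical daily amount, day-to-day wobble)
    habits = [
        ("authorizer", "auth_records", 100, 4),              # trickle of records
        ("accountant", "smtp_bytes", 200_000, 10_000),       # small attachments
        ("marketing", "smtp_bytes", 50_000_000, 1_000_000),  # big mailings daily
    ]
    events = [
        FlowEvent(d, user, ch, typical + (d % 5 - 2) * wobble)
        for d in range(training_days)
        for user, ch, typical, wobble in habits
    ]
    test_day = training_days
    events += [
        FlowEvent(test_day, "authorizer", "auth_records", 10_000),    # bulk pull
        FlowEvent(test_day, "accountant", "smtp_bytes", 10_000_000),  # 10 MB mail
        FlowEvent(test_day, "marketing", "smtp_bytes", 60_000_000),   # normal for them
        FlowEvent(test_day, "newhire", "smtp_bytes", 5_000),          # no history yet
    ]
    return events, training_days


def run_demo():
    events, training_days = demo_events()
    baselines = learn_baselines(events, training_days)
    return detect(events, baselines, training_days)


if __name__ == "__main__":
    for event, score, reason in run_demo():
        shown = "n/a" if score is None else f"{score:.1f}"
        print(f"day {event.day} {event.user:<10} {event.channel:<12} "
              f"{event.amount:>12,.0f}  score={shown}  {reason}")
```

The marketing mailing is larger than anything the accountant ever sends yet is not flagged, while the accountant's 10 MB message and the authorizer's 10,000-record pull are.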
    2. Re:flow? by profplump · · Score: 1

      If your thresholds are set tight enough to catch someone sending an "unusually large" attachment you'd be getting hundreds of alerts a day. It's not that "unusual" behavior can't be detected, it's that it can't be easily classified without a lot more knowledge than the typical automated detection system has (or could practically have). Some of the better solutions take a sample of what you consider to be "private" data and look for that in data flows, so you can hit on specific bits of data moving in ways you don't expect. But even those systems are only effective at stopping material you've already identified as private -- if the new CC numbers get processed into the detection system every day at 1 AM I could send out today's new CC numbers at midnight without being detected.

    3. Re:flow? by Lord+Ender · · Score: 1

      I've worked with a system like that, and it was all false positives, all the time.

      The best part is having to determine that everything is a false positive. "This IDS says someone in the Bangalore office sent a lot of data to a mail server for the first time. I don't know who it was or how to contact him. Now what?" Meanwhile, the console fills up with 10000 other false positives...

      There's no way to tune. "Larger" does not mean "more suspicious." DHCP is fun, too.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    4. Re:flow? by Anonymous Coward · · Score: 0

      And I've seen a system like that spot behavior that wasn't just a false positive. It's training them that's hard, but they can be another useful line of defense.

  10. Bizarro world calling by Progman3K · · Score: 1

    Hire a bunch more people outside your business to snoop your network...
    Wouldn't that result in MORE people potentially tampering with your data, not less?

    --
    I don't know the meaning of the word 'don't' - J
  11. In other words.... by Anonymous Coward · · Score: 0

    I'm in ur job, riskin ur securitiez?

    If you have physical access to a machine, the battle is already lost. Hell, you give your employees keys to your front door. You give them the four digit code to your security system (and the safety word if the phone is called during a robbery). You let them handle payroll. It's a no-brainer that an employee is a huge security vector.

    Is this really news to anyone?

  12. Hi Guys! by fuzzyfuzzyfungus · · Score: 3, Insightful

    Worried that people with access to your data might steal it and cost you money? Pay us to have access to your network! Don't worry a bit, our office is staffed by American Professionals(tm) just like the ones you are laying off and worrying about! And never mind the fact that, when the marketing hits the fan, a dead-end schlub earning jack-all to do boring work counts as a Professional(tm) if he is wearing a tie with two or fewer stains!

    Seriously. Ok, employees are obviously a potential security risk, they are the ones who have legitimate access to the gates and the keys, of course there is a risk. And, in some cases, you'll get genuinely bad apples, sociopaths, paranoiacs with bizarre persecution complexes, Fred in accounting with the gambling problem, etc. In most cases, though, you are basically just dealing with people. And people will be a lot happier, more productive, and less dangerous if you spend less money on Orwellian surveillance consultants and more on them. Does anybody seriously think that an office full of bitter, resentful employees, even under the all-seeing eye of your consultants, is less of a security risk than an office full of more or less satisfied people, with standard, basic procedures in place (particularly given that, in a lot of cases, somebody with basically no assets can do damage that cannot be repaired and costs more than they could ever repay, even if the lawsuit goes well)?

  13. Re:Dear Slashdot +1, Informative by anothersockpuppet · · Score: 0, Offtopic

    Oh yes, my overlord will need more sockpuppets to continue to gyp the moderation system...

  14. 24/7 Surveillance by nurb432 · · Score: 1

    Just spy on your employees 24/7, and their friends, families.. datamine every movement they make and can them if they even think about looking sideways..

    --
    ---- Booth was a patriot ----
    1. Re:24/7 Surveillance by owlnation · · Score: 1

      Just spy on your employees 24/7, and their friends, families.. datamine every movement they make and can them if they even think about looking sideways...

      Are you perchance, a member of the UK Labour Party? Comrade Brown-shirt, is that you?

    2. Re:24/7 Surveillance by nurb432 · · Score: 1

      No, I'm part of the 'sarcasm party'.

      It was a joke.

      --
      ---- Booth was a patriot ----
  15. Uh, I think you missed something by Anonymous Coward · · Score: 0

    This is such wonderful advice! When a company is laying off people by the billions because it's sinking faster than the Titanic, the last thing the purse-holder of the company will agree to is hiring some expensive outsourcing company to monitor their data flow and usage! Just thought I'd point that out.

  16. More Paranoia? by Anonymous Coward · · Score: 0

    Wait a minute, are you saying that due to the financial crisis a well known specific country in the world is going to be more paranoid and obsessed about fear and security than it is now already?!

    And the financial crisis is going to assume the role of excuse for that in 2009?! (like other more or less credible excuses in the last years?).

    Oh my..

  17. A back-to-front mentality by golodh · · Score: 5, Insightful

    The opening post breathes a mentality which seems to pervade US firms. It runs approximately as follows:

    (1) view employees purely as resources (about on level with the printers and the staples)

    (2) use every possible means to make their job manageable for the Human Resources department (which is shorthand for "define all tasks in such a way that every individual is instantly plug-replaceable by (a) your average worker in the job market with his job title and (b) any of his colleagues, actively remove any individuality, and rather waste someone's talents than allow him to enrich his job")

    (3) use HRM to "Dynamically contribute to optimization of enterprise processes and results" (translation: hire people when they are marginally qualified for their job and let their colleagues educate them, fire 'em the instant they become overqualified and aren't immediately placeable in a higher function, or if they show signs of becoming tired, bored, jaded, cynical, or if they catch on to what Human Resource Management really means for them)

    (4) use an elaborate system of "who reports to whom", physical access checks and "security" guards, to ensure that people are total strangers in the company they work for with the sole exception of the department they work in (this enhances "security")

    (5) determine scientifically that your employees may spontaneously become disgruntled and hostile towards the company they work for (or after being fired)

    (6) determine that the company urgently needs to protect itself from the consequences of its employees becoming disgruntled and hostile

    (7) further plan employees' jobs and tighten "security" so that the amount of damage any disgruntled individual below the rank of executive can do is reduced to an acceptable minimum.

    The final step (8) is to spend good money to outsource security and workflow monitoring to establish tight restrictions on what employees can mess up before being physically apprehended. Outside firms have nice glossy brochures that provide your board with plenty of reasons why employees should be treated as detainees rather than as collaborators. Recommending specialized outside firms to cover specific areas of employee containment definitively establishes you as a savvy and professional manager (and keeps you in line for that end-year performance bonus).

    On the other hand, the suggestion of actually treating employees as if they were collaborators confuses simple PR slogans meant for glossy company brochures with actual management. Expecting people to behave civilly when treated like people is naive in the extreme and something no manager with an ounce of professionalism should sully himself with.

    Recognize this mindset? I foresee that work-flow monitoring will become a growth industry.

    1. Re:A back-to-front mentality by owlnation · · Score: 2, Insightful

      Mod parent insightful.

      So very true. Human Resources Departments are the biggest single barrier to progress on Earth. They are often filled with defective individuals with all sorts of complexes and psychological problems (I wonder what percentage of HR workers are clinically obese? High, I'd think). Nobody, nobody, ever wanted to grow up to work in HR. You only work there if you can't do much else.

      They are holding employees back, they are holding whole corporations back by hiring people who fit into check lists. They are holding back invention by homogenizing the workplace.

      No small wonder employees steal.

    2. Re:A back-to-front mentality by Anonymous Coward · · Score: 0

      Can I quote you?

    3. Re:A back-to-front mentality by cdrguru · · Score: 1

      A lot of this is B-school and management training simply observing general employment trends. It is very difficult to differentiate between groups of employees, especially nominally professional jobs (like IT people) and folks on the loading dock.

      In the last 40-50 years the folks on the loading dock have seen a loss of unions, guaranteed pensions, guaranteed employment for life, and virtually nothing in return. Trying to explain to people that companies are no longer in a position to offer "employment for life" or pensions falls on deaf ears. People want assurances. They will do anything to get them, including voting in whomever promises to get this stuff back for them.

      Obviously, the folks on the loading dock are very disgruntled. It is difficult from a management perspective not to think the more "professional" people aren't going to be sharing in being disgruntled also, and for the same exact reasons.

      Hence, it is difficult to trust anyone - because at least large numbers of them are actively against management and the company. And they are going to do anything they think will get them some piece of what they think they have lost.

      Will unions fix the problem? Sure. It will make sure that no company ever gets formed unless it can guarantee lifetime employment to everyone it hires. That is how it is in Europe for the most part and it is where we are headed in the US.

    4. Re:A back-to-front mentality by golodh · · Score: 1

      In the last 40-50 years the folks on the loading dock have seen a loss of unions, guaranteed pensions, guaranteed employment for life, and virtually nothing in return.

      Well ... ok.

      > Trying to explain to people that companies are no longer in a position to offer "employment for life" or pensions falls on deaf ears. People want assurances.

      Well ... they want them, but they know they can't get them. On the other hand, people have a certain gross labor cost. Part of it goes towards pay, part towards benefits. Part of it could go into a private (i.e. not company-owned) pension fund (our beloved 401(k) plans), a fund that *every* employer of an employee who has the misfortune of only being offered short-term contracts pays into. All you have to do to guarantee people's pensions is to make that contribution mandatory, mandate a low risk profile, and set minimum wages that are high enough to ensure a pension after, say, 45 years of work.

      Now setting minimum wages at that level (from what I hear from people in the EU that would amount to a minimum gross wage (including tax, health benefits, pension fund contribution, and pay) of about $2000 per month) might squeeze certain jobs out of the system (I really don't know what a hamburger flipper makes). But then again you can ask yourself why we want to pay people so little. We do, and that's why we have so many million jobs that are filled by illegal immigrants, but that's another story. It isn't as if the economy can't support everyone getting that minimum wage: Sweden, Germany, Denmark, and France do so. They pay for that by (much) lower economic growth rates, but that's their choice.

      > They will do anything to get them, including voting in whomever promises to get this stuff back for them.

      Which is why the Republicans almost won the elections, and why the middle-of-the-road Democrats did win, right? The party that promises to guarantee freedom of organization for employees and legal guarantees against union representatives being fired has been voted in, yes? No??? No political (read voter (!)) support for EU-style minimum wages and social security??? Perhaps your premise "They will vote for whomever promises to get this back for them" is faulty then. Very very faulty.

      > Hence, it is difficult to trust anyone - because at least large numbers of them are actively against management and the company.

      Does that follow? I don't believe that for an instant. I don't believe that employees are unreasonable. They know that the company is the cork upon which they all float. I know for a fact that even unionized auto workers agreed to take pay cuts. What I *do* think creates resentment is when a company systematically tries to pay them peanuts while showering the CEO with money in "compensation" packages. Perceived unfairness rankles.

      > Will unions fix the problem? Sure. It will make sure that no company ever gets formed unless it can guarantee lifetime employment to everyone it hires. That is how it is in Europe for the most part and it is where we are headed in the US.

      I don't know where you got this gem of wisdom, but all it shows is that you really know d*ck about "how it is in Europe". I know people who live and work there, and I have worked there myself. Their economic system is firmly capitalist, and people can and *are* fired for under-performance, or even when they are surplus to requirements, and lifetime employment is only found in state-owned mail services (like the one in Italy) or the Government.

      And yes, what you are right about is that it's a lot harder to start a company in Europe than it is in the US, and that firing people when times are bad is harder and subject to many more rules than here. Ok, be happy about that, it's one of our main assets. But their labor laws have since been

  18. Remember 2003 by jellomizer · · Score: 3, Informative

    During the time the big viruses hit. Oddly enough it was when outsourcing became popular for IT staff. A lot of pissed off unemployed IT guys and a lot of locations without people local to fix the problems. Created prime virus-spreading conditions.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  19. Better hurry by Tubal-Cain · · Score: 0, Redundant

    > One thing companies can start doing is monitoring their networks on an ongoing basis so that they understand the normal pattern of data flow and usage

    Assuming theft isn't already the normal "data flow usage".

  20. Written by a someone who says CEOs get more by WillAffleckUW · · Score: 2, Insightful

    This reads like something written by someone trying to justify even higher pay for CEOs and Execs who are already too highly paid.

    Seriously, your risk factor decreases the less pay you give your senior staff and the more employees think they are valued as contributing to the company, instead of wage serfs that work for the Pharaoh (oops, CEO).

    I've had senior execs ask me to destroy data that shouldn't be destroyed - and I've made sure it got copied. A lawyer would say I stole the data - a smart tech would realize I was trying to keep it safe from management incompetence.

    --
    -- Tigger warning: This post may contain tiggers! --
    1. Re:Written by a someone who says CEOs get more by Anonymous Coward · · Score: 0

      >I've had senior execs ask me to destroy data that shouldn't be destroyed - and I've made sure it got copied. A lawyer would say I stole the data -

      The last place I worked had retention policies where that lawyer would have nailed you to the wall. On the other hand, you wouldn't have been in a position to second-guess a data destruction protocol without being painfully aware of the personal (criminal) liability you were undertaking. It was a general counsel office where sometimes even the rationale for document retention was secret, and where some correspondence was more than just "attorney-client privileged" but also had some clients who were affiliated with federal agencies and the DoD. Not an environment where you want to face the consequences of making your own rules.

    2. Re:Written by a someone who says CEOs get more by WillAffleckUW · · Score: 1

      Destroying tax data before 7 years is almost always wrong no matter what the argument is.

      --
      -- Tigger warning: This post may contain tiggers! --
  21. I would be more concerned .... by Anonymous Coward · · Score: 1, Interesting

    about companies that offshore. These people have the possibility of making LOTS of money by selling whatever they can get a hold of. Verizon Business actually allowed Indians to touch several network systems including a new one for the federal gov (it is supposed to be off limits, but managers were allowing Indians to come to America for a time and have full access to production systems). That network contains DOD and other groups on it. These foreigners are not stupid. Verizon has horrible internal network security. All that was required was to put in back doors and then access it later via remote means. Verizon, like ATT, Sprint, Qwest, etc. are in a hurry to offshore. It will be easy for China to pay these guys to access our system.

  22. real world and virtual by Anonymous Coward · · Score: 1, Interesting

    I figured out some time ago to add cameras to all offices. Then match the camera recordings with logs and suspicious activity. What I found is a lot less suspicious activity. Just the thought that they are being watched was typically sufficient to reduce the number of people even messing around. It also seems to cut down on the screw-around time, if you check browsing activity against the cameras. I also make it well known that that is what is going on. No hiding anything.

    Much cheaper than sticking another boss in the room with employees.

  23. Kevin Mitnick is correct by Orion+Blastar · · Score: 4, Interesting

    The weakest link in any computer security is human beings.

    I remember reading how some AOL employee took 26 CD-R disks, each one filled with a letter of the alphabet of data tables of AOL customers with phone numbers, addresses, bank accounts, and credit card numbers and passwords. He tried to sell it for millions but got busted by the FBI.

    When I worked for a law firm, there was a department called Litigation Support that changed its name to Technology Services and competed with Information Systems. I was the main developer on a lot of software programs. My machine kept blue screening and crashing, and I installed Black Ice because it looked like someone was sending me the ping of death and ping floods. Black Ice traced the attacks to Technology Services PC systems. When I reported the fact to my boss, he told me to take Black Ice off my system. Then it started crashing again. Eventually it stopped, but I had missed a few deadlines because my computer would crash or freeze up or lose the network connection, and it wasted my time trying to develop programs. Later on I got a bad performance review, but my boss refused to listen to me about hacker type attacks from TS directed at my IP address, despite the proof I had from Black Ice logs. Apparently I think my boss was in on the sabotage because I earned too much money and they wanted an excuse to get rid of me. It really stressed me out, and I had to go on short-term disability and had to suffer from emotional and psychological abuse from coworkers and managers. I developed schizoaffective disorder, and once I came back to work, two weeks later I was fired for being sick on the job. But it all started with denial of service attacks on my IP address.

    --
    Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
    1. Re:Kevin Mitnick is correct by Anonymous Coward · · Score: 0

      This and other things posted lead me to the question of how dangerous it can be to fire/lay off/pay cut, etc. your current I.T. guys? I work as an I.T. supervisor overseas and would hardly be malicious as I would like to get back home to the U.S., but still, how would you feel, or how could you even take the risk of firing the person/s that designed or maintained your security?

  24. The Board first by sane? · · Score: 2, Interesting

    As has been demonstrated recently, the board of the company is the biggest threat to the continued survival of the company. Not only are many incompetent, they are often woefully out of touch and prone to making decisions to protect their bonuses rather than the health of the company (excuse me while I take the corporate jet to beg for a loan so I can continue to pay my 'bonus').

    What's needed is an application that looks over the shoulder of each board member and reports back their actions to the shareholders. THAT would be a good place for an external, outsourced company. Monitor the board 24 hours a day and analyse the data flows.

    1. Re:The Board first by bickerdyke · · Score: 1

      As the biggest stock holders probably will be some investment company, they are more than willing to pocket short term earnings, and then sell their shares and leave the company to die.

      You'd rather need to pay the bonuses not based on the quarterly results, but on the quarterly results in 20yrs time.

      --
      bickerdyke
  25. It's called "insider threats" and it's not new by istartedi · · Score: 1

    Protection from the "insider threat" was a selling point for the last two companies I worked at. BTW, I'm looking for work. Hey, if they can slashvertise, why can't I?

    --
    For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
  26. IT Immunology by Anonymous Coward · · Score: 0

    A company's IT department is like its circulatory system. Its primary everyday job is to carry info and work around the body. Its secondary job is to protect against foreign invaders. Now we all have contractors to deal with but it is a symbiotic relationship for the most part. Like an obese person with worms; helpful nonetheless. We also from time to time get some punk breaking in to steal laptops or a spy/terrorist scoping out the place. I digress...
    Management, fearful of what cancer may be brewing in the organization, undoubtedly tries to do anything to limit their exposure. This entails the mighty websense ( blocker of pandora, youtube, orb, etc... I'll show you questionable material. ) or lack of floppy drives and audio. At some point, and I'm feeling a bit inflammatory here, the white knights of IT get a little over active and begin a company wide allergic reaction. As soon as the IT dept joins with Security, I feel we may be in store for proper body cavity checks to make sure no personal thumb drives pass through the system.

  27. Re:Beware by Anonymous Coward · · Score: 0

    Is that you, Biden?

  28. Re: ouch by Anonymous Coward · · Score: 0

    At least you're not paranoid if they're really out to get you!

    Sucks though that they got away with that. If I had been one of your co-workers, I'd have helped you get even...

  29. I think the important point has been missed by rlh100 · · Score: 1

    From the original post:
    "One thing companies can start doing is monitoring their networks on an ongoing basis so that they understand the normal pattern of data flow and usage".

    The important point is not to snoop on each and every employee. Rather it is to "understand the normal pattern of data flow and usage". Which seems like a really reasonable thing to do. How can you detect an anomaly on your network when you don't know what normal is? So Joe is accessing the finance database at 10:00 on a Friday night. Is this normal? Yes if Joe works in accounting and has a history of accessing the database late at night when he works from home. No if Joe has a strict history of working 9 to 5. No if Joe works in sales and should not be accessing the finance database. How do you tell if you have no history of what "normal" is?

    Now how you do something intelligent with this information is a separate matter. With the problem being that in most organizations there is a lot of legitimate non-normal traffic. If you raise an alarm every time something unexpected happens, your security group will go crazy.

    I remember Marcus Ranum once saying in a talk that his biggest problem with installing intrusion detection software was that the customer would turn off the alarms. When he was called back and asked why the intrusion detection software did not catch the intrusion, he would check the logs, find the alarm event, and discover the alarms turned off. When the customer was asked why the alarms were turned off, they would say "There were so many alarms ..."

    It is hard work tuning the intrusion detection software. When an alarm happens, someone needs to look at it. If it is allowed access, then a rule needs to be defined that characterizes the access and allows it so that an alarm will not go off the next time the event happens.
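    The baseline-then-tune approach rlh100 describes, as an added example that is not from the thread: a per-user profile of which resources are used and whether off-hours access is normal for that person, a department-to-resource policy, and a hand-written allow rule for an alarm that was reviewed and found legitimate. All users, resources, timestamps and the policy are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample history: (user, department, resource, ISO timestamp).
HISTORY = [
    ("joe", "accounting", "finance_db", "2008-11-03T09:15:00"),
    ("joe", "accounting", "finance_db", "2008-11-07T22:40:00"),  # late, from home
    ("joe", "accounting", "finance_db", "2008-11-14T23:05:00"),
    ("ann", "accounting", "finance_db", "2008-11-03T10:00:00"),
    ("ann", "accounting", "finance_db", "2008-11-05T16:30:00"),
    ("bob", "sales", "crm", "2008-11-03T11:00:00"),
    ("bob", "sales", "crm", "2008-11-06T14:00:00"),
]

# Which departments are expected to touch each resource (constructed policy).
RESOURCE_OWNERS = {"finance_db": {"accounting"}, "crm": {"sales"}}

# Hand-tuned exceptions: an alarm fired, someone reviewed it, and a rule was
# written so the same legitimate access does not alarm again (constructed).
ALLOW_RULES = {("ann", "finance_db", "off_hours")}  # e.g. month-end close

def is_off_hours(ts):
    """Anything outside a 07:00-19:00 working window counts as off-hours."""
    hour = datetime.fromisoformat(ts).hour
    return hour >= 19 or hour < 7

def build_baseline(history):
    """Per user: resources seen and how many accesses were off-hours."""
    base = defaultdict(lambda: {"resources": set(), "off_hours": 0, "total": 0})
    for user, _dept, resource, ts in history:
        prof = base[user]
        prof["resources"].add(resource)
        prof["total"] += 1
        if is_off_hours(ts):
            prof["off_hours"] += 1
    return base

def classify(event, baseline):
    """Return the reasons an event deviates from baseline; [] means normal."""
    user, dept, resource, ts = event
    reasons = []
    if dept not in RESOURCE_OWNERS.get(resource, set()):
        reasons.append("department not expected to use resource")
    prof = baseline.get(user)  # .get() does not create a default entry
    if prof is None:
        reasons.append("no history for user")
        return reasons
    if resource not in prof["resources"]:
        reasons.append("resource never accessed by user before")
    if (is_off_hours(ts) and prof["off_hours"] == 0
            and (user, resource, "off_hours") not in ALLOW_RULES):
        reasons.append("off-hours access with no off-hours history")
    return reasons
```

    Joe's Friday-night finance_db access comes back clean because his history already contains late sessions, while the same access from Bob in sales trips both the policy check and the never-seen-resource check.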

  30. Terrible Idea by mfh · · Score: 1

    > Alternatively, don't write the passwords down, but write down clues that only you would get.

    This is one sure fire way to drive yourself insane, as clearly the parent has.

    Also, nice sig, loser. I am e-famous!

    --
    The dangers of knowledge trigger emotional distress in human beings.
  31. here's an idea by dhuff · · Score: 1

    Hey, here's a novel concept: Don't treat your employees like crap, and they're less likely to treat you that way. (not a common idea in American Big Business, I know...)

  32. Furry poster is a Furry. by Anonymous Coward · · Score: 0

    Hognoxious, RU a furry? Hogs yiffing in furry suits, oinking and rubbing up. Rolling in mud together, grown adults.

    You make me sick, furry lover.