Slashdot Mirror


Employees the Next (Continuing) Big Security Risk?

surely_you_cant_be_serious writes "A nationwide survey finds that most companies consider their systems vulnerable to attack. Historically, crime rates increase during recessions — and some believe that cybercrime may well follow suit, especially given massive layoffs and the dim prospects many laid-off employees face in finding a new job. 'One thing companies can start doing is monitoring their networks on an ongoing basis so that they understand the normal pattern of data flow and usage, Brill said. In many cases, companies may not have the internal capability to do this, but outsourcing options are available. Kroll Ontrack, for instance, will be rolling out a 24/7 monitoring service for its global clients manned from a US location by professionals in early 2009.'"


  1. Re:crime also goes up by Belial6 · · Score: 4, Interesting

    Sometimes employees even go through a lot of trouble to pierce their company's security (for example, in order to get Kazaa working inside the firewall) and effectively open a hole to potential hackers, too.

    Companies could go a long way in avoiding this kind of behavior if they didn't fall for the false dichotomy of "Access to everything" and "Work is supposed to suck". I know you didn't say it, but these kinds of articles always bring out the admins that recommend that every machine should be locked down to the point of basically being a kiosk, often actually preventing people from doing their job, and rationalize that since "it's the company's" computer, it cannot be used to make work a place people want to go.

    This always gives me images of the bad boss from 9 to 5. After all, how much different is it for a real live admin to tell an office worker that they can't have a picture of their family on their desktop than the fictional manager who told the characters in the movie that they cannot have pictures of their family on their... desktop?

    Businesses regularly spend money to try to make their business a 'good place to work'. There is a huge amount of safe area between "full access to anything" and "treat it like a bank vault". The PC is one of the least expensive ways to improve a work environment. A $2 set of headphones, or even just making sure that the CD drive can play music and let the employee bring their own headphones goes a long way to improving a work environment. Heck, have the admins 'certify' a safe CD ripping app, and you are less likely to have people downloading random rippers from who knows where.

    Most people are going to respect "Music must be ripped using THIS easy-to-use software so that we can secure against viruses." a lot more than "Music is not allowed in our company". If you take the latter route, you have a much higher risk of employees just ignoring the rules and going with Kazaa. Heck, the people that feel they MUST get music from Kazaa will still be safer in that they are more likely to do the downloading from home, and sanitize the files by first converting them to standard CD format, before bringing them to work and re-ripping them.

    Instead of trying to prevent employees from accessing the internet, give them access to virtual machines that have no access to the company network. This makes not being a security risk the path of least resistance, instead of encouraging people to try and circumvent the company's security AND making work a crappy place to be.

  2. Re:well this is sooo LY by RichardJenkins · · Score: 2, Interesting

    Select * from [[view containing records user has access to]]

    Lots of business analysts will find themselves much less agile if they can't access their data sets in any arbitrary ways.

    Though perhaps in some cases it would be useful if there were a security module in a database that could say, for some set of users, abort any query that returns more than 3% of all the rows in the customers table and notify an admin.
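The two controls sketched in the comment above, a per-user view as the only thing analysts query and a guard that aborts and alerts when a query would return more than 3% of the customers table, worked through as an added example in Python over an in-memory SQLite database. This is not code from the thread or from any product; the `customers` table, its `owner` column, the analyst names and the sample rows are all constructed for the example.

```python
"""Row-level views plus a result-volume guard, in SQLite.

Added example for the two ideas in the comment above; it is not code from
the Slashdot thread or from any named product. Assumptions: a 'customers'
table with an 'owner' column naming the account manager allowed to see the
row, one view per analyst, and a 3% threshold as stated in the comment.
"""
import math
import sqlite3

THRESHOLD = 0.03  # abort a query returning more than this share of customers

# Provisioned analyst accounts. View names are built from this fixed list at
# setup time, never from request input, because SQLite does not allow bound
# parameters inside CREATE VIEW.
ANALYSTS = ("alice", "bob", "carol", "dave")


class QueryAborted(Exception):
    """Raised when a query would return more rows than the threshold allows."""


def build_db() -> sqlite3.Connection:
    """Create the constructed sample database: 200 customers, 50 per analyst."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers ("
        " id INTEGER PRIMARY KEY, name TEXT, owner TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (name, owner, card_last4) VALUES (?, ?, ?)",
        [(f"customer{i}", ANALYSTS[i % 4], f"{i % 10000:04d}") for i in range(200)],
    )
    # One view per analyst. The WHERE clause is the row-level rule and the
    # column list hides 'owner'; analysts are given the view, not the table.
    for user in ANALYSTS:
        assert user.isidentifier()  # guards the literal spliced into the DDL
        conn.execute(
            f"CREATE VIEW customers_{user} AS "
            f"SELECT id, name, card_last4 FROM customers WHERE owner = '{user}'"
        )
    conn.commit()
    return conn


class GuardedDB:
    """Runs analyst SELECTs and enforces the 3% result-volume rule."""

    def __init__(self, conn: sqlite3.Connection):
        self.conn = conn
        self.alerts: list[dict] = []  # stand-in for paging or mailing the admin

    def row_limit(self) -> int:
        total = self.conn.execute("SELECT COUNT(*) FROM customers").fetchone()[0]
        return math.ceil(THRESHOLD * total)

    def query(self, user: str, sql: str, params: tuple = ()) -> list[tuple]:
        if user not in ANALYSTS:
            raise PermissionError(f"unknown analyst {user!r}")
        if not sql.lstrip().upper().startswith("SELECT"):
            raise ValueError("only SELECT statements pass through the guard")
        limit = self.row_limit()
        # Count what the query would return before materialising it. Both
        # statements run on one connection here; in a server database they
        # belong in one read transaction so the count matches the fetch.
        count = self.conn.execute(f"SELECT COUNT(*) FROM ({sql})", params).fetchone()[0]
        if count > limit:
            self.alerts.append({"user": user, "rows": count, "limit": limit, "sql": sql})
            raise QueryAborted(f"{user}: {count} rows requested, limit is {limit}")
        return self.conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    db = GuardedDB(build_db())
    print(db.query("alice", "SELECT id, name FROM customers_alice WHERE id < ?", (20,)))
    try:
        db.query("alice", "SELECT * FROM customers_alice")
    except QueryAborted as exc:
        print("aborted:", exc, "| alerts:", db.alerts)
```

With 200 customers the limit is 6 rows, so a narrow lookup on the analyst's own view goes through while a full dump of that view (50 rows) is aborted and logged for the admin; a dump of the base table would trip the same guard. SQLite has no GRANT, so nothing here stops an analyst naming `customers` directly; in a server database the analyst role would be granted SELECT on its view only, and the guard would sit in a proxy or stored procedure in front of it.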

  3. I would be more concerned .... by Anonymous Coward · · Score: 1, Interesting

    about companies that offshore. These people have the possibility of making LOTS of money by selling whatever they can get hold of. Verizon Business actually allowed Indians to touch several network systems including a new one for the federal gov (it is supposed to be off limits, but managers were allowing Indians to come to America for a time and have full access to production systems). That network contains DOD and other groups on it. These foreigners are not stupid. Verizon has horrible internal network security. All that was required was to put in back doors and then access it later via remote means. Verizon, like ATT, Sprint, Qwest, etc. are in a hurry to offshore. It will be easy for China to pay these guys to access our system.

  4. real world and virtual by Anonymous Coward · · Score: 1, Interesting

    I figured out some time ago to add cameras to all offices. Then match the camera recordings with logs and suspicious activity. What I found is a lot less suspicious activity. Just the thought that they are being watched was typically sufficient to reduce the number of people even messing around. It also seems to cut down on the screw-around time, if you check browsing activity against the cameras. I also make it well known that that is what is going on. No hiding anything.

    Much cheaper than sticking another boss in the room with employees.

  5. Kevin Mitnick is correct by Orion+Blastar · · Score: 4, Interesting

    the weakest link in any computer security is human beings.

    I remember reading how some AOL employee took 26 CD-R disks, each one filled with a letter of the alphabet of data tables of AOL customers with phone numbers, addresses, bank accounts, and credit card numbers and passwords. He tried to sell it for millions but got busted by the FBI.

    When I worked for a law firm, there was a department called Litigation Support that changed its name to Technology Services and competed with Information Systems. I was the main developer on a lot of software programs. My machine kept blue screening and crashing, and I installed Black Ice because it looked like someone was sending me the ping of death and ping floods. Black Ice traced the attacks to Technology Services PC systems. When I reported the fact to my boss, he told me to take Black Ice off my system. Then it started crashing again. Eventually it stopped, but I had missed a few deadlines because my computer would crash or freeze up or lose the network connection, and it wasted my time trying to develop programs. Later on I got a bad performance review, but my boss refused to listen to me about hacker type attacks from TS directed at my IP address, despite the proof I had from Black Ice logs. Apparently I think my boss was in on the sabotage because I earned too much money and they wanted an excuse to get rid of me. It really stressed me out, and I had to go on short-term disability and had to suffer from emotional and psychological abuse from coworkers and managers. I developed schizoaffective disorder, and once I came back to work, two weeks later I was fired for being sick on the job. But it all started with denial of service attacks on my IP address.

    --
    Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.

  6. Re:crime also goes up by techno-vampire · · Score: 2, Interesting

    It's amazing how fast people will start breaking the rules if you start on the premise that they already are, and treat them accordingly.

    You mean like the **AA and their minions do? Or, for that matter, the way Redmond does with its WGA? Or, just maybe, the way the TSA does at the airport?

    --
    Good, inexpensive web hosting

  7. The Board first by sane? · · Score: 2, Interesting

    As has been demonstrated recently, the board of the company is the biggest threat to the continued survival of the company. Not only are many incompetent, they are often woefully out of touch and prone to making decisions to protect their bonuses rather than the health of the company (excuse me while I take the corporate jet to beg for a loan so I can continue to pay my 'bonus').

    What's needed is an application that looks over the shoulder of each board member and reports back their actions to the shareholders. THAT would be a good place for an external, outsourced company. Monitor the board 24 hours a day and analyse the data flows.