Slashdot Mirror


Porn-Surfing Execs Infecting Corporate Networks With Malware

wiredmikey writes "According to a recent survey of malware analysts at U.S. enterprises, 40% of the time a device used by a member of the senior leadership team became infected with malware, it was due to executives visiting a pornographic website. The study, from ThreatTrack Security, also found that nearly six in 10 of the malware analysts have investigated or addressed a data breach that was never disclosed by their company. When asked to identify the most difficult aspects of defending their companies' networks from advanced malware, 67% said the complexity of malware is a chief factor; 67% said the volume of malware attacks; and 58% cited the ineffectiveness of anti-malware solutions."

31 of 151 comments

  1. Very disappointing article. by Anonymous Coward · · Score: 5, Funny

    It doesn't even include any of the URLs to go to!

  2. It's good to be the king. by themushroom · · Score: 3, Insightful

    -- Mel Brooks, "History of the World pt 1"

    1. Re:It's good to be the king. by DavidClarkeHR · · Score: 4, Interesting

      It's good to be the king. -- Mel Brooks, "History of the World pt 1"

      Agreed. I'm one of the fortunate ones - my boss actually follows the rules, but I've worked in places where the boss is exempt from basic network security. One was a small business where the boss 'pays the bills', so he got to 'make the rules'.

      When his customer database was deleted he fired his IT guy in a fit of anger. He lost a lot of money in a wrongful dismissal settlement, and lost all of his business. It might have been the IT guy who did it - but the lawyers obviously felt that 'I don't need a slow virus scanner' was more likely the cause. Or at least, reasonable doubt.

      --
      - Nec Impar Pluribus, or so I'm told.
    2. Re:It's good to be the king. by Opportunist · · Score: 4, Interesting

      "Why do we need backups, we have it all here, right? So why do you want to have it there, too? Do you want to steal our customers?"

      I was actually asked that once.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  3. Solution by girlintraining · · Score: 5, Interesting

    and 58% cited the ineffectiveness of anti-malware solutions."

    So the majority of experts agree the existing solutions are ineffective. And yet the solution remains the same: Buy more of it.

    --
    #fuckbeta #iamslashdot #dicemustdie
    1. Re:Solution by girlintraining · · Score: 4, Funny

      I'd rather be out of the job than stuck between "I need access to EVERYTHING for no goddamn reason" and "ME COMPOOTER IS BOKE-BOKE AGAIN FIX IT A+ PRIORITY ONE"

      Ah. The naivety of youth. So refreshing. And yet they wonder why nobody hires them.

      --
      #fuckbeta #iamslashdot #dicemustdie
    2. Re:Solution by Billly+Gates · · Score: 2

      Why would you ever have to touch their computer? Put up a sacrificial server with a virtual host running Samba, and modify their login script and group to have them interface to this virtual host. Have something on the virtual host analyze and sanitize their crap, and physically isolate their network services so that they're not on the same network as everyone else. Give them their porn and keep them off of the corporate network.

      Right, because executives never need to share files with the rest of the teams in the company. It is not like they have important things to do all day or anything.

    3. Re:Solution by Opportunist · · Score: 4, Insightful

      Does Antivirus software get everything? Hell no. Is it useless because of it? No, far from it.

      The world is not black and white and neither is security. I mean, by the same logic you could say that anti-drug laws didn't work, so let's abolish them. Police didn't arrest every murderer out there, away with it. And since doctors fail at saving every patient, shut down those hospitals.

      Would that be stupid? Of course it would be. No, anti malware programs do not catch everything. But even the worst of them (interestingly named after its currently quite mobile founder) finds about 95% of the threats. Yes, that means that one out of 20 attacks could get past it. But the other 19 do not!

      Not to mention that the best security system is powerless against user stupidity. I think I pull that link every time we're discussing this, but it just was true, is true and probably will be true forever until I find a way to kill clickmonkeys via internet: Given a choice between dancing pigs and security, users will pick dancing pigs every time. There is exactly NO way how you can secure a system against a clickmonkey that has admin privs. And those idiotic execs do! Not that they need them or know how to wield them, but they want that "in control" feeling. Needed or not.

      The very LAST thing I want is any kind of privileges beyond the bare minimum to do my job. Simple reason: Credible deniability. What I could not do, I most certainly did not do. Your database is missing? Could not have been me, I can only enter data but I can't delete or edit anything. Go look elsewhere for your culprit.

      But back on topic. Statistic is a multi-layer system. Relying on only one part of security is simply dumb. There is no such thing as 100% security. It's a myth. Like 100% uptime. You can lower the chance for a security breach, with technology (firewalls, antivirus), with policies (least privileges, secure processes) and a few other things. And yes, hence the solution to security is more security. Well, within reason and at sensible points, of course, but the solution can't be "can't stop it, so why bother trying?"

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    4. Re:Solution by triffid_98 · · Score: 2

      No, anti malware programs do not catch everything. But even the worst of them (interestingly named after its currently quite mobile founder) finds about 95% of the threats. Yes, that means that one out of 20 attacks could get past it. But the other 19 do not!

      If my own corporate experience with antivirus/antimalware tools is any indication they actually find 120% of the threats.

      How do they do that you say? By flagging legitimate files as malware and trojans. It's a very real problem for small software development houses. Even if you can get your application whitelisted by the offending scanners (not easy), chances are the next revision of your build will get flagged the same way.

      That doesn't mean that they won't let malware through, it just means that they use fairly conservative heuristics in addition to file signatures. It's definitely possible to fool them.

  4. Re:malware and porn by ZombieBraintrust · · Score: 5, Funny

    executives must be into weirder stuff than most mouth breathers

  5. So, in other words, they violate basic IT policy by generic_screenname · · Score: 5, Insightful

    The top threats listed in TFA are all common-sense things to avoid with work machines. (Visiting porn sites, letting family members use equipment, installing malicious mobile apps, and falling for phishing emails.) There is a reason us IT folks tell people not to do these things at work.

  6. Re:So, in other words, they violate basic IT polic by idontgno · · Score: 4, Insightful

    And there's a reason why the executive suite doesn't listen:

    "You're not the boss of me!"

    (Supported by "If anything does happen, it's your fault anyway.")

    --
    Welcome to the Panopticon. Used to be a prison, now it's your home.
  7. Re:So, in other words, they violate basic IT polic by boristdog · · Score: 2

    I was the execs' personal IT support (not my job, but hey) in the last company I worked for.
    One day the CEO brought his "wife's" laptop for me to fix because it was really slow.

    I had never seen so much and so varied porn on one person's computer before. I learned so much back then...

  8. OS Design failure by ka9dgx · · Score: 2, Interesting

    So, none of this mentions the lack of a proper security design in the Operating System. When someone says run a program, it let it use this much ram, this much cpu, and this folder.... that should be it.

    But no existing commodity OS lets you do that, does it? Until capability based security becomes the norm, this will never be fixed, and information security jobs will flourish.

  9. Do different rules apply to senior managers? by grahamsaa · · Score: 5, Insightful

    I've never understood why people do stuff like this. Years ago I recovered data from a CFO's laptop, only to find the thing filled with porn. Senior managers generally make enough money to have personal devices to look at porn on -- why do they risk the embarrassment of being discovered misusing company resources? I guess now that I think of it, the CFO in question wasn't fired (or even really disciplined) for this, as far as I can tell, so maybe senior managers just think that they're important enough that rules and common sense don't matter. If the laptop had belonged to a lower-level employee, he or she probably would have been disciplined.

    --
    Facts have a liberal bias.
  10. Re:Safe Surfing by TWX · · Score: 4, Funny

    The obvious solution is for corporations to provide safe porn on their internal networks. What could possibly go wrong?

    I shudder to think of how this'll impact the BYOD policy...

    --
    Do not look into laser with remaining eye.
  11. Let's turn this around... by wjcofkc · · Score: 2

    If employees were bypassing security, and getting their machines and the network infected en masse via porn, one of two or both would happen:
    A. A very stern email would go out to all employees regarding the issue.
    B. A whole lot of employees would get canned.

    Since it's executives, there will be no scolding or even talk of it. Not to mention their security for no good reason is low, so they access anything they want on the internet. It will just keep going on. After all, this is hardly news. It's well known (at least in support) that executives have been infecting their machines and the network by the sackful for ages. When I did internal corporate IT support, I personally saw it. Over and over and over. The standard course of action? Remote into their machine, silently remark at the sheer number of porn-related icons on their desktop, start removing things (toolbars too), climb around in the registry fixing all the damage the porn did, patch anything I had to, and then disconnect - walking away from the whole matter without a word. Also, these events were never properly documented to protect the executive, and therefore my job. The funny thing is, a lot of the higher ups would watch me while I was remoted into their machine, seeing everything they had been up to - they truly didn't give a shit due to their level of authority. I sometimes wondered if they got off on it. No shame at all.

    --
    Brought to you by Carl's Junior.
  12. http://yourbrainonporn.com/ by blahbooboo · · Score: 2

    http://yourbrainonporn.com/

    All that needs to be said...

  13. Re:malware and porn by Opportunist · · Score: 4, Interesting

    You don't think executives don't NEED those super important "power bars", do you?

    And of course execs have admin privs on their PC. They don't know what to do with it, they don't know why they got it, but don't you dare even suggest taking it from him!

    Even as the CISO you get shouted down at the management meeting when you suggest something outrageous like that. What cheek! Those dumb techdroids having higher privileges on his PC than the CEO!

    Yeah, we had a good laugh.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  14. Re:Safe Surfing by Opportunist · · Score: 2

    I am more afraid of the sexual harassment problems looming over our heads with the BYOD crap.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  15. Re: Occam's Razor by Opportunist · · Score: 5, Insightful

    They don't get fired for it.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  16. Oh yes. by clickclickdrone · · Score: 2

    I work in a major Bank and the support staff tell me the senior execs are all kept in a separate isolated LAN, not because of the security of the documents they work on but because they access so much porn and torrents etc that their bit of network is riddled with crap that needs daily cleaning up. And some of the porn is very much in the jail time category.

    --
    I want a list of atrocities done in your name - Recoil
    1. Re:Oh yes. by z0idberg · · Score: 2

      The support staff are either full of shit (which is the most likely scenario) or breaking the law themselves by not reporting this "jail time category" porn.

      And if they are more concerned with keeping their job than reporting it they are in the same low-life category as the execs accessing the stuff.

    2. Re:Oh yes. by DarkSoul42 · · Score: 2

      I also used to work in a bank, and there was this opt-in network (you actually had to ask for it, and it of course put you on a "watch" list for performance and such) on a regular home-grade connection, called "red cable". It got you access to a nearly unrestricted NAT connection (separation for each floor, wireless network segments, and meeting rooms), and incidentally allowed IT folks to download packages and other cumbersome images that the regular proxy would not download/filter.
      Meeting rooms also were wired in this fashion, in their own isolated VLANs so as to not infect guests with crap our execs would download. ;)

      On top of that we then could implement an HTTPS reverse proxy system (OpenBSD + nginx) to publish data used in meetings with outside people (vendors and such), with Kerberos password + client certificates for authentication, and very strict monitoring on said box to ensure no one accessed it out of planned timeframes.

      Cons:
      - The really cumbersome thing was getting a restricted file (some legit packages like WireShark would get recognized as malware) on the main network, which also had its own restrictions of course, except for the IT admin floor.
      - A little more maintenance trouble, and execs throwing a fit when this supposedly "non business critical" connection went down, and it turns out someone was using it for "very important downloads". I dropped enough hints here, three guesses as to what these were.

      Pros:
      - This allowed BYOD relatively seamlessly for the execs, so they didn't feel the need to ask for admin privileges on their main network workstations.
      - And yes, some execs and IT goons would do insane torrenting and porn surfing on that network, and make a mess of it, but at least it was walled and easier to purge through fire when time called for it.

      They want to be kings? Let them be kings of a pile of dirt, play with mud like kids, and con them into believing dirt is the new gold.

  17. Management style by PopeRatzo · · Score: 5, Funny

    These porn-surfing execs are just taking a more "hands-on" approach to management and want to make sure they have a firm grasp on their critical infrastructure.

    It gives new meaning to The Peter Principle.

    --
    You are welcome on my lawn.
  18. Re:The real problem by Opportunist · · Score: 2

    Pretty much this.

    One of the core reasons this problem exists in the first place is that execs insist that the rules don't apply to them. Oh sure, we have insanely tight corporate rules concerning computer usage... but of course not for C-Levels, certainly not. And their secretaries (who are collectively ignorant enough to be a security crisis all by themselves) have to be exempt, too. And while we're at it, we not only need to bypass the firewall entirely but we also need administrative privileges on our machines.

    Trying to explain to them that it is a security nightmare what they're asking for doesn't help at all. This isn't about rational, logical reasons. It's purely about entitlement. Rules only apply to the plebs beneath me, but never to me. And when (not if, when) the crap backfires eventually, we'll certainly find some scapegoat to sacrifice.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  19. Re:The real problem by mysidia · · Score: 2

    Is executives trying to claim sovereign immunity to IT regulations.

    Perhaps.... but this is one of the reasons IT security cannot be built from the bottom up.

    IT security inherently requires management buy-in, and management has to be made to understand about leadership by example. They must be sold on it. If they themselves can't adhere to it, then they sure aren't sold on it! How could they expect their hired help to be sold on it, if they don't even agree with it?

    If the manager or their family don't follow the same rules, then they are teaching other people not to follow the rules either.

    Just like the family grocery store, that lets the owner's wife do her shopping, and take the goods out the back door without having to pay retail price.

    The cost to the store is much higher than the price of the goods; it includes the opportunity cost, lost chances to make up for the cost, lost profit.

    Customers will see it. Employees will see it. It will lead to more losses.

    It will instill in the manager, their family, and those around them, an attitude that will destroy the business.

  20. Re:what exactly is a "visit" to a porn site by Opportunist · · Score: 2

    Well, if you're googling for such perverted stuff, it's your own damn fault!

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  21. get a linux box by cyfer2000 · · Score: 3, Insightful

    For the pron, get a linux box please!

    --
    There is a spark in every single flame bait point.
  22. Re:malware and porn by Anonymous Coward · · Score: 2, Insightful

    Most CEOs don't even have all the keys to the factories and plants, and when they need access for whatever reason, they go in with someone who knows what they are doing- just in case they screw something up - press the wrong button etc.

    But when it comes to IT - they just love logging in with an account with full domain admin privileges (you could create a different account for them to use if they ever need it - which could be rarely, but no, it has to be their main account).

  23. Re: Safe Surfing by Anonymous Coward · · Score: 3, Insightful

    You jest but the threat is real. We have a slew of android users who had their phone done over.

    It used to be that we would tell users "don't click that link." where now web sites like yieldmanager throw apk files at them.. which download automatically .. they install... and we have to clean their phone and explain that their phone is a small pc. Sigh. The 90's all over again.
    Those who do not learn from the past.