Porn-Surfing Execs Infecting Corporate Networks With Malware

wiredmikey writes "According to a recent survey of malware analysts at U.S. enterprises, 40% of the time a device used by a member the senior leadership team became infected with malware was due to executives visiting a pornographic website. The study, from ThreatTrack Security, also found that nearly six in 10 of the malware analysts have investigated or addressed a data breach that was never disclosed by their company. When asked to identify the most difficult aspects of defending their companies' networks from advanced malware, 67% said the complexity of malware is a chief factor; 67% said the volume of malware attacks; and 58% cited the ineffectiveness of anti-malware solutions."

Very disappointing article.

It doesn't even include any of the URLs to go to!

It's good to be the king.

[themushroom]

-- Mel Brooks, "History of the World pt 1"

Re:It's good to be the king.

[DavidClarkeHR]

It's good to be the king. -- Mel Brooks, "History of the World pt 1"

Agreed. I'm one of the fortunate ones - my boss actually follows the rules, but I've worked in places where the boss is exempt from basic network security. One was a small business where the boss 'pays the bills', so he got to 'make the rules'.

When his customer database was deleted he fired his IT guy in a fit of anger. He lost a lot of money in a wrongful dismissal settlement, and lost all of his business. It might have been the IT guy who did it - but the lawyers obviously felt that 'I don't need a slow virus scanner' was more likely the cause. Or at least, reasonable doubt.

Re:It's good to be the king.

[Opportunist]

"Why do we need backups, we have it all here, right? So why do you want to have it there, too? Do you want to steal our customers?"

I was actually asked that once.

Solution

[girlintraining]

and 58% cited the ineffectiveness of anti-malware solutions."

So the majority of experts agree the existing solutions are ineffective. And yet the solution remains the same: Buy more of it.

Re:Solution

[girlintraining]

I'd rather be out of the job than stuck between "I need access to EVERYTHING for no goddamn reason" and "ME COMPOOTER IS BOKE-BOKE AGAIN FIX IT A+ PRIORITY ONE"

Ah. The naitivity of youth. So refreshing. And yet they wonder why nobody hires them.

Re:Solution

[Opportunist]

Does Antivirus software get everything? Hell no. Is it useless because of it? No, far from it.

The world is not black and white and neither is security. I mean, by the same logic you could say that anti-drug laws didn't work, so let's abolish them. Police didn't arrest every murderer out there, away with it. And since doctors fail at saving every patient, shut down those hospitals.

Would that be stupid? Of course it would be. No, anti malware programs do not catch everything. But even the worst of them (interestingly named after its currently quite mobile founder) finds about 95% of the threats. Yes, that means that one out of 20 attacks could bet past it. But the other 19 do not!

Not to mention that the best security system is powerless against user stupidity. I think I pull that link every time we're discussing this, but it just was true, is true and probably will be true forever until I find a way to kill clickmonkeys via internet: Given a choice between dancing pigs and security, users will pick dancing pigs every time. There is exactly NO way how you can secure a system against a clickmonkey that has admin privs. And those idiotic execs do! Not that they need them or know how to wield them, but they want that "in control" feeling. Needed or not.

The very LAST thing I want is any kind of privileges beyond the bare minimum to do my job. Simple reason: Credible deniability. What I could not do, I most certainly did not do. Your database is missing? Could not have been me, I can only enter data but I can't delete or edit anything. Go look elsewhere for your culprit.

But back on topic. Statistic is a multi-layer system. Relying on only one part of security is simply dumb. There is no such thing as 100% security. It's a myth. Like 100% uptime. You can lower the chance for a security breach, with technology (firewalls, antivirus), with policies (least privileges, secure processes) and a few other things. And yes, hence the solution to security is more security. Well, within reason and at sensible points, of course, but the solution can't be "can't stop it, so why bother trying?"

Re:malware and porn

[ZombieBraintrust]

executives must be in to weirder stuff than most mouth breathers

So, in other words, they violate basic IT policy

[generic_screenname]

The top threats listed in TFA are all common-sense things to avoid with work machines. (Visiting porn sites, letting family members use equipment, installing malicious mobile apps, and falling for phishing emails.) There is a reason us IT folks tell people not to do these things at work.

Re:So, in other words, they violate basic IT polic

[idontgno]

And there's a reason why the executive suite doesn't listen:

"You're not the boss of me!"

(Supported by "If anything does happen, it's your fault anyway.")

Do different rules apply to senior managers?

[grahamsaa]

I've never understood why people do stuff like this. Years ago I recovered data from a CFO's laptop, only to find the thing filled with porn. Senior managers generally make enough money to have personal devices to look at porn on -- why do they risk the embarrassment of being discovered misusing company resources? I guess now that I think of it, the CFO in question wasn't fired (or even really disciplined) for this, as far as I can tell, so maybe senior managers just think that they're important enough that rules and common sense don't matter. If the laptop had belonged to a lower-level employee, he or she probably would have been disciplined.

Re:Safe Surfing

[TWX]

The obvious solution is for corporation to provide safe porn on their internal networks. What could possibly go wrong?

I shudder to think of how this'll impact the BYOD policy...

Re:malware and porn

[Opportunist]

You don't think executives don't NEED those super important "power bars", do you?

And of course execs have admin privs on their PC. They don't know what to do with it, they don't know why they got it, but don't you dare even suggesting taking it from him!

Even as the CISO you get shouted down at the management meeting when you suggest something outrageous like that. What cheek! Those dumb techdroids having higher privileges on his PC than the CEO!

Yeah, we had a good laugh.

Re: Occam's Razor

[Opportunist]

They don't get fired for it.

Mangagement style

[PopeRatzo]

These porn-surfing execs are just taking a more "hands-on" approach to management and want to make sure they have a firm grasp on their critical infrastructure.

It gives new meaning to The Peter Principle.

get a linux box

[cyfer2000]

For the pron, get a linux box please!

Re: Safe Surfing

You jest but the threat is real. We have a slew of android users who had their phone done over.

It used to be that we would tell users "don't click that link. " where now web sites like yieldmanager throw apk files at them.. which download automatically .. they install... and we have to clean their phone and explain that their phone is a small pc. Sigh. The 90's all over again.
Those who do not learn from the past.