Survey: 2/3 of Public Sector Workers Wouldn't Report a Security Breach
An anonymous reader sends news of a survey of workers in the public sector conducted by Daisy Group, a British IT firm, which found that 64% of them would stay quiet about a security breach they noticed. The survey also found that 5% of workers admitted to disabling the password protection features on their work devices, and 20% said they don't update their passwords regularly. Daisy Group's Graham Harris said, "When it comes to data security, all too often organisations focus purely on IT processes and forget about the staff that will be using them. Human error is one of, if not the most likely source for data security issues, and fear of reprisal is a powerful force." 16% of respondents said they didn't know if data protection was an important part of their company's security practices.
if only we give the government more money
The weakest link.
Do we give out points on evaluations for "fully complies with security policy every time"? No, we slam plebs with metrics and quotas, after a childhood revolving around GPAs and diploma checkboxes and life-story-in-one-page application rodeos. We've trained society to game the system and if they're giving fucks in a certain, limited fashion, it's because the world only gives fucks in a certain, limited fashion.
Of-fucking-course they game the system. "Fear of reprisal" isn't even a core symptom.
Okay, the bit about how many folks wouldn't report a security breach is disturbing, but what's the fixation with updating passwords? I've been working in computer security for decades, and I almost never update passwords unless I'm required to or there is an incident. I'd much rather have my users pick strong passwords and not change them often than pick weak passwords because I insist they change them often. Sure, it's not just an either/or, but on the list of my concerns about system security, how frequently users update their passwords ranks WAAAAY down on the list.
Given that public jobs are relatively secure, you can assume this issue is much worse in the private sector.
You hear too often about someone who disclosed a security issue and was fired/sued for "hacking" or some other ridiculous reasoning.
What benefit would there be in reporting a security breach? Workers, especially in the public sector, are increasingly being treated as the enemy when they report this sort of thing. Governments have created an environment where any sort of whistle-blowing is viewed as a hostile action, and employees are often rewarded with termination, lawsuits, or jail time. Until that climate changes for the better, I'm just going to do my job and keep my fucking mouth shut.
Some companies actively create a culture of security silence. I was fired from a job once for reporting a software vulnerability to my manager. I have never reported a vulnerability or security weakness to an employer ever since.
What percentage of them would expect to receive zero praise and potential reprisal if they did report a security problem?
Yeah, sure, it's depressing that people aren't courageous moral heroes, or motivated to go above and beyond, most of the time, especially about boring stuff or things likely to get them in trouble.
Guess what? That's one of the areas where management is supposed to be earning its money. One of the differences between an effective organization and a trainwreck is how good the flow of information is: are important observations from the periphery being collated and passed on so that HQ can actually achieve a coherent larger picture of the world? Are directions and information passed back down usefully informed by that picture? Or do you have unrealistic demands and buzzword nonsense flowing down; and soothing lies flowing up?
This doesn't mean that 100% of employees are innocent ('insider threats' are a subset of 'people who wouldn't report a security breach', since they create them; but not a terribly large subset); but if you have this problem on a large scale, that's because your organization is dysfunctional.
At my nameless three letter organization, here's how security works.
"Oh, you didn't name your database server according to our specifications required by our lame monitoring tool that can't handle nonstandard system names? Rename your server. Oh, and if it breaks the database, that's your problem."
"We just patched all the servers for greater security. Too bad you can't use your software to control or monitor them anymore, but that's your problem."
"Due to a breach, everyone must change their password. Too bad it happened while you were off for a few days and needed to log in for an emergency, but that's your problem."
Security's motto: We break stuff, put ALL the burden on the users, walk away AND we get paid for it!
I don't know any other job where you can receive money for making stuff *not* work.
data protection isn't just a helpful suggestion, it's the LAW!
I can, will and have gone Jurassic Park on any public servant or official I catch accessing data for anything other than specified work related tasks. If you're trusted with private data, then I swear on my left nut I will destroy you if you breach that trust.
At least 2 out of 3 are retarded...
Why would people who make a living fucking over the rest of the country care about what happens?
Just so we're all clear on this, what is the current official party line? Should we be reporting or not be reporting?!
Security systems need to work for everyone, not just you. The more "special cases" there are, the weaker the security is.
Oh, and if it breaks the database, that's your problem.
If renaming a server is not easily fixed by a config change, then whoever wrote the system is an idiot. Sorry, but we can't deal with your and the other 20 naming schemes that individuals thought were "cool".
We just patched all the servers for greater security. Too bad you can't use your software to control or monitor them anymore, but that's your problem.
If you are relying on outdated control or monitoring software, it is your problem. Your software may even be using the security flaw.
Due to a breach, everyone must change their password. Too bad it happened while you were off for a few days and needed to log in for an emergency, but that's your problem.
This is exactly the same as a person forgetting their password in an emergency situation. If your system can't handle it then it is your problem. Should we leave the leaked credentials valid till we contact everyone in the database? Even those on holidays who might be unreachable?
What were the actual questions? Was it worded to elicit no's? Did the respondents understand the question?
What was the definition of "major security breach"? Was the threshold so low that things like not changing a password every 30 days is a major security breach? Who responded to the survey? Were they people who only see low level issues?
Surveys can be tailored to get any desired response.
And the vast majority of security breaches fall into THAT category for someone.
don't do things that would allow it to become compromised by an attacker,
but there really isn't much point to all of this if you can't even plug your computer into the internet at all
This is why you have QA people, you pay them to tell you the things that everyone else is afraid to tell you. Management pays more attention when QA reports security problems, because it is their job.
Legit. Especially given the "it's only wrong if you get caught" attitude towards breaking rules that pervades so many of our high schools and trickles up into college and the work force with every graduation, and then gets reinforced with every performance evaluation or annual bonus.
Would you please mark these as content-free advertisements?
People will trade their passwords for a candy bar.
Plus, public sector workers at least have some job security. I've worked in the private sector for 20+ years; there's a reason it's called "at-will" employment. Sticking your neck out to report a breach won't win you any friends, doesn't gain you anything, and if it gets someone who's politically savvy in trouble it could blow back on you. Safer and easier to keep quiet and keep your job.
I wish it weren't like that—and to be fair, the best teams I've worked with weren't (and aren't!) like that. But way too many offices run that way, and politics and sleaziness beats honesty and ethics nine times out of ten.
I've been doing infosec for 18 years and fully agree. Forcing people to change passwords simply forces them to increment a number at the end or write them down. It also forces you to allow more failures in your brute force detection.
With pass phrases, it's mostly about using LONG ones. Yeah, pass phrases, not passwords. Then make damn sure you're not using DES hashes or something else that truncates passwords anywhere.
Or have you forgotten about FERPA, HIPAA, and the rest? No one wants to be liable for a federal crime by reporting it.
When reporting one takes filling out a TPS report and talking to 8 different higher-ups, many of them non-tech people, who wants to do it?
Bullshit.
If you think that termination for the purposes of retribution is more likely (and more possible) in the private sector than the public sector, you're simply not dealing with reality. Of course, I've never heard of public sector employees facing termination for publicly unpalatable information disclosures (he said sarcastically).
In the grand scheme the public sector has something that no private business has: they can survive through the use of force rather than voluntary trade. If Target has a security breach, they announce it. We can argue about the timing of when companies announce, but they do. Why? Because if the information leaks out in an uncontrolled fashion it can be a very serious threat to their existence. Customers can choose not to do business with them. They can be sued. The longer they fail to disclose, the greater those damages. And all of that rightfully so. The government? Well, if my local taxing authorities get breached what consequences do they face? Can I elect to not do business with them? Can I go through some competitive taxing authority? Can I even realistically sue them for damages? There is no practical measure by which private business can get away with mishandling a breach that isn't a thousand times less consequential for a government agency.
I appreciate that this is a minority view here on slashdot, where the majority of those commenting and editing spend much of their day dreaming of being ass-fucked by Che, but someone has to point out the basic economics of the situation.
This is the same reason I never report anything (except for outright scam attempts from outside the org, like phishing).
First of all, it basically comes down to a question of cost, training, etc., and they don't want to spend the money or time on dealing with it. If nobody brings it up, they don't have to deal with it. Therefore, bringing it up is the problem, in their eyes (i.e. the problem is not really a problem, for them).
Second of all, if you know much more about tech than everyone else, you are instantly suspect. Keep your head down and it won't get chopped off.
Oh, but the invisible hand of the market will make sure those dysfunctional companies fail!!!! Oh... you mean like Goldman Sachs, Morgan Stanley, Merrill Lynch, Bank of America? Chrysler? General Motors? Fannie Mae, Freddie Mac? When they failed? How they went out of business? Target, PF Chang, Michaels, and on and on? Oh wait, they didn't. None of them did.
In the 1990s, while working in IT for a certain federal agency, I accidentally discovered that the entire C:\ drive of the PC used by a federal employee involved in negotiations over a multi-million-dollar subcontracting action had been shared out to the entire internal network, where the contents could have been viewed by any of several thousand people. I wrote it up and sent it to the security folks. Their response? Crickets. They always made lots of noise about busting someone for the then-new pastime of porn surfing at work (this was back when very few people had Internet access at home), but when it came to things where actual business integrity was compromised, there was little care and little effort.
Get in the way of the method people want to do their work, and users will figure out very creative ways around it.
Some users think their way is the only and/or best way to do things. Their priorities are the most important no matter how much damage it can do to the company. Nothing else matters.
Tell a user they can get free apps, and they'll install and use SSH and the command line...
Not sure if you think that is funny but it is definitely untrue.
Morons are handling your most sensitive data.
We live in a very complex and difficult age. One where it's best not to make waves. One where not asking questions and avoiding discussing things is the better long-term strategy. One where the key to a trouble-free existence is to stay under the radar. Avoid suspicion at all costs, don't get singled out, don't voice dissension. Even suggesting you're "not happy" with the most trivial thing is enough to brand you as a "malcontent" and possibly "antisocial". In this world, pointing out a "security issue" (just uttering the word "security" will cause most people to gasp and shut out any further input, and flag you as "dangerous") is suicide. Stay calm. It's not your business. Feign ignorance. Think about what you could lose.
If you've chosen a strong one, you only should change when you suspect your account or the password is compromised.
And look what happens when you report on a security breach or other failures of a system that's politically liked. You get arrested or exiled or hounded into suicide.
For which you'll get paid a third less than you'd get if you went and worked outside, be vilified as a scrounger, and have your pitiful pension paraded as the reason you would never work outside the shithole known as public service.
Psssh... only high school and college? How about politics and big businesses?
Your post only proves his point: it's a scare tactic, making you change passwords frequently or periodically. Hell, a good password, once muscle memory has worked out how to type it, is typed too fast for shoulder surfing to work. You'd need to take video footage and replay it in slow motion.
Muscle memory for typing, though, takes time. And changing passwords means you have no time.
And you have to write it down or make it easy to remember (therefore easy to guess).
Why would you report?
See also: he who complains is at fault
You're right!
In the grand scheme the public sector has something that no private business has: they can survive through the use of force rather than voluntary trade. Customers can choose not to do business with them. They can be sued. The longer they fail to disclose, the greater those damages. And all of that rightfully so. The government? Well, if my local taxing authorities get breached what consequences do they face? Can I elect to not do business with them? Can I go through some competitive taxing authority? Can I even realistically sue them for damages?
You can move. If you don't want to deal with the (eventual) $15/hr minimum wage laws in LA or Seattle at the local level, or even the frankly minimal environmental protection regulation California has, you can move out of the state. You can also sue the government anytime you want, though you'll have to have money to do so, just as you would need deep pockets to sue any large company. If you don't want to live under the "terrible" despotism of the USA, you are free to find somewhere else if anyone is willing to have you. If you are young and skilled, Canada, Australia, NZ and maybe even the UK will take you in without even needing to learn a new language. If you have enough money for taxes to be a real issue, then you can buy an investor visa pretty much anywhere in the world - including the US if you are from abroad. If you are broke, Somalia has lax border control; I hear it is a free market paradise over there - very little government regulation... perfect for free marketeers like yourself, whose only failing in life is being hobbled by the local government.
As far as the rest of your shrill screed, shell companies reincorporate all the time, playing shell games with assets and liabilities and vanishing when a judgement against them is about to land. I'm pretty sure even "Detroit" is still Detroit, for a recent whipping boy. I don't recall the last time the police union had to fork over damages for the actions of its members either, for that matter - and if you look closely, you will usually see ", Inc" after whatever PD "Police Benevolent Association", much less West Texas or "Freedom Industries" type egregious misconduct that no one responsible is being executed for what amount to mass murder. At least the local police forces are forced to settle once in a while. If you have enough tape, and a pattern of abuse from prior suits on the officers involved.
Why did you comment before reading the rest of the GP's comment?
We are a public university with very high credibility and standing. We also have been attacked several times. Our instructions as per higher management are to keep quiet about the attacks in order not to damage our reputation. The problem here is that we have uncovered a lot of interesting things, and learned a lot in the process, knowledge which could be shared with others to form a common front to fight against those problems, even writing quite interesting white papers; however, alas, we have our hands tied.
Something the FBI does with sensitive workers with security clearance in top secret projects is that they pose as foreign agents and try to buy access to their work.
The worker fails and is arrested if they accept the deal. It is basically entrapment but apparently it is legal. I don't especially mind either. I think entrapment is fine under a lot of circumstances.
If you gave me a gun with blanks in it and said I could murder some random person... I wouldn't do it. But if I tried, then I probably am not someone you want on the streets.
Anyway, the FBI does like to do that, and frankly this is a good way of testing security. You have the FBI or whomever breach the system and then you see how the resident IT department deals with it. If they cover it up, then that goes into the report. If they report it, that goes into the report. If they stop it, then that goes into the report. If they don't stop it, then that goes into the report. If they don't even fucking notice, then that goes into the report.
And based on that you can make further recommendations.
When working within a crew of political buddy fuckers, the messenger is usually made the scapegoat.
I've had computers plugged into the internet since the 90s, and no issues so far.
What are you doing so wrong, that I am doing right?
Not surprising. I was recently laid off from a state* IT job for reporting too many bugs and security holes. You know the really funny part? I didn't report all of them. Why should I have? Nobody took it seriously.
*Not just a government problem. Same attitude at an insurance company. Though, accidentally catching two adulterous managers in the act didn't help.
If you're not willing to report a security breach, you don't deserve a job in the public sector, or anywhere else.
Despite civil service protections, public employees are well aware that pointing out anything unpleasant or defective to the chain of command can cost you your job. They will fire you not for what you do, but by creating situations in which what you do will be unacceptable. After all, some big shot selected the security system and he has friends in high places. Rock his canoe by reporting a security issue and you are dead meat. The only protections for workers rest in strong unions and a legal system willing to punish public institutions.
for a hypothetical world where users adhere to anything you demand of them no matter how intrusive or onerous that is.
Maybe you can get a few of your friends to help you beat on that straw man; that's not what I said AT ALL.
I work in the financial lending industry and I can promise you that if we slacked off on security and user credit info is leaked or stolen, it won't matter that the breach came by way of social engineering, brute force password attacks or swarms of pigeons waving flaming torches, everyone in the department gets sanctioned. Some will get reprimands, some will get demotions and some will get fired.
If it comes to a choice of losing your job or inconveniencing a user with a password change every 30, 60 or 90 days, guess who has to learn a new password. And you can bet that if someone in the department notices a breach, they will report it and go on a witch hunt to find the "lazy S.O.B." that had both the responsibility and the authority to fix it.
I read the FA and I find their conclusions don't match my experience. I know, anecdotal evidence isn't evidence, but reports like this, done this way, will not effect change in either a positive or negative way.
Please use drones next time you hack the government systems so that the hack can be detected from the vibrations of the afternoon cup of quality tea with milk and lemon juice, poured at 80 degrees of units named after a Swedish astronomer and served in small, white cups with a triangle sandwich which has been in the utility storage since the Tories took over the kingdom and made sure our dominatrices are properly punished since they failed to include members of the parliament as their clients to be filmed while being punished.
A few years ago, at the company I work for, we got a spec to build an interface that would send passwords, in the open, to a vendor. Several of us warned upper management of the foolishness of this idea, but despite multiple attempts to push back on this request, management insisted that the process be written this way, so that is what was done. Perhaps 64% of employees would stay quiet about a security breach because so many managers are universally, fucking stupid, and it is always dangerous to tell the emperor that he has no clothes.
So once, I saw the Comp Sci department find out about pre-examination test sharing between the Chinese TAs and the Chinese students. The end result: quietly move the TAs to positions where that was less likely and make no attempt to correct the test grades.
Even the institutions that pretend to be "achievement through effort" are willing to throw their scruples under the bus when it's time to consider that there might be a backlash.
Personally, I would have felt much better if they simply retested the students in question, recalculated the grades, and let the chips land where they may.
The aforementioned 2/3 of 'workers' probably don't need to be online to do their work. The simple fix is for their connection to the outside world to be snipped. Physical security measures can be used to ensure that the data is then 'protected' for the most part.
Obviously there are other means and ways for data to be stolen and leaked out, but the first order of business needs to be:
"You're too casual about security for any hardware you can access to be connected to the outside." Take away their connection. Several public shared kiosks can be set up in the office area they work in for essential needs.
Sorry, Facebook. Sorry Google.
I discovered a security breach at my old job and it took a massive amount of effort to get anyone to take action on it (i.e. give permission to take the site offline, notify the public), and the first set of instructions were to just delete all evidence, which is why they had to send letters to all applicants: they had no idea whose information had been exposed. I was looked way down on for jumping rank every time I got the answer to just not worry about it. One of the major reasons I eventually left the public sector... http://www.maconbibb.us/networ... http://www.13wmaz.com/story/ne...
... did you only read the first 25/48 words in the GP's post?
I work for a multinational private company and we see the same thing, not just with security breaches.
The reality is, in most labor environments now, why would anyone make an effort to point something out that would get them marginalized or fired? This is especially true in the "outsourcing countries" -- most of the people working in these locations are extremely happy to have stable employment and will do anything they can to protect it. As a result, huge problems are hidden for as long as possible until they really can't be hidden anymore. In the US, that fear is instilled by the scarlet letter of unemployment. Even with an improving economy, I still see unemployed people who can't even get an interview because they have a gap in their employment history. Unemployment in the US equals financial ruin for most people -- your credit will be destroyed once you can't meet your obligations and unemployment insurance doesn't come close to replacing most salaries. And once your credit is messed up, most companies will pass on hiring you anyway because they have 20 people with good credit and clean background checks.
Also, regarding public sector vs. private sector -- I know lots of people who work for our state university system. Even though these positions are technically permanent, there's nothing stopping the internal politics of the system from making your life so miserable that you might as well quit. It's very similar to the way private companies manage people out -- start enforcing rules more stringently, change work assignments to something awful, etc. The public sector just has due process with regards to getting rid of someone. Soon as someone shows up for work 3 minutes late more than X times, they have their excuse, just like a private company does. So yeah, I have no doubt that anyone with a shred of self-preservation instinct would keep their mouth shut about a security problem unless it was directly attributable to them.
Sorry, I've worked in a number of sectors, and these days for a US federal contractor, and unless you're talking about some upper manager, or someone in bed with same, I don't see how they'd do that. Everywhere I've worked, using and changing passwords is enforced by the IT dept, and by software. Since everyone's networked these days, you don't get on otherwise. And the places I've worked have *forced* less than simple passwords.
The next question that comes to mind is *why* they wouldn't report a breach. And what spread of organizations was this survey taken in?
are still "blacklisted" because we DID report the breach, and some protected, underqualified but ethnically diverse Management tool got upset about it.
When the guy in charge of your entire Agency's Exchange system is creating security problems by hosting gigs of improperly downloaded movies on an on-site, trusted backup mailbox server and you don't realize the stupidity comes from The Top when you report it, you get this used against you for promotions and such for a decade (and going).
Like the Mafia, we're not supposed to talk apparently.
Agreed. Most people do not have integrity.
This this this!
I have run into this countless times.
They basically enact some draconian security policy regardless of any other consequences. It breaks stuff all the time. The response you get back is typically, too bad, this is how things are now, deal with it, it is your problem. They are a level above all IT that make arbitrary decisions, oftentimes ridiculous ones, and even going to the highest level of IT infrastructure, they are like sorry, nothing we can do, you'll have to take it up with Security.
Anyway, as to answering the actual story about the survey, there are two points that are related.
1) Oftentimes, due to what we both just described, staff with no resources sometimes have to get creative as to how to get critical systems and applications to continue to function within the imposed framework. An example of this might be getting around a 1h mandatory firewall timeout: developers might put in a script to automatically do a small query simply to "touch" the DB behind said firewall just so your users' connections are not dropped every hour of every day. If it ever blows up in someone's face, security will simply say, well, we implemented our security policy, they are the ones that circumvented it, thus it is all their fault and we hold no responsibility. Never mind they didn't consider the function of any applications it might break or what that would do to service, data integrity, or anything else. Another sore spot is locally imposed security policy making local backup pretty much impossible at any scale; however, again, should something go wrong and data be lost, well, we're the ones responsible for local backup. Jerks.
2) As to why you don't say anything... Well, apart from the obvious in that you really don't want to get in trouble, a lot depends on how that survey was worded. In many cases of a breach, either no one, or very few people, know about it, and you want it to stay that way so as to avoid more breaches of the same kind. I doubt anyone really involved wouldn't tell anyone; that is silly. However, they may be very selective as to how they go about communicating the breach as they try to address it, usually as it may take a bit of time to do.
I complained multiple times about their users and nothing much seemed to be done. They ended up blocking my complaints. I would not trust them as far as I could spit out a rat.
So, if there's a leak and you find out about it, it may be in your best interests not to tell anybody?