Slashdot Mirror


IT and Security Professionals Think Normal People Are Just the Worst (zdnet.com)

Two new studies reaffirm every computer dunce's worst fears: IT professionals blame the employees they're bound to help for their computer problems -- at least when it comes to security. From a report: One, courtesy of SaaS operations management platform BetterCloud, offers grim reading. 91 percent of the 500 IT and security professionals surveyed admitted they feel vulnerable to insider threats. Which only makes one wonder about the supreme (over-)confidence of the other 9 percent.

[...] Yet now I've been confronted with another survey. This one was performed by the Ponemon Institute at the behest of security-for-your-security company nCipher. Its sampling was depressingly large. 5,856 IT and security professionals from around the world were asked for their views of corporate IT security. They seemed to wail in unison at the lesser and more unwashed. Oh, an objective 30 percent insisted that external hackers were the biggest cause for concern. A teeth-gritting 54 percent, however, said the most extreme threat to corporate IT security came from employee mistakes.

13 of 296 comments

  1. User have been the problem forever by DarkRookie2 · · Score: 5, Insightful

    This is not new news. Users have forever been a problem.

    --
    http://progressquest.com/spoltog.php?name=Son+Of+Son+Of+DarkRookie
    1. Re:User have been the problem forever by Anonymous Coward · · Score: 2, Insightful

      I am pretty sure that electricians in the 19th century blamed electrocutions mostly on user error. A lot fewer of those happen these days and users have not become smarter. Instead, appliance and building engineering standards and certification requirements have evolved.

    2. Re:User have been the problem forever by ewibble · · Score: 5, Insightful

      Yes, a computer system without users would be very safe but not that useful. But the real problem is that systems themselves allow users to do stupid things in the first place or provide no easy alternative. Here is an example:

      I want to download and run an application from the internet; seems like a reasonably common thing to do. However, how do I know it is safe? Search the internet, OK, but there may be fake sites saying it is safe, or it may be piggybacking on a valid program. Run a virus checker, well OK, but it could be a virus that isn't picked up by that checker, and the virus checker should run automatically anyway. But you need to run the program, so you do.

      What would be nice is an option like "run untrusted", which starts a VM automatically and runs it there, and checks that nothing bad has happened to your computer as well.

      I believe the responsibility lies mainly with IT; we should make it easy for the user to do what they need to do. We are the experts, we need to take responsibility for it. Yes, it is hard and you cannot always fix it, but we should always be trying and not just blame it on the user.

    3. Re: User have been the problem forever by Spazmania · · Score: 3, Insightful

      I'm in the 9%. I'm not overconfident... I just realize that treating staff like potential enemies is a losing proposition.

      I have lawyers to deal with employees who violate my trust. Until it's time to get the lawyers involved, it's better for everyone if I assume they're trustworthy.

      I focus my efforts on the authentication and accounting side of the problem and handle authorization with a very light touch. Make sure you are who you claim to be and make sure I know what you did. Then get out of the way and let you do your job.

      --
      Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
    4. Re:User have been the problem forever by skids · · Score: 5, Insightful

      It ain't the users. It's the products.

      They market themselves as easy to use and then ship with innumerable security holes and deficiencies. Half of them think they are in a living room with everyone in the same broadcast domain and spew exploitable multicast everywhere, or want you to punch holes in your network to accommodate them. Cloud services tell users "just put your data up here", no mention that they keep getting p0wned by leaving it up in unprotected mongodbs/repos accidentally. CDN-based apps with their thousands of IP addresses all shared by other services make L4 security filters impossible to define. Wifi supplicants and VPN clients which don't have any sane way to install, much less find, a corporate configuration profile that actually locks down the protocol sanely. Unmerited complete trust in DNS results. Self-help support operations that take opaque data dumps including PII, IP, and crypto keys over email to some outsourced support center who knows where.

      So it's nearly 2020 and the bright side is you almost never see telnet servers in products anymore. That took decades. In the meantime we are inundated with new attack surface daily.

      90+% of all my problems, many of them security related, are because people want to use product X and product X is a dumpster fire. I don't blame the people for wanting to use it. It's what they were shown in an advertisement, and everyone they know is using it. I blame the manufacturers of product X for shipping crap.

    5. Re: User have been the problem forever by c6gunner · · Score: 3, Insightful

      The problem with this advice is people cracking passwords don't just go through the alphabet, they use dictionaries. Since you're using words, you made their attack far more likely to succeed because the space of possible solutions is much, much smaller than "every character, number and symbol".

      Using dictionaries makes it easier, but that doesn't mean the passwords aren't any good.

      Pick 4 words at random from a very simple 2,000-word dictionary and it's roughly the equivalent of a 7-character password using alphanumerics and basic symbols. If you pick them from a 6,000-word dictionary then it's the same as a 9-character password. That's assuming a dictionary attack.

      You can also repeat words without much penalty. "purpletablepurpletablepurpletable" is 6 words; even using a 2,000-word dictionary that's equivalent to a 10-character password. With a 6,000-word dictionary it's 12 characters. And it's insanely easy to remember no matter which words you pick.

      You can also do fun things like combine languages. This is easier for people who are multilingual, but anyone can do it. Pick 3 words from 3 different languages. Random example: "I like cheese" in Albanian, Japanese, and Danish: "une suki ost". There's a 10-character password (12 if you use spaces) which is very memorable and which makes dictionary lists useless. Want it longer? Add the word "green" in English, now you're up to 15-18 characters. That's only slightly weaker than the password "!e?@D71?kkvA", but infinitely easier to memorize.

      I use random passwords too, but those get stored in a password manager. For the password manager itself, or for any passwords which I have to type frequently, using actual words is the only way to go.
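The word-count versus character-count comparisons in the comment above can be checked numerically. The following is an added example, not code from the comment's author: it assumes each word is drawn uniformly at random from a list of the stated size, takes 72 symbols as the assumed size of "alphanumeric and basic symbols" (62 for plain alphanumeric), and uses a tiny constructed word list for the generator. Note that only random choices count toward the entropy, so a two-word pair repeated three times is two random draws, not six.

```python
import math
import secrets

# Constructed demo word list; a real list would have 2,000+ entries.
DEMO_WORDS = ["purple", "table", "cheese", "green", "horse", "battery", "staple", "river"]


def passphrase_bits(dictionary_size: int, words: int) -> float:
    """Entropy (bits) of `words` words drawn uniformly at random, with replacement,
    from a dictionary of `dictionary_size` entries. Only independent random draws
    count: 'purpletable' repeated three times is two draws, not six."""
    return words * math.log2(dictionary_size)


def password_bits(charset_size: int, length: int) -> float:
    """Entropy (bits) of `length` characters drawn uniformly from `charset_size` symbols."""
    return length * math.log2(charset_size)


def equivalent_password_length(dictionary_size: int, words: int, charset_size: int) -> float:
    """Number of random characters from `charset_size` symbols that carry the same
    entropy as the passphrase; this is the comparison the comment makes in prose."""
    return passphrase_bits(dictionary_size, words) / math.log2(charset_size)


def guess_time_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to search half the space at a given offline guessing rate."""
    return (2 ** bits / 2) / guesses_per_second


def generate_passphrase(wordlist, words: int, separator: str = " ") -> str:
    """Pick words with the OS CSPRNG (secrets), never random.choice, for a credential."""
    return separator.join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    ALNUM = 62          # a-z, A-Z, 0-9
    ALNUM_SYMBOLS = 72  # assumption: alphanumerics plus ten common symbols
    for dict_size, n in [(2000, 4), (6000, 4), (2000, 6), (6000, 6)]:
        bits = passphrase_bits(dict_size, n)
        print(f"{n} words from {dict_size:>5}-word list: {bits:5.1f} bits ~ "
              f"{equivalent_password_length(dict_size, n, ALNUM_SYMBOLS):4.1f} chars of a "
              f"72-symbol password, {equivalent_password_length(dict_size, n, ALNUM):4.1f} alphanumeric")
    print(f"12 random chars from 72 symbols: {password_bits(ALNUM_SYMBOLS, 12):.1f} bits")
    print(f"44 bits at 1e10 guesses/s offline: ~{guess_time_seconds(44, 1e10):.0f} s")
    print("sample passphrase:", generate_passphrase(DEMO_WORDS, 4))
```

Running it reproduces the comment's first figure (4 words from 2,000 is about 44 bits, roughly 7 characters of a 72-symbol password); the guess-time line shows why bits, not word count or character count, is what matters once an attacker has the hash offline.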

  2. And conversely... by herve_masson · · Score: 5, Insightful

    ...normal people think IT guys are just the worst, and they're both right from their point of view.
    What a scoop...

  3. We've forced our workforce to use advanced... by MindPrison · · Score: 2, Insightful

    ...passwords and two-factor authentication simply because they'd choose such simple passwords to remember.

    People hate having to learn something complex to remember, even if it just takes the effort of putting a small note in your wallet for 4 days to help you remember, you'd be SHOCKED if you just knew what passwords even professionals choose, it's hopeless.

    So what we did at our big corporate was to implement a Password A.I. guide engine that helps people avoid bad passwords, so it picks stuff from a HUGE database of simpleton passwords (you know, guitar1234567) etc. It will simply explain to people why their passwords are not very good (we're polite, so we don't tell them that they're simple and ...essentially not very IT savvy; they're good at something else, right?)

    People just want an easy life; most people working with computers as just a tool to get the job done don't want a huge advanced routine to do their job, and when the password becomes a chore and hard to remember, it will stop them from doing their job, and since we're nagging people to change their password 4 times a year, with reminders that pop up every day for 14 days before it expires, people simply get seriously annoyed. And they will go through hellfire to find an easy-to-memorize password before they even try to train for a complex one (Here's a complex one for you, for those who simply don't get what that would be: J4Al4&/rO1.P9DeErxL) Yes, that's the kind of passwords you should use, even with a secondary two-factor authentication device, and it's not hard to learn to remember it, sure - it's not as easy as guitar1234567, and it takes effort to learn it - but most people (if they just kept that note for a few days in the wallet, had to enter it 10 times a day) WILL remember it, even the average Joe - and their personal security on the net would skyrocket in comparison.

    But...people are ...simple.

    --
    What this world is coming to - is for you and me to decide.
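A minimal version of the kind of check the comment describes, as an added example and not the poster's engine: a candidate is normalized before it is compared against a blocklist, so "guitar1234567" is rejected as "guitar" with digits appended, and the user gets an explanation rather than a bare refusal. The blocklist, the leet-speak map and the 12-character minimum are constructed for the demo; a production checker would load a full breach corpus (NIST SP 800-63B recommends this kind of comparison) and try several substitution mappings, since "1" may stand for "l" as well as "i".

```python
import re

# Constructed demo blocklist; a real deployment loads millions of entries
# (e.g. a breach corpus) into a set or a Bloom filter.
COMMON_PASSWORDS = {
    "password", "guitar", "letmein", "qwerty", "welcome", "123456", "iloveyou",
}

# Constructed leet-speak map. It is deliberately one-to-one; a real checker
# tries several mappings because substitutions are ambiguous.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(candidate: str) -> str:
    """Reduce a candidate to the word the user started from: lowercase, drop
    leading/trailing digit or symbol runs (the '1234567' tacked on to satisfy a
    complexity rule), then undo common letter substitutions."""
    base = candidate.lower()
    base = re.sub(r"^[^a-z]+", "", base)
    base = re.sub(r"[^a-z]+$", "", base)
    return base.translate(LEET)


def repeating_unit(s: str):
    """Return the shortest unit that, repeated, yields s (e.g. 'welcome' for
    'welcomewelcome'), or None if s does not repeat."""
    for k in range(1, len(s) // 2 + 1):
        if len(s) % k == 0 and s[:k] * (len(s) // k) == s:
            return s[:k]
    return None


def check_password(candidate: str, min_length: int = 12, blocklist=COMMON_PASSWORDS):
    """Return (accepted, explanation). The explanation is written to be shown
    to the user, in the polite spirit the comment describes."""
    if len(candidate) < min_length:
        return False, f"too short: {len(candidate)} characters, need at least {min_length}"
    if candidate.lower() in blocklist:
        return False, "this is one of the most common passwords in circulation"
    base = normalize(candidate)
    if base in blocklist:
        return False, (f"'{base}' is a very common password; adding digits or symbols "
                       "to it does not make it much harder to guess")
    unit = repeating_unit(base)
    if unit is not None and unit in blocklist:
        return False, f"'{unit}' repeated is still just '{unit}' to a cracking tool"
    return True, "accepted"


if __name__ == "__main__":
    for sample in ["guitar1234567", "P@ssw0rd2019!!", "welcomewelcome",
                   "short1", "correct horse battery staple"]:
        ok, why = check_password(sample)
        print(f"{sample!r:32} -> {'OK ' if ok else 'NO '} {why}")
```

The normalization order matters: the trailing-run strip runs before the substitution map, otherwise "1234567" would be turned into letters and never stripped, and the base word would not match the blocklist.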
    1. Re:We've forced our workforce to use advanced... by sjames · · Score: 4, Insightful

      Remember way back in public school where each teacher individually assigned "just" 45 minutes of homework and proclaimed that 45 minutes is no big deal? And how by the end of the day you had accumulated 4.5 hours of homework?

      Same here. Everyone thinks their password requirements are not that big of deal forgetting that their little assignment is far from the only one people are dealing with.

      Don't tell them not to write it down, tell them where to write it down. And don't make them keep entering it every time something times out.

  4. Re: where's the lie? by Anonymous Coward · · Score: 3, Insightful

    I don't think long passwords are an issue, more like not being able to use the last 4 previously used passwords and having to change every 2 months. Yeah no, that's going on a post-it. My job isn't my life.

  5. What you have actually done by SuperKendall · · Score: 2, Insightful

    We've forced our workforce to use advanced passwords and two factor authentication

    What you've actually done: Doubled the workplace's sticky note budget.

    If you are doing two factor why torture everyone with bullshit complexity requirements? For the LOLs?

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  6. Obligatory XKCD by sfcat · · Score: 2, Insightful

    I'm burning mod points to post this but I just can't let this go by. A huge part of the problem with security is IT itself. We have learned that long passwords are good and use of weird characters (numbers, capital letters, punct, etc) is bad. Plus most users shouldn't be required to know more than 2 passwords (normal and maybe an elevated one). But many IT personnel keep with the same broken password policies from the past that we now know are bad. If you still use these outdated and problematic password policies, you can't blame the users, IT is still at fault...

    --
    "Those that start by burning books, will end by burning men."
  7. Victim blaming is NOT a solution by shanen · · Score: 3, Insightful

    That comment does NOT deserve "insightful" moderation.

    It's just cheap-shot victim blaming. The people who are supposed to make things better blaming the victims they failed to help and protect.

    Actually I blame Microsoft. One of the main keys to Microsoft's "success" and perhaps the main source of their YUGE profits was their leadership in escaping responsibility for mistakes. Read your EULA. Whatever happens to you, whatever damage you, your company, or your customers suffer, no matter how egregious the phuckup, you will find that Microsoft's "legal" liability is quite precisely limited, and in most cases limited to nothing at all. It didn't have to be that way, and if Microsoft (and other corporate cancers) had been held liable for their mistakes, you can be certain they would have been more careful. There's a reason they call it moral hazard.

    (Microsoft's other key tactic was minimizing direct sales to the suckers... Er victims... Er, I mean end users. The very honorable end users, and it doesn't matter how much they wind up cursing Microsoft after the fact. Just recently I provided some technical advice on some new machines, but I could not persuade them to even consider skimping on one of the Microsoft taxes. They insisted on paying the OS tax and the MS Office tax to boot.)

    Not the saddest part. That's the lack of a solution approach. The solution is obvious, but it will never happen.

    Imagine cutting Microsoft into competing companies. NOT vertically, but horizontally. Each baby Microsoft would start with a copy of the source code and an equal share of all the corporate resources. Windows and Office would be standards, and the people would actually have the freedom to buy from the baby company that gets most serious about improving the security of the software.

    (My delusional implementation strategy would involve a progressive profits tax linked to market share. It is not a penalty for success. Rather the higher tax rate is a penalty for reducing freedom and the lower tax rate (after dividing the company as needed) is a reward for reproducing the good ideas into separate companies.)

    As usual, time's up, but I bid you ADSAuPR, atAJG.

    --
    Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.