IT and Security Professionals Think Normal People Are Just the Worst (zdnet.com)
Two new studies reaffirm every computer dunce's worst fears: IT professionals blame the employees they're bound to help for their computer problems -- at least when it comes to security. From a report: One, courtesy of SaaS operations management platform BetterCloud, offers grim reading. 91 percent of the 500 IT and security professionals surveyed admitted they feel vulnerable to insider threats. Which only makes one wonder about the supreme (over-)confidence of the other 9 percent.
[...] Yet now I've been confronted with another survey. This one was performed by the Ponemon Institute at the behest of security-for-your-security company nCipher. Its sampling was depressingly large. 5,856 IT and security professionals from around the world were asked for their views of corporate IT security. They seemed to wail in unison at the lesser and more unwashed. Oh, an objective 30 percent insisted that external hackers were the biggest cause for concern. A teeth-gritting 54 percent, however, said the most extreme threat to corporate IT security came from employee mistakes.
This is not new news. Users have forever been a problem.
http://progressquest.com/spoltog.php?name=Son+Of+Son+Of+DarkRookie
Working as IT in a small business retail store. Customer walks in and asks "Hey, can I have your Wifi password?" - and a non-tech person just handed it over. Said non-tech person also used same password for full admin access on their Windows Server machine.
Needless to say, once I was made aware of this, passwords were changed, and now the wifi password is unique from everything else just in case some bumbling idiot decides to hand it out again.
If I had a dime for every person that asked me "can you just make it work without a password" or "why can't I just use the same password for everything". Usually this comes from manager-types.
I do not belong to the church of the lowercase 'i'
I work at a company with exceptional security and I'm still fairly confident some turd with their password written on a post-it will get us all hacked because they don't know any better and don't care. My computer's too slow, let me turn off disk encryption! Passwords have to be TWELVE characters ugh, I have to write that down!
Seems fairly obvious who the weak links are most of the time anyway.
We all know it's true; when it comes to technology, most employees are idiots. Management too.
I want to blame the technology companies a bit here; UX design is the root cause of a lot of these problems. It's bad enough on its own, but companies like MS continually make radical UX changes between versions making it even worse.
Back to employees, however; a lot of them don't see the need to increase their skillset. They grudgingly use the technology, but refuse to become proficient with it. They adamantly refuse to accept that were they more knowledgeable with the tech they were using they'd do their jobs better.
So these results don't surprise me at all.
Mod me down with all of your hatred and your journey towards the dark side will be complete!
...normal people think IT guys are just the worst, and they're both right from their point of view.
What a scoop...
...passwords and two factor authentication simply because they'd chosen such simple passwords to remember.
People hate having to learn something complex to remember, even if it just takes the effort of putting a small note in your wallet for 4 days to help you remember. You'd be SHOCKED if you just knew what passwords even professionals choose; it's hopeless.
So what we did at our big corporate was to implement a password A.I. guide engine that helps people avoid bad passwords. It picks stuff from a HUGE database of simpleton passwords (you know, guitar1234567, etc.) and will simply explain to people why their passwords are not very good (we're polite, so we don't tell them that they're simple and ...essentially not very IT savvy; they're good at something else, right?)
People just want an easy life. Most people work with computers as just a tool to get the job done; they don't want a huge advanced routine to do their job, and when the password becomes a chore and hard to remember, it will stop them from doing their job. And since we're nagging people to change their password 4 times a year, with reminders that pop up every day for 14 days before it expires, people simply get seriously annoyed. They will go through hellfire to find an easy to memorize password before they even try to train for a complex one. (Here's a complex one for you, for those who simply don't get what that would be:
J4Al4&/rO1.P9DeErxL ) Yes, that's the kind of password you should use, even with a secondary two factor authentication device, and it's not hard to learn to remember it. Sure, it's not as easy as guitar1234567, and it takes effort to learn it, but most people (if they just kept that note for a few days in the wallet and had to enter it 10 times a day) WILL remember it, even the average Joe, and their personal security on the net would skyrocket in comparison.
But...people are ...simple.
What this world is coming to - is for you and me to decide.
Now that all the tards in my extended family have a Chromebook, I'm never bothered by their "fixit" requests anymore. Chromebook is pretty bulletproof, safe from every retard.
Everyone at the top level always makes exceptions for themselves, which open vulnerabilities that can easily be leveraged, and they're also the most vulnerable to social engineering attacks.
-- Tigger warning: This post may contain tiggers! --
A teeth-gritting 54 percent, however, said the most extreme threat to corporate IT security came from employee mistakes.
Well, yes and no.
Yes, you shouldn't trust that Nigerian prince, you idiot. Or give your password to someone who emails, etc.
No, because systems (in general, IT or otherwise) need to be resilient against a certain amount of human mistakes.
Any system that can be completely brought down with general calamity for the company just because Betty the cat cursor loving secretary makes a mistake isn't a very robust system.
We've forced our workforce to use advanced passwords and two factor authentication
What you've actually done: Doubled the workplace's sticky note budget.
If you are doing two factor why torture everyone with bullshit complexity requirements? For the LOLs?
"There is more worth loving than we have strength to love." - Brian Jay Stanley
A few points:
- Users are "unwashed" compared to IT personnel? Have you *worked* in IT?
- The first thing IT professionals forget (speaking as one) is that computer management isn't the user's job. It may be *your* expertise, but it isn't *theirs*. They have a different job to do which you would probably suck at. Expecting them to be IT professionals on top of their regular job is an unreasonable expectation. So stop fussing about it.
- That said, often security issues really are kinda the user's fault. We told 'em and TOLD 'em, don't do that, you'll infect your.. ok, too late.
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
Here's the thing - every computer out there is insecure. We basically don't have the knowledge on how to build a secure computer that most of the population can use while remaining connected to the Internet.
There are really only two choices now: 1) disconnect from the Internet and don't face these risks 2) expect risks and pay to avoid incidents and/or clean up after them.
IT people are the worker bees of 2). Blaming the users for using faulty equipment is a waste of time.
Nobody seems to want to do 1) because overall there are profits to be made by being Internet connected. If your place of business wants to do 1) but not 2), then just run for the exits before it's too late.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
It is fundamentally incorrect to call in-house desktop support people "IT Professionals." These are desktop support technicians, not IT Professionals.
IT Professionals do not work "in house." We all work in consultancy, because we can. Nobody who is worth their salt as a Pro Neckbeard needs to work as an in-house lackey.
They are not "technophobes", afraid of technology. They are merely annoyed with it. You see, normal people do not think the way we do. To them, "increasing the skillset" means having to memorize more boring and pointless stuff. In school, the teachers only teach the test, and that habit continues throughout every normal person's life. To learn to use some program, a normal person, like my mother, will write out the exact sequence of steps needed to complete each particular task. Move the mouse there, click twice, select third option in menu, click OK, click I'M SURE DAMMIT, type "abracadabra" and press Return. Another task, another list. All these lists are followed precisely and without any conscious thought. If the UI changes, the procedure breaks and a new list must be created and memorized. This is how normal people do EVERYTHING. Understanding how the program works is not even conceived as an option.
A developer for one of my past organizations, a true rocket scientist, posited it the best: "The network would be great, if it wasn't for all of those users!" Cheers, Ron.
Professor Oak, director of the Ponemon Institute, had this to say about security bugs: "Gotta catch 'em all!"
#DeleteChrome
If you are alarmed by this result then you should immediately be wondering: is this merely a perception by IT/security professionals, or are the normal people in fact as awful as perceived?
Anons need not reply. Questions end with a question mark.
You're kidding, right? Otherwise, it sounds like a narcissistic case of "I'm capable of remembering long random gobbledygook, so you should be also."
And, I don't understand why the password file cannot be implemented in a dedicated-hardware "lock-box" such that it cannot be file-copied, preventing say 500,000,000,000,000 attempts at it. Using regular-file-based password repositories is just a speed-race to the bottom.
Typically you'd have 2 of these lock-boxes, 1 as a mirror spare*. The only way to get file access would be to break it open, or find the physical key. Otherwise, all access is through a throttled API. The per account throttling would be tighter than the per lock-box throttling. I'm not saying such is completely unhackable, but far less so than a regular server file because it's designed to do one and only one job. (Crap, I sound like Al Gore.)
* If one breaks, the other is physically unlocked and a new spare hooked up directly for re-mirroring, cable to cable.
Table-ized A.I.
Have gnu, will travel.
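An added example, not the commenter's design and not any product: a verification front end in the spirit of the "lock-box" described above. The stored hashes are never handed out; the only entry point is verify(), and it is throttled twice, once per account (tight) and once for the whole box (looser), with the throttle decided before any hashing is done. The limits, the PBKDF2 work factor and the injectable clock are all assumptions for the demo.

```python
"""Added example, not the commenter's design or any product: a password
verification front end that only exposes a throttled verify() API.

Assumptions, all mine for the demo: token-bucket limits of 3 tries then one
per minute per account and 100 then ten per minute per box; PBKDF2-SHA256 for
the stored hashes; an injectable clock so the throttling is testable."""
import hashlib
import hmac
import os
import time


class TokenBucket:
    """Classic token bucket: holds `capacity` tokens, refills `rate` tokens/second."""

    def __init__(self, capacity, rate, clock=time.monotonic):
        self.capacity = capacity
        self.rate = rate
        self.tokens = float(capacity)
        self.clock = clock
        self.last = clock()

    def take(self):
        now = self.clock()
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class LockBox:
    """Holds salted password hashes; the only way to use them is verify()."""

    ITERATIONS = 50_000  # PBKDF2 work factor (assumed; tune for real hardware)

    def __init__(self, per_account=(3, 1 / 60), per_box=(100, 10 / 60), clock=time.monotonic):
        self._clock = clock
        self._store = {}          # user -> (salt, hash); never exposed
        self._per_account = per_account
        self._buckets = {}        # user -> TokenBucket
        self._box_bucket = TokenBucket(*per_box, clock=clock)

    def _hash(self, salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)

    def enroll(self, user, password):
        salt = os.urandom(16)
        self._store[user] = (salt, self._hash(salt, password))

    def verify(self, user, password):
        """Returns 'ok', 'bad' or 'throttled'. Throttling is decided before any
        hashing, so a flood of attempts costs the box almost nothing."""
        if not self._box_bucket.take():
            return "throttled"
        bucket = self._buckets.setdefault(user, TokenBucket(*self._per_account, clock=self._clock))
        if not bucket.take():
            return "throttled"
        salt, stored = self._store.get(user, (None, None))
        if stored is None:
            self._hash(b"\0" * 16, password)  # same work for unknown users: no timing oracle on existence
            return "bad"
        return "ok" if hmac.compare_digest(self._hash(salt, password), stored) else "bad"


def demo():
    """Five wrong guesses in a row, then the right password a minute later."""
    now = [0.0]                      # fake clock so the demo is deterministic
    box = LockBox(clock=lambda: now[0])
    box.enroll("alice", "correct horse battery staple")
    results = [box.verify("alice", f"guess{i}") for i in range(5)]
    now[0] += 60                     # one per-account token refills per minute
    results.append(box.verify("alice", "correct horse battery staple"))
    return results                   # ['bad', 'bad', 'bad', 'throttled', 'throttled', 'ok']


if __name__ == "__main__":
    print(demo())
```

The point of the two buckets is the one the comment makes: per-account throttling stops online guessing against one victim, while the per-box limit caps the aggregate rate an attacker can get by spreading guesses across many accounts. Neither protects the hashes themselves, which is why they are kept where nothing but verify() can reach them.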
Users will constantly say things like "I just don't understand technology." or "I don't care what's wrong, I just want it to work". This used to put me in a bad frame of mind. I find it hard these days not to laugh at them. I wonder how long it took them to learn that fire will burn or not to walk down the middle of the freeway. They live in the same world as us but refuse to put a minimum amount of effort into learning how it works.
No matter what profession each of us is in, I am certain that we all have stories about "stupid users". They surely do exist. But there is a flip side to this story.
Many "stupid users" are not stupid at their jobs or life in general. They just do not cooperate well with the paradigms of computing and technology that are handed to them by "the industry". The makers of the technology are quite savvy about such things. But they might forget that not everyone is so, or be dismissive of ordinary smart (or dumb) people who are not as learned about those things as the manufacturers and technical folk are. Those people decrying the IT "stupid user" are likely to be the butt of jokes about how dumbass they are when it comes to doing their taxes or fixing their car or managing their own diabetes.
If there are too many stupid users, perhaps it is not the users. Perhaps the technologists who make techno products ought to produce better devices and software and computing paradigms that place greater emphasis on user interface, usability, human factors engineering, ergonomics, and just plain wtf common sense. It seems to me that too many IT people are so wrapped up in the technology and their own familiarity with it that they are suffocating from a lack of reality and some sympathy to how their mom or grandma might use the technologies they are making or managing. Turn your propeller head beanies upside down and air out some of the supercilious cobwebs in your IT skulls.
YOU TELL A LIE UNDER OATH AND YOU ARE A CRIMINAL.
I like that standard. We'll have just about every career politician officially branded a criminal and removed. How soon can we start? I favor the bipartisan approach where we keep going back and forth - ie one of theirs, one of ours. Keeps the process more honest.
I studied for the CISSP and the first thing you notice is how many controls revolve around user education. Users will click on anything they can, unless you educate them not to. It is IT's job to educate the users to think before they click. Also teach them how to spot fake URLs and not to click attachments from external sources unless they specifically requested said attachment.
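An added example, not from the thread: a small checker that applies the same rules a user is taught for spotting fake URLs (look at the real host, not what precedes '@'; distrust digits standing in for letters, bare IP addresses, punycode labels, and a known brand buried inside some other domain) to a few constructed links. The TRUSTED brand list, the two-label registrable() shortcut (no public suffix list) and the lookalike table are assumptions for the demo.

```python
"""Added example, not from the thread: a checker for common fake-URL tricks.

Assumptions for the demo: TRUSTED is a stand-in brand list, registrable()
takes the last two labels instead of consulting the public suffix list, and
LOOKALIKES is a short hand-picked table."""
import re
import unicodedata
from urllib.parse import urlsplit

TRUSTED = {"paypal.com", "example.com"}

# (lookalike, what it imitates): applied to the lowercased host before comparing
LOOKALIKES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalize(host):
    h = unicodedata.normalize("NFKC", host).lower()
    for fake, real in LOOKALIKES:
        h = h.replace(fake, real)
    return h


def registrable(host):
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def check_url(url):
    """Returns a list of human-readable warnings; an empty list means nothing suspicious."""
    findings = []
    s = urlsplit(url)
    host = (s.hostname or "").rstrip(".")
    if s.scheme not in ("http", "https"):
        findings.append(f"unexpected scheme {s.scheme!r}")
    if not host:
        findings.append("no host at all")
        return findings
    if s.username is not None:
        findings.append(f"text before '@' ({s.username!r}) is credentials, not the site; real host is {host!r}")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        findings.append("bare IP address instead of a domain name")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label: the browser may show it as lookalike Unicode letters")
    reg = registrable(host)
    if reg not in TRUSTED:
        nh = normalize(host)
        for brand in sorted(TRUSTED):
            if normalize(brand) in nh:
                findings.append(f"looks like {brand} but the registrable domain is {reg}")
    return findings


# constructed sample links; 192.0.2.0/24 and .example are reserved for documentation
SAMPLES = [
    "https://www.paypal.com/signin",
    "https://paypal.com@evil.example/login",
    "http://www.paypa1.com/",
    "https://paypal.com.account-verify.example/",
    "http://xn--pypal-4ve.com/",
    "http://192.0.2.10/paypal/",
]


def audit(urls=SAMPLES):
    return {u: check_url(u) for u in urls}


if __name__ == "__main__":
    for u, f in audit().items():
        print(u, "->", f or "ok")
```

The same checks belong in a mail gateway or proxy as well as in training slides; a human who is tired or rushed will miss the '@' trick, a parser will not.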
I'm burning mod points to post this but I just can't let this go by. A huge part of the problem with security is IT itself. We have learned that long passwords are good and use of weird characters (numbers, capital letters, punct, etc) are bad. Plus most users shouldn't be required to know more than 2 passwords (normal and maybe an elevated one). But many IT personnel keep with the same broken password policies from the past that we now know are bad. If you still use these outdated and problematic password policies, you can't blame the users, IT is still at fault...
"Those that start by burning books, will end by burning men."
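An added example that is not the earlier poster's "A.I. guide engine" nor a product: password screening in the style both that comment and the one just above describe. There is a length floor and a blocklist of common passwords, and no composition rules (no "one capital, one digit, one symbol"). The blocklist lookup is normalised so that decorations such as 'Guitar1234567' or 'gu1tar!' still match the underlying word, and the rejection reasons are written as the plain explanations a user would be shown. MIN_LENGTH, the tiny COMMON set standing in for a real breached-password corpus, and the leetspeak table are assumptions for the demo.

```python
"""Added example, not any commenter's engine or a product: password screening
with a length floor and a normalised blocklist, and no composition rules.

Assumptions for the demo: MIN_LENGTH of 12, a tiny constructed COMMON set
standing in for a real breached-password corpus, and a hand-picked LEET table."""
import re
import unicodedata

MIN_LENGTH = 12
COMMON = {"password", "guitar", "letmein", "qwerty", "welcome", "iloveyou", "dragon"}
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s", "!": "i"})
SEQUENCES = re.compile(r"0123|1234|2345|3456|4567|5678|6789|abcd|qwer|asdf|zxcv")


def canonical_forms(pw):
    """Letters-only views of the password, with and without leetspeak undone."""
    low = unicodedata.normalize("NFKC", pw).lower()
    plain = re.sub(r"[^a-z]", "", low)
    leet = re.sub(r"[^a-z]", "", low.translate(LEET))
    return {plain, leet} - {""}


def blocklist_hit(pw):
    """Returns the common word the password is built on, or None."""
    for form in canonical_forms(pw):
        for word in sorted(COMMON):
            # exact, or the word plus a short tail such as 'guitar19' or 'password!!'
            if form == word or (form.startswith(word) and len(form) - len(word) <= 3):
                return word
    return None


def problems(pw, username=""):
    """Plain-language reasons a candidate is weak; an empty list means it is accepted."""
    issues = []
    if len(pw) < MIN_LENGTH:
        issues.append(f"shorter than {MIN_LENGTH} characters")
    if pw and len(set(pw)) <= 2:
        issues.append("only one or two distinct characters")
    word = blocklist_hit(pw)
    if word:
        issues.append(f"built on the common password '{word}'")
    if SEQUENCES.search(pw.lower()):
        issues.append("contains a keyboard or number sequence")
    uname = re.sub(r"[^a-z]", "", username.lower())
    if uname and any(uname in form for form in canonical_forms(pw)):
        issues.append("contains the user name")
    return issues


if __name__ == "__main__":
    for candidate in ("guitar1234567", "Welcome2024!", "correct horse battery staple", "J4Al4&/rO1.P9DeErxL"):
        print(repr(candidate), "->", problems(candidate) or "accepted")
```

Note what is deliberately absent: no required character classes, and nothing that would reject a long plain-word passphrase. The earlier poster's "J4Al4&/rO1.P9DeErxL" passes, but so does "correct horse battery staple", which is the point of dropping the complexity rules.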
Passwords on post it notes are a sign that the password requirements are too strict or onerous.
No, they're a sign that the person who wrote it down needs to be fired.
Good luck retaining employees longer than ninety days.
That comment does NOT deserve "insightful" moderation.
It's just cheap-shot victim blaming. The people who are supposed to make things better blaming the victims they failed to help and protect.
Actually I blame Microsoft. One of the main keys to Microsoft's "success" and perhaps the main source of their YUGE profits was their leadership in escaping responsibility for mistakes. Read your EULA. Whatever happens to you, whatever damage you, your company, or your customers suffer, no matter how egregious the phuckup, you will find that Microsoft's "legal" liability is quite precisely limited, and in most cases limited to nothing at all. It didn't have to be that way, and if Microsoft (and other corporate cancers) had been held liable for their mistakes, you can be certain they would have been more careful. There's a reason they call it moral hazard.
(Microsoft's other key tactic was minimizing direct sales to the suckers... Er victims... Er, I mean end users. The very honorable end users, and it doesn't matter how much they wind up cursing Microsoft after the fact. Just recently I provided some technical advice on some new machines, but I could not persuade them to even consider skimping on one of the Microsoft taxes. They insisted on paying the OS tax and the MS Office tax to boot.)
Not the saddest part. That's the lack of a solution approach. The solution is obvious, but it will never happen.
Imagine cutting Microsoft into competing companies. NOT vertically, but horizontally. Each baby Microsoft would start with a copy of the source code and an equal share of all the corporate resources. Windows and Office would be standards, and the people would actually have the freedom to buy from the baby company that gets most serious about improving the security of the software.
(My delusional implementation strategy would involve a progressive profits tax linked to market share. It is not a penalty for success. Rather the higher tax rate is a penalty for reducing freedom and the lower tax rate (after dividing the company as needed) is a reward for reproducing the good ideas into separate companies.)
As usual, time's up, but I bid you ADSAuPR, atAJG.
Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
What cases is a password manager not available
- Corporate IT forbids installing an unapproved application and declines to approve your password manager.
- The password is to a service accessed through a video game console, set-top streaming box, or other device to which your password manager is not ported.
- You have installed a password manager, but in order to synchronize its database to this device, you'd have to first disassociate one or more of your three or more devices from your Dropbox account in order to associate the device.
These rules have been in my sig (and are better explained there) going on for a decade now. For how old these rules are, they still apply. Every virus in the last 10 years exploits 1 or more of these rules. The more you are aware of them as an IT professional, the better your system design will be to mitigate risk.
Laws of computer stupidity
1) 99% of computer users do not know what they are doing.
2) Computer users do not read.
3) If a computer user can click on it, they will. Conversely, if a computer user needs to click on it, they won't.
4) You can patch software, but you can't (legally) patch stupid.
5) The premise of monkey rule: If you can't train a monkey to use it, you can't train a human to use it.
In Soviet Russia, Trojan exploits YOU!
Oh very much, yes.
"Users" are the problem causing security breaches, just like "wheels" are the problem in car accident fatalities. Sure, they're an easily-identifiable point in the causality chain, but there's a lot of underlying factors that need to be considered.
People, including users, generally try to do what's right. In almost every case, the source of the problem falls into one of three categories:
There are levels of distinction within each category, but that just changes the difficulty of the attack... how precisely a phishing page needs to be crafted, or how big the bribe needs to be. To raise that difficulty, a company (or individual) must see investing in their environment as an integral part of their security doctrine. Providing users with extra software tools is a security feature. Having an easy change-request process is a security feature. Having a team outing is a security feature, just as much as telling users to pick a complicated password.
You do not have a moral or legal right to do absolutely anything you want.
Make something idiot-proof, and they will build a better idiot.
-- Murphy's Law
The problem is people. The human race has a good chance of going extinct. Then it won't matter. Then again, maybe the last human that perishes on the last day will say, "wait, did I change that password?" And then die.
The problem isn't users, it's the engineers who think they know better. Every feature or device a user has problems with was designed by an 'expert' and implemented by 'an expert'. That annoying interface in Windows? That was designed by a team of experts and implemented by a team of experts. That iOS feature that everyone hates? Designed and implemented by experts.
If the experts can't make something that users like or can use, who's fault is it?
The twisting... it is... extreme!
Why are things being characterized like this? If you examine all security breaches, the numbers roughly align with what IT security "believe!". All that is happening here is that a survey was done and they found that Security Researchers and IT Personnel happen to "believe" what the numbers actually are.
And yet... all of this is being spun as "IT Security thinks people are the worst."
Why is this being spun like that? What kind of division are they trying to sow? Why is an "article" (for various definitions of article) like this on this site?
Seriously, I think 5% of the world is insane and is working VERY hard to keep the rest of us insane. This article is insane. It makes no fucking sense. Security folks do not think like this. I know, IT Security is what I do.
This "article" is a glowing example of something deeply disturbing about our current "social order". Where observing and acknowledging reality is being spun as something judgemental and therefore to be avoided. What. The. Fuck. is going on here folks? Are the social programmers getting lazy here or what? This is soooooooooo poorly done that it is super easy to see the agenda. I can see behind the curtain very clearly on this one.
If you don't stop this absurd shit, I will become very angry and you won't like me when I am angry (Hulk reference ;))
"Someone needs to talk to the tree of liberty about its ghoulish drinking problem." by ohnocitizen
I am glad at least one other person is seeing right through this "evil" article.
I do kind of wish you had explored WHY it is flamebait, but I am happy enough just seeing someone else call it out. This kind of crap literally (yes, literally literally) drives me towards insanity.
I'd prefer to avoid the "drivers" analogy, because people cling to the idea that drivers are at the top of the causality chain. Nevermind the effects of dashboard design, maintenance recommendations,
If you want to go with a human analogue, I'd refer to airplane pilots. They're more likely to have a fatal accident in the car driving to the airport than when they're actually flying the plane. That's primarily because every aspect of the piloting experience has been refined (often at the cost of human lives) to minimize errors. Whenever something is more error-prone, the FAA gets involved, headlines are made, and it's generally a Big Deal until the process or tool changes to reduce those errors again.
That's the only way to actually achieve security. Don't just claim that rules are "commonly accepted" and shift the blame to the users, who often don't have any idea what those rules are. Instead, recognize that humans are reactionary components of the system, and start managing the environment they're reacting to.
Quite frankly, the main reason employees are a security problem is the way we security professionals are handling our responsibilities: By offloading them onto the employees. What's the usual consequence of needing a secure way to access a computer? Requiring some ridiculously convoluted passphrase that no sane person could possibly remember, with requirements like capital and lowercase (but not more than 2 next to each other), numbers and special characters, at least 16 characters long and no more than 4 consecutive characters may form a coherent word in at least 20 languages. What will they do? Write it down. Duh. Preferably on a post-it note tacked onto their screen.
It seems that some security professionals have that pressing urge to build a security monument that demonstrates their awesomeness. Only to produce ridiculously convoluted and unworkable monsters that people will HAVE TO start to work around to do their job. My favorite example was a security door that had an auto-shut mechanism and required workers to slip a keycard into a reader and punch in a 4 digit code every time they went through. Unfortunately, they had to go through this door CONSTANTLY, usually carrying heavy boxes.
How long do you think it took until a wedge held that door open? Not even 2 hours.
And people will not even have any kind of feeling of wrongdoing because they do it so they can do their work more efficiently. It's not like they circumvent the company firewall to go on Facebook or that they drill a tunnel to their home computer so they can listen to their iTunes library at work. They can perfectly justify their actions with being able to work better.
It's time we start to rethink this, people. It's time that we, as security professionals, do our job right. Perfect security is not a monumental work-denial monstrosity. Perfect security is invisible, because what the worker doesn't even notice, he also cannot fuck up.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Dude we don't want to hear about your porno preferences
http://saveie6.com/
You hit the nail on the head when you said users expect devices to just work like their entertainment system at home. Lol.
We had a flood prompting users at a location to move servers, switches, a copier, printers, and 20 PCs to a Holiday Inn conference room without notifying IT, AND they EXPECTED everything to just work!
They were shocked and got irked when we laughed at them. What do you mean you can't just move a server, copier, and conference phones and have it JUST WORK?! Apparently they think it's like home, where magic and DHCP work with any network with servers. They were shocked it was complex and had to call Holiday Inn's IT line and fly in a network engineer to get VPN to get everything to function.
Enterprise IT is very complex and not like home at all; regardless of IQ, users assume it's all simple like their basement.
I still remember the guy who called me at 3 AM because his code wouldn't compile. He'd visually checked his code and was sure it was correct, and he wanted me to drive in and fix the compiler. (I did no such thing, had a meeting with his boss the following day to discuss service levels. Turns out, the problem was in his code.)
The problem may have also been in the compiler if it didn't give clear enough error messages to help the programmer find where the problem in the code lay.