Slashdot Mirror


IT and Security Professionals Think Normal People Are Just the Worst (zdnet.com)

Two new studies reaffirm every computer dunce's worst fears: IT professionals blame the employees they're bound to help for their computer problems -- at least when it comes to security. From a report: One, courtesy of SaaS operations management platform BetterCloud, offers grim reading. 91 percent of the 500 IT and security professionals surveyed admitted they feel vulnerable to insider threats. Which only makes one wonder about the supreme (over-)confidence of the other 9 percent.

[...] Yet now I've been confronted with another survey. This one was performed by the Ponemon Institute at the behest of security-for-your-security company nCipher. Its sampling was depressingly large. 5,856 IT and security professionals from around the world were asked for their views of corporate IT security. They seemed to wail in unison at the lesser and more unwashed. Oh, an objective 30 percent insisted that external hackers were the biggest cause for concern. A teeth-gritting 54 percent, however, said the most extreme threat to corporate IT security came from employee mistakes.

18 of 296 comments (clear)

  1. User have been the problem forever by DarkRookie2 · · Score: 5, Insightful

    This is not new news. Users have forever been a problem.

    --
    http://progressquest.com/spoltog.php?name=Son+Of+Son+Of+DarkRookie
    1. Re:User have been the problem forever by ewibble · · Score: 5, Insightful

      Yes, a computer system without users would be very safe but not that useful. But the real problem is that systems themselves allow users to do stupid things in the first place or provide no easy alternative. Here is an example:

      I want to download and run an application from the internet; it seems like a reasonably common thing to do. However, how do I know it is safe? Search the internet, OK, but there may be fake sites saying it is safe, or it may be piggybacking on a valid program. Run a virus checker, well OK, but it could be a virus that isn't picked up by that checker, and the virus checker should run automatically anyway. But you need to run the program, so you do.

      What would be nice is an option like "run untrusted", which starts a VM automatically and runs it there, and checks that nothing bad has happened to your computer as well.

      I believe the responsibility lies mainly with IT; we should make it easy for the user to do what they need to do. We are the experts, we need to take responsibility for it. Yes, it is hard and you cannot always fix it, but we should always be trying and not just blame it on the user.

    2. Re:User have been the problem forever by Major_Disorder · · Score: 5, Funny

      A few years back I worked for a company that produced a network security device (not saying who, NDAs are still in place). Sticky notes on monitors with passwords on them were everywhere. We sent out multiple requests for them to be removed, and you can guess the result. We eventually got management buy-in, and after more warnings, one Saturday we went around the office and removed every sticky note that even remotely resembled a password. After photographing the placement, and placing each note into an envelope, all were removed. I can still hear the echoes of the screaming on Monday morning. :)
      The best part is two weeks later we did it again. Several people were found with new sticky notes. (One under the keyboard.) These people were given written notice that they would be terminated if it happened again. One person did not believe them; he was terminated for cause about a month later.
      I really enjoyed removing his accounts. :)

      --
      First law of people: People are generally stupid.
    3. Re:User have been the problem forever by Anonymous Coward · · Score: 3, Interesting

      What I hate as a sysadmin is when I do wander from my dark, trance-music-filled office, I get ambushed by people wanting everything. I'm sorry, I cannot and will not teach you how to format a Word document. It's your tool, learn how to use it. Ditto Excel formulas, wanting me to troubleshoot your email on your phone (I will not touch personal devices), and it goes on and on and on. I hate dealing with end users. Just let me write my code on my servers and leave me be. It's not my job to educate you on how to use the tools you were hired to use. Watch a YouTube video on Excel formulas; you'll get further along with that than with me.

    4. Re: User have been the problem forever by Spazmania · · Score: 3, Insightful

      I'm in the 9%. I'm not overconfident... I just realize that treating staff like potential enemies is a losing proposition.

      I have lawyers to deal with employees who violate my trust. Until it's time to get the lawyers involved, it's better for everyone if I assume they're trustworthy.

      I focus my efforts on the authentication and accounting side of the problem and handle authorization with a very light touch. Make sure you are who you claim to be and make sure I know what you did. Then get out of the way and let you do your job.

      --
      Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
    5. Re:User have been the problem forever by skids · · Score: 5, Insightful

      It ain't the users. It's the products.

      They market themselves as easy to use and then ship with innumerable security holes and deficiencies. Half of them think they are in a living room with everyone in the same broadcast domain and spew exploitable multicast everywhere, or want you to punch holes in your network to accommodate them. Cloud services tell users "just put your data up here", no mention that they keep getting p0wned by leaving it up in unprotected mongodbs/repos accidentally. CDN-based apps with their thousands of IP addresses, all shared by other services, make L4 security filters impossible to define. Wifi supplicants and VPN clients which don't have any sane way to install, much less find, a corporate configuration profile that actually locks down the protocol sanely. Unmerited complete trust in DNS results. Self-help support operations that take opaque data dumps including PII, IP, and crypto keys over email to some outsourced support center who knows where.

      So it's nearly 2020 and the bright side is you almost never see telnet servers in products anymore. That took decades. In the meantime we are inundated with new attack surface daily.

      90+% of all my problems, many of them security related, are because people want to use product X and product X is a dumpster fire. I don't blame the people for wanting to use it. It's what they were shown in an advertisement, and everyone they know is using it. I blame the manufacturers of product X for shipping crap.

    6. Re:User have been the problem forever by Major_Disorder · · Score: 3, Interesting

      Did you advise the client that their password policy may be too onerous?

      For those who would respond with "Just use a password manager!!!!", you've just violated the policy, since all those systems now have one password. Also, it's a little hard to use a password manager for initial login in areas that forbid any outside electronics.

      Nope, because their password policy was fairly lenient for a company with a security focus.
      We allowed and encouraged people to use password managers. I personally offered training sessions on a number of different password managers. (Almost no takers.)
      If they had written down their login password and stuck it in their wallet we would have had no problem with that. We were really going after the lowest of the low hanging fruit.

      --
      First law of people: People are generally stupid.
    7. Re: User have been the problem forever by c6gunner · · Score: 3, Insightful

      The problem with this advice is people cracking passwords don't just go through the alphabet, they use dictionaries. Since you're using words, you made their attack far more likely to succeed, because the space of possible solutions is much, much smaller than "every character, number and symbol".

      Using dictionaries makes it easier, but that doesn't mean the passwords aren't any good.

      Pick 4 words at random from a very simple 2,000 word dictionary and it's roughly the equivalent of a 7 character password using alphanumerics and basic symbols. If you pick them from a 6,000 word dictionary then it's the same as a 9 character password. That's assuming a dictionary attack.

      You can also repeat words without much penalty. "purpletablepurpletablepurpletable" is 6 words; even using a 2,000 word dictionary that's equivalent to a 10 character password. With a 6,000 word dictionary it's 12 characters. And it's insanely easy to remember no matter which words you pick.

      You can also do fun things like combine languages. This is easier for people who are multilingual, but anyone can do it. Pick 3 words from 3 different languages. Random example; "I like cheese" in Albanian, Japanese, and Danish: "une suki ost". There's a 10 character password (12 if you use spaces) which is very memorable and which makes dictionary lists useless. Want it longer? Add the word "green" in English, now you're up to 15-18 characters. That's only slightly weaker than the password "!e?@D71?kkvA", but infinitely easier to memorize.

      I use random passwords too, but those get stored in a password manager. For the password manager itself, or for any passwords which I have to type frequently, using actual words is the only way to go.
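
The entropy arithmetic behind the comparisons in this comment (4 words from a 2,000-word list versus a 7-character password, and so on) is easy to check. The following is an added example, not code from the comment or from Slashdot: it assumes "alphanumeric and basic symbols" means 62 letters and digits plus 10 punctuation characters (72 symbols), treats each word as drawn uniformly and independently from a dictionary the attacker knows, and uses a constructed 16-word demo list for generation. It reproduces the comment's figures to within a character, and also shows the caveat that a repeated phrase such as "purpletable" three times is only as strong as its distinct words against an attacker who models repetition.

```python
import math
import secrets

# Assumed alphabet sizes (not from the comment): 62 letters and digits,
# plus 10 common punctuation characters for "basic symbols".
ALNUM = 62
ALNUM_SYMBOLS = 72


def passphrase_bits(dictionary_size: int, words: int) -> float:
    """Entropy in bits of `words` words chosen uniformly, independently and
    with replacement from a dictionary of `dictionary_size` entries.
    This is the strength against an attacker who knows the exact
    dictionary, i.e. the dictionary-attack case the comment assumes."""
    return words * math.log2(dictionary_size)


def password_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of `length` characters chosen uniformly from an
    alphabet of `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def equivalent_length(bits: float, alphabet_size: int) -> float:
    """Length of a uniformly random password over `alphabet_size` symbols
    that carries the same entropy as `bits`."""
    return bits / math.log2(alphabet_size)


def repeated_phrase_bits(dictionary_size: int, distinct_words: int) -> float:
    """Caveat for phrases like 'purpletable' repeated three times: an
    attacker who also tries repeated patterns only has to guess the
    distinct words, so the strength collapses to `distinct_words` words."""
    return passphrase_bits(dictionary_size, distinct_words)


# Constructed miniature word list for the demo; a real list used for
# passphrases would have thousands of entries (about 11 bits per word at 2,000).
WORDLIST = ["purple", "table", "river", "stone", "cheese", "green",
            "orbit", "lantern", "copper", "meadow", "signal", "harbor",
            "velvet", "tundra", "pixel", "walnut"]


def generate_passphrase(words: int, wordlist=WORDLIST, sep: str = " ") -> str:
    """Draw words with the CSPRNG in `secrets` rather than `random.choice`,
    so the uniform-choice assumption behind the entropy estimate holds."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def report():
    """Entropy and equivalent random-password length for the comment's cases."""
    rows = []
    for dict_size, n_words in [(2000, 4), (6000, 4), (2000, 6), (6000, 6)]:
        bits = passphrase_bits(dict_size, n_words)
        rows.append((dict_size, n_words, bits,
                     equivalent_length(bits, ALNUM_SYMBOLS)))
    return rows


if __name__ == "__main__":
    for dict_size, n_words, bits, eq in report():
        print(f"{n_words} words from a {dict_size:>5}-word list: {bits:5.1f} bits"
              f" ~ {eq:4.1f} random chars over {ALNUM_SYMBOLS} symbols")
    print("'purpletable' x3 against an attacker modelling repeats:",
          f"{repeated_phrase_bits(2000, 2):.1f} bits")
    print("12 random chars over 72 symbols:",
          f"{password_bits(ALNUM_SYMBOLS, 12):.1f} bits")
    print("demo passphrase from the 16-word list (~4 bits/word):",
          generate_passphrase(4))
```

Running it shows 4 words from 2,000 at about 43.9 bits (7.1 equivalent characters), 4 words from 6,000 at about 50.2 bits (8.1 characters), and 6 words from 2,000 at about 65.8 bits (10.7 characters); the repeated-word case falls to about 21.9 bits once the attacker expects repetition, which is the reason the "no penalty" claim only holds against an attacker who does not.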

  2. And conversely... by herve_masson · · Score: 5, Insightful

    ...normal people think IT guys are just the worst, and they're both right from their point of view.
    What a scoop...

  3. Re: where's the lie? by Anonymous Coward · · Score: 3, Insightful

    I don't think long passwords are an issue, more like not being able to use the last 4 previously used passwords and having to change every 2 months. Yeah no, that's going on a post-it. My job isn't my life.

  4. A few things... by roc97007 · · Score: 4, Informative

    A few points:

    - Users are "unwashed" compared to IT personnel? Have you *worked* in IT?

    - The first thing IT professionals forget (speaking as one) is that computer management isn't the user's job. It may be *your* expertise, but it isn't *theirs*. They have a different job to do which you would probably suck at. Expecting them to be IT professionals on top of their regular job is an unreasonable expectation. So stop fussing about it.

    - That said, often security issues really are kinda the user's fault. We told 'em and TOLD 'em, don't do that, you'll infect your.. ok, too late.

    --
    Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
    1. Re:A few things... by Anonymous Coward · · Score: 3, Funny

      Sure, you've told us. Then some genius at JP Morgan decides that the only way I can get the tax documents I need from their secure portal is by clicking a link in an email that they send me. Which, by the way, gmail offers to translate from Slovak, for some reason--extra-special comforting.

      When I write them and say, just send me the url so I can log in with my credentials, and not have to click some phish-bait link, they only offer to fax me the document instead.

      Oh yeah, sure, users are the problem....

  5. The network is great, but... by marquis111 · · Score: 4, Funny

    A developer for one of my past organizations, a true rocket scientist, posited it the best: "The network would be great, if it wasn't for all of those users!" Cheers, Ron.

  6. Re:We've forced our workforce to use advanced... by hublan · · Score: 3, Interesting

    This needs to be voted up to the heavens, where it can shine above the insular heels that come up with corporate password policies.

    Has it ever occurred to them that all those cracked-out, contradictory password requirements actually reduce entropy rather than the other way around? You can't come up with policies based on how you'd like people to act, you have to come up with policies based on how they do act.

    --
    My spoon is too big.
  7. This confirms ... by PPH · · Score: 3, Funny

    ... the research done by Simon BOFH

    --
    Have gnu, will travel.
  8. Re:We've forced our workforce to use advanced... by sjames · · Score: 4, Insightful

    Remember way back in public school where each teacher individually assigned "just" 45 minutes of homework and proclaimed that 45 minutes is no big deal? And how by the end of the day you had accumulated 4.5 hours of homework?

    Same here. Everyone thinks their password requirements are not that big of deal forgetting that their little assignment is far from the only one people are dealing with.

    Don't tell them not to write it down, tell them where to write it down. And don't make them keep entering it every time something times out.

  9. Look in the mirror, what do you see? by az-saguaro · · Score: 3, Interesting

    No matter what profession each of us is in, I am certain that we all have stories about "stupid users". They surely do exist. But there is a flip side to this story.

    Many "stupid users" are not stupid at their jobs or life in general. They just do not cooperate well with the paradigms of computing and technology they are handed by "the industry". The makers of the technology are quite savvy about such things. But they might forget that not everyone is so, or be dismissive of ordinary smart (or dumb) people who are not as learned about those things as the manufacturers and technical folk are. Those people decrying the IT "stupid user" are likely to be the butt of jokes about how dumbass they are when it comes to accounting their taxes or fixing their car or managing their own diabetes.

    If there are too many stupid users, perhaps it is not the users. Perhaps the technologists who make techno products ought to produce better devices and software and computing paradigms that place greater emphasis on user interface, usability, human factors engineering, ergonomics, and just plain wtf common sense. It seems to me that too many IT people are so wrapped up in the technology and their own familiarity with it that they are suffocating from a lack of reality and some sympathy to how their mom or grandma might use the technologies they are making or managing. Turn your propeller head beanies upside down and air out some of the supercilious cobwebs in your IT skulls.

  10. Victim blaming is NOT a solution by shanen · · Score: 3, Insightful

    That comment does NOT deserve "insightful" moderation.

    It's just cheap-shot victim blaming. The people who are supposed to make things better blaming the victims they failed to help and protect.

    Actually I blame Microsoft. One of the main keys to Microsoft's "success" and perhaps the main source of their YUGE profits was their leadership in escaping responsibility for mistakes. Read your EULA. Whatever happens to you, whatever damage you, your company, or your customers suffer, no matter how egregious the phuckup, you will find that Microsoft's "legal" liability is quite precisely limited, and in most cases limited to nothing at all. It didn't have to be that way, and if Microsoft (and other corporate cancers) had been held liable for their mistakes, you can be certain they would have been more careful. There's a reason they call it moral hazard.

    (Microsoft's other key tactic was minimizing direct sales to the suckers... Er victims... Er, I mean end users. The very honorable end users, and it doesn't matter how much they wind up cursing Microsoft after the fact. Just recently I provided some technical advice on some new machines, but I could not persuade them to even consider skimping on one of the Microsoft taxes. They insisted on paying the OS tax and the MS Office tax to boot.)

    Not the saddest part. That's the lack of a solution approach. The solution is obvious, but it will never happen.

    Imagine cutting Microsoft into competing companies. NOT vertically, but horizontally. Each baby Microsoft would start with a copy of the source code and an equal share of all the corporate resources. Windows and Office would be standards, and the people would actually have the freedom to buy from the baby company that gets most serious about improving the security of the software.

    (My delusional implementation strategy would involve a progressive profits tax linked to market share. It is not a penalty for success. Rather the higher tax rate is a penalty for reducing freedom and the lower tax rate (after dividing the company as needed) is a reward for reproducing the good ideas into separate companies.)

    As usual, time's up, but I bid you ADSAuPR, atAJG.

    --
    Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.