Security Businesses

Workers Cause More Problems Than Viruses 191

Technical Writing Geek writes "A new report finds that, for the first time, virus infections have slipped to the second spot on the list of computer security troublemakers. In first place— a company's own workers. 'The Computer Security Institute has just released the 2007 edition (PDF) of its long-running "Computer Crime and Security Survey," and it offers some dreary news for overworked computer security admins: average losses from attacks have surged this year. More surprising is the finding that the single biggest security threat faced by corporate networks doesn't come from virus writers any more; instead, it comes from company insiders.'"

  • by Aranykai ( 1053846 ) <slgonser.gmail@com> on Monday September 17, 2007 @01:34PM (#20639251)
    It brings to mind the old saying 'loose lips sink ships'. I've only had a few years' experience as a sysadmin, and it was drilled into my head quite early that the one thing you can never secure is the user. Let's come up with a real story now please.
  • Re:Really? (Score:3, Informative)

    by CastrTroy ( 595695 ) on Monday September 17, 2007 @01:44PM (#20639465)
    And even with viruses, what percentage of them are installed through dumb users running executables they shouldn't? Most of the time it comes down to dumb users. There have been very few times that a virus/worm has been able to work itself into the computer without user interaction. Granted, in the case where this has happened, like when ports are left open, and the virus sneaks in from the internet, the infection rate can be very high. However, still, most viruses, and the majority of computer/security problems in general, come from dumb users.
  • PEBKAC (Score:5, Informative)

    by Protonk ( 599901 ) on Monday September 17, 2007 @01:46PM (#20639507) Homepage
    The security literature has been saying this for years. And, depending on who you classify as a 'user', this is a much broader problem. The TJX breach? If I consider that the company IT dept. allowed latitude in where computers were connected to the company intranet (for convenience) and which computers could be connected, then the protocols surrounding handling of data (either VISA [google.com] [PDF] or otherwise) become superfluous. The 'user' that wants to be able to check stock at a kiosk inserts problems not considered in the protocol.

    This is largely fixed by changing/following protocol (although following PCI would not have eliminated the TJX breach, just limited it). Dictating access limits to machines, enforcing those access limits through user and key management. Enforcing segregation of data by pushing it back from the user space. Etc.

    In a lot of cases, these things can be eliminated only through design--not draconian regulations. By design I mean something separate from limitations. A limitation (for example) would be to block any traffic going to popular webmail accounts through a browser. This is pretty easily circumvented by a half dozen trivial (read: largely non-technical and non-threatening) solutions. A design solution would be to incent users to use the internal mailing system to organize their mail and to VPN to it while away. Using Outlook as a primary means to communicate makes me pine for the responsiveness and search functionality of Gmail. Eventually, rules be damned, I will migrate my work email to Gmail (assuming I'm not security conscious) because it offers so many inherent advantages. The solution being to eliminate those advantages.

    Without that, you are in the same boat that you were before. More rules, but the same incentive to break them.
