Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Security

Employees Are The Biggest Security Threat 332

blankmange writes "BBC News is reporting that the employees of a company pose the biggest threat to security. "Digital cameras, MP3 players and handheld computers could be the tools that disgruntled UK employees use to sabotage computer systems or steal vital data, warn security experts. The removable memory cards inside the devices could be used to bring in software that looks for vulnerabilities on a company's internal network. The innocent-looking devices could also be used to smuggle out confidential or sensitive information." Unfortunately, this is not news, but it is amazing how slowly the general public, corporations included, comes around on issues like these. "
This discussion has been archived. No new comments can be posted.

Employees Are The Biggest Security Threat

Comments Filter:
  • or.. (Score:3, Insightful)

    by blinx_ ( 16376 ) on Monday April 29, 2002 @08:33AM (#3428705)
    You could just bring a floppy/cd with you - if the companys security is already so tight that you forbids those, the fact that you can use stuff like digital cameras, mp3 players or usb keyrings to bring in data shouldn't come as a surprise.

    • Re:or.. (Score:4, Funny)

      by csbruce ( 39509 ) on Monday April 29, 2002 @10:33AM (#3429184)
      You could just bring a floppy/cd with you

      These items and memory sticks, digital camers & mp3 players can be hidden in people's clothing, and therefore, the real solution is to disallow all clothing on the premises of the business. People could also hide such items up their butt, so you'll need to check there too before allowing employees admittance. (Well, maybe not the CD...)
      • Hahaha... MAYBE not?

        Anyways... Internal vulnerability to attack is nothing new, its always been considered the most likely source of an attempt on an organization's security. However, recent reports from law enforcement show that the rising threat of external attack is starting to become more serious than in previous years.

        Of course, internal vulnerability to fraud and data theft are still very important (USB keychain datastorage, keystroke monitors, and cd burners in workstations pose significant risks).

        2002 CSI/FBI Computer Crime and Security Survey [gocsi.com]

        Hackers: a Canadian police perspective Part I [rcmp-grc.gc.ca]

      • the real solution is to disallow all clothing on the premises of the business

        I hope to god that you're planning on making attendance at the gym mandatory.

  • by randomErr ( 172078 ) <ervin,kosch&gmail,com> on Monday April 29, 2002 @08:34AM (#3428711) Journal
    I've had 10 time more computer problems with users trying to install thier own software than any virus.

    Plus when someone is about to be fired they try to e-mail 500 megs of files to thier 10 meg home account. E-mail Bounce of Death anyone?
    • by Zocalo ( 252965 ) on Monday April 29, 2002 @09:28AM (#3428931) Homepage
      500megs of files? It doesn't even take that. I've seen this happen with an "Out of office" response email. The luser had setup his Exchange account to send an out of office reply, but forgot to remove an automatic CC to his 10meg home email account.

      Naturally the home account filled up pretty quickly at which point the remote and local servers began a game of ping pong betwen "Out of office" and "Mailbox is full" emails. Since we are an ISP and his 10MB account was on another large ISP this game of ping pong was going faster than a world champion on speed. As a side effect it also resulted in a DoS on the two mail servers as log files and message logs grew out of all proportion...

      So it just goes to show; employees can cause grief even when they don't mean to.

    • by stilwebm ( 129567 )
      Amen brother!

      How many times have I had to respond to "urgent network problems" only to find out the problem was someone installed some shit like "NetAccelrator" on a LAN connected computer (they say they saw an error message telling them their connection wasn't optimized...) or CyberPatrol so their kids can play afterhours. Nevermind the problems with clients DoSing us with their Outlook/IIS/Sircam worms, the biggest DoS is people installing Gnutella and other sharing programs and giving downloaders full bandwidth, thinking it will make their downloads faster.

      Even software that doesn't usually mess up a computers network stack or even use the network can wreak havock. Enter the user who thinks he knows everything he needs to know, but really only knows how to break everything he touches. Send him to a training course? Only if you want to teach him how to break more stuff, even with the best ACL's!
      • reminds me of when I was sharing a 64kbps ISDN link trying to use SSH on remote servers and getting about 0.5 cps, very annoying but I took it thinking it was email etc. nope, one of the web designers was using Napster so he could listen and work!

  • by forgoil ( 104808 ) on Monday April 29, 2002 @08:37AM (#3428721) Homepage
    Yes, sounds stupid, but I would find it to be a better idea than to implement some kind of 1984/Farenheit 451 security "utopia". It should also help the companys success in the future. Happy people work better and doesn't try to screw you over (in the bad sense that is).
    • Correction: People who BELIEVE they're happy don't try to screw you over. You're not supposed to actually make people happy. Otherwise you end up with something like a baked alaska.
    • I've advised many people that if they want to improve computer security they should put a good grievance procedure in place.

      Then they immediately ask me for penetration testing.

    • by gosand ( 234100 ) on Monday April 29, 2002 @11:01AM (#3429337)
      I had a post all composed, but decided against sending it. I re-read it, and thought "surely people won't jump on the 'employers suck' bandwagon, and if they do, surely it won't get modded up." *sigh* This is slashdot.

      I originally thought the same thing - the employers are making the crappy workplace. That may or may not be the case. Over the last 8 years, I have seen so many slackers, dead-wood employees that have been kept on for no good reason. I started to wonder why. Then I heard about the pending lawsuits from former employees. Nowadays, you can't even fire someone without getting sued. It is stupid. People get stuck in a hole, and the company doesn't want to give them anything worth doing. Since they can't fire them for being un-driven losers, they give them crap jobs. Instead of working harder to actually reverse the situation, the employee just gets more bitter and lazy. I have seen people steal many many things from a company, because they feel the company "owes them". In one case, a guy claimed 20 hours of OT every week for about 8 months. His manager signed off on it because he was too spineless to challenge him. I know he didn't work it, because *I* was working it and he was nowhere to be found. In true corporate fashion, when it was discovered (by me), nothing was done. Nobody wanted to confront the situation. The guy eventually got PROMOTED! I figure he made out with about $30k.

      I guess my argument is that no matter what your environment is like, people are going to try to screw the company. Granted, the worse the environment, the more it probably happens, but there are always going to be those disgruntled nut-jobs who feel the world owes them something. And I have seen companies do pretty crappy things too, like during the company meeting, announcing layoffs and those who weren't at the meeting were being escorted out of the building by police. This was to "preserve their dignity". Uh-huh.

      Believe me, I know what it is like to be unhappy at a job. But you know what I did? I left. Employers have to cover their asses even more nowadays, when someone with the knowledge could easily F up their network, steal code/secrets, etc. Saying "don't piss off your employees" is no solution. Of course companies should have a good work environment, that is a no-brainer. But there will always be someone who wants more. You let people wear jeans, someone wants to wear shorts. Let them wear shorts, someone walks in with their bag hanging out. Let them wear sandals, someone walks around barefoot. No matter where I have worked, there has always been someone who was unhappy.

  • by line-bundle ( 235965 ) on Monday April 29, 2002 @08:38AM (#3428726) Homepage Journal
    Ultimately it is employers who set the tone for a company. Employees actions are (in part) a reflection of how they are treated by employers.

    • Well said!

      They're correct, in part, about the usage of new media technologies to move information in ways that companies hadn't considered in the past. Sure someone could pop in with a USB-keychain device and copy company secrets, however if someone REALLY wants to copy/duplicate materials, there are a million different ways to do it and bypass typical security precautions.

      If I was travelling with confidential data to any country which I was at all wary about, sure, I'd hide my data on a smartmedia card for my digital camera, or for large amounts, hide it on my nomad jukebox rather than putting it on an encrypted file on the laptop - if they don't know it's there, they can't ask/force you to decode it can they? Likewise for "copying secrets" from a job - anyone with half a clue would use something a little less obvious than walking out the front door with a burned CD if they were at all worried about getting caught.

      By far the larger issue (IMHO) is typical "stupid company workers". I've lost track of how many times my co-workers have forwarded bogus virus notification emails, emails with annoying executable christmas crap, and other assorted garbage to me.

      That's the sort of thing that needs to be "fixed" IMHO. Granted, a disgruntled employee can do a lot of short-term damage, but typical bumbling employees can do enough minor damage spread out over a long term to cost more in terms of support hours and money.
    • You're forgetting about one tiny thing. These kinds of security issues aren't just issues with employees who are pissed off. Ever heard of industrial espionage? An employee doesn't have to be mistreated in order to screw his company over
    • Ultimately it is employers who set the tone for a company.

      Your argument makes sense, but you have to remember employers are people too. When you find a bad employer you generally can unroot a specific subculture or clic at the root of the problem. Often it is a group of political players in management or the jerk in IS who is trying to build a little kingdom with the computers.

      It is not the employer who sets the tone of the company, it is the people who set the tone of the company in the name of the company.

      Upper management can battle a lot of these problems. Unfortunately, there is a small set of employees who, no matter how good they have it, will sabotage their employer. Some are set on insider trading, others studied Machiavelli and want to put the words of the dark one in practice. These people can eat the heart out of both good and bad employers.
  • by Hooya ( 518216 ) on Monday April 29, 2002 @08:38AM (#3428727) Homepage
    call the BSA hotline.
  • by thesolo ( 131008 ) <slap@fighttheriaa.org> on Monday April 29, 2002 @08:38AM (#3428728) Homepage
    Like I said in one of my previous posts on the subject (that I cannot find now for the life of me!), the company that I work for is already very wary of it's data and the "toys" people bring into the office. And now thanks to those keychain-sized USB drives, every guest has his keychain checked before he enters, and has to empty his pockets. Of course, you could still sneak one in, anything is possible as we aren't going to be implementing strip searches anytime soon. ;)

    In the mean time, we keep all the sensitive data as locked down as possible, and hope for the best. I suppose in the end it is just part of human nature; even the most honest, trustworthy of people will steal from you if given the right motivation. Caring managers and a good working environment go a long way to prevent theft (and general unhappiness/turnover!), perhaps even moreso than good security personnel.
    • While it's important to have the proper security checks, this article only focuses on *possibilities* (emphasis added):
      • "Digital cameras, MP3 players and handheld computers could be the tools that disgruntled UK employees use to sabotage computer systems or steal vital data, warn security experts."
      • "The innocent-looking devices could also be used to smuggle out confidential or sensitive information."
      • "One way that unhappy employees might try to damage computer systems is by smuggling in programs on devices such as digital cameras, handheld computers and MP3 players. "
      • "Mr Longhurst said because digital cameras, MP3 players and handheld computers swapped information with a PC they could be used for nefarious purposes. "
      • "Disgruntled employees could easily load hacking software on to the memory card for their digital camera at home, transfer the software on to a PC at work and let it run loose, said Mr Longhurst."
      Yes, we should all be concerned and watchful for both internal and external security issues. Yes, trusted employees have the potential to cause more damage because they have better access to information and first hand knowledge of the systems, security and policies. But listing a whole bunch of "could's" and "might's" is as insightful as saying:
      • "employees could use their Bic pen to damage Post-it notes you have for sale by writing 'buy me :-p' on each sheet."
      The article clearly ignores that *most* security problems are from the outside. When will companies realize there is a simple solution: keep your employees happy; keep happy employees.
    • by CharlieG ( 34950 ) on Monday April 29, 2002 @09:29AM (#3428934) Homepage
      And now thanks to those keychain-sized USB drives, every guest has his keychain checked before he enters, and has to empty his pockets

      And your guests stand for this?
      Folks, three times in recent months I've walked out on places, or canceled tickets to an event that said they wanted to search me. Yes, it's their right to ask, and it's my right to say "No". Then it's up to them to decide which they want more - me, or their rule

      To quote a Sci-Fi story being written by a guy on the net:
      "Contract Addendum 4: The person of the Guild Certified Consulting Programmer is inviolate. Attempts to search the Consulting Programmer's person, vehicle, or home are considered both a violation of contract and initiation of force." -- Page 23 of the Guild's Standard Contract
    • I don't know about you, but that is the sort of treatment that might push me into stealing stuff. When the company trusts and respects me, I will trust and respect the company. If they think I'm theiving scum, then I must be so I'll feel better about screwing the company.

      Travis

      • When the company trusts and respects me, I will trust and respect the company.


        You'll live up to their expectations. Good for you...


        If they think I'm theiving scum, then I must be so I'll feel better about screwing the company.


        You'll live down to their expectations too? How terribly sad. :(
  • This reminds me of the famous NSA "Furby Alert" [info-sec.com]
    As harried parents scrambled in the weeks before Christmas to get their hands on these homely, high-tech cyberpets that supposedly repeat what they hear, the supersecret spy agency put out a "Furby Alert" on its internal intranet in early December and banned the Furby from Fort Meade.

    "Personally owned photographic, video and audio recording equipment are prohibited items. This includes toys, such as 'Furbys,' with built-in recorders that repeat the audio with synthesized sound to mimic the original signal," the Furby Alert warned NSA workers. "We are prohibited from introducing these items into NSA spaces. Those who have should contact their Staff Security Officer for guidance."

    Sig: What Happened To The Censorware Project (censorware.org) [sethf.com]

  • What issues? (Score:2, Insightful)

    by Anonymous Coward
    Unfortunately, this is not news, but it is amazing how slowly the general public, corporations included, comes around on issues like these.

    Employees could bring in matches and burn the building down too. You need to have employees you can trust. Sometimes you will get it wrong and one of them will betray you.

    People who have access to your premises or systems could misuse that access.

    Nothing new here, so what issues are people slowly coming around on?
  • by Anonymous Coward on Monday April 29, 2002 @08:43AM (#3428753)
    I just thought of something, if a person wanted to KILL a whole bunch of people...they probably could. DUH!!

    This is some serious social breakdown we're seeing here. I remember the days when you would get hired by a company, and then not only would your employer actually give a fuck about you...they would assume that you were on their side by default. Maybe this should tell us something about the mindset of modern management. They hate us...they naturally assume that we hate them. Gattaca here we come.
  • by joebp ( 528430 ) on Monday April 29, 2002 @08:43AM (#3428754) Homepage
    • Computers run on electricity.
    • People use the internet to do bad things.
    • Pro-wrestling is faked.
    • The news media is biased.
    • The members of all boy-bands are gay.
    • Britney does not want you.
    • Disgruntled employees can steal your valuable corporate information.
  • Rights (Score:2, Insightful)

    by Jacer ( 574383 )
    It's much easier to bring in a floppy or ls-120 disk, we even have several cd burners around here.......no one can install any new hardware on any of the pc's.....
  • Dumb Question (Score:2, Interesting)

    by Tribe ( 135040 )
    Reading the article I went "duh." But why are these "non-conventional" things getting blamed? How is this more dangerous than bringing in a floppy disk or a "music" cd with a data track on it?

    This bit of lucidity brought to you by..something!
    • "But why are these "non-conventional" things getting blamed?"

      I was wondering the same thing. The best reasoning that I could come up with is that it's the real-world equivalent of steganography. Just like steganography, it allows you to superficially hide data in such a way that many people will completely miss it. And just like steganography, you're in trouble if someone knows what they're looking for. Fortunately, both this system and steganography can be used as an additional layer on top of any other practices -- there's nothing to prevent you from PGP encrypting the hidden data.

      Still, there's the classic drawback that steganographically hidden data implies that you have something to hide. Of course that seems to be the area where this non-conventional smuggling excels. A security guard isn't likely to check the contents of an mp3 player for hidden data. At worst, you'll just be prohibited from bringing the player in the office.

  • by SirSlud ( 67381 ) on Monday April 29, 2002 @08:47AM (#3428777) Homepage
    Oh yes, we should definately come around on issues where the 'biggest threat' is from the people with the 'inside track'. There's no better way to raise a generation on folx free from the confines of ethics and responsibility .. where anything that they can do technically and physically must be AOK, or else it would be impossible to to it.

    You really have to be kidding me here. If your employees are truely taking their time to use their mp3 players to screw your business, you have more pressing concerns than the 'vulnerability' of the systems from the people who built them.

    I suppose since most premeditated murders happen between people who know each other, we'd better wake up and start hiring personal bodygaurds to protect us from our loved ones too!
  • Linux, Anyone (Score:2, Interesting)

    by mgv ( 198488 )
    Isn't this a reason for corporations to be using Linux?

    Microsoft has loaded up their system with so many features that its almost impossible to stop someone finding a backdoor way in. While you can pretty much tie up a M$ system, its not easy to do and you will probably be patching it till the cows come home. Surely better to have *nix systems which can really lock down the user to the required tasks? Particularly with regard to things like file accesses and so on? I still think that there is a huge potential here for *nix OS's - anything to do with security generally leaves M$ smelling less that rosy.

    My 2c worth,

    Michael
    • It's the employees themself. It really doesn't matter if you use copy.com eða cp to steal corporate data, does it?
      • Imagine your user account having no shells, but only access to carefully planned applications. But...but...I'll insert this boot disk and get root! Damn, the filesystem seems encrypted and all those apps appear to have been X11 forwarded with ssh from the main server. Guess I'll have to steal the company secrets with my digital camera.
    • Re:Linux, Anyone (Score:5, Insightful)

      by reemul ( 1554 ) on Monday April 29, 2002 @09:27AM (#3428930)
      Sadly, the NTFS file system has a richer system of file and directory permissions than anything Linux has to offer. Which is of course made moot by exploits that give the Microsoft user system level privileges, but the simplistic owner/group/world permission structure common to *nix systems is not a key selling point. The best permission structure I've personally dealt with was Novell's NDS, but they mistreated their sales channel so badly over the years they'd have troubling selling water to a guy who was on fire. Too bad, their cascading inheritance model was just amazing.

      All of this is beside the point anyway, as the article deals with folks misusing resources they already have access to, not problems with people getting at files they are not normally allowed to see. A Linux user is just as capable as a windows user of burning files he has rights to onto a CD.
  • by Nelson ( 1275 ) on Monday April 29, 2002 @08:50AM (#3428785)
    Back in the day, there wasn't an internet connected to every desktop. You simply weren't allowed to bring recording devices or media to and from work. I remember when it was a dismisable offense at IBM to bring a disk into the building or take one out, with out the proper parperwork and permission. So when your employer decides that you really don't need access to any sites that get blocked by their surfguard it's terrible, YRO are being compromised. What's the response going to be when they decide that you can't take any media in or out and that includes your music and digital camera?


    If you're really worried about corporate security, that kind of stuff is a real risk. It's not even the employees who are doing it, it's just the fact that there is a channel that data is flowing on in and out of the company that isn't protected and not subject to it. Once that exists, it's just a matter of someone hijacking it to use it for their own plans.

  • Another cause... (Score:5, Interesting)

    by HiQ ( 159108 ) on Monday April 29, 2002 @08:50AM (#3428789)
    Another cause is common stupidity / ignorance. My wife works in a bank. Last year this bank interrogated two employees regarding theft of quite a large sum of money. It turned out to be one of their collegues, who used their terminals to make a few transactions. Those two wrongfully accused employees had a habit of not logging out or locking their terminal when leaving the desk. Cases like this make you wonder how often does this happen in other companies?
  • by CDWert ( 450988 ) on Monday April 29, 2002 @08:51AM (#3428790) Homepage
    I have, and have for the last 7 years been in position of trust. I have earned that trust, I have never "screwed" any of my former employers even though I am generally so rooted into their systems , removing any and all access can be nearly impossible. BUT I wouldnt ever screw anyoneover and they know it. I am, the biggest potential hazzard to any company I work for, I once had a company take out 250,000 insurance policy on me for th company, It was matched by a personal policy of the same amount, they figured that was about what they would lose in 1-3 months following an early demise on my part.

    My (ex-wifes) Uncle was a VP of a F-250 in HR, He had been out of work almost a year when he got the Job and was only there 2 years, He quit, we all thought him quite mad. He was going to start a company specifically for consulting of HR risk managment, it had an IT Slant, all the major companies putting these 200 million dollar implementations of ERP's in place made for a lot of problems if a 6$ an hour lackey ordered 10000 of something by accident and didnt catch it, the real time nature of the transactions througouth the company from purchasing to production to HR makes for a lot of fear on the corprate side. Fear SELLS Simply put. He is now about 40 and worth well over 5 million, 7 years ago he couldnt pay his morgate, all money made on the fears, and(solutions) to fear based on employee liability.

    The company is made by employees, it can be broken by the employees, very simple........

  • Why worry about Bond, James Bond sneaking in with a digital camera full of code, when many companies allow employees to hook up personal laptops to the corporate network.. Even companies that require you to use their corporate laptops still give the user "admin on local system" rights, so they can install software (screensavers and "I know more than you about this computer because you're just an IT guy and I was written by Norton" type software).

    Any executive smart enough to bring in a camera and load it up with data could take his laptop, make a big encryped .zip file and accomplish the same thing.

  • by InOverMyFeet ( 576320 ) on Monday April 29, 2002 @08:55AM (#3428809)
    "I don't think its a coincidence that most employee sabotage is done by employees." - Scott Adams

    • The innocent-looking devices could also be used to smuggle out confidential or sensitive information

    Do the sexy new Powerbooks [slashdot.org] qualify as innocent-looking devices ? :)

  • Keyword is "trust" (Score:3, Interesting)

    by blippo ( 158203 ) on Monday April 29, 2002 @08:59AM (#3428826)
    The basic principle here is ; trust.

    You also trust your employes not to burn down
    the office, but you are still allowing them
    to use matches. How is that different?

    • Anyone seen lighting a match INSIDE the office I work would be sacked on the spot. Accidentally triggering sprinklers over server racks and dev workstations is Bad. This is one reason us smokers have to hide in the carpark...
  • by daoine ( 123140 ) <moruadh1013NO@SPAMyahoo.com> on Monday April 29, 2002 @09:01AM (#3428832)
    Some of the first things discussed in a network security class are the things that are very hard to protect against, one of them being 'the man with the gun' attack.

    Simply put, it's very hard to keep something secure when a person's well-being is threatened. If someone held me up at an ATM, building entrance, anything with password access, you'd bet I'd most likely give up the information to survive.

    It's interesting to note that the article mostly focuses on malicious intent on the part of employee. That's not surprising, but far more surprising are the holes left by the everyday user. Take a look around the non-development areas of your company. How many have passwords on post-its? How much good will a secure network do if the front door to the building isn't locked down just as tight?

  • ...before giving-up your badge, just grab the hard-drive and run as fast as you can !
  • No surprise (Score:2, Interesting)

    by Mulletproof ( 513805 )
    If your security as as lax as my company's, the artical is easy to believe. I work on PCs in my depatment while the company itself handles thousands of consumer electronic components list above per day. Sure, you go through a metal detector and the guard wands you, but I swear i could sneak out with a full desktop stashed in my pants and still get away with it. It's for show. Then when they actually find something missing, security gets intense for about a month with people removing everything from their pockets, jackets, etc. After a month, it goes back to being business as usual. If these other companies are as irresponsible as mine, I could easily see the trend. Hmf. Must be desperate for when this post makes for slashdot news but the cool planetary alignment doesn't? Mod me down, bay-bay!

    And for cryin' out loud, You with anal ascii pic, grow up. How many sites do you visit with that pic anyway? "hehe! Hehe! *snort* It's the highlight of my day! *snort* hehe!" Get a life.
  • by GreyyGuy ( 91753 ) on Monday April 29, 2002 @09:12AM (#3428873)
    I looked at that, and had to laugh. I'm just waiting for someone to complain about the data carrying capability of my CD/MP3 player when I am expected to take my laptop with a 30 Gig hard drive home each night.

    Are they going to ban CDs too?

    I know that employees are the biggest security risks, but there has to be some sort of diminishing return in this. Besides, locking down your network on both the internal and external side is work that can't be avoided or established through policy.
  • by DaHat ( 247651 ) on Monday April 29, 2002 @09:12AM (#3428875) Homepage
    I thought that is why we have e-mail, "hum, I want to work with that at home, I'll just e-mail it to myself."

    or worse... what happens when someone realizes that instead of a 500 dollar mp3 player... they can use a 5 cent floppy disk! Lord no! we must eliminate such things.
  • The removable memory cards inside the devices could be used to bring in software that looks for vulnerabilities on a company's internal network. The innocent-looking devices could also be used to smuggle out confidential or sensitive information.

    ... and we're soon expecting also FBI to realize that even floppy disks can be used for similar purposes.

    Even innocent looking floppy disks (i.e. the kind that doesnt have "Warning, contains Virus and/or other malicious code!" printed on it) may soon be concidered a threat to the company security.
  • by Bookwyrm ( 3535 ) on Monday April 29, 2002 @09:20AM (#3428903)
    If people consider PDAs, MP3 players, and digital cameras a security threat as a channel for bringing data in and/or out of a company, just wait for the next generation cell phones/PDAs. When you have a 3G/GPRS/GPS/Bluetooth/802.11/IrDA/Ethernet/USB/Fir ewire/etc. capable personal phone, would employers let you bring it into work? Even if you had no hostile intentions yourself, your phone might be compromised by a trojan or virus that might attempt to spread from your phone into the corporate network over whatever communications medium is available.

    With the wireless connectivity becoming so common, network security is losing its "air gap".

    It might be noted that the IP Rights protection software might end up being a problem for Open Source software acceptance in the market and work place. Not necessarily due to (most) corporations really concerning themselves about people copying music, but with employees copying confidential files to unsecured devices.

    An operating system/networking system that provided built-in guards for transferring confidential/private data from secured/official devices to unsecured/private devices might have a lot more appeal to a corporation than one that has no protections against random file copying.

    (Given that we are reaching the point where we have more memory and CPU power in computers than we know what to do with, I would be highly interested in seeing more OS development that allows for (security) meta-data to be associated with areas of memory as far as the permissions/state of that memory goes. It would be really nice to see a system where, say, image data loaded from a website might be marked in the OS as "image (jpeg) from foo.bar.com -- unauthenticated, non-executable", so that if some thing else tried to trigger the CPU to jump to that area of memory and execute it, the OS would reject the attempt. This is going to be more important with Bluetooth/ad-hoc connectivity, 'media' which are almost programs in themselves (Flash, Java, JavaScript, etc.) -- simply turning off all support for 'dangerous' media may not be practical if their use becomes wide-spread. This sort of internal OS meta-data system would have a high overhead, of course. And yes, the side effect is that it makes IPR-type enforcement much more possible, but the security issues may start pushing systems development in that direction. Free software folks should think about this one -- it would be highly ironic if by implementing IPR management software in Windows, Microsoft then stepped up and managed to make an OS with a superior internal security model based on extending the IPR system to manage internal data/executable security. Better start looking for quad Athlon servers...)
  • by sugrshack ( 519761 ) on Monday April 29, 2002 @09:21AM (#3428910) Homepage
    well... you could blame the users, who've been stuck into a work environment with machines that they barely understand, or you could blame the security departments for incompetence and inconsistent policies.

    for instance, where i work, they've decided to block any web-based email (through a fairly thick piece of software, which just blocks any site with sendmail includes). This makes some sense, because you really can't trust people, no matter how many times you tell them, not to open attachments... they can't filter through each of these sites which bypass the main email systems..

    however... here's the absurd part... they still seem to allow rampant use of peer-to-peer connections. People use AIM all the time... as if this were secure! And security argues that it serves a "business need." ahem.

    • In other not-news, the only sane answer to this alleged "problem" is societal, not technological.
      When you look after your employees happily, including but not limited to giving them a decent salary, they feel sufficient loyalty that you don't *need* draconian security measures.

      Works for me - both the last and current job have simple iptables firewalls, and no restrictions on what flows at censorship level. And do we see major info leak? No. We employee sensible honourable clueful folks, and look after them OK. No problem.
  • Damn. (Score:3, Funny)

    by kryzx ( 178628 ) on Monday April 29, 2002 @09:23AM (#3428917) Homepage Journal
    So that's the problem! That's it, I'm getting rid of all my employees!! In today's day and age, how can any company risk having autonomous entities of unknown motivation and capability wandering around?!? touching the company's stuff?!!? accessing the company's data?!!!? looking at things?!!!!? Ahhckg!!! Fire them all!!!!!
  • by Ewann ( 209481 ) on Monday April 29, 2002 @09:23AM (#3428919)
    I visited a large Asian electronics manufacturer last year. When entering the facility, they inspected every piece of electronics I entered with. Cameras (both film and digital) had to be left at the desk. Laptops had their memory slots and peripheral slots covered with company-issued security tape to be sure I didn't add or remove anything. CDs, tapes, and other recording media were not permitted in the building. When leaving, my bags were X-rayed to be sure I wasn't taking anything forbidden out.
  • Yeah.. well even before we had things like palm pilots or digital cameras or *gasp* the macintosh piratier(er I mean MP3 player).. there was e-mail. All you really need is e-mail at work.. and e-mail at home.. and a cable modem (or dial-up if your paitent). But for those really big documents there's always FTP.. FTP up and then FTP down.
  • by truthsearch ( 249536 ) on Monday April 29, 2002 @09:25AM (#3428924) Homepage Journal
    Many companies leave their "usual" security too simple anyway. Take the financial trading company I work for as an example (name and url left out intentionally). Sometimes a 50k jpg or mpg attached to an e-mail coming into the intranet through our firewall is moved into a "safe zone" where the employee gets notified he/she must call the help desk to request it. Other times the jpg's and mpg's of any size come through fine while only exe's and vbs's (VB Scripts) are blocked. However, all outgoing attachments are allowed, with the understanding that they're monitored. But since I know they're using Outlook and Lotus Notes on Windows to monitor, I can rename a zip file of data to .mpg, comment on the funny joke I pretend is inside, and send corporate info into or out of our intranet.

    Another brilliant common hole (at least in financial companies): block ports 21 and most others through the firewall so employees won't ftp files to or from their workstations over the intranet. Of course no employee is smart enough to configure their ftp client to use port 80.

    Companies are getting scared of the latest techie gadgets, but so often don't even take care of what should be obvious to any educated IT security employee.

    • But since I know they're using Outlook and Lotus Notes on Windows to monitor, I can rename a zip file of data to .mpg, comment on the funny joke I pretend is inside, and send corporate info into or out of our intranet.


      That won't work on NAI/McAfee VirusScan, at least; VS doesn't trust the OS to know what type the file is.
    • >Another brilliant common hole (at least in financial companies): block ports 21 and most others through the firewall so employees won't ftp files to or from their workstations over the intranet. Of course no employee is smart enough to configure their ftp client to use port 80.

      hehehehee...reminds me of something i did at my last job. i used to work at a very large financial company, the only access to the internet was http via a proxy server. i couldn't get access to my external email accounts. so i built an http tunnel to encapsulate ssh back to my box at home.
      http://www.nocrew.org/software/httptunnel.h tml
      from there i could do anything i wanted. moral of the story : never f with a network engineer.
    • I work for a fairly large company. (Aren't going to specify because I'd like to not get fired.)

      Anyways, the've got a proxy where they supposedly monitor and also prevent certain sites.

      However, the proxy only works on port 21, 80, and the standard proxy port (8080?), but you get unfiltered access to all other ports (No inbound connections however, so only passive-mode ftp)

      Anyways, so what I ended up doing was:
      telnetted into my box at home, installed a proxy, set it up to use an odd port, and wa-la. Along with I installed Cygwin, ssh into my machine, and use my machine as if I was there ;)
  • by El Camino SS ( 264212 ) on Monday April 29, 2002 @09:33AM (#3428953)
    Big Corporate Manager: "Goodness, it says here that our biggest security threat is our employees! Well, I suggest that in order to keep them under control, we should institute a set of draconian rules on their behavior and treat them with the utmost resentment possible! Also, take this down, we should constantly address them like they are a liability instead of an asset."

    Big Corporate Lackey: "We already do that, sir!"

    Big Corporate Manager: "Damn, that was a close one! I thought for a moment there we had a security breach on our hands. Good work. Let's go play some golf."

    Big Corporate Lackey: "I'll get the clubs, sir!"
  • Management (Score:2, Informative)

    by WickedLogic ( 314155 )
    I usually find management and owners are the biggest threar to security, not employee's. At lease not the tech ones.

  • by Irvu ( 248207 ) on Monday April 29, 2002 @09:38AM (#3428977)
    • Cost of a new overhead camera to spy on employees: $700
    • Cost of metal detectors at the doors and the guards to staff them: $10,000 yr.
    • Cost of keystroke loggers, internet screening software and the techs to track them: $50,000yr.
    • Cost of employees to monitor the guards and techs: $30,000 yr.
    • Living under a cloud of suspicion and paranoia and driving all of your employees away through fear, distrust, and low morale: Priceless

    There's some things money can't buy, for the rest; raid the retirement fund.
    • I worked for Bell Northern Research (now NorTel) in 93-94. Basically they had the whole, gated entrance, cameras not allowed, magnetic media not allowed unless by authorization or your manager (I had a laptop for a while that I was allowed to take in and out), etc etc. Everyone knew it was because the research we were working on was worth a lot to competitors and, thusly, seeing that kind of protection/paranoia actually boosted morale. It made you feel like what you were working on had actual worth.

      Of course, I eventually succumbed to the dilbertesque syndrome of realizing I could flick my finger all day long and it wouldn't impact the company one bit, so now I only work for small-midsized companies. But this security never bothered me: the one time my friend had her film confiscated, they just developed it to make sure there was no sensitive data on it (for free, even) and sent her the pics/negatives afterwards.
    • Haha. Until HR tells them that the one-day stealth posting for a job brought in 250 resumes the next day and they realize that a draconian, paranoid workforce is no problem when there's no jobs for people to take elsewhere.

      Losing employees is only a problem if your annual churn rate goes to high. Many senior managers consider not losing someone a sign that their subordinate managers aren't managing effectively. Six Sigma, anyone?

  • -1 Redundant (Score:5, Interesting)

    by rutledjw ( 447990 ) on Monday April 29, 2002 @09:50AM (#3429017) Homepage
    Here we go. Here's MY personal story of employee-driven chaos.

    We had a SW Architect who was really anything but. He WAS a great salesman and was able to BS his way out of trouble for ~2 years before they tossed his butt out. When he left, I had been there for ~6 months. In that time, he had burned roughly 150 CDs, he said for backup of our project (our TOTAL source was less than 2 floppies). He also password protected all of his PCs (forcing us to remove the BIOS battery).

    Further, on the server, about 7GB of a 13GB HDD was of a format not recognized by the Mandrake installer. The only thing I could think of was that it was encrypted. Who knows what data was taken or what was on that partition. We reported what we saw and re-formatted...

    Add another 4 months. They fired this guy but didn't revoke his user/pass. So he manages to find a server with telnet exposed to the internet and "hack in" (using his still working user/pass). He then procedes to go to every server he can find and rm -rf on every directory where he has access. They ended up rebuilding 3 Sun boxes.

    No charges in either case.

  • This is the same debate that rages on over MP3's, video games, guns, etc. Is the video game to blame for violence, or is the player's lack of self control to blame when he/she goes postal? Is it the software that allows CD's to be converted to MP3's to blame, or the person who posted them to the internet illegally? IMHO, it is always the person who should be held responsible, not the hardware/software or its designers. Alfred Nobel created dynamite to help miners, not to hurt people, and when his invention was used for harm rather than good, people blamed him. Just my $0.02
  • by Morris Schneiderman ( 132974 ) on Monday April 29, 2002 @09:52AM (#3429031)
    The "biggest threat to security" is almost always the folks working in the Security Department. This has been the case for more than 50 years.

    There could be a good research paper here. Is it because these folks have too much idle time on their hands? Is it because the line of work keeps them focusing on negative activities? Is it because they are exposed to the company's weaknesses and become tempted by them? Is it because this line of work attracts thieves? Is it because companies use the 'it takes a thief to catch a thief' philosophy? Do 'Heads of Security' purposely hire thieves to keep levels of theft up, so as to justify bigger budgets? Outsourcing 'Security' does not solve the problem, it just makes it into someone else's profit center.

    My father tells the story of a guy working at an auto assembly plant who took home an entire car -- piece by piece!

    This 'article' is not News. Look at it's source. It's a marketing piece. Slashdot fell for someone's FUD marketing. I know it's Monday morning, but still...
    • The "biggest threat to security" is almost always the folks working in the Security Department. This has been the case for more than 50 years.

      Sed quis custodiet ipsos custodies? loosely, "But who will guard the guards themselves?")

      Obviously it's been a problem for a lot longer than 50 years.

    • The "biggest threat to security" is almost always the folks working in the Security Department. This has been the case for more than 50 years.
      This has been true for physical security since the beginnging of time.

      Network security should be different. I know plenty of 'reformed hackers' who are now in the "Information Security" business, and none of them collect and keep customer data that they should not have.

      A big part of the reason physical security is a cause of internal theft is that most of the guards have time on their hands and get paid not much more than minimum wage. Neither should be true for information security :-)

      My father tells the story of a guy working at an auto assembly plant who took home an entire car -- piece by piece!
      Anybody have a link to the old joke about they guy who worked in a government factory during the war and wanted his own jeep. So each day he would steal a different part, and after two years, he put it all together in his basement and had himself a beautiful new anti-aircraft gun?
  • by ari{Dal} ( 68669 ) on Monday April 29, 2002 @09:56AM (#3429050)
    The way an employee acts, in many cases, is a direct reflection of how you're treated by your employer.

    In my last (regrettable) job, everyone was treated as an enemy (unless you were related to the boss, but lets not go there). The way people were scrutinized and monitored was ridiculous. Even those of us who'd been there for a while, and had proven ourselves 'loyal' were given this scrutiny. It ended up creating an environment where resentment and suspicion made one feel they were under seige. That atmosphere fostered more employee dishonesty than anywhere i've worked before or since. I still remember the

    Of course, the places I worked before and after treated people with a 'we'll trust you until you do something to destroy that trust' mentality, which I'm finding is rarer and rarer these days. But you know what? The crew at the place I'm at now is completely loyal, the turnover is practically nil, and the job satisfaction surveys are at about 90%. Compare that to my last job...

    In summary, do unto others yadda yadda... if you treat your employees like criminals from day one, they won't disappoint you.
  • The Security team and the IT department are a bunch of bungling boobs.

    If you have your NT boxes (assuming you are a Windows shop, you have NT or one of the NT variants.. 2000 and XP are NT no matter what microsoft says.. if you have 98 then please slap a giant L on your forhead)

    and you dont have them locked down so that only members of the administrator group can add hardware (USB smartmedia/cf/memorystick/whatever reader) then you deserve having your employees trash your systems and network. Mp3's and digital cameras are not a threat at my facility except for taking photos of sensitive materials.. of which they dont have access to even see. the bigger threat is a CD with the offending software on it.. (Yes, I have the CD drives locked down, and no floppy drives are installed. or just emailling themselves the hackerware..

    So what do you do? well everyone has a simple linux box running a network intrusion detection system right? A simple Linux box with multiple network cards and Demarc Pure secure.

    Heck it even catches virii coming in throught the router from corperate..

    If your IS/IT personell has no skills in security.. It's time to train them or hire a security person. Any company the runs without a IT/IS person full time..... I shudder to think about the quality of the system let alone how secure it is.
  • by rakerman ( 409507 ) on Monday April 29, 2002 @10:04AM (#3429084) Homepage Journal

    I saw a good talk by Dr. Richard Walton, the director of the Communications Electronics Security Group [cesg.gov.uk].

    To paraphrase, he said, "Currently we know that about 80% of threats come from inside. But no one ever asks what the desirable value for this number should be. I propose that it should be 100%." He said we should trust insiders rather than outsiders, and trust people rather than machines. Or again paraphrasing, he said that we can trust machines to correctly do whatever they are told, unfortunately machines can't distinguish whether a set of instructions are "good" or "bad", whereas most of the time, most of the people inside your organization will do the right thing.

  • Memories (Score:2, Funny)

    by rworne ( 538610 )
    This article makes me get warm feelings of nostalgia of the time where one of my site managers bought a Sony DSC-S70 camera, much like mine.

    I figured out early on that not only can you get pictures out of digital cameras, you can put them in as well. I grabbed his memory stick, put it in my memory stick reader, and downloaded some juicy pr0n and mixed it in with the photos.

    He had a very hard time explaining where the photos came from.

  • Actual report (Score:2, Informative)

    by dughat ( 158489 )
    Here is a link to the original report [security-survey.gov.uk] on which the article is based. I'd like to point out that the report actually states that the percentage of "worst incidents" caused by insider attacks has gone down, starting on page 11 of the document.
  • Real security (Score:4, Insightful)

    by evilpenguin ( 18720 ) on Monday April 29, 2002 @10:34AM (#3429189)
    It saddens me to read this:

    The removable memory cards inside the devices could be used to bring in software that looks for vulnerabilities on a company's internal network.


    Just how exactly does it improve the security of your systems to punish employees for exposing flaws? This guarantees that the only people scanning for vulnerabilities are outsiders and insiders with evil intent. Give scanning tools to employees and offer to pay them a bonus for reporting problems!

    There is so much wrongheaded thinking out there, it is no wonder to me that security problems remain so numerous.
    • Do you hand out hammer drills [coastaltool.com] to random employees and let them have at the internal walls looking for weak spots?

      Just how exactly does it improve the security of your systems to punish employees for exposing flaws? This guarantees that the only people scanning for vulnerabilities are outsiders and insiders with evil intent.

      The only employee who should be 'scanning for vulnerabilities' here is me. Anybody we catch scanning without express written permission (generally from the CTO) is assumed to have 'evil intent'.

      You can't just go off on your personal quest for vulnerable systems randomly on your employer's network, unless you actually want to end up like Randal Schwartz [lightlink.com]

      Give scanning tools to employees and offer to pay them a bonus for reporting problems!
      Speaking of 'wrongheaded thinking'. Consider the risks of encouraging random scans by non-security employees:

      There are numerous reasons not to encourage random employeers to scan your network.

      1. Some badly-written scanners will DOS even well-written OSes and applications.
      2. Some legacy systems still running in corporate networks react badly to being scanned. This isn't good, but it is a reality.
      3. Who needs 1,000 identical 'Tool X' scan reports of the same network?
      4. Scanning generates extra network traffic and 'hits' on IDS systems. See previous item.
      5. Allowing random 'good' employees to run scans will make it harder to detect the 'evil' employees.
      6. How do you detect when a worm (Nimda?) or a trojan included in some shareware package starts scanning your network without the user's knowledge?
      7. What happens when 'Tool X' is distributed with a trojan, or simply hacked to silently CC the report summary to scanreport2002@hotmail.com?
      8. When 'Joe minimum wage' finds an easily exploited hole in the payroll server, you expect him to report it before trying it out for himself?
      9. Scanning random remote IP ranges can 'bring up' backup ISDN and other toll circuits, incurring a real expense.
      10. Do you encourage your average employee to check for unlocked doors and cabinets outside of their own work area, or do you have dedicated security personnel?
        ...
      I agree that somebody should be scanning the internal network, just as somebody should be checking for unlocked doors. But that somebody should not be just any random employee who takes it upon themselves to test security.
  • Companies and government agencies have found that people with sufficient I.Q. are a threat to security. People with significant intelligence can often circumvent security measures installed by large agencies and are therefore circumvention devices and considered illegal through the DMCA.

    Preliminary testing will be started in the second half of this year with disposal of the offending intellects beginning early next year.

  • Recently scientist found the astonishing amount of dead that have lived at some time before their demise.
    Prof. Harald Dumpfbacke Radab claims that by removing all living people from society, death could be reduced by up to 99.8%!
  • A lot of people seem to be posting comments that amount to "well, Duh!" in response to this, but I think there are some interesting tidbits. Specifically the observation that "48% of large companies blame their worst security incident on employees" but "75% of those questioned named external hackers and criminals as the biggest threat to security." The BBC article doesnt seem to want to extrapolate on the reason for this, but I'm willing...

    Companies like labelling the nefarious and elusive "black hat" as the primary risk because it makes it incredibly easy for them to say "There's nothign we can do!" or, perhaps in more cases, "We're doing everything we can!" This is roughly equivalent to a heroin addict telling someone that they've done everything in their power to avoid being gunned down in cold blood by their dealer. Never mind the fact that more junkies die from overdoses than from being gunned down by their dealer. Admitting the greater risk would entail acknowledging that employees aren't happy and might want to cause the company harm. This in turn indicates some flaw in the way the company conducts business, and opens them up for criticism. It's not surprising in the least that companies fear black hats more than they fear their own, because to fear their own would be to admit fault.

    I'm just curious, of the 48% that report insiders as he cause of their greatest breaches, what percentage of those could be chalked up to insane or psychotic renegade employees as opposed to employees that may have had a semi-legitimate complaint that were driven to malice by a company's own policies and practices.

    And all this USB key chain/MP3 player crap, I mean come on. If an insider wants to move data out of a company, its easy. In this arena these new devices are about as original as the floppy disk. Virtually anyone could e-mail attachments of reasonable size off site. I've never worked for a company with a proxy that blocked HTTP uploads (although I'm sure they exist) and what about the xerox machine? Should we get rid of that too?

  • And yes, some employers are enforcing security measures that would do Dilbert's boss proud. And yes, employers should work on a basis of trust with their employees.

    But to ignore the security issue is very, very wrong for a number of reasons.
    - In some cases, the employer's clients may demand certain measures be taken to protect ther data.
    - In some cases, not having proper measures against theft of confidential data, can make one liable for *huge* lawsuits if the data is stolen. (Think medical records).
    - Most importantly: in any group of employees, there'll be a couple of rotten apples in the bunch, no matter how nice and cuddly the employer. Those same employees are the ones that might steal wallets or other stuff from their co-workers desks. It's sad, but it happens everywhere, and to not be on your guard against it is plain silly.
  • It's funny. The best jobs I've had (and the worst) have nothing to do with how much money I made or the number of benifits... and everything to do with how I was treated as a human being, if I was allowed the tools and resources to do my job, if I was reconized for my accomplishments, and let known that I was a valuable part of the orginization, I would typically not be unhappy at the company.

    Then there are the places where I hated the envrionment. Management carried unrealistic expectations, and refused to give us the tools (responsibility) needed to reach the goals they set. I've never stolen from or willfully damaged company property, but I knew others who did, and understood why they did that.

    It seems that naming your employees as your primary security risk, and taking severe actions against them is throwing oil on the fire. With an attitude of 'We don't trust you, and we are going to assume you've done something wrong' is going to do nothing but make the borderline employees even more pissed off and likely to do something damaging.

    I don't think anyone starts a new job with the exepectation of being bitter, lazy, or vindictive. It takes months to years of abuse by a company before they get that way.
  • by CaptainPhong ( 83963 ) on Monday April 29, 2002 @01:51PM (#3430457) Homepage
    In the lates issue of Duh! magazine:
    Health: Cigarettes cause cancer!
    Politics: Research shows politicians like money.
    Business: Profit helps businesses grow.
    Computer security: Your employees' root access is a security threat!

panic: kernel trap (ignored)

Working...