Workers Cause More Problems Than Viruses
Technical Writing Geek writes "A new report finds that, for the first time, virus infections have slipped to the second spot on the list of computer security troublemakers. In first place— a company's own workers. 'The Computer Security Institute has just released the 2007 edition (PDF) of its long-running "Computer Crime and Security Survey," and it offers some dreary news for overworked computer security admins: average losses from attacks have surged this year. More surprising is the finding that the single biggest security threat faced by corporate networks doesn't come from virus writers any more; instead, it comes from company insiders.'"
Ignoring the Human Factor is not Bliss (Score:5, Insightful)
"CEOs are increasingly aware of the risks posed to company information by insiders, but they aren't acting on this knowledge, according to the "2004 Ernst & Young Global Information Security Survey." More than 70 percent of the 1,233 organizations surveyed in 51 countries failed to list training and raising employee awareness of information security issues as a top initiative."
A case of 'ignorance is not bliss'.
CC.
Re:Ignoring the Human Factor is not Bliss (Score:5, Insightful)
A case of 'ignorance is not bliss'.
Re:Ignoring the Human Factor is not Bliss (Score:5, Interesting)
Actually I bet the NSA is doing everything you name, except for the 256-bit thing. I'm sure they're using at least 4096-bit encryption (assuming RS). Maybe biometrics instead of the fancy passwords.
But you can be sure that the rooms are faraday cages; even the CIA does that.
(The CIA also has double walls between which they pump white noise so that people can't read the vibrations of the glass with laser meters. The building is magnetically shielded so people can't "read" the monitors of people remotely.)
Re: (Score:2)
The replacement rate is less than 1.0 if you factor out immigration. There is a bump where the old outnumber the young since the baby boomers had less than 1 child each on average. Depending on how our culture changes it may be a permanent situation. Depending on immigration can be dangerous as parts of Europe a
Re: (Score:2)
And yet the actual numbers indicate differently. Excluding immigration and emigration, more are being born than dying. Including those numbers, more are immigrating than emigrating (net gain of 1 per 26 seconds). Immigrants pay into the system as well.
http://www.census.gov/population/www/popclockus.html [census.gov]
huh? (Score:2)
Net gain of one person every..................... 10 seconds
You can't discount immigration without discounting emigration as well. But immigration/emigration don't have enough of an effect to say that without them there isn't any growth.
World Population Growth [census.gov]
The growth rate is slowing (going down), but the population is still going up.
Re: (Score:2)
I'm honestly curious what data shows no population growth? Have any links?
CIA Factbook [cia.gov] highlights:
14.16 births/1,000 population (2007 est.)
8.26 deaths/1,000 population (2007 est.)
2.09 children born/woman (2007 est.)
Re: (Score:2)
2.09 children born/woman (2007 est.)
Replacement level is generally considered to be 2.1 children/woman.
The ultimate attainable security ... (Score:4, Insightful)
The human level is the last limit. Don't focus on technology that will get you that last 0.0001% when the people running your systems will be causing the problems 100x more often.
Re: (Score:2, Insightful)
"Hiding porn on an office PC, using unlicensed software, and abusing e-mail all count as security incidents, though all pale in comparison to one successful phishing trip."
They are not even talking about "stupid" actions or even losing/corrupting/releasing data. If this is what you are measuring as a security incident, no wonder the number of security incidents being caused by insiders is going to be higher. If I am a hacker, why would I use a PC in a hacked corporate network to store my porn?
Re:The ultimate attainable security ... (Score:5, Insightful)
If I was a hacker, the last place I would store anything incriminating, is my own PC.
One of the big reasons to store off site is to use the hacked PC for free/illegal hosting. This makes it harder to trace back to the hacker, and doesn't waste resources of the hacker's PC (storage/bandwidth). Think of how long it would take to find something on a PC if it was just used as a web server, serving files stored in some rootkit-hidden directory. Virus scanners wouldn't find it, as the files aren't viral. Unless a firewall log audit, or internal port scan, picked up the web server application, it could go unnoticed for months, or maybe years. Now do this to about 20 hacked systems, and you have a semi-reliable distributed network for all your hosting needs.
Sounds like a reasonable thing for a hacker to do to me.
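The detection the comment above hints at (a firewall log audit that notices a workstation quietly serving files) can be automated. The following is an added example written for this page, not code from any poster; the log line format, the 10.0.0.0/8 internal range, the list of expected servers and the sample lines are all constructed assumptions. It reports internal hosts that accepted inbound connections on a port they are not supposed to serve, from more than one distinct peer, which is exactly the signature of a compromised box being used as a hidden web host.

```python
"""Flag internal hosts that are quietly acting as servers.

Added example for this thread, not code from the original post. It parses
a few constructed firewall log lines (format assumed: a simple
'ACCEPT src:port -> dst:port proto' layout) and reports internal hosts
that accepted inbound connections on ports not in their expected set.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: the corporate workstation/server range.
INTERNAL = ip_network("10.0.0.0/8")

# Constructed sample log lines (not real traffic). 10.0.5.12 is a
# workstation that should never accept inbound connections, yet three
# different outside peers reach it on 8080.
SAMPLE_LOG = """\
ACCEPT 10.0.5.12:51234 -> 10.0.1.10:445 tcp
ACCEPT 203.0.113.7:40000 -> 10.0.5.12:8080 tcp
ACCEPT 198.51.100.9:40001 -> 10.0.5.12:8080 tcp
ACCEPT 10.0.7.3:51000 -> 10.0.1.20:80 tcp
ACCEPT 192.0.2.44:40002 -> 10.0.5.12:8080 tcp
ACCEPT 10.0.9.9:51111 -> 10.0.5.12:139 tcp
"""

# Hosts that are supposed to serve something, and on which ports (assumed).
EXPECTED_SERVERS = {"10.0.1.10": {445}, "10.0.1.20": {80, 443}}

LINE_RE = re.compile(r"ACCEPT (\S+):(\d+) -> (\S+):(\d+) (\w+)")


def find_rogue_listeners(log_text, expected=EXPECTED_SERVERS,
                         internal=INTERNAL, min_peers=2):
    """Return {dst_host: {port: peer_count}} for internal destinations that
    accepted connections on unexpected ports from at least min_peers
    distinct source addresses. One stray connection is noise; several
    different peers hitting the same unexpected port is a service."""
    peers = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines in any other format
        src, _sport, dst, dport, _proto = m.groups()
        if ip_address(dst) not in internal:
            continue  # only interested in inbound to our own hosts
        dport = int(dport)
        if dport in expected.get(dst, set()):
            continue  # a legitimate server on its known port
        peers[dst][dport].add(src)
    return {
        host: {port: len(srcs) for port, srcs in ports.items()
               if len(srcs) >= min_peers}
        for host, ports in peers.items()
        if any(len(srcs) >= min_peers for srcs in ports.values())
    }


if __name__ == "__main__":
    for host, ports in find_rogue_listeners(SAMPLE_LOG).items():
        for port, count in ports.items():
            print(f"{host} accepted connections on {port} from {count} peers")
```

The threshold matters: the single SMB connection to 10.0.5.12:139 is ignored at the default of two peers, while the three outside peers on 8080 are flagged. Run it periodically against the real log and review anything flagged with the same suspicion as the port scan the comment suggests.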
Re:Ignoring the Human Factor is not Bliss (Score:5, Insightful)
What you need are good audit and logging procedures, to help you pinpoint the vector of intrusion, and to minimize the damage caused. That's a basic principle for financial systems, and it's one that could benefit from being extended to general users.
The goal is not even to do big brother crap (though this could be misused that way) but simply to have an accurate record of what's going on in your systems. Once you have that, all other problems can be addressed more effectively, and solutions can be generated that can provide security without overly hindering users. If you don't have an accurate idea of how your systems are being breached, you're forced to employ blanket policies that hinder productivity and breed dissatisfaction.
Re: (Score:3, Insightful)
It's not really an often-pursued option these days, however.
Yes, but... (Score:3, Interesting)
Re: (Score:2)
Still, intelligent accurate logging on
Re: (Score:2, Insightful)
Most organizations have several classes of employee, one including those who could easily walk away and be employed at double or more times their salary the same afternoon. There's another class of employee that most organizations have, consisting of those who will put up with a great deal of abuse, disrespect, and follow any unreasonable or quasi-reasonable rule or workplace condition, because the balance of their value of job security falls in favor of
Re: (Score:2)
That's why you would employ an IT security specialist.
Putting a lock on a vending machine seems reasonable, but none of your employees are thieves, right?
Re:Ignoring the Human Factor is not Bliss (Score:5, Insightful)
If Cindy from HR calls me and I have to verify that she is, in fact, Cindy from HR, every time she calls me, that reduces my productivity by a certain amount.
There are ways to spend money instead of reducing productivity (like installing dedicated phones between offices that don't link to the POTS network), but losing money is hardly better than losing time.
The moral of the story is, until losses from poor security exceed losses to productivity caused by rigorously following security protocols on average, people will not be inclined to rigorously follow those protocols.
Re:Ignoring the Human Factor is not Bliss (Score:5, Insightful)
It requires an upfront investment of time to implement and maintain the system, but it beats the hell out of spending your week re-ghosting all of the computers in the accounting department because some ex-employee decided it would be funny to install a back door, and now you have to lock down every system he had access to and also try to figure out what he could have leaked so you can notify your soon to be ex-customers of what you lost. Feel free to repeat every month or so, depending on the size of your organization.
Or, you could give users a limited access account (which is easy to do even in windows), implement a sane permission system on your servers, implement something like a kerberos server, and make your employees read and sign a "good security practices" memo once a year so that they understand your policy and why it is important.
Security is time well invested.
Re: (Score:2)
Just having a bunch of protocols for people to follow just creates an illusion of security. It doesn't create real security. If you are actually depending on a protocol to protect you, then someone will probably figure out that the way to do wrong is to violate that protocol.
What matters is the implementation of security. If an implementation of security requires a great deal of work on the part of the employees, you are pretty much gu
Re: (Score:3, Funny)
Yeah but it could produce some good phone sex...
Excuse me ma'am but I have to ask you a few questions to validate your identity, please bear with me.
What are you wearing? What are you wearing *underneath* that? Are you getting hot? Oh baby do you love it? Yeah thats the way...
Re: (Score:2)
John's calling down and telling the helpdesk that a certain order is screwed up. It needs to be changed so that he can finish it. What the helpdesk doesn't realize is that John's getting changes made so that he can take order incentive away from Bob. The changes are minute, so Bob doesn't catch on for a while. He's new.
So why does Bob's password always get lo
Re: (Score:2)
Whoop-de-doo. Apparently 70 percent of companies have more important 'top initiatives'. I'm surprised that it's not even higher. And in fact, I suspect that most of the companies that listed this in their top initiatives have more top initiatives than there are days in a year, ensuring most of them won't get any attention anyway.
Norton Anti-Worker (Score:5, Funny)
Re: (Score:2)
Vista has M$'s own version integrated already.
Re: (Score:2)
I thought they already had that. You mean Norton Anti-Virus isn't supposed to be a paid 3-hour break when it runs the IT-required full scan?
This has been the case for a long time (Score:3, Informative)
Re:This has been the case for a long time (Score:5, Insightful)
Yeah, we had a guy calling people in our office asking for voicemail passwords. He dialed through a company in New Jersey one day, California the next. Our system doesn't allow dialing out through the voicemail system so we weren't really vulnerable but we have a simple policy which is very easy to understand. It says no one will ever ask for any password in person, email, or over the phone. IT does not need your password for any task whatsoever so never give it out.
Time came with this guy calling and asking, and surprisingly no one gave him their password. My faith was restored. Of course this is a reasonably small company. Make it simple and people will follow it, though. They can even encrypt their stuff and I still won't need their password ever because I have the recovery keys. All the mechanisms are there, so it's up to sysadmins to make it simple and easy for regular folks to understand. After all, the folks in accounting know more about taxes than I do because that is their job. I know a little about how our taxes are calculated because I've needed to, just like they've had to learn a little about security practices. I'd say it's as fair a system as any.
How is that surprising? (Score:2)
I work with my Dad (Score:5, Funny)
God forbid you leave your iPod near him!
Really? (Score:2)
Duh (Score:5, Insightful)
USB thumb drives are an ongoing headache, and an attack vector on top of that. I'm forced to wonder how serious any of these issues would be if we didn't live in a Windows-centric world.
Re: (Score:2, Insightful)
If your current IT environment isn't capable of supporting my needs then fix it.
Re:Duh (Score:5, Funny)
If your current IT environment isn't capable of supporting my needs then fix it.
If your current needs outstrip the capabilities of our current IT environment, then fund the upgrade.
mv shoe otherfoot
Re:Duh (Score:4, Insightful)
The problem is responsibility. The IT department doesn't want to be responsible for a poor software choice that they had absolutely no input on and for which there were any number of superior alternatives. You might say that everyone wants to go to the party, but nobody wants to hang around afterwards to clean up the mess and it is always the IT department that is left without a chair when the music stops (even if IT did not champion the culprit software and was ordered to "just install it").
If your current IT environment isn't capable of supporting my needs then fix it.
It is often the case that this requires money which nobody ever wants to provide for more "expensive IT toys" and so problems go on until they become so notorious that somebody higher up actually approves a last minute purchase or budgets staff time to research and fix the problem.
Re: (Score:2)
And we're tired of being given software that's already been bought, being told it should do X when in fact it does ( x/10 ) due to vendor lies, and being told to fix it.
IT should be consulted from start to finish when purchasing
Re: (Score:2)
No shit. We are support staff, I know this. What you don't know is the work required to make applications work in a Windows environment. There is so much work, and we are often so short on resources, that by working with the IT dept to find something that we know will integrate well in our environment you save us a ton of time and energy, not to mention the company's resources. Which, btw, happens to help you do your job better.
But please, c
Re: (Score:2)
Today I've had the fun of a guy that discovered that an overflow in a big geophysics program with a lot of users on the same data is giving him hassles, and he wants to keep on playing with feeding it more garbage to see why the overflow made the program fail in different ways with different degrees of database corruption. It was very difficult to convince him to stop feeding it the character that makes it redirect its output and execute arbitrary stuff that comes after it. It's very h
Re: (Score:2)
My theories are:
a) You're trying to protect your precious, precious karma, or
b) You're trying once again to shill
Your thoughts?
Security vs. Performance (Score:5, Insightful)
If we give every employee access to everything, yes problems will happen. But if we give most employees access to most things their jobs are a lot easier, and more work gets done (or the same amount of work gets done, but with less stress and overworking).
If one of our employees decides to steal information, we'll deal with it with that employee, but that's as far as we go. We can't live in fear of an inside attack just because it's more likely than a virus (especially for a linux only shop like ourselves). A balance must be struck between full access and full security.
I guess there's something to be said... (Score:2)
...for hiring robots. Unless of course the robots are infected with a computer virus...
watch out for repair man (Score:2)
Mitnick is right (Score:3, Insightful)
Re:Mitnick is right (Score:4, Insightful)
Don't pass the blame. Deal with the problem.
Re: (Score:2)
I'm talking favorite-sports-team or granddaughter's-name simple.
We have a password policy that mandates pwds of min 7 chars, containing 3 of (upper, lower, num, symbol), changed every 180 days. These accounts just haven't expired the passwords yet. The policy also states Thou Shalt Not Write Thy Passwords on a Sticky, at least not where everyone can find it. Lusers don't listen, of course, because they're special.
Hmmmm... (Score:2)
PEBKAC (Score:5, Informative)
This is largely fixed by changing/following protocol (although following PCI would not have eliminated the TJX breach, just limited it): dictating access limits to machines, enforcing those access limits through user and key management, enforcing segregation of data by pushing it back from the user space, etc.
In a lot of cases, these things can be eliminated only through design, not draconian regulations. By design I mean something separate from limitations. A limitation (for example) would be to block any traffic going to popular webmail accounts through a browser. This is pretty easily circumvented by a half dozen trivial (read: largely non-technical and non-threatening) solutions. A design solution would be to incent users to use the internal mailing system to organize their mail and to VPN to it while away. Using Outlook as a primary means to communicate makes me pine for the responsiveness and search functionality of Gmail. Eventually, rules be damned, I will migrate my work email to Gmail (assuming I'm not security conscious) because it offers so many inherent advantages. The solution, then, being to eliminate those advantages.
Without that, you are in the same boat that you were before. More rules, but the same incentive to break them.
Re: (Score:2)
Also, damn google for not just linking my search result as an actual page.
Re: (Score:2)
"Internet access" is requested, in order to facilitate communication (read, status updates, keep track of work process, on-line manuals). "Internet access" is granted -- um... sort of.
No "web mail" is permitted. No "ssh" connection is permitted. No internal email address is supplied. Basically, no email is allowed.
No browsing is permitted, except on one Windows XP based machine (I work on Unix). It is possib
Re: (Score:2)
In that case, we are both talking about the same kind of failure: a company feeling that total restriction means security. It's inherently not true. When I wrote about webmail being superior to local email in a lot of cases for a lot of companies, I was referring to some intrinsic superiority (portability) and some non-intrinsic superiority (ease of use, file storage limits, searchability, 'smart' contact lists).
The best way for the company to limit use of the web
Reminds me of Fawlty Towers.... (Score:2, Funny)
Of course they come from the inside (Score:3, Funny)
This is why... (Score:2)
It's Workers Because (Score:3, Funny)
using unlicensed software is not 100% the workers. (Score:2)
Its the lusers fault ... (Score:3, Funny)
Duh! (Score:5, Insightful)
But yeah, most problems are user related. Broken pins on power adaptors, caused by users jabbing the plugs into their laptops; out of hard drive space, fixed by deleting their iTunes; computer running slow, I go and remove tons of crap the user has installed; user has e-mail bouncing, because user had ignored notifications from IT that they were approaching their e-mail quota; Illustrator on the Mac will not start because user has deleted system fonts; modem not working after user used modem during lightning storm (I am actually looking at my tickets as I am writing this, these are my tickets).
Re: (Score:2)
In theory you could figure out exactly which files and registry keys the poxy things need write access to, but that's almost never documented, and it's better for them not to write to hkey_local_machine anyway.
CSI study is, and always has been, crap (Score:3, Insightful)
It's called non-response bias.
They admit right up front that the results (even if there were no non-response bias) don't generalize to IT in general, since their members are not drawn from IT in general.
Don't alienate users (Score:3, Insightful)
I don't mean, alienating them as employees — that's another story. I mean alienating them as computer users — by bullshit like blocking certain sites or other services (such as instant messengers), in particular.
You will then not have to chase the violators and waste time (money) on the fruitless pursuit... The pursuit, which also severely hampers the productivity of the best of your users... "Access from home? No, you'll need five approvals for me to allow that."
is ignorance cheaper? (Score:2)
*dreary* news? (Score:2)
So bring on the new attacks, the more determined villains, the organised crime groups. It's the closest thing to a job for life I'll ever have.
Workers bad! viruses good! (Score:2, Funny)
The only logical conclusion (Score:5, Funny)
Inside Job (Score:2)
No big surprise (Score:4, Insightful)
Solutions cause more problems than workers (Score:4, Insightful)
So let's look at the possible solutions. We've got "lock everything down" in the lead - that's fine in its way but causes worker dissatisfaction because they can't use the creative solutions they've developed, can't use the tools they're used to in the way they're used to, etc. Ultimately, if you get things limited to the point that all possibility of damage is prevented you've also created a situation where productivity is severely limited or prevented. And it's just a matter of time before it's pointed out to you that you weren't as secure as you thought you were.
Then there's the "monitor and log everything" plan - give the users a quick class in acceptable use of IT assets then "correct" anyone who violates the rules. This overlooks the very real truth that most of the harm caused by users is not intentional; it's almost always an unexpected result from a silly mistake. The result of this plan is to create an environment of fear where everyone is careful to follow the rules exactly, won't do anything that's "not my job" and if something goes wrong nobody saw anything. Ultimately you end up with all the problems you had before but with no useful information on how it happened / how to prevent it from happening again - and low productivity due to the workers being unwilling to do any more than necessary.
The real answer is that you can't solve personnel problems with technological solutions. Forget what they taught you in your MBA program and what the security software vendors told you; treat the workers like human beings and help them to understand what can go wrong and how to avoid it. Remember that IT's mission is to support the workers. Offer classes on information security, available to all, and on paid time so they'll have the chance and ability to take part. IT works much, much better when the rest of the corporate staff are partners, not antagonists.
IT Tips we could do without (Score:2)
TIP #5: Good Passwords
Never write down your password! Instead, try to come up with passwords that are hard to guess but easy to remember. For example, you could use the first letters of a favorite rhyme and add some special characters. Such as:
Hickory dickory dock, the mouse went up the clock.
Might become: Hd2,tmwutc.
Do ya *really* think that 'Hd2,tmwutc.' is easy to remember? If so, you must be an IT pro! If not
Re:IT Tips we could do without (Score:4, Insightful)
Actually that is easy to remember: the name of the rhyme you used plus the fact that you take the first letter of each word. The rhyme itself should come to mind instantly once you think of the name. The problem is that it's so hard to extract the letters and type it in that even I wouldn't want to have to use it.
And frankly, concentrating on password security misses the obvious: most attacks these days aren't on the passwords. Why should I (as an attacker) waste my time trying to crack your user's passwords when I can send them a simple phishing e-mail that'll get them to give me their passwords? Or maybe just a little trojan disguised as a neat-o screen saver or Web control that'll silently grab all the saved password lists from IE, Outlook, OE, etc. and send it to me? Or that'll install itself under your user account, authenticated and all, and let Windows handle the details of supplying your credentials whenever I want to do something? The big problem isn't keeping unauthorized users out, it's in what authorized users do with their authorization that they shouldn't be doing but are allowed to do anyway.
Re: (Score:2)
I have still not convinced one of our directors that 'director' may not be the best password in the world... or that another one whose name is David should perhaps reconsider having 'david' for a password.
They just don't seem to be able to get it through their heads.
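Two of the comments above describe the same gap from opposite sides: the policy of at least 7 characters from 3 of 4 character classes, and directors whose passwords are 'director' or their own first name. A complexity rule alone accepts 'D1rect0r!', so a useful checker also undoes the common substitutions and looks for the account name or job title. The following is an added example written for this page, not code from any poster; the substitution table, the hint list and the sample passwords are assumptions, and the passphrase 'Hd2,tmwutc.' is the one quoted in the tip below.

```python
"""Check a candidate password against the policy described in the thread.

Added example, not code from any poster. The policy is the one quoted in
the thread (at least 7 characters, 3 of the 4 classes upper/lower/digit/
symbol), extended with a check that rejects passwords built from the
account name or job title, which the complexity rule alone does not catch.
"""
import string

# Assumed table of the substitutions password-cracking rules undo first.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def char_classes(pw):
    """Number of the four character classes present in pw."""
    return sum([
        any(c in string.ascii_uppercase for c in pw),
        any(c in string.ascii_lowercase for c in pw),
        any(c in string.digits for c in pw),
        any(c in string.punctuation for c in pw),
    ])


def normalize(pw):
    """Lower-case and undo the substitutions so 'D1rect0r' reads 'director'."""
    return pw.lower().translate(LEET)


def check_password(pw, username="", hints=(), min_len=7, min_classes=3):
    """Return a list of policy violations; an empty list means it passes.

    hints are words tied to the account (job title, first name, company)
    that must not appear in the password, forwards or reversed, even
    after common substitutions."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if char_classes(pw) < min_classes:
        problems.append(f"fewer than {min_classes} character classes")
    norm = normalize(pw)
    for word in (username, *hints):
        w = word.lower()
        if len(w) >= 3 and (w in norm or w[::-1] in norm):
            problems.append(f"derived from '{word}'")
    return problems


if __name__ == "__main__":
    # Constructed sample accounts, not real ones.
    samples = [
        ("director", "dsmith", ("director",)),
        ("D1rect0r!", "dsmith", ("director",)),
        ("david99!", "david", ("director",)),
        ("Hd2,tmwutc.", "dsmith", ("director", "david")),
    ]
    for pw, user, hints in samples:
        print(pw, "->", check_password(pw, user, hints) or "ok")
```

Note what each sample demonstrates: 'director' fails twice (one class, and it is the title); 'D1rect0r!' satisfies all four classes and still fails because the substitutions are undone before the hint check; 'david99!' is rejected on the account name; the rhyme-derived password passes. The hint list is the part worth maintaining, since it is where the organisation's own guessable words (product names, the building, the CEO's dog) go.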
Rabbits, possums, rats, sparrows, thistles (Score:2)
Re: (Score:2)
I use another medical saying: "An ounce of prevention is worth a pound of cure". I would much rather have someone put up with a slightly slower computer or an odd (but usually documented) malfunction than spend hours fixing their machine because they ran an executable from an email of unknown origin. And while this is far from scientific, I've never had problems using AVG (or other non "big name" brands).
Re: (Score:2)
How long does a wipe/install take, anyway?
Re: (Score:2)
Much like the wankers who write "begs the question" when they mean "raises the question".
They have a bright future in management, in other words.
MOD PARENT DOWN (Score:2)
Re: (Score:2)
I'm trying to come up with an intelligent response to your post, but every time I re-read that sentence I start cracking up again.