IT and Security Professionals Think Normal People Are Just the Worst (zdnet.com)
Two new studies reaffirm every computer dunce's worst fears: IT professionals blame the employees they're bound to help for their computer problems -- at least when it comes to security. From a report: One, courtesy of SaaS operations management platform BetterCloud, offers grim reading. 91 percent of the 500 IT and security professionals surveyed admitted they feel vulnerable to insider threats. Which only makes one wonder about the supreme (over-)confidence of the other 9 percent.
[...] Yet now I've been confronted with another survey. This one was performed by the Ponemon Institute at the behest of security-for-your-security company nCipher. Its sampling was depressingly large. 5,856 IT and security professionals from around the world were asked for their views of corporate IT security. They seemed to wail in unison at the lesser and more unwashed. Oh, an objective 30 percent insisted that external hackers were the biggest cause for concern. A teeth-gritting 54 percent, however, said the most extreme threat to corporate IT security came from employee mistakes.
Users have been the problem forever (Score:5, Insightful)
Re: (Score:2, Insightful)
I am pretty sure that electricians in the 19th century blamed electrocutions mostly on user error. A lot fewer of those happen these days and users have not become smarter. Instead, appliance and building engineering standards and certification requirements have evolved.
Re:Users have been the problem forever (Score:5, Insightful)
Yes, a computer system without users would be very safe but not that useful. But the real problem is that systems themselves allow users to do stupid things in the first place or provide no easy alternative. Here is an example:
I want to download and run an application from the internet; that seems like a reasonably common thing to do. However, how do I know it is safe? Search the internet? OK, but there may be fake sites saying it is safe, or it may be piggybacking on a valid program. Run a virus checker? Well, OK, but it could be a virus that isn't picked up by that checker, and the virus checker should run automatically anyway. But you need to run the program, so you do.
What would be nice is an option like "run untrusted", which starts a VM automatically and runs it there, and checks that nothing bad has happened to your computer as well.
I believe the responsibility lies mainly with IT. We should make it easy for the user to do what they need to do; we are the experts, and we need to take responsibility for it. Yes, it is hard and you cannot always fix it, but we should always be trying and not just blame it on the user.
Re: (Score:3, Interesting)
What I hate as a sysadmin is when I do wander from my dark, trance-music-filled office, I get ambushed by people wanting everything. I'm sorry, I cannot and will not teach you how to format a Word document. It's your tool, learn how to use it. Ditto Excel formulas, wanting me to troubleshoot your email on your phone (I will not touch personal devices), and it goes on and on and on. I hate dealing with end users. Just let me write my code on my servers and leave me be. It's not my job to educate you on how to u
Re: (Score:3)
Yeah this is a tricky area. Oftentimes, you see lazy employees who want you to train them... if you do, you just make your life worse and potentially help a subpar employee stay employed. I think the idea of pointing them to learning videos is the way to go... if they are willing to learn they will, if they aren't, tough.
Re: (Score:3)
OK, it is not them, it is us. The average IQ is 100, so 50% of people are below that. I've used computers for quite some time and, well, they are tricky to use and to get the most or even a reasonable amount out of them; they just are. I reckon that below an IQ of 115 they are a struggle to use, and you have to go over IQ 125 to be really good at them, and even then you have to keep up.
In the IT field, the IQs are pretty high and they tend to define usability based upon their experience, which compared to the normies,
Re:Users have been the problem forever (Score:5, Insightful)
It ain't the users. It's the products.
They market themselves as easy to use and then ship with innumerable security holes and deficiencies. Half of them think they are in a living room with everyone in the same broadcast domain and spew exploitable multicast everywhere, or want you to punch holes in your network to accommodate them. Cloud services tell users to just put your data up here, with no mention that they keep getting p0wned by leaving it up in unprotected mongodbs/repos accidentally. CDN-based apps with their thousands of IP addresses all shared by other services make L4 security filters impossible to define. Wifi supplicants and VPN clients which don't have any sane way to install, much less find, a corporate configuration profile that actually locks down the protocol sanely. Unmerited complete trust in DNS results. Self-help support operations that take opaque data dumps including PII, IP, and crypto keys over email to some outsourced support center who knows where.
So it's nearly 2020, and the bright side is you almost never see telnet servers in products anymore. That took decades. In the meantime we are inundated with new attack surface daily.
90+% of all my problems, many of them security related, are because people want to use product X and product X is a dumpster fire. I don't blame the people for wanting to use it. It's what they were shown in an advertisement, and everyone they know is using it. I blame the manufacturers of product X for shipping crap.
Re: (Score:2)
I don't know of a single, NOT A SINGLE, computer program that works as it's supposed to with other programs. The result is that the IT guy blames the user, the user blames the IT guy.
Computing isn't rocket science (thank god, because otherwise, rockets wouldn't function either). The field is in a constant state of flux, all the time everything is being changed/updated, made to not work, outdated, now you need licenses for shit that never needed licenses before, things are going to the cloud, hardware chan
Re: (Score:2)
checks that nothing bad has happened to your computer as well
I eagerly await your explanation of how you can actually check for this. Keep in mind you have to catch zero-days. And "bad things" that didn't happen to do anything at the time you were testing them.
Re: (Score:2)
While it's real easy to come up with ideas, in the real world they need to be viable. "Nothing bad"? How do you even define that? If I am finished with some files on my computer and I decide to wipe the whole folder out of existence how does my PC know I intended to do that, or if it is some malware trying to trick it so it can wipe out my personal fil
Re: (Score:3)
Isn't this what browsers are now? A VM that web apps run in, safely isolated from the rest of the system?
Re:Users have been the problem forever (Score:5, Funny)
The best part is two weeks later we did it again. Several people were found with new sticky notes. (One under the keyboard.) These people were given written notice that they would be terminated if it happened again. One person did not believe them; he was terminated for cause about a month later.
I really enjoyed removing his accounts.
Re: (Score:3)
Did you advise the client that their password policy may be too onerous?
I've worked at places that required unique passwords for many different systems, all expiring on different schedules, no reuse, ever. Which means the passwords get written down because remembering all that is not all that feasible.
For those who would respond with "Just use a password manager!!!!": you've just violated the policy, since all those systems now have one password. Also, it's a little hard to use a password manager for initial login in areas that forbid any outside electronics.
Re:Users have been the problem forever (Score:4, Interesting)
Did you advise the client that their password policy may be too onerous?
For those who would respond with "Just use a password manager!!!!": you've just violated the policy, since all those systems now have one password. Also, it's a little hard to use a password manager for initial login in areas that forbid any outside electronics.
Nope, because their password policy was fairly lenient for a company with a security focus.
We allowed and encouraged people to use password managers. I personally offered training sessions on a number of different password managers. (Almost no takers.)
If they had written down their login password and stuck it in their wallet we would have had no problem with that. We were really going after the lowest of the low hanging fruit.
Re: Users have been the problem forever (Score:4, Insightful)
The problem with this advice is people cracking passwords don't just go through the alphabet, they use dictionaries. Since you're using words, you made their attack far more likely to succeed because the space of possible solutions is much, much smaller than "every character, number and symbol".
Using dictionaries makes it easier, but that doesn't mean the passwords aren't any good.
Pick 4 words at random from a very simple 2,000-word dictionary and it's roughly the equivalent of a 7-character password using alphanumerics and basic symbols. If you pick them from a 6,000-word dictionary then it's the same as a 9-character password. That's assuming a dictionary attack.
You can also repeat words without much penalty. "purpletablepurpletablepurpletable" is 6 words; even using a 2,000-word dictionary that's equivalent to a 10-character password. With a 6,000-word dictionary it's 12 characters. And it's insanely easy to remember no matter which words you pick.
You can also do fun things like combine languages. This is easier for people who are multilingual, but anyone can do it. Pick 3 words from 3 different languages. Random example: "I like cheese" in Albanian, Japanese, and Danish: "une suki ost". There's a 10-character password (12 if you use spaces) which is very memorable and which makes dictionary lists useless. Want it longer? Add the word "green" in English, and now you're up to 15-18 characters. That's only slightly weaker than the password "!e?@D71?kkvA", but infinitely easier to memorize.
I use random passwords too, but those get stored in a password manager. For the password manager itself, or for any passwords which I have to type frequently, using actual words is the only way to go.
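The "equivalent character length" arithmetic in the post above, worked through as an added example (not code from any commenter). It models the dictionary attacker the post assumes (attacker knows the word list, words chosen independently) and compares against a character password over a 72-symbol alphabet (alphanumerics plus about ten basic symbols; that alphabet size and the six-word sample list are assumptions). It also gives the repetition-aware estimate for phrases like "purpletablepurpletablepurpletable": an attacker who also tries "k unique words repeated" patterns only has to search the unique words, which is the caveat a defender would want next to the 6-word count.

```python
"""Passphrase vs. character-password search-space comparison (added example)."""
import math
from typing import List, Optional, Set, Tuple

# Constructed sample word list used only for segmenting demo phrases; the
# modelled attacker dictionary size (2,000 or 6,000 in the post) is passed in.
SAMPLE_WORDS: Set[str] = {"purple", "table", "correct", "horse", "battery", "staple"}

# Assumed alphabet: 26 lower + 26 upper + 10 digits + ~10 basic symbols.
DEFAULT_CHARSET = 72


def passphrase_bits(dict_size: int, n_words: int) -> float:
    """log2 of the search space for n independently chosen words from dict_size."""
    return n_words * math.log2(dict_size)


def password_bits(length: int, charset: int = DEFAULT_CHARSET) -> float:
    """log2 of the search space for a random character password."""
    return length * math.log2(charset)


def equivalent_chars(bits: float, charset: int = DEFAULT_CHARSET) -> float:
    """Length of a random character password with the same search space."""
    return bits / math.log2(charset)


def segment(phrase: str, words: Set[str]) -> Optional[List[str]]:
    """Split a run-together phrase into dictionary words (prefix DP).

    Returns None when the phrase cannot be built from the word list, which is
    how a defender-side checker would tell "dictionary phrase" from "random".
    """
    n = len(phrase)
    best: List[Optional[List[str]]] = [None] * (n + 1)
    best[0] = []
    for i in range(1, n + 1):
        for j in range(i):
            prefix = best[j]
            if prefix is not None and phrase[j:i] in words:
                best[i] = prefix + [phrase[j:i]]
                break
    return best[n]


def effective_bits(phrase: str, words: Set[str], dict_size: int) -> Tuple[float, float]:
    """Return (naive, repetition_aware) bit estimates for a dictionary phrase.

    naive: every word position independent, i.e. the post's "6 words" count.
    repetition_aware: attacker enumerates the unique words and the repeat
    pattern; only unique words contribute, plus log2(total words) as a rough
    cost for guessing how many times to repeat them.
    """
    parts = segment(phrase, words)
    if parts is None:
        raise ValueError("phrase is not composed of dictionary words")
    naive = passphrase_bits(dict_size, len(parts))
    aware = passphrase_bits(dict_size, len(set(parts))) + math.log2(len(parts))
    return naive, aware


if __name__ == "__main__":
    for dict_size, n in ((2000, 4), (6000, 4), (2000, 6)):
        b = passphrase_bits(dict_size, n)
        print(f"{n} words from {dict_size}: {b:.1f} bits ~ {equivalent_chars(b):.1f} chars")
    naive, aware = effective_bits("purpletablepurpletablepurpletable", SAMPLE_WORDS, 2000)
    print(f"repeated phrase: naive {naive:.1f} bits, repetition-aware {aware:.1f} bits")
```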
Victim blaming is NOT a solution (Score:4, Insightful)
That comment does NOT deserve "insightful" moderation.
It's just cheap-shot victim blaming. The people who are supposed to make things better blaming the victims they failed to help and protect.
Actually I blame Microsoft. One of the main keys to Microsoft's "success" and perhaps the main source of their YUGE profits was their leadership in escaping responsibility for mistakes. Read your EULA. Whatever happens to you, whatever damage you, your company, or your customers suffer, no matter how egregious the phuckup, you will find that Microsoft's "legal" liability is quite precisely limited, and in most cases limited to nothing at all. It didn't have to be that way, and if Microsoft (and other corporate cancers) had been held liable for their mistakes, you can be certain they would have been more careful. There's a reason they call it moral hazard.
(Microsoft's other key tactic was minimizing direct sales to the suckers... Er victims... Er, I mean end users. The very honorable end users, and it doesn't matter how much they wind up cursing Microsoft after the fact. Just recently I provided some technical advice on some new machines, but I could not persuade them to even consider skimping on one of the Microsoft taxes. They insisted on paying the OS tax and the MS Office tax to boot.)
Not the saddest part. That's the lack of a solution approach. The solution is obvious, but it will never happen.
Imagine cutting Microsoft into competing companies. NOT vertically, but horizontally. Each baby Microsoft would start with a copy of the source code and an equal share of all the corporate resources. Windows and Office would be standards, and the people would actually have the freedom to buy from the baby company that gets most serious about improving the security of the software.
(My delusional implementation strategy would involve a progressive profits tax linked to market share. It is not a penalty for success. Rather the higher tax rate is a penalty for reducing freedom and the lower tax rate (after dividing the company as needed) is a reward for reproducing the good ideas into separate companies.)
As usual, time's up, but I bid you ADSAuPR, atAJG.
Re: (Score:2)
It's just cheap-shot victim blaming.
When users petition management for things that shouldn't be allowed---and occasionally get them---then it is quite reasonable to blame both them and management.
The people who are supposed to make things better blaming the victims they failed to help and protect.
If users won't follow a particular security guideline, we have a choice. Either we need a security service costing $XXXXX to prevent The Bad Thing from happening, or we need to block functionality A, B, and C which the company paid $YYYYY to deploy.
If management refuses to enforce the security guidelines and refuses to pay for mitigating measures, th
Re: (Score:3)
And ignoring the customers is even worse than victim blaming. However you go even farther down when you start attacking the customers, especially when you are attacking them for having problems that gave you the opportunities to solve those problems.
Must be some kind of troll response.
I think it is a waste of time to attempt to be more clear, but I'll invest a few keystrokes.
If the customer wants to do something that is too dangerous, then you have to explain why it can't be done. Or, even better, you have
Re: (Score:2)
It really doesn't matter who mac, linux, microsoft, android, if that's where the money is thieves will find a way to get to it.
In Soviet Russia, Trojan Exploits YOU! (Score:3)
These rules have been in my sig (and are better explained there) for going on a decade now. For how old these rules are, they still apply. Every virus in the last 10 years exploits 1 or more of these rules. The more you are aware of them as an IT professional, the better your system design will be at mitigating risk.
Laws of computer stupidity
1) 99% of computer users do not know what they are doing.
2) Computer users do not read.
3) If a computer user can click on it, they will. Conversely, if a computer user
Re: Users have been the problem forever (Score:4, Insightful)
I'm in the 9%. I'm not overconfident... I just realize that treating staff like potential enemies is a losing proposition.
I have lawyers to deal with employees who violate my trust. Until it's time to get the lawyers involved, it's better for everyone if I assume they're trustworthy.
I focus my efforts on the authentication and accounting side of the problem and handle authorization with a very light touch. Make sure you are who you claim to be and make sure I know what you did. Then get out of the way and let you do your job.
Re: (Score:3)
But staff are potential enemies.
Having a record showing that Jane Doe in accounting downloaded every document in the office and sent it to China does you no good when she explains that she was just trying to run some Excel macro she found online.
So you can't just get out of their way. How much you get in their way is the balance that must be found.
Re: (Score:2)
If I knew that those employees were receiving ample training... but sadly most companies just don't really give their employees the training. I work with smart, educated people, but that doesn't make them tech savvy, and if no one takes the time....
Re: (Score:2)
But that invoice from somebody they've never heard of, that's still cool to open, right?
True story (Score:2)
Working as IT in a small business retail store. Customer walks in and asks "Hey, can I have your Wifi password?" and a non-tech person just handed it over. Said non-tech person also used the same password for full admin access on their Windows Server machine.
Needless to say, once I was made aware of this, passwords were changed, and now the wifi password is unique from everything else, just in case some bumbling idiot decides to hand it out again.
Wish I could mod this entire "story" as Flamebait (Score:3)
Re: (Score:2)
Oh very much, yes.
"Users" are the problem causing security breaches, just like "wheels" are the problem in car accident fatalities. Sure, they're an easily identifiable point in the causality chain, but there are a lot of underlying factors that need to be considered.
People, including users, generally try to do what's right. In almost every case, the source of the problem falls into one of three categories:
Technophobes (Score:3)
We all know it's true; when it comes to technology, most employees are idiots. Management too.
I want to blame the technology companies a bit here; UX design is the root cause of a lot of these problems. It's bad enough on its own, but companies like MS continually make radical UX changes between versions, making it even worse.
Back to employees, however: a lot of them don't see the need to increase their skillset. They grudgingly use the technology, but refuse to become proficient with it. They adamantly refuse to accept that were they more knowledgeable with the tech they were using, they'd do their jobs better.
So these results don't surprise me at all.
Re: (Score:2)
Windows 95 until Windows 8 were all pretty much identical from a UX standpoint...
Uh... I don't think you're paying attention. Look at the login screen from 2000 to now, as just one small example. Start menu too. Control panel? Task bar?
And that's not even getting into how radically Office's design changes between versions.
Re: (Score:2)
The key to good user interface/user experience design is to have and to mediate a simple, straightforward mental model of the system to users.
The mental model also has to fit to how the users work, not to how the system works inside.
If you don't do that, there will always be people who will never learn the system's model, but only the steps necessary to get by doing their tasks.
It should go without saying that you must not ever turn that model up-side down in an upgrade to the system.
Unfortunately, there ar
Re: (Score:2)
We all know it's true; when it comes to technology, most employees are idiots. Management too.
My response is when you hate the people you work for, and you hate the people that are the reason that you have a job....
Shouldn't you be in a different career? Life is too short to be the smart guy surrounded by idiots.
Re: (Score:2)
Life is too short to be the smart guy surrounded by idiots.
I rather enjoy being the smart guy surrounded by idiots.
Honestly, everyone is an idiot about some things. I am great at Computers, fixing machines, building. I can speak in public, and even sing a little. But if I did my taxes myself, I would end up in jail!
I hate it, I don't understand it, I don't want to understand it. Why do I have to do it when they already know all this. (Insert temper tantrum here.) Fortunately I am in a place in my life where I can throw money at an accountant and make the problem
Re: (Score:2)
Never said I hated them. But a spade is a spade, and when it comes to technology these folks are spades.
Re: (Score:3)
A lot of assumptions going on there. I don't treat any of my employees poorly. My private opinions are just that; private.
Well there ya go. Pretending to be a nice guy while holding the people responsible for your employment in contempt. Now we're coming to an understanding.
I'm the IT guy everyone goes to because I'm the only one who gets shit done ( suits or no ).
The problem is a large swath of minimum wage employees suck up an inordinate amount of time for stupid shit: constantly forgetting passwords, forgetting how to use the same software they've used for over a decade, complaining their computer is broken when the monitors are powered off, etc., and every one of them blames me by proxy because I'm the computer guy.
I'll bet your contemptuous attitude comes right out. So is it unbearable when you fix something simple? Just terrible that a person such as yourself has to stoop to working with these idiots who in no way are your equal?
Now seriously, your attitude comes across loud and clear even in these posts.
Look, I'm happy for you; you get the sweet job of only supporting a small subset of competent people. Try working a real IT job, where you have to support folks top to bottom.
Here we go. By the way, they actually were not competent
Re: (Score:3)
Yea, you're not actual IT. You're a computer concierge.
Okay, apparently I lack the deep seated insecurity and bitterness to be an actual real IT person.
Which is fine, if that's the job you want, and the people actually want to pay for it. Some do, and get that. Some don't.
That wasn't actually the job I wanted. It wasn't even my actual career.
Even the janitors are not called to operate the toilet for users.
Don't ever let anyone tell you you don't have an amusing attitude. It is pretty obvious you don't take telling. Unfortunate that people can get some good advice and be held in contempt for it. I'm just another person fo
Re: (Score:3)
I want to blame the technology companies a bit here; UX design is the root cause of a lot of these problems. It's bad enough on its own, but companies like MS continually make radical UX changes between versions, making it even worse.
The whole field of "UX" is the problem. It's a bollocks discipline made up by companies trying to disguise how their interfaces do not conform with HCI (Human-Computer Interaction) standards.
I was being demo'd a new product yesterday and their web interface was a "clean UX" design of white and very pale blues with very few harsh (read black) lines. I had trouble seeing this against the London skyline in the background which was as is so uncommon for London... completely fecking white. When I asked if the
Re: (Score:2)
I work half support, and I need to deal with irate PM/management types on a daily basis. No, they don't want to understand how our product works. They wouldn't if they tried. Yet, somehow, there's always a conversation like this:
Client: I just don't understand, why can't you do X?
Me: Listen, I can get into the details why that's not possible, but I don't think you want to hear it. Do you want to hear it?
Client: Try me!
[5 minutes of moderately in-depth technical explanation on database and platform architect
And conversely... (Score:5, Insightful)
...normal people think IT guys are just the worst, and they're both right from their point of view.
What a scoop...
Re: (Score:2)
...normal people think IT guys are just the worst, and they're both right from their point of view. What a scoop...
I wonder how much of the attitude that IT guys have toward the people that are the reason they have a job is just deep seated insecurity.
We had a guy who would take temper tantrums when called into a meeting to fix problems the suits were having. He got so nervous that his tendency was to lash out. It really wasn't a smart move, although he did get out of that job.
We've forced our workforce to use advanced... (Score:3, Insightful)
...passwords and two-factor authentication, simply because they'd choose such simple passwords to remember.
People hate having to learn something complex to remember, even if it just takes the effort of putting a small note in your wallet for 4 days to help you remember. You'd be SHOCKED if you just knew what passwords even professionals choose; it's hopeless.
So what we did at our big corporate was to implement a password A.I. guide engine that helps people avoid bad passwords. It picks stuff from a HUGE database of simpleton passwords (you know, guitar1234567, etc.) and it will simply explain to people why their passwords are not very good (we're polite, so we don't tell them that they're simple and... essentially not very IT savvy; they're good at something else, right?).
People just want an easy life. Most people working with computers as just a tool to get the job done don't want a huge advanced routine to do their job, and when the password becomes a chore and hard to remember, it will stop them from doing their job. And since we're nagging people to change their password 4 times a year, with reminders that pop up every day for 14 days before it expires, people simply get seriously annoyed. And they will go through hellfire to find an easy-to-memorize password before they even try to train for a complex one. (Here's a complex one for you, for those who simply don't get what that would be:
J4Al4&/rO1.P9DeErxL ) Yes, that's the kind of password you should use, even with a secondary two-factor authentication device, and it's not hard to learn to remember it. Sure, it's not as easy as guitar1234567, and it takes effort to learn it, but most people (if they just kept that note for a few days in the wallet and had to enter it 10 times a day) WILL remember it, even the average Joe, and their personal security on the net would skyrocket in comparison.
But...people are ...simple.
What you have actually done (Score:3, Insightful)
We've forced our workforce to use advanced passwords and two factor authentication
What you've actually done: Doubled the workplace's sticky note budget.
If you are doing two factor why torture everyone with bullshit complexity requirements? For the LOLs?
Re: (Score:2)
YOU TELL A LIE UNDER OATH AND YOU ARE A CRIMINAL.
I like that standard. We'll have just about every career politician officially branded a criminal and removed. How soon can we start? I favor the bipartisan approach where we keep going back and forth - ie one of theirs, one of ours. Keeps the process more honest.
Re: (Score:2)
J4Al4&/rO1.P9DeErxL ) Yes, that's the kind of passwords you should use, even with a secondary two factor authentication device, and it's not hard to learn to remember it, sure - it's not as easy as guitar1234567, and it takes effort to learn it - but most people (if they just kept that note for a few days in the wallet, had to enter it 10 times a day) they WILL remember it, even the average Joe - and their personal security on the net would sky rocket in comparison. But...people are ...simple.
You are delusional. Americans find even chip & PIN too hard, have you actually met normal people?
Re: (Score:3, Interesting)
This needs to be voted up to the heavens, where it can shine above the insular heels that come up with corporate password policies.
Has it ever occurred to them that all those cracked-out, contradictory password requirements actually reduce entropy rather than the other way around? You can't come up with policies based on how you'd like people to act, you have to come up with policies based on how they do act.
Re: (Score:2)
J4Al4&/rO1.P9DeErxL ) Yes, that's the kind of passwords you should use, even with a secondary two factor authentication device, and it's not hard to learn to remember it, sure - it's not as easy as guitar1234567, and it takes effort to learn it - but most people (if they just kept that note for a few days in the wallet, had to enter it 10 times a day) they WILL remember it, even the average Joe - and their personal security on the net would sky rocket in comparison. But...people are ...simple.
You are delusional. Americans find even chip & PIN too hard, have you actually met normal people?
We had to talk him out of a 1028 character long password that used only special characters, that was changed every day. Give the guy a break.....
Hardware solution (Score:3)
You're kidding, right? Otherwise, it sounds like a narcissistic case of "I'm capable of remembering long random gobbledygook, so you should be also."
And, I don't understand why the password file cannot be implemented in a dedicated-hardware "lock-box" such that it cannot be file-copied, preventing say 500,000,000,000,000 attempts at it. Using regular-file-based password repositories is just a speed-race to the bottom.
Typically you'd h
Re: (Score:2)
You're kidding, right? Otherwise, it sounds like a narcissistic case of "I'm capable of remembering long random gobbledygook, so you should be also."
Depends on how he generated that password. Maybe there's a system behind it that makes it easy to remember.
Like, say, 4S&7Ya,oFb4thutCanN,ciL,&dttPtaMac=.
I don't remember that string, but I know how it was generated, so when I want to use this example, I can re-create it trivially.
So: Pick a quote. An obscure one that's meaningful to you is best. Whatever you do, don't use the Gettysburg Address; that's what I use for my example, and that string above is all over the Internet. Decide on some ru
Re:We've forced our workforce to use advanced... (Score:5, Insightful)
Remember way back in public school where each teacher individually assigned "just" 45 minutes of homework and proclaimed that 45 minutes is no big deal? And how by the end of the day you had accumulated 4.5 hours of homework?
Same here. Everyone thinks their password requirements are not that big of deal forgetting that their little assignment is far from the only one people are dealing with.
Don't tell them not to write it down, tell them where to write it down. And don't make them keep entering it every time something times out.
Re: (Score:2)
And worse, if you make them have an impossible-to-remember password, they will use that same password on everything.
Now when one service gets hacked, they all do!
Re: (Score:3)
Relevant XKCD: https://xkcd.com/936/
Don't force your users to use passwords like "J4Al4&/rO1.P9DeErxL )" because then they'll simply write them down on sticky notes and your enhanced security will collapse to zero. There's a third option between "12345" and "J4Al4&/rO1.P9DeErxL )". Encourage them to use password phrases ("correct horse battery staple" or "We're Off To See The Wizard"). You'll have increased security AND they'll be able to remember their passwords without resorting to sticky notes.
Re: (Score:2)
"choose multiple random words"
"using 4 random words from a list of 500 common words is shit"
Getting mixed messages here.
"Common phrases" are an arguably vulnerable set, if you're stupid enough to use them verbatim. If your child likes Bob the Builder and SpongeBob, the "common phrase" CwfiWliap is awfully resilient. Mix in a birth year or any other permutation if you want, but you're done; no need for further memory tax (which leads to reuse, stickies, reset requests, etc.) on a nine-digit behemoth that bear
Re: (Score:2)
J4Al4&/rO1.P9DeErxL ) Yes, that's the kind of passwords you should use,
That's a terrible password for a person to remember. A good one would be:
"Get your f'ing grubby paws offa my computer, hacker!"
Unapproved app ban, STBs, Dropbox limits (Score:2)
In what cases is a password manager not available?
- Corporate IT forbids installing an unapproved application and declines to approve your password manager.
- The password is to a service accessed through a video game console, set-top streaming box, or other device to which your password manager is not ported.
- You have installed a password manager, but in order to synchronize its database to this device, you'd have to first disassociate one or more of your three or more devices from your Dropbox account in order to associate the device.
And the top execs are the clear problem (Score:2)
Everyone at the top level always makes exceptions for themselves, which open vulnerabilities that can easily be leveraged, and they're also the most vulnerable to social engineering attacks.
Re: (Score:2)
Had one like that, then she opened an attachment containing ransomware, full restore of her PC and every file share in existence was required...and what's even funnier is that the same woman who in private demanded the keys to the kingdom was, to the rank and file employee, a huge proponent of secrecy and compartmentalization...
Re: (Score:2)
what's even funnier is that the same woman who in private demanded the keys to the kingdom was, to the rank and file employee, a huge proponent of secrecy and compartmentalization...
Those two things so often exist in the same person. And actually, there should be close attention paid to that one.
yes and no (Score:2)
A teeth-gritting 54 percent, however, said the most extreme threat to corporate IT security came from employee mistakes.
Well, yes and no.
Yes, you shouldn't trust that Nigerian prince, you idiot. Or give your password to someone who emails, etc.
No, because systems (in general, IT or otherwise) need to be resilient against a certain amount of human mistakes.
Any system that can be completely brought down with general calamity for the company just because Betty the cat cursor loving secretary makes a mistake isn't a very robust system.
A few things... (Score:5, Informative)
A few points:
- Users are "unwashed" compared to IT personnel? Have you *worked* in IT?
- The first thing IT professionals forget (speaking as one) is that computer management isn't the user's job. It may be *your* expertise, but it isn't *theirs*. They have a different job to do which you would probably suck at. Expecting them to be IT professionals on top of their regular job is an unreasonable expectation. So stop fussing about it.
- That said, often security issues really are kinda the user's fault. We told 'em and TOLD 'em, don't do that, you'll infect your.. ok, too late.
Re: (Score:3, Funny)
Sure, you've told us. Then some genius at JP Morgan decides that the only way I can get the tax documents I need from their secure portal is by clicking a link in an email that they send me. Which, by the way, gmail offers to translate from Slovak, for some reason--extra-special comforting.
When I write them and say, just send me the url so I can log in with my credentials, and not have to click some phish-bait link, they only offer to fax me the document instead.
Oh yeah, sure, users are the problem....
Re: (Score:2)
A few points:
- Users are "unwashed" compared to IT personnel? Have you *worked* in IT?
- The first thing IT professionals forget (speaking as one) is that computer management isn't the user's job. It may be *your* expertise, but it isn't *theirs*. They have a different job to do which you would probably suck at. Expecting them to be IT professionals on top of their regular job is an unreasonable expectation. So stop fussing about it.
- That said, often security issues really are kinda the user's fault. We told 'em and TOLD 'em, don't do that, you'll infect your.. ok, too late.
The awesome part is in engineering, we often need the tools that are most likely to need the admin access that is so dangerous, yet IT keeps yanking it and wondering why all the engineers keep complaining. Seems to always be a push and pull thing with no happy medium.
Re: (Score:2)
Because you keep breaking production.
Now posted to the right comment, because I'm excellent with computers.
Re: (Score:2)
1) Did you read at the top of the page where it says "News for Nerds"? I DO NOT CARE WHAT YOU THINK ABOUT NON-IT PEOPLE.
Nerds are employed in the same company as non-nerds and often manage resources used by said non-nerds.
Re: (Score:3)
There is some correlation to how well an IT professional knows his [1] job and his attitude towards users, I think. I may be wrong about this. In my first few years as an admin, I used to tease mercilessly the users who couldn't figure out where their document went, when they'd accidentally suspended their edit session. (Yeah, I started in the days of VT100s.). It took me some years, a lot more experience, and more time spent outside the machine room to lose the hubris. You can always tell when an admin
Re: (Score:2)
Because you keep breaking production.
Re: (Score:2)
And wow, I managed to reply to the wrong comment. Go me.
I'll bet I can't handle security either.
Re: (Score:3)
Is clicking on the wrong email, which opens up a browser, which launches a 0-day drive-by vulnerability, really the user's fault, or is it the fault of the developer who screwed up and created the 0-day drive-by vulnerability? Or is it the fault of the project manager who insisted on that shiny new feature over doing code review? Or is it the corporation's fault for pushing the PM for features over security? Or is it everyone's fault for not insisting on security over features? I could go on, but I hope you get the point.
The thing you have to keep in mind is that users need to be able to do their jobs. Even without any security vulnerabilities in any software, a malicious script can always perform any action that the user can do themselves. If a user needs write permission to the files on some network share, then a malicious script could delete all of those files. Determining that some script is malicious, as opposed to what the user wants to do, is not always a trivial task.
Computers are Insecure (Score:3)
Here's the thing - every computer out there is insecure. We basically don't have the knowledge on how to build a secure computer that most of the population can use while remaining connected to the Internet.
There are really only two choices now: 1) disconnect from the Internet and don't face these risks 2) expect risks and pay to avoid incidents and/or clean up after them.
IT people are the worker bees of 2). Blaming the users for using faulty equipment is a waste of time.
Nobody seems to want to do 1) because overall there are profits to be made by being Internet connected. If your place of business wants to do 1) but not 2), then just run for the exits before it's too late.
Re: (Score:2)
Here's the thing - every computer out there is insecure. We basically don't have the knowledge on how to build a secure computer that most of the population can use while remaining connected to the Internet.
Here's the thing; the overwhelming majority of computers online today are not infected, proving that most of the population can in fact use a computer successfully while connected to the internet. We don't need to build the perfect environment. We simply need skilled people operating the existing ones, not ignorant children who refuse to learn. When IT professionals can operate a computer for years and not get infected, it becomes rather obvious who the problem is.
IT people are the worker bees of 2). Blaming the users for using faulty equipment is a waste of time.
Guns are dangerous. They are a tool tha
The network is great, but... (Score:4, Funny)
A developer for one of my past organizations, a true rocket scientist, posited it the best: "The network would be great, if it wasn't for all of those users!" Cheers, Ron.
Ponemon Institute? (Score:3)
Professor Oak, director of the Ponemon Institute, had this to say about security bugs: "Gotta catch 'em all!"
Missing the big question: (Score:2)
If you are alarmed by this result then you should immediately be wondering: is this merely a perception by IT/security professionals, or are the normal people in fact as awful as perceived?
This confirms ... (Score:4, Funny)
Users don't realize how bad they look (Score:3)
Users will constantly say things like "I just don't understand technology." or "I don't care what's wrong, I just want it to work". This used to put me in a bad frame of mind. I find it hard these days not to laugh at them. I wonder how long it took them to learn that fire will burn or not to walk down the middle of the freeway. They live in the same world as us but refuse to put a minimum amount of effort into learning how it works.
Re: (Score:2)
Re: (Score:2)
Let me turn this around for you for a moment...
Do you know how to, say, navigate the mazes of international copyright law? Run an ad campaign across multiple social platforms? Or balance ledgers?
Do you want to learn these skills?
The same way you're good at IT, those people are good at something else. And the same way you're not going to be interested in the intricacies of their domain, they aren't in yours. And that doesn't make them any less intelligent than you.
Re: (Score:2)
Sure. However, while I don't expect a carpenter to forge a hammer, I do expect them to be able to use it without embedding it in the guy next to them.
Just like I don't expect the marketing guy to write the OS, but I do expect them to be able to use it for basic tasks without hand holding from IT.
Re: (Score:2)
Let me turn this around for you for a moment... Do you know how to, say, navigate the mazes of international copyright law? Run an ad campaign across multiple social platforms? Or balance ledgers? Do you want to learn these skills?
The same way you're good at IT, those people are good at something else. And the same way you're not going to be interested in the intricacies of their domain, they aren't in yours. And that doesn't make them any less intelligent than you.
Bingo! Somewhere along the line IT people somehow thought that it was smart to hate the people that are the reason they have a job.
Re: (Score:2)
Except if I need to learn a little bit about international copyright law to do my job, I don't bitch about it. Most users' problem is that they don't want to learn, and you wonder how well they do other tasks with such a lazy attitude.
Look in the mirror, what do you see? (Score:4, Interesting)
No matter what profession each of us is in, I am certain that we all have stories about "stupid users". They surely do exist. But there is a flip side to this story.
Many "stupid users" are not stupid at their jobs or life in general. They just do not cooperate well with the paradigms of computing and technology handed to them by "the industry". The makers of the technology are quite savvy about such things. But, they might forget that not everyone is so, or be dismissive of ordinary smart (or dumb) people who are not as learned about those things as the manufacturers and technical folk are. Those people decrying the IT "stupid user" are likely to be the butt of jokes about how dumbass they are when it comes to doing their taxes or fixing their car or managing their own diabetes.
If there are too many stupid users, perhaps it is not the users. Perhaps the technologists who make techno products ought to produce better devices and software and computing paradigms that place greater emphasis on user interface, usability, human factors engineering, ergonomics, and just plain wtf common sense. It seems to me that too many IT people are so wrapped up in the technology and their own familiarity with it that they are suffocating from a lack of reality and some sympathy to how their mom or grandma might use the technologies they are making or managing. Turn your propeller head beanies upside down and air out some of the supercilious cobwebs in your IT skulls.
Users are a security problem and it's IT's fault (Score:2)
Obligatory XKCD (Score:3, Insightful)
Re: (Score:2)
In the IT groups I deal with, it's not IT requiring it. It's management. So yes, it is in fact, the users that are the problem there too.
Of course, there are always exceptions. Ideally, SSO without constant password changes and second factor would be a huge help, but good luck getting the corp to cut loose for 200 second factor auth keys.
Re: (Score:2)
Stuff like PCI compliance means IT has no actual say in the matter.
I agree...bad password policies are still the root of the problem though. You can't fight human nature.
Re: where's the lie? (Score:3, Insightful)
I don't think long passwords are an issue, more like not being able to use the last 4 previously used passwords and having to change every 2 months. Yeah no, that's going on a post-it. My job isn't my life.
Re: (Score:3)
A thousand times this. Having to change your password every X months to something you're never going to remember anyway is the polar opposite of good security policy.
Re: (Score:3)
If you can't trust the average user not to do something stupid like this or can't impress upon them the importance of security, then set up two-factor authentication of some sort or a security system that takes user apathy into account. Otherwise you're just asking for trouble.
Re: (Score:2)
Just tack on a 2 digit month when it expires to the password.
Why aren't you using ONE passphrase and a password manager??
Re: (Score:2)
Why aren't you using ONE passphrase and a password manager??
Because Dropbox, the service through which many password managers synchronize saved passwords among devices, recently restricted users to three devices. And which password managers also work for the OS user account itself?
Re: (Score:2)
A password on a post-it at least requires physical access. More troubling are short, easy to remember passwords that don't need to be written down, like "password" (or if you need a capital, number and special character, "Passw0rd.")
I apologize to everyone whose password I've just exposed.
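Two points from the comments above, in working code as an added example (mine, not any commenter's): the "tack on a two-digit month" rotation scheme a few replies up, and the observation just above that "Passw0rd." satisfies a capital-number-symbol rule while being a dictionary word. The word list is a constructed stand-in for a breach corpus, and the leet-speak map and the 12-guess ordering are my assumptions about how people mangle passwords, not data from the page.

```python
import re
import string

# Constructed mini wordlist. A real check uses a breach corpus of hundreds of
# millions of entries; the normalisation logic is the same.
COMMON_WORDS = {"password", "letmein", "welcome", "summer", "winter",
                "qwerty", "monkey", "hunter"}

# Assumed substitutions users make to satisfy a "one digit, one symbol" rule.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def meets_complexity_policy(pw, min_len=8):
    """The classic rule: at least `min_len` characters and three of the four
    character classes. It accepts 'Passw0rd.' and rejects a 28-character
    all-lowercase passphrase."""
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw),
               any(c in string.punctuation for c in pw)]
    return len(pw) >= min_len and sum(classes) >= 3


def normalize(pw):
    """Undo the usual mangling: case, a trailing year/month/'!', leet-speak."""
    core = re.sub(r"[\d\W_]+$", "", pw.lower())   # strip trailing digits/symbols
    core = core.translate(LEET)                    # P@ssw0rd -> password
    return re.sub(r"[\d\W_]+$", "", core)


def is_weak(pw, wordlist=COMMON_WORDS):
    """True if the password is a dictionary word dressed up for the policy."""
    return normalize(pw) in wordlist


def rotation_guesses(previous):
    """Given one expired password of the form <core><two digits>, list what
    the next one is likely to be under the 'tack on the month' scheme:
    the following months in order, wrapping 12 -> 01, the old value last."""
    m = re.fullmatch(r"(.*?)(\d{2})", previous)
    if not m:
        return []
    core, n = m.group(1), int(m.group(2))
    order = [(n + k - 1) % 12 + 1 for k in range(1, 13)]
    return [f"{core}{month:02d}" for month in order]


if __name__ == "__main__":
    for pw in ["Passw0rd.", "P@ssw0rd2019!", "correct horse battery staple"]:
        print(f"{pw!r}: policy={meets_complexity_policy(pw)} weak={is_weak(pw)}")
    print(rotation_guesses("Welcome03")[:3])
```

Run it and the policy check says the opposite of the dictionary check: "Passw0rd." passes the policy and is weak, "correct horse battery staple" fails the policy and is not. A rotated password whose previous value leaked is recovered in a dozen guesses, which is why a breach-corpus check and a throttled login do more than either complexity rules or scheduled expiry.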
Re: (Score:2)
Re: (Score:2)
That's amazing! I have the same combination on my luggage.
Re: where's the lie? (Score:2, Interesting)
Just print out and laminate individual password cards. 12 columns and 6 rows fits easily on a CC sized card. Users can stick them in their wallet. Make a bunch of different ones and let the users pick a card, any card, so you don't even know it.
Need a password? Pick a starting point and go right/left/up/down, or Fibonacci it if you want to make your life difficult. If you force password changes, have them go down a row and follow the same pattern if they want.
It's a really cheap, effective and simple soluti
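The card scheme above in code, as an added example that is my own and not the commenter's. The alphabet, the fixed demo card (constructed so the path arithmetic is reproducible) and the eight straight-line directions are assumptions. It also shows the caveat a practitioner would raise: once the card itself is seen, every straight-line path of a given length is a tiny search space, so the card is a physical token rather than a memory aid for a strong secret.

```python
import secrets
import string

ROWS, COLS = 6, 12
# Assumed 72-symbol alphabet: letters, digits and ten keyboard symbols.
ALPHABET = string.ascii_letters + string.digits + "!#%&*+-=?@"

# A constructed card, fixed here so the path arithmetic below is reproducible.
DEMO_CARD = [
    "Q7m#Kp2Xv9Lz",
    "a4R!tW8cN%hJ",
    "u3Yb+F6sM1dE",
    "G5k@nP0qT?wB",
    "x2Z&rV7yH4jC",
    "eS9*fD3gA8oU",
]

DIRECTIONS = {
    "right": (0, 1), "left": (0, -1), "down": (1, 0), "up": (-1, 0),
    "down-right": (1, 1), "down-left": (1, -1),
    "up-right": (-1, 1), "up-left": (-1, -1),
}


def make_card(rows=ROWS, cols=COLS, alphabet=ALPHABET):
    """Fill a card with CSPRNG-chosen symbols (one row per string)."""
    return ["".join(secrets.choice(alphabet) for _ in range(cols))
            for _ in range(rows)]


def read_path(card, row, col, direction, length):
    """The password a user reads off by starting at (row, col) and moving
    `direction` for `length` cells; None if the path leaves the card."""
    dr, dc = DIRECTIONS[direction]
    out = []
    for i in range(length):
        r, c = row + i * dr, col + i * dc
        if not (0 <= r < len(card) and 0 <= c < len(card[0])):
            return None
        out.append(card[r][c])
    return "".join(out)


def all_straight_paths(card, length):
    """Every candidate an attacker holding a copy of the card would try
    first. Returned as a list, so duplicates (if any) are counted."""
    found = []
    for r in range(len(card)):
        for c in range(len(card[0])):
            for d in DIRECTIONS:
                pw = read_path(card, r, c, d, length)
                if pw is not None:
                    found.append(pw)
    return found


if __name__ == "__main__":
    card = make_card()
    print("\n".join(card))
    print("row 0 rightwards:", read_path(card, 0, 0, "right", 12))
    for n in (6, 8, 12):
        print(f"length {n}: {len(all_straight_paths(card, n))} straight paths")
```

On a 6x12 card there are 136 straight paths of length 6 and only 12 of length 12 (the full rows), so a photographed card falls in well under a thousand guesses; the 72 random symbols themselves are strong only while nobody but the holder has seen them. Against an attacker without the card, a 12-symbol path from a 72-symbol alphabet is about 74 bits, so the scheme is sound exactly as far as the card stays private.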
Re: (Score:2)
If you haven't instructed the users to write the password on a card and keep it in their wallet, never on a post-it stuck to their monitor and never in their desk, you have also failed. You forgot that in addition to your 12 character password, they also have passwords for the bank, amazon, power company, etc, etc, etc, ad nauseam.
employee churn (Score:2)
Passwords on post it notes are a sign that the password requirements are too strict or onerous.
No, they're a sign that the person who wrote it down needs to be fired.
Good luck retaining employees longer than ninety days.