Slashdot: News for Nerds


The Enemy Within the Firewall

ScuttleMonkey posted more than 7 years ago | from the sowing-dissent-and-distrust-in-the-workplace dept.

Mel Tom writes to tell us The Age is reporting that many businesses are now considering employees a much bigger threat to security than most external threats. From the article: "With email and instant messaging proving increasingly popular and devices such as laptop computers, mobile phones and USB storage devices more commonplace in the office, the opportunities for workplace crime are growing."

265 comments

One thing is sure (5, Insightful)

LunaticTippy (872397) | more than 7 years ago | (#14910965)

If companies treat their employees like criminals, they are likely to get what they expect.

Re:One thing is sure (0, Offtopic)

xzanthar (543209) | more than 7 years ago | (#14911010)

Maybe the **AA should take this concept to heart with all their DRM. Treat your customers like criminals, and they are likely to become such.

Re:One thing is sure (2, Funny)

Anonymous Coward | more than 7 years ago | (#14911073)

What does this stuff have to do with the GNAA?

Re:One thing is sure (1)

Lehk228 (705449) | more than 7 years ago | (#14911521)

just look at what they did to that one guy's ass

Re:One thing is sure (0)

Anonymous Coward | more than 7 years ago | (#14911540)

Apparently, you're not a user of any of the GNAA's ... products.

Re:One thing is sure (5, Insightful)

ditoa (952847) | more than 7 years ago | (#14911072)

Treating your employees like criminals and restricting access to data that they have no business in accessing are very different things. Remember you own nothing at your work, it all belongs to the company. Restricting access to things you do not own is not treating you like a criminal.

Make Sure You Own It! (5, Insightful)

Anonymous Coward | more than 7 years ago | (#14911294)

You don't own it, but companies expect the same loyalty as if you owned it.

See the contradiction? Why should an employee care about something they don't own?

Given that the majority of companies wouldn't hesitate to act against the employees' interest if there is any suggestion of compromising the company's interest, why should an employee protect a typical company's interest apart from doing the bare minimum required to preserve their own job?

Companies are just reaping the "benefits" of years of treating employees as "production units".

Yes I'm posting as an AC because I don't want any potential employers to know that I don't really care about their company apart from the fact it pays me money.

(I'm not advocating slacking off in life or being bitter and twisted. Just make sure the things you dedicate yourself to are either THINGS YOU OWN or a charitable cause that you think is worthy. Working for someone else's profit is what you do to make money so you can do what really matters. Don't dedicate your life to making profit for someone else.)

Re:Make Sure You Own It! (1, Insightful)

Anonymous Coward | more than 7 years ago | (#14911412)

Why should an employee care about something they don't own?

Because they're paid to do so?

Re:Make Sure You Own It! (4, Insightful)

ThatNuttyPeej (739121) | more than 7 years ago | (#14911452)

You don't own it, but companies expect the same loyalty as if you owned it.

See the contradiction? Why should an employee care about something they don't own?


Because of a phenomenon known in scientific circles as the paycheck.

Re:One thing is sure (4, Interesting)

truthsearch (249536) | more than 7 years ago | (#14911373)

Restricting access to things you do not own is not treating you like a criminal.

True, but taking my fingerprints and putting them on file at the FBI within the first hour of a new job is criminal treatment. After all the SEC, FBI, and other background checks you still get put on file at the FBI when taking a job at most brokerage firms (at least here in NYC).

It's beyond technical. At many companies you're treated as if they need to always look over your shoulder. Those cameras aren't there for your benefit. They're there to catch you if you do anything wrong.

Re:One thing is sure (4, Insightful)

Metzli (184903) | more than 7 years ago | (#14911430)

Depending on where you are and what you do, that's the norm. I once worked at a bank's data center and there were cameras all over the place. They do background checks before you join, etc. Personally, I don't have a problem with that. I would feel better knowing that the place that has my money is that careful.

Re:One thing is sure (4, Interesting)

EnronHaliburton2004 (815366) | more than 7 years ago | (#14911422)

Where do things like arbitrary background, credit & criminal checks [choicepoint.com] fit in, I wonder.

At my last 3 jobs (Over 4 years), it was required to take these things. Along with the occasional piss-in-the-cup drug test. At many workplaces, companies are running background checks on existing employees. The tests are a "requirement of your continued employment here at the company".

Does this make people feel like a criminal?

Re:One thing is sure (1)

Scrameustache (459504) | more than 7 years ago | (#14911507)

you own nothing at your work, it all belongs to the company

That's MY stapler! It's mine!

Re:One thing is sure (4, Insightful)

tpgp (48001) | more than 7 years ago | (#14911079)

If companies treat their employees like criminals, they are likely to get what they expect.

While I can certainly understand why you say that, the article's headline 'the enemy within the firewall' was a bit of a troll.

More like 'the hapless idiot within the firewall', because the article is more about an external attacker using employees as a vector rather than the employees themselves being the attacker.

And really - when I say 'the hapless idiot' I'm being far too harsh - after all, it only takes inserting a music CD to potentially install a rootkit on a company's (windows) PC.

Re:One thing is sure (5, Insightful)

LunaticTippy (872397) | more than 7 years ago | (#14911149)

I realize there are risks, and agree that appropriate security needs to be in place.

You're right that I was responding to the tone of the article and headline.

I've worked for companies that think of employees as liabilities they reluctantly put up with because there isn't another option. It comes through loud and clear in their policies. Security measures that add no security but are humiliating, stark double standards for management and staff, headlines about corporate malfeasance and record-breaking bonuses, etc.

I think treating employees like family is a better approach. Give them some trust, but have policies in place. My mother, for example, has a computer with very strict security policies that she can't change. That is appropriate, and she has thanked me for it. Same approach will work for employees.

Well, many are. (0, Flamebait)

Anonymous Coward | more than 7 years ago | (#14911089)

Well, many computer users at work *are* criminals.


I'd venture to say that most Windows users have stolen software from work where they were given access to the right disks/installers. That's not their copy of Photoshop or Visual Studio at home - it's pirated from work. Funny thing, though... I don't see this kind of behavior from many F/OSS users.


So yes, I'd say that employee theft is very real among the IT crowd and the article is totally right.


Sadly, many of these guys use sad excuses (well, I was going to use it for work anyway; so that makes it OK for me to violate the license terms) - and don't even admit that they're criminals.


To: George W. Bush +1, Patriotic (-1, Troll)

Anonymous Coward | more than 7 years ago | (#14911330)

Attack Iran. They have weapons of mass destruction. More importantly, democracy and freedom are rebounding from their lows in the 1950s when the U.S., with the help of the United Kingdom and B.P. Oil, deposed the democratically elected leader of Iran.

We'll make billions. Most U.S. citizens, er.... subjects, are illiterate and innumerate.

Feloniously from the United Vassals of America,
President-VICE Richard B. Cheney [cursor.org]

Insiders ARE threats! (remember iBill last week?) (4, Insightful)

GringoGoiano (176551) | more than 7 years ago | (#14911455)

Insiders can be real threats, the BIGGEST threats. An insider can steal much more than a hacker ever can. And many insiders think they can get away with it. Just look at the porn-billing iBill incident made public last week.

The best policy is to log everything that happens in an enterprise, to a level required to reconstruct past bad behavior. You can't keep your insiders away from information they need to do their jobs. Trust, but also verify! There are products out there like Sensage (http://www.sensage.com/ [sensage.com] ) that can collect, centralize, and make available years of log data for an IT organization. While this might not prevent the theft in the first place, a company can crack down on and prosecute current/former misbehaving insiders. Sensage will do very well, as will many other companies in this space (including recent Slashdot heavy banner-advertiser Splunk (http://www.splunk.com/ [splunk.com] ) ).

I look forward to seeing how well these products do. It's time one of them went public so we can gauge interest.

And this is new? (5, Insightful)

Trevahaha (874501) | more than 7 years ago | (#14910969)

Isn't this covered in Security 101 -- most instances of stealing information, destroying data, etc. occurs from the inside (or ex-employees).

I wonder how much of this is average employees (0)

Anonymous Coward | more than 7 years ago | (#14911019)

and how much is high-level execs who actually have access to information that's interesting to competitors, inside-trader-crooks,etc (sales forecasts, contracts, etc).


Perhaps they're the ones who shouldn't be allowed ipaqs and laptops.

Re:And this is new? (1)

azoca (838322) | more than 7 years ago | (#14911204)

I would agree. It's not new and covered well. However, I am of the opinion that it's not so much malicious employees (though there are plenty) but laziness. Keeping security requires a degree of adhering to protocol and inconvenience. If all the rules aren't enforced on people they will break them. Take your typical VPN client deployed to an employee's work laptop or home PC. Now add in all the crud they run on their home PC/laptop and all the rules they will not follow. Once the PC is infiltrated they've got a straight path into the network. So much for VPNs; they effectively extend your 'secure' network into the most unkempt areas of control.

Re:And this is new? (4, Interesting)

hal9000(jr) (316943) | more than 7 years ago | (#14911216)

What is new is that apparently some companies are actually starting to get it.

You don't have to treat your employees like criminals in order to reduce the threat that an insider may pose. You just have to take rational approaches to tighten access.

Re:And this is new? (2, Insightful)

buckhead_buddy (186384) | more than 7 years ago | (#14911470)

Trevahaha wrote:

Isn't this covered in Security 101

True, but it's also covered in BLAME 101 -- When something goes wrong you need to identify, control, and correct the problem. It does no good to acknowledge security issues to the press or in your financial report if you have no response to them.

While you may not know who the real criminals are or whether they are inside or outside your firewall, it IS easy to establish internal policies ("No iPods indoors!") or provide a subtext to layoffs ("We are tightening security!") rather than actually having to diagnose or deal with the real threats right away.

Are good security policies really on the rise in corporations or is the need for blame?

This Has Been Why... (5, Informative)

ackthpt (218170) | more than 7 years ago | (#14910972)

This has been why email attachments are regularly stripped and IM is forbidden here. Still, we get stuff because people bring it in on CDs, infected PDA's in dock, etc.

Forbidden IM (3, Insightful)

truthsearch (249536) | more than 7 years ago | (#14911015)

IM forbidden? Tunnel it through SSH on port 443. Works every time and the company can't spy on what you're IMing.

Re:Forbidden IM (2, Insightful)

MightyMartian (840721) | more than 7 years ago | (#14911181)

But they will know that you were doing something.

Re:Forbidden IM (1)

truthsearch (249536) | more than 7 years ago | (#14911286)

Your average sys admin will see encrypted traffic on port 443 and think you're browsing web sites (https).

A better sys admin will notice you're connected to a server with an odd name (myhomeserver.dyndns.org or whatever) but still wouldn't think much of it.

The best sys admin probably won't notice because there's so much traffic going through the proxy on ports 80 and 443 that they won't bother to look at each server's name. They'll mostly trust the proxy filter to block bad host names, but your random server's name won't be on such a list.

Re:Forbidden IM (2, Insightful)

eneville (745111) | more than 7 years ago | (#14911531)

And some admins do protocol inspection.

There's a bunch of ways to stop tunnels, or even break connections off after a set amount of time; if it takes 5 minutes, surely that can't be good.

Personally I'd like to prevent people listening to streaming music... if someone wants to listen to music, they can buy an MP3 player, or bring in an FM/DAB radio.

And besides, they can't be doing anything through the tunnel that's directly related to work that they can't get permission for from the admin, so they should stop being covert about it.

Re:Forbidden IM (2, Insightful)

idontgno (624372) | more than 7 years ago | (#14911199)

Tunnel it through SSH on port 443. Works every time and the company can't spy on what you're IMing.

Until they lock down which systems you can hit at port 443. Are you gonna start port-hopping? Then they get really draconian and employ a total "deny unless permitted" outbound ruleset.

Yeah, it can be limiting. In a way, an organization which does this gets what it deserves: workers buckled into the traces with blinders around their eyes, plodding away. Kinda like a team of draft horses pulling a big ol' wagon, which sucks if your competitors are actually operating in this century.

But since when has that mattered? As long as we're in control, none of the rest matters. MWAHAHAHA!
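The last few "Forbidden IM" replies describe three defensive controls from the admin's side: protocol inspection that notices an SSH banner where a TLS handshake should be, cutting off sessions that run past a time limit, and a "deny unless permitted" outbound ruleset with a fixed list of hosts reachable on 443. The following Python is an added example written for this page, not code from any poster or from the article; the log format, the allowlist, the 300-second cap and the log lines themselves are constructed assumptions.

```python
"""Egress inspection for an HTTPS-only outbound policy (added example).

Assumed log format (constructed for this example):
  src=<ip> dst=<host> port=<n> dur=<seconds> first=<hex of first bytes sent>
"""
import re
from dataclasses import dataclass

# Assumed allowlist of permitted HTTPS destinations ("deny unless permitted").
ALLOWED_HOSTS = {"www.example.com", "mail.example.com"}
# Assumed cap on a single outbound session; a persistent tunnel will exceed it.
MAX_SESSION_SECONDS = 300

LINE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) port=(?P<port>\d+) "
    r"dur=(?P<dur>\d+) first=(?P<first>[0-9a-fA-F]*)"
)

# Constructed sample log lines: a normal HTTPS session, an SSH banner sent to
# port 443 of an unlisted dynamic-DNS host, a long-lived but otherwise normal
# session, and a TLS connection to a non-standard port.
LOG_LINES = [
    "src=10.0.0.12 dst=www.example.com port=443 dur=12 first=160301",
    "src=10.0.0.12 dst=myhomeserver.dyndns.org port=443 dur=4200 first=5353482d322e302d",
    "src=10.0.0.17 dst=www.example.com port=443 dur=9000 first=160301",
    "src=10.0.0.23 dst=203.0.113.5 port=8443 dur=3 first=160303",
]


@dataclass
class Conn:
    src: str
    dst_host: str
    dst_port: int
    first_bytes: bytes
    duration_s: int


def parse_line(line):
    """Parse one log line into a Conn, or None if it does not match."""
    m = LINE_RE.fullmatch(line.strip())
    if m is None:
        return None
    return Conn(
        src=m["src"],
        dst_host=m["dst"],
        dst_port=int(m["port"]),
        first_bytes=bytes.fromhex(m["first"]),
        duration_s=int(m["dur"]),
    )


def classify_payload(first_bytes):
    """Protocol inspection on the first bytes a client sent.

    A TLS ClientHello starts with a handshake record: content type 0x16
    followed by record version major byte 0x03. An SSH client starts by
    sending its identification string, "SSH-<proto>-<software>".
    """
    if len(first_bytes) >= 2 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return "tls"
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    return "unknown"


def evaluate(conn, allowed_hosts=ALLOWED_HOSTS, max_seconds=MAX_SESSION_SECONDS):
    """Return the list of policy findings for one connection (empty = clean)."""
    findings = []
    if conn.dst_port != 443:
        findings.append("port-not-permitted")
    if conn.dst_host not in allowed_hosts:
        findings.append("host-not-permitted")
    proto = classify_payload(conn.first_bytes)
    if proto != "tls":
        findings.append(f"non-tls-payload:{proto}")
    if conn.duration_s > max_seconds:
        findings.append("session-too-long")
    return findings


def inspect(lines, allowed_hosts=ALLOWED_HOSTS, max_seconds=MAX_SESSION_SECONDS):
    """Apply the policy to every parsable line.

    Returns (dst_host, decision, findings) per connection. The decision is
    the "deny unless permitted" rule: anything not on the allowlist, or not
    on 443, is denied; the remaining findings are alerts for the admin.
    """
    report = []
    for line in lines:
        conn = parse_line(line)
        if conn is None:
            continue
        findings = evaluate(conn, allowed_hosts, max_seconds)
        denied = any(f.endswith("-not-permitted") for f in findings)
        report.append((conn.dst_host, "deny" if denied else "allow", findings))
    return report


if __name__ == "__main__":
    for host, decision, findings in inspect(LOG_LINES):
        print(f"{decision:5} {host:28} {' '.join(findings) or 'clean'}")
```

The second sample line is the scenario the thread describes: the destination is an unlisted dynamic-DNS host, the first bytes are an SSH identification string rather than a TLS record, and the session has been open far longer than a page load. Either of the first two checks alone is enough to deny it; the duration check catches tunnels that do manage to reach an allowed host.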

Re:This Has Been Why... (1)

sdirrim (909976) | more than 7 years ago | (#14911017)

If you trust your employees, you might find a lot less security breaches. Many breaches are only due to an employee with an axe to grind.

Re:This Has Been Why... (5, Interesting)

ackthpt (218170) | more than 7 years ago | (#14911064)

If you trust your employees, you might find a lot less security breaches. Many breaches are only due to an employee with an axe to grind.

That's a bit naive. Most of our employees are devious little buggers. As soon as no-one is looking they're sending amusing flash/avi/mpeg between themselves, forwarding jokes someone outside sent to their gmail account (and they've cut-n-pasted them into work mail), etc.

What it really comes down to is establishing a policy and what sanction will be forthcoming on violations. I knew one company that had zero tolerance. A couple sackings and everyone left was quite clear on proper behaviour.

Re:This Has Been Why... (3, Insightful)

MobyDisk (75490) | more than 7 years ago | (#14911201)

The beatings will continue until morale improves!!!!

I've seen companies that have sysadmins who spend their time monitoring employees and sacking the ones who use gmail from work, post to Slashdot, or other non-authorized activities under the guise of efficiency and security. But it is really an excuse: it was cheaper to hire several semi-technical wannabes to monitor employee activities than to pay one good sysadmin to properly secure the network.

Most of the employees only have a computer on their desk to send email and use Microsoft Office. Those people don't need to be administrative users.

Re:This Has Been Why... (1)

slavemowgli (585321) | more than 7 years ago | (#14911304)

What it really comes down to is establishing a policy and what sanction will be forthcoming on violations. I knew one company that had zero tolerance. A couple sackings and everyone left was quite clear on proper behaviour.

Ah, yes... nothing like creating an atmosphere of fear to motivate your employees and maintain productivity.

This Has Been Why...Spanking (0)

Anonymous Coward | more than 7 years ago | (#14911498)

"Ah, yes... nothing like creating an atmosphere of fear to motivate your employees and maintain productivity."

Obviously your parents don't believe in corporal punishment.

Re:This Has Been Why... (1)

TubeSteak (669689) | more than 7 years ago | (#14911524)

I wouldn't so much call it an "atmosphere of fear" as teaching your employees that no means no.

Some kids learn that lesson at an early age, others learn that "No" actually means "keep asking and you'll get it" or "do it anyways and you won't really be punished".

Usually it helps to explain why you're saying no, as that'll convince some people that you really mean it, but it won't matter to the people who plan on violating the rule anyways.

Re:This Has Been Why... (3, Insightful)

ackthpt (218170) | more than 7 years ago | (#14911526)

Ah, yes... nothing like creating an atmosphere of fear to motivate your employees and maintain productivity.

The overlooked reality is: Most work never requires internet access. Email should be for work only.

Prior to the internet, instant messaging, skype, etc. there were actually jobs and people got things done. Now there's the internet and people seem to feel (and I certainly notice this attitude on slashdot) that it's some kind of right for anyone in the company to check the news, view personal email, surf the web, even post on blogs, all on work time. Remarkable. I certainly find it aggravating when I'm at work and someone's personal cell phone is going off every half hour. Before cell phones people got things done, too, but now there's some human rights issue about how much crap people can do rather than work, just to keep them happy? Whoa. I'm sure during interviews prospective employees don't enquire on how much internet freedom they can expect, as that would likely raise a red flag. Spend some time thinking about why.

Re:This Has Been Why... (0)

Anonymous Coward | more than 7 years ago | (#14911357)

Posts like this from small-minded security-obsessed drones make me feel much better about my job, where we don't have to deal with such amazing bullshit. Horrors! Our employees might actually like each other and want to foster a sense of friendship and community! Horrors!

Fucking over-zealous security asswipes. I'll bet you're the type to require random rotating passwords every 30 days as well.

Make no mistake - security is important. Making it paramount at the expense of all usability and enjoyment is just asking your employees to find more and more devious ways around it. Soon you'll find that all of your traffic is port 22 and port 443, and you won't be able to do a goddamn thing.

Re:This Has Been Why... (3, Interesting)

paeanblack (191171) | more than 7 years ago | (#14911497)

I've worked at one employer that understood.

They had separate computers set up in the lounge area for IM, web email, games, etc. They were outside the network, and the rules on using them were very lax. We could do whatever we wanted on them, but IT wouldn't come running all that quickly if they were broken. Basically, it was like having a foosball table, but far more practical.

The flipside of this policy was that all the other machines were for pure work-related usage...period. Company email was for company business...period. As weird as it sounds, the employees really liked this setup.

It's the 21st century...employees have an expectation of being reachable by family and friends when they are on the job, even if it's not a life-threatening emergency. Companies that institute an outright ban on this behavior are living in the past. Companies that let a single computer be used for both personal and professional business are asking for a world of pain.

Malicious employees (0)

Anonymous Coward | more than 7 years ago | (#14910978)

It's not just malicious activity that worries me, either. Employees are running around with laptops, telephones, and USB flash drives without any sense that these are security risks.

Duh! (3, Funny)

creimer (824291) | more than 7 years ago | (#14910986)

Employees are the biggest threat to any company. Especially if the CEO is shoveling the loot out the backdoor.

Then the ONLY real solution is... (5, Funny)

3D Monkey (808934) | more than 7 years ago | (#14910989)

to get rid of all the employees.

Seriously, how can anyone get any work done with all these security risks running around?

Re:Then the ONLY real solution is... (1)

EraserMouseMan (847479) | more than 7 years ago | (#14911264)

Exactly. Because even with them around we have to cut off their access to any useful data just to keep things secure.

Not much new here (4, Insightful)

truthsearch (249536) | more than 7 years ago | (#14910991)

The disgruntled employee has always been the biggest security threat to any company. The only new thing today is how much easier it is to disrupt security and how often security is breached accidentally. I still see idiots send out passwords in plain text e-mails all the time. Educating employees is just as important as not disenfranchising them and properly securing networks.

Re:Not much new here (2, Insightful)

GlassHeart (579618) | more than 7 years ago | (#14911234)

I still see idiots send out passwords in plain text e-mails all the time.

RFC 821 (SMTP) was published in 1982. 24 years later on computers with 3,000 times the clock speed, we're still blaming users for the total lack of security in their email applications and infrastructure? How about some security out of the box, the same thing we expect of operating systems vendors?

Re:Not much new here (3, Insightful)

truthsearch (249536) | more than 7 years ago | (#14911318)

Every good security expert will tell you the problem is far more social than technical. We can put in all the encryption and layers you want. But we can still call up 8 out of 10 companies and get the operator's computer password over the phone. The point is it'll always be about the user.

Here's Some News (4, Funny)

mordors9 (665662) | more than 7 years ago | (#14910997)

"Ms Warwar believes that the rise in internal security attacks has come about because outside criminal gangs realise that recruiting or tricking employees to hand over insider knowledge is less expensive and traceable than other forms of cybercrime."

Gee someone ought to come up with a name for this... let's see, we can call it "Social Engineering". Hopefully no bad guys will read about this and start using it now....

Re:Don't Worry (1)

mpapet (761907) | more than 7 years ago | (#14911225)

I've got a patent on that.

Muuuhahahaaha!

In Other News (1)

The Angry Mick (632931) | more than 7 years ago | (#14911384)

"Ms Warwar believes that the rise in internal security attacks has come about because outside criminal gangs realise that recruiting or tricking employees to hand over insider knowledge is less expensive and traceable than other forms of cybercrime."

When approached for comment, Mr. Warwar replied, "Claudia can think its terrorists and criminals all she wants. I know it's that pervert Jason in accounting!"

The enemy within the gates (4, Insightful)

Anonymous Coward | more than 7 years ago | (#14911007)

I am shrugging at this, because it seems fairly obvious to me. After all, haven't all the e-mail worms of the past decade gone through corporate firewalls because some guy in the office just opened an e-mail he thought had some interesting photos in it? Or some guy happens to leave his blackberry with hundreds of sensitive emails on it on a subway train or in Starbucks?

Of course they are (1, Insightful)

Anonymous Coward | more than 7 years ago | (#14911014)

That's precisely how Sasser hit us at work a couple years ago. All it took was one laptop to infect the whole network. Thank heavens we still had some NT 4 boxes and UNIX workstations, which were completely immune, so people could still get work done. None of the XP machines ever stood a chance at knowing what hit 'em. Even to this day, we now have a Sasser-detecting script on all machines, but realistically, that's only a patch to a potentially bigger problem.

Re:Of course they are (0)

Anonymous Coward | more than 7 years ago | (#14911481)

I was in a similar situation once, but worse -- all our boxes were running XP when a worm hit us. As if the rate which it spread wasn't bad enough, all the infected hosts kept looking for new targets, so the few Linux machines we had were knocked right off the network (everybody had their home directory on an NFS server, so this effectively stopped people from logging in and working).

What was sad is that this was during a period of "upgrading" to new XP systems (from our previous Linux boxes). And it made me cringe that when I tried to salvage the situation by installing Linux on a few of the infected machines, without configuring anything more than the minimum necessary to get some amount of work done, I was reprimanded for it!

Repairing the Windows machines was a nightmare, because no matter how many times we told people that we needed to keep their computers turned off until we had inspected them, they continued to turn them back on. The reason for this escapes me, as their machines were almost useless anyway, but hey, what do you expect? After a few weeks of trying to get virus definitions installed (network issues caused by this worm made it rather difficult), we finally got the Windows machines up and running again...and were then instructed to reinstall Windows on the Linux boxes I set up (the ones that kept things going, albeit at a minimum level).

Sometimes I wonder why these decisions are not made by the IT staff, and then I take a look at a dollar bill and it all makes sense.

crime opportunities (5, Interesting)

pretygrrl (465212) | more than 7 years ago | (#14911018)

I work for a consulting firm that provides all types of HR services. We get data on client personnel that includes EVERYTHING: SSNs, addresses, spouse info, dates of birth, EVERYTHING.
The article mentions scarce spending on addressing internal security threats: I'm looking around my office, and there is just nothing you can do! Even if you completely lock down desktops (the latest image was set up so as to disable all HW and SW installs, and I personally had an admin pw within days!), there is still email. And loaner laptops.
I hear that this type of complete personal information fetches $10 per record amongst certain unscrupulous Brooklyn programmers.
Come to think of it... where DID I put all my floppies?

Re:crime opportunities (1)

SkizW (892712) | more than 7 years ago | (#14911492)

Actually they are called 'mortgage lead' companies. Check them out if you want. The information goes for anywhere between $10 to $100 each to anyone claiming to be a loan officer. This type of personal information gathering for profit should be illegal without proper security measures in place.

From the well-duh-department... (3, Funny)

hackstraw (262471) | more than 7 years ago | (#14911052)


Employees often suck. In retail, they rip you off more than your "customers". (I can't call a shoplifter a customer :)

Kevin Mitnick was able to get employees to give him tons of "sensitive" information just by asking for it. They take their laptops home and surf porn and get 0wn3d and bring the trojans and malware inside the firewall. Hell, they can even VPN the crud in from home or Starbucks too.

I suggest 1) firing all employees you can, 2) treating the remaining ones to a pay cut, 3) installing spy mechanisms inside their office, computer, and bathrooms to "keep them honest", and letting go of the ones that don't make the cut.

We don't need no stinking happy employee. We need one that does what they are told, and is already happy to do what they are told. That's it.

Re:From the well-duh-department... (2, Funny)

LunaticTippy (872397) | more than 7 years ago | (#14911081)

Better yet, replace them with robots.

Robots programmed and designed by robots, to remove the chance of humans tinkering with the logic.

Re:From the well-duh-department... (1)

abb3w (696381) | more than 7 years ago | (#14911192)

Employees often suck. In retail, they rip you off more than your "customers". (I can't call a shoplifter a customer :)

Call them "consumers", perhaps?

OT: Disney store does! (2, Informative)

PCM2 (4486) | more than 7 years ago | (#14911313)

Employees often suck. In retail, they rip you off more than your "customers". (I can't call a shoplifter a customer :)
I had a girlfriend who had a (very brief) job working at the Disney Store. She said that at the Disney Store, if a patron was referred to as a "customer," that meant someone suspected them of shoplifting. Everyone else was a "guest."

Re:OT: Disney store does! (1)

LunaticTippy (872397) | more than 7 years ago | (#14911351)

Sounds confusing.

So were these "customers" then "guests" in jail? Who are "customers" in jail? Or are there only "guests" and "eagerly sought escaped guests?"

Curse, you Walt Disney!

Re:From the well-duh-department... (1)

raider_red (156642) | more than 7 years ago | (#14911436)

Here's a plan: let's just outsource all the work to one of our corporate run prisons in Texas. They won't see this as a disadvantage at all.

Also, I'm sure the corporation running the prison would happily charge you a $20/hr contract rate for the prisoners' services, and deduct the expenses it would entail as "educational/rehabilitation" expenses.

At my last job (0)

Anonymous Coward | more than 7 years ago | (#14911060)

I stole a firewall. For some reason it is making me lol.

Internal security is a double-edged sword. (4, Interesting)

robyannetta (820243) | more than 7 years ago | (#14911075)

If you're a company that respects its employees, rewards them appropriately and values them, do you think internal threats are going to be such a large issue compared to the faceless megaopolies that most American companies have mutated into?

opportunities for workplace crime are growing? (2, Informative)

mnmn (145599) | more than 7 years ago | (#14911087)

"opportunities for workplace crime are growing"

This may be more because of incompetent netadmins than vile employees. Maybe more so because of lax security. Tighten up the computers, the type of traffic that can travel, the ports, the installed apps, passwords etc. and an employee on a mission can't break in except into her own account. Security in a workplace LAN is more than just putting in an MS Windows 2000 Server firewall; it's segregated security groupings per department and employee.

Security is good. Give it a shot.

Re:opportunities for workplace crime are growing? (5, Insightful)

helix_r (134185) | more than 7 years ago | (#14911154)


If an employee wants to screw up his employer, there are 1001 ways to do that-- with or without involving IT staff or systems.

There is nothing new here except that more and more companies are treating their employees as disposable temps that can be dropped simply to increase share price. It is not surprising that in today's environments employees are more likely to feel they need revenge.

Security lapses happen for a reason. Instead of attempting the Sisyphean task of "locking down" all systems, perhaps companies should address the root causes that incentivise their employees to behave badly.

Re:opportunities for workplace crime are growing? (1)

Hymer (856453) | more than 7 years ago | (#14911161)

...and get axed by the CEO 'cause he can't chat with his mistress ?
--
I totally agree with parent... but my CEO got a mistress in every larger city in Europe.

Re:opportunities for workplace crime are growing? (1, Interesting)

Anonymous Coward | more than 7 years ago | (#14911365)

It's a good thing I'm a nice guy. I was fired from my last admin job for matters beyond my control (corporate admin wouldn't take the blame for something they did) and I walked with access to everything.

Even when they brought in a new guy and he changed the VPN, the admin passwords, and everything else he could think to change, *my* preferred method of access remained online... a Windows station on a fixed external IP that would let me connect directly to the network. They even missed my backup admin password. Probably because it's the login for the backup software. If I hadn't landed a better, higher-paying job the same day I was fired I might be inclined to do something unpleasant to them.

Who is the enemy? (5, Insightful)

Y-Crate (540566) | more than 7 years ago | (#14911098)

While businesses should take reasonable precautions to secure their networks, data and physical assets, I've found that the employer/employee relationship is beginning to evolve into one of suspicion and severe distrust that is fostering resentment, anger and inhibiting productivity. No one wants to work anywhere they are treated as being one step removed from a hardened criminal from the moment they walk in the door on their first day. There is a fine line between taking sensible precautions to prevent opportunistic breaches of security, and indulging in paranoia and broadcasting an implicit belief through actions and words that everyone there is just waiting for the right moment to take the entire company for all they're worth.

Employees are no longer being thought of as possible risks, but confirmed dangers that must be actively confronted every step of the way. Proactive security measures enacted in a passive way that does not interfere with day to day work in an unreasonable fashion, or impact the work environment in a disproportionate manner are giving way to managers that are far more focused on what their employees are deliberately doing wrong, than on the actual work at hand.

By creating this atmosphere of hostility and distrust which cannot be overcome by proving oneself through hard work and carrying out duties in a thoughtful, honest way, managers are encouraging high turnover, poor communication between workers, poor attitudes towards work and customers, and an atmosphere of little or no respect for the organization, which anyone can tell you is the first step towards encouraging workplace crime.

Re:Who is the enemy? (1)

LunaticTippy (872397) | more than 7 years ago | (#14911213)

Well said.

I've had the misfortune to watch this happen at various workplaces since the late 80s, when things had already deteriorated. Smaller companies are sometimes better, but it is becoming a pervasive attitude.

In some ways governments are going the way of suspicion as well.

Re:Who is the enemy? (1)

pubjames (468013) | more than 7 years ago | (#14911221)

This attitude of treating everyone as a criminal is a current trend. Not only are employers treating their employees as potential criminals, but companies treat their customers as thieves, and even the government seems to be moving that way. Time to go live in a cabin in the mountains...

Re:Who is the enemy? (1)

ceoyoyo (59147) | more than 7 years ago | (#14911269)

Hey, if I worked somewhere that treated me as a criminal I might oblige them too.

Respect your employees and they'll respect the place they work.

I've got my cabin in the mountains all picked out.

Re:Who is the enemy? (1, Offtopic)

pilkul (667659) | more than 7 years ago | (#14911341)

Just wanted to say, great post.

Re:Who is the enemy? (4, Insightful)

aussersterne (212916) | more than 7 years ago | (#14911404)

There is a fine line between taking sensible precautions to prevent opportunistic breaches of security, and indulging in paranoia and broadcasting an implicit belief through actions and words that everyone there is just waiting for the right moment to take the entire company for all they're worth.

The problem is that this is absolutely true in western society. Everyone is waiting to take everyone for all they're worth. Witness patent battles, intellectual property and copyright battles, lawsuits, hostile takeovers, noncompete agreements and violations of noncompete agreements, "new entrepreneurship" in which you work to gain expertise, then leave the company and start your own doing the same things, corporate cutbacks in benefits and resorting to temp workers and outsourcing... From my view, virtually every practice in the free market, even those that are applauded, is of marginal ethics and morality at best. The basic premise of taking as much wealth as possible from others because you are clever enough to win it at their expense makes the entire pile of rubbish stink.

Everyone is in this for himself or herself, and the offensively rich can routinely be heard to say to the poor labor force: "You should have seized the opportunity like I did," or "it's not my fault if you don't know how to build wealth."

Everything is fair game--it's only illegal if someone richer than you or less clever than you is able to stop you from getting away with it. So companies should be paranoid, because all of their employees would steal everything not nailed down if they could get ahold of it, and employees should be paranoid, because companies would press employees' bodies and minds into perpetual, dehumanizing forced labor if they could.

All employees or just executives? (5, Insightful)

gcauthon (714964) | more than 7 years ago | (#14911107)

I like how they lump everyone into one big category. Unless you've been living in a cave for the past 5 years, it should be obvious who the biggest crooks are. Hint, they all have 3-letter acronyms for titles.

Re:All employees or just executives? (0)

Anonymous Coward | more than 7 years ago | (#14911508)

No surprise there. The more coercion (government) entangled in what would otherwise be voluntary trade, the more it pays to employ coercion as your means to your end (like a crook), rather than voluntary association as your means to your end (like an honest businessman).

Fire yourself (1)

Bull999999 (652264) | more than 7 years ago | (#14911113)

I'd fire myself but I heard that firing yourself can make you go blind.

Always has been, always will be a problem (4, Insightful)

sizzzzlerz (714878) | more than 7 years ago | (#14911124)

Stealing money from the till, stealing insider information, gaming the quarterly sales to boost the stock price, etc., have always been an issue. If you employ human beings, these things will happen whether or not computers are used. Their actions don't even need to be illegal; simple carelessness can harm a company as much as, or even more than, outright theft.

Careful screening during hiring, sufficient training and re-training during employment, as well as attentiveness are the keys to mitigating these problems. Restricting e-mail, firewalls, etc., are simply putting fingers in the dike.

Is security the answer? (5, Insightful)

loony (37622) | more than 7 years ago | (#14911128)

If you're in a situation where you really have to worry that much about your own people, doesn't that just show that management has failed to provide a good working environment and create loyalty?

The only effect of security is going to be that the few loyal employees you have get pissed and turn against you too. And for anyone who has done only a little bit of hacking, we all know useful security is way too expensive... You'd need to audit virtually everything that's going on on a server and there are only a few government agencies that can afford that much money.

So why not do something more useful with the money? Free coke for employees on Tuesdays. Or fix that darn pothole at the entrance of the parking lot. Put a few plants up in the office... That is all money better spent than on some lackluster, process-bound security measures...

Peter.

Re:Is security the answer? (3, Funny)

Tsugumi (553059) | more than 7 years ago | (#14911239)

Free coke? Hell yeah, sign me up, my dealer is way too expensive! A hole full of pot sounds interesting too, but I reckon the plants in the office would probably yield a better crop. When can I start? I swear I'm gonna be way too high to be any kind of security threat...

Re:Is security the answer? (1)

AnonymousPrick (956548) | more than 7 years ago | (#14911272)

Free coke? Hell yeah, sign me up, my dealer is way too expensive!

He works in a steel mill, it's a different kind of coke! Geeze!

Re:Is security the answer? (0)

Anonymous Coward | more than 7 years ago | (#14911323)

hehehehehehehehehe...

Re:Is security the answer? (3, Informative)

PCM2 (4486) | more than 7 years ago | (#14911290)

If you're in a situation where you really have to worry that much about your own people, doesn't that just show that management has failed to provide a good working environment and create loyalty?

It's a fair question, and yet loyalty is not always something that is so easy to just "create." Loyalty is not something that's handed down from management. It is a personal choice on behalf of each individual employee. Every employee has his or her own agenda and set of beliefs. Particularly among IT people, you may encounter a number of difficult types:

  • The smug techie who thinks he knows more than anybody and is therefore tempted by the idea that he can get away with whatever he wants because nobody knows what he does anyway.
  • The person with poor interpersonal skills which have held him back in terms of career advancement, and who thus feels he is undercompensated (and doesn't know how to ask for a raise).
  • The individual who styles himself as a "Bad Boy hacker," who isn't going to be loyal to any company no matter how you compensate him.
  • The individual who was hired right out of college and is simply too young and inexperienced to have a well-developed sense of personal ethics.

There are all sorts of other examples that could apply to anyone; for example, an employee who feels bored or unchallenged at work, or is otherwise just lazy, might spend too much time engaging in compromising activities (whether they be playing games or using P2P networks). And some people just don't know any better than to disclose information they shouldn't -- I personally have worked for a company that hired a private detective to try and get a job at a rival company and pick up information from other employees while he was there.

The point is that you can't entirely point the finger at management. Yes, it's in management's best interest to create an engaging and enjoyable work environment for everyone, but the most they can really do is try. Whether or not they succeed, that's still no reason to skimp on internal security measures.

Re:Is security the answer? (0)

Anonymous Coward | more than 7 years ago | (#14911374)

The article is just a reflection of the current Australian government's "new Australia". Presumption of guilt. You are a terrorist until proven otherwise. You are an illegal entrant until you are grudgingly admitted to be a refugee. You are a criminal to be deported and there is no way to clear your name. You are an employee to be treated as a criminal by default.

Biotech (4, Interesting)

Anonymous Coward | more than 7 years ago | (#14911158)


I work in the biotech biz. We've been warned about Chinese "students" snarfing our secrets. Thought it was a lot of tinfoil hat paranoia until we saw logs of HUGE attachments going to Asian hotmail addresses. Guess what some of those attachments were? Research data going straight back to China.

Needless to say, his worker agreements were terminated and the person shipped back.

Re:Biotech (2, Insightful)

woolio (927141) | more than 7 years ago | (#14911469)


I work in the biotech biz. We've been warned about Chinese "students" snarfing our secrets. Thought it was a lot of tinfoil hat paranoia until we saw logs of HUGE attachments going to Asian hotmail addresses. Guess what some of those attachments were? Research data going straight back to China.

Needless to say, his worker agreements were terminated and the person shipped back.

How convenient... Since you shipped him back, he can explain to his Chinese counterparts the details that were not covered in the attachments.

Way to go!

Movie connection? (2, Interesting)

Jon Luckey (7563) | more than 7 years ago | (#14911206)

Is this story just belated hype for the movie Firewall starring Harrison Ford?

Sure, it's not well timed if that's what it's supposed to be. But it has the same elements as the movie. Employee threatened to help criminals breach his company's security. The headline even contains the name of the movie. Maybe it was submitted weeks ago, but was kept in the slush pile until needed as filler now.

At least if it was hype it would be better than if a tech writer had to pull his story ideas from Hollywood. Or at least more understandable.

Who do you trust then? (5, Insightful)

Vapon (740778) | more than 7 years ago | (#14911214)

If you can't trust employees, who is securing the network for you? As a network admin I have full access to a company's full network within a week of starting a new job, otherwise I am unable to do my job.

There will always be a level of trust needed between employers and employees, since even if the president of a company can set up the security for a company they would still have to trust someone to enforce it, and that person would have the ability to abuse it.

Rating the risks (1)

fak3r (917687) | more than 7 years ago | (#14911223)

I just wrote about this topic, and it's something that has been ignored for far too long. http://fak3r.com/articles/2006/02/06/rating-the-risks [fak3r.com] The idea that people can come and go with USB drives on their keychain, a 60GIG drive in their iPod and unfettered Internet access is just an unlocked door. I'm all for privacy and freedom of speech, but a company HAS to be able to control its DATA. IMO this is not happening anywhere in corp America.

This is a very big market... (1, Interesting)

Anonymous Coward | more than 7 years ago | (#14911255)

...for tools like this one [trigeo.com] . Banks and other regulated industries are all over it.

Not really a problem (0)

Anonymous Coward | more than 7 years ago | (#14911291)

As a SysAdmin I'm much less worried about the activities of a person I can just walk over to and beat the living crap out of. And since all the employees know that if they do something wrong on my network I will come over and beat the living crap out of them it's not really a problem at my company.

Key Fob Fear (2, Insightful)

Short Circuit (52384) | more than 7 years ago | (#14911307)

And Floppy disks weren't a security threat?

Seriously, except for images, it's not difficult to fit a *ton* of data on a floppy disk. Just export to an ASCII-based file format, then zip it up.

Some other formats compress pretty well. Access databases, for example.

Re:Key Fob Fear (1)

chill (34294) | more than 7 years ago | (#14911495)

Yeah, because we all know how good ASCII-art CAD files are, much less ASCII Visio and ASCII Project.

Those are the biggies because they are the manufacturing industry's crown jewels -- how to make it, what is the work flow, and what is our production schedule.

There is a big difference between 1.44 MB and 1 GB.

  -Charles

Handling Employees and Security: (2, Insightful)

dracphelan (916527) | more than 7 years ago | (#14911377)

You need to do a few things to handle employees and security:

1. Do a thorough background check. This includes employment and criminal. You don't want to hire someone who did time for stealing from an employer.
2. Only allow them access to information they need for their jobs. I've had jobs where I could have walked out with all the personal info on past and current employees, and I had no need to access that information.
3. Run a good hardware and software anti-virus and firewall system. This means not letting every employee and their cousin have admin access to their machines.
4. Try to run a workplace where people are happy to be there. I had an employer that I seriously thought about turning in for software piracy because of the way he treated everyone in the office. Instead, I found a new job and left him with no technical people (it was a computer parts reseller).
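Points 2 and 3 above (grant only what the job needs, and don't hand out admin rights by default), together with the earlier comment about "segregated security groupings per department and employee", amount to a periodic access review. The script below is an added example, not code from this thread or any of its posters: it compares an export of who-has-what against a role-to-resource policy and reports every grant or local-admin right the role does not justify. The policy, the account export, the user names and the resource names are all constructed for illustration; a real run would read the export from the directory or access-management system.

```python
"""Least-privilege access review (added example; all data below is constructed)."""
from dataclasses import dataclass, field

# Constructed policy: the resources each role needs and whether it needs local admin.
ROLE_NEEDS = {
    "sales":    {"resources": {"crm", "email"},                                          "local_admin": False},
    "hr":       {"resources": {"hris", "email", "employee_records"},                     "local_admin": False},
    "sysadmin": {"resources": {"crm", "hris", "email", "employee_records", "fileserver"}, "local_admin": True},
}


@dataclass
class Account:
    user: str
    role: str
    grants: set = field(default_factory=set)  # resources the account can currently reach
    local_admin: bool = False                 # holds local administrator on its workstation


@dataclass
class Finding:
    user: str
    kind: str    # "excess_grant", "excess_admin" or "unknown_role"
    detail: str


def parse_export(text):
    """Parse a constructed CSV-style export: user,role,grant1;grant2,local_admin(yes/no)."""
    accounts = []
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        user, role, grants, admin = [part.strip() for part in line.split(",")]
        accounts.append(Account(user, role,
                                {g for g in grants.split(";") if g},
                                admin.lower() == "yes"))
    return accounts


def review(accounts, role_needs=ROLE_NEEDS):
    """Return one Finding per grant or admin right that the account's role does not need."""
    findings = []
    for acct in accounts:
        policy = role_needs.get(acct.role)
        if policy is None:
            # A role with no defined needs cannot be reviewed; flag it rather than guess.
            findings.append(Finding(acct.user, "unknown_role", acct.role))
            continue
        for resource in sorted(acct.grants - policy["resources"]):
            findings.append(Finding(acct.user, "excess_grant", resource))
        if acct.local_admin and not policy["local_admin"]:
            findings.append(Finding(acct.user, "excess_admin", "local administrator"))
    return findings


def summarize(findings):
    """Group findings per user as 'kind:detail' strings; users with no findings are absent."""
    by_user = {}
    for f in findings:
        by_user.setdefault(f.user, []).append(f"{f.kind}:{f.detail}")
    return by_user


# Constructed export: bob is over-provisioned, erin has a role the policy never defined.
SAMPLE_EXPORT = """
# user,role,grants,local_admin
alice,sales,crm;email,no
bob,sales,crm;email;employee_records,yes
carol,hr,hris;email;employee_records,no
dave,sysadmin,crm;hris;email;employee_records;fileserver,yes
erin,contractor,fileserver,no
"""

if __name__ == "__main__":
    for user, items in summarize(review(parse_export(SAMPLE_EXPORT))).items():
        print(f"{user}: {', '.join(items)}")
```

The review deliberately treats an undefined role as a finding instead of assuming it needs nothing: silently passing accounts the policy does not cover is how the "could have walked out with everyone's personal info" situation in point 2 persists unnoticed.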

What they didn't mention (1)

madfilipino (557839) | more than 7 years ago | (#14911379)

How many managers think of themselves as a security threat?

Check out www.fortinet.com (1)

get quad (917331) | more than 7 years ago | (#14911395)

http://www.fortinet.com/ [fortinet.com] Ever since implementing Fortigate Router bundles in all of my offices, which include AV, Antispam, IPS and Content Filtering services, user-induced havoc is much less of a concern for us. I've been called a Nazi a few times since turning on certain webfiltering but I usually laugh and tell my users to take it up with the boss to have their favorite gambling/file storage/message board/etc unblocked and the subject is immediately dropped. lol. Price vs performance I personally don't think these appliances can be beaten. Good news is they're about to go IPO as well.

Simple solution. (1)

SheeEttin (899897) | more than 7 years ago | (#14911402)

Simple solution: There are two networks: an internal and an external. The internal one contains all company-related data and cannot connect to any other network, and external devices (e.g. flash drives) cannot be connected without authorization. The external one contains all non-company-related data and can connect to the Internet freely. External devices can be connected. Neither network is connected, and data cannot be transferred from one to the other. You say you want to work from home? Tough luck. Too much of a security risk.

as an emp (1, Interesting)

Anonymous Coward | more than 7 years ago | (#14911457)

I've been on the wrong side of this issue. I found a couple of security holes. Reported them. Was asked to quit (4 weeks after a promotion).

The holes?
1. Well known 'tech support' password, and
2. An insecure website on the intranet used to do employee evaluations.

Management's Q: How did you find this?
A1. I'm in IT and I login to several servers every day. When I don't have an account, I try the tech-support pwd.
A2. I don't use IE. So, the holes are as far away as right-clicking

Management: So, you hacked our network servers and our employee evaluation system!

Me: No!?!? (WTF) That's not what 'hacking' means... and, I reported it to 'cyber-security'

Management: (He's a liability -- and I don't understand anything about 'view source', 'remote logins', etc. Cyber Security has no record of his complaint...) "We hold our IT staff to a higher standard...." SEE YA!

I'm one paranoid SOB, now. I don't want passwords, or access rights, and I'm thankful when I don't have to login to any other machines. In hindsight, that job sucked. So, this was a good thing. My new job is much better.

Loyalty is so 50s... (1)

GeekBird (187825) | more than 7 years ago | (#14911471)

"People are becoming the weakest link. A fluid work force with diminished loyalty to organisations is being exacerbated by the fact that people do not always realise the value of information that they deal with,"

The "fluid workforce" and its disloyalty is the fault of the organizations themselves. When employees are viewed as interchangeable commodities, and swapped out willy-nilly for an overseas "body" that is a few thousand cheaper, there just isn't going to be any loyalty to the organisation. When a company shows no loyalty to you, there is less and less reason to be "loyal" to it, especially when, for a while there, the only way to get a raise was to change jobs.

So yes, people are the weakest link to security. This is nothing new - ask Mitnick about social engineering.

The fact that senior management is still a bit sparse on ethics (cf Global Crossing, WorldCom, Enron) also doesn't inspire ethical and/or careful behavior with company data by the rank and file.

How to reverse the trend? I don't know if it's even possible. Even high profile prosecutions don't seem to slow it down.

Trusted Computing (1)

sam0737 (648914) | more than 7 years ago | (#14911476)

...cannot work without trusted employees.

Same as Trusted Computing, you either trust your employees and allow the highest degree of freedom, or, like DRM, don't trust your employees and ban them from everything possible.

JUST OUTSOURCE IT! (1, Interesting)

Anonymous Coward | more than 7 years ago | (#14911479)

That'll teach those employees to hack your system!

I'm beginning to realize how brilliant that outsourcing is!

Feh. (0, Redundant)

Pig Hogger (10379) | more than 7 years ago | (#14911511)

With all the wholesale raping of employee pension funds and wholesale dumping of jobs, it's only normal that any employee will cover his ass by making sure he can inflict maximum damage to a company when it will screw him.

When everything is illegal, everyone is a criminal (2, Funny)

Pinback (80041) | more than 7 years ago | (#14911515)

The goal is to always have more dirt on your employer than they have on you.

Screw hacking the server. Spend a few months running the license paperwork through the shredder, and then call the BSA. If you do it right, you may even be in line for a reward.

Seriously folks, if you want to treat your employees like criminals, hire people who are already institutionalized. At least you can find out what their predilection is.