
Workers Cause More Problems Than Viruses

ScuttleMonkey posted about 7 years ago | from the going-postal dept.

Security 191

Technical Writing Geek writes "A new report finds that, for the first time, virus infections have slipped to the second spot on the list of computer security troublemakers. In first place— a company's own workers. 'The Computer Security Institute has just released the 2007 edition (PDF) of its long-running "Computer Crime and Security Survey," and it offers some dreary news for overworked computer security admins: average losses from attacks have surged this year. More surprising is the finding that the single biggest security threat faced by corporate networks doesn't come from virus writers any more; instead, it comes from company insiders.'"


191 comments


Ignoring the Human Factor is not Bliss (5, Insightful)

foobsr (693224) | about 7 years ago | (#20639201)

As of 2004 [news.com]:

"CEOs are increasingly aware of the risks posed to company information by insiders, but they aren't acting on this knowledge, according to the "2004 Ernst & Young Global Information Security Survey." More than 70 percent of the 1,233 organizations surveyed in 51 countries failed to list training and raising employee awareness of information security issues as a top initiative."

A case of 'ignorance is not bliss'.

CC.

Re:Ignoring the Human Factor is not Bliss (4, Insightful)

king-manic (409855) | about 7 years ago | (#20639399)

"CEOs are increasingly aware of the risks posed to company information by insiders, but they aren't acting on this knowledge, according to the "2004 Ernst & Young Global Information Security Survey." More than 70 percent of the 1,233 organizations surveyed in 51 countries failed to list training and raising employee awareness of information security issues as a top initiative."

A case of 'ignorance is not bliss'.
You do have to weigh company morale vs. security. Requesting the whole organization use tinfoil hat Linux boxes; with 256-bit end-to-end encryption; with all outgoing and incoming packets sniffed, duplicated and logged; 16-character mixed special char, numeric, and alphabetic passwords; Faraday cages around every office; may be excessive even for the NSA. You have to trust your employees at least a little or else it becomes an us vs. them situation.

Re:Ignoring the Human Factor is not Bliss (5, Interesting)

EvanED (569694) | about 7 years ago | (#20639537)

Requesting the whole organization use tinfoil hat Linux boxes; with 256bit end to end encryption; with all outgoing and incoming packets sniffed, duplicated and logged; 16 character mixed special char, numeric, and alphabetic passwords; Faraday cages around every office; may be excessive even for the NSA

Actually I bet the NSA is doing everything you name, except for the 256-bit thing. I'm sure they're using at least 4096-bit encryption (assuming RSA). Maybe biometrics instead of the fancy passwords.

But you can be sure that the rooms are Faraday cages; even the CIA does that. ;-)

(The CIA also has double walls between which they pump white noise so that people can't read the vibrations of the glass with laser meters. The building is magnetically shielded so people can't "read" the monitors of people remotely.)

Re:Ignoring the Human Factor is not Bliss (0, Offtopic)

ShieldW0lf (601553) | about 7 years ago | (#20639785)

The numerous old are living off a smaller number of young.

Thus, we are all forced to work beyond our capacity to tolerate it with no appreciable reward.

No one is motivated by anything beyond fear. They don't value the system, they hate it.

Thus, things are falling apart.

There is no alternative, only stopgap measures to try to keep them all working, which will eventually fail.

Before it's all done, we will have to abandon the system, we will have to fight those who hang on till the end, and we will have to find another way to stay alive. Most won't.

But they're still trying to establish a fascist state, with locked borders, police acting in an arbitrary fashion for political reasons, etc.

There is no way out of any of this. None at all.

Just wait till it hits the tipping point. Then things are really going to get interesting.

Can't wait, personally.

Mod Parent Down (0)

Anonymous Coward | about 7 years ago | (#20639909)

Flamebait, n/t troll

Re:Ignoring the Human Factor is not Bliss (0, Offtopic)

ShieldW0lf (601553) | about 7 years ago | (#20640407)

You think it's off topic because you can't see the connections.

It's not. It's the cause to the effect.

Hey MODS! (0)

Anonymous Coward | about 7 years ago | (#20640537)

Mod parent down. Offtopic once more...

Re:Hey MODS! (0)

Anonymous Coward | about 7 years ago | (#20640801)

Love to, and I even have points, but I already posted in this thread :\

Re:Ignoring the Human Factor is not Bliss (1)

thePowerOfGrayskull (905905) | about 7 years ago | (#20642043)

The numerous old are living off a smaller number of young.
You do realize that barring a draft and assuming a continued population growth rate of anything greater than 1.0, the number of working young will always be larger than the number of retired old?

The ultimate attainable security ... (3, Insightful)

khasim (1285) | about 7 years ago | (#20639775)

The ultimate attainable security ... is when your systems lose/corrupt/release data more often due to the stupid (non-malicious) actions of your people than due to crackers.

The human level is the last limit. Don't focus on technology that will get you that last 0.0001% when the people running your systems will be causing the problems 100x more often.

Re:The ultimate attainable security ... (2, Insightful)

sufijazz (889247) | about 7 years ago | (#20640233)

From TFA

"Hiding porn on an office PC, using unlicensed software, and abusing e-mail all count as security incidents, though all pale in comparison to one successful phishing trip."
They are not even talking about "stupid" actions or even losing/corrupting/releasing data. If this is what you are measuring as a security incident, no wonder the number of security incidents being caused by insiders is going to be higher. If I am a hacker, why would I use a PC in a hacked corporate network to store my porn?

Re:Ignoring the Human Factor is not Bliss (4, Insightful)

SatanicPuppy (611928) | about 7 years ago | (#20639819)

Meh. All that is pointless, because it doesn't address social engineering or intentional internal sabotage.

What you need are good audit and logging procedures, to help you pinpoint the vector of intrusion, and to minimize the damage caused. That's a basic principle for financial systems, and it's one that could benefit from being extended to general users.

The goal is not even to do big brother crap (though this could be misused that way) but simply to have an accurate record of what's going on in your systems. Once you have that, all other problems can be addressed more effectively, and solutions can be generated that can provide security without overly hindering users. If you don't have an accurate idea of how your systems are being breached, you're forced to employ blanket policies that hinder productivity and breed dissatisfaction.

Re:Ignoring the Human Factor is not Bliss (1)

thomas.galvin (551471) | about 7 years ago | (#20640697)

The problem is, if you own a box, you own the auditing system that runs on the box, too.

Re:Ignoring the Human Factor is not Bliss (2, Insightful)

SatanicPuppy (611928) | about 7 years ago | (#20641509)

Yea. There are ways of doing black-box auditing and logging... not the least of which is to have a terminal-output hardcopy.

It's not really an often-pursued option these days, however.

Re:Ignoring the Human Factor is not Bliss (4, Insightful)

gravos (912628) | about 7 years ago | (#20639471)

Implementing good security practices tends to waste time.

If Cindy from HR calls me and I have to verify that she is, in fact, Cindy from HR, every time she calls me, that reduces my productivity by a certain amount.

There are ways to spend money instead of reducing productivity (like installing dedicated phones between offices that don't link to the POTS network), but losing money is hardly better than losing time.

The moral of the story is, until losses from poor security exceed losses to productivity caused by rigorously following security protocols on average, people will not be inclined to rigorously follow those protocols.

Re:Ignoring the Human Factor is not Bliss (4, Insightful)

an.echte.trilingue (1063180) | about 7 years ago | (#20639729)

No, implementing good security practices saves time, every time.

It requires an upfront investment of time to implement and maintain the system, but it beats the hell out of spending your week re-ghosting all of the computers in the accounting department because some ex-employee decided it would be funny to install a back door, and now you have to lock down every system he had access to and also try to figure out what he could have leaked so you can notify your soon to be ex-customers of what you lost. Feel free to repeat every month or so, depending on the size of your organization.

Or, you could give users a limited access account (which is easy to do even in windows), implement a sane permission system on your servers, implement something like a kerberos server, and make your employees read and sign a "good security practices" memo once a year so that they understand your policy and why it is important.

Security is time well invested.

Re:Ignoring the Human Factor is not Bliss (2, Interesting)

QRDeNameland (873957) | about 7 years ago | (#20640229)

It requires an upfront investment of time to implement and maintain the system, but it beats the hell out of spending your week re-ghosting all of the computers in the accounting department because some ex-employee decided it would be funny to install a back door, and now you have to lock down every system he had access to and also try to figure out what he could have leaked so you can notify your soon to be ex-customers of what you lost. Feel free to repeat every month or so, depending on the size of your organization.

Honestly, in my experience, I've seen far more cases of mass re-ghosting due to "routine" Windows Updates hosing some critical piece of enterprise software than from anything like what you describe. In other words, IME for the average IT shop, far more downtime costs are associated with bad implementation practices than bad security practices. YMMV, but I do think the GP has a point in that for many shops the impact of actual security issues does not justify the observed costs of enhanced security beyond a certain level.

That is not to say that security is not a good investment even if your business is not particularly security-sensitive, but it is more akin to insuring oneself against rare and catastrophic events...that is, as long as the catastrophe never occurs, it seems like money wasted, but in the event that catastrophe does strike, it is a very good investment indeed.

Re:Ignoring the Human Factor is not Bliss (0, Offtopic)

Elyscape (882517) | about 7 years ago | (#20641729)

Only on Slashdot does something more insightful than anything get modded +4 Funny.

Re:Ignoring the Human Factor is not Bliss (1)

yintercept (517362) | about 7 years ago | (#20640175)

"people will not be inclined to rigorously follow those protocols."

Just having a bunch of protocols for people to follow just creates an illusion of security. It doesn't create real security. If you are actually depending on a protocol to protect you, then someone will probably figure out that the way to do wrong is to violate that protocol.

What matters is the implementation of security. If an implementation of security requires a great deal of work on the part of the employees, you are pretty much guaranteed that it will become lax with time. It seems to me that real security starts by keeping things physically and logically separate and by limiting access to key areas and with secure audit trails.

Re:Ignoring the Human Factor is not Bliss (1, Funny)

Anonymous Coward | about 7 years ago | (#20640459)

You mean that Cindy from HR keeps calling you all the time? Isn't that a good thing?

This is news? (1, Interesting)

Anonymous Coward | about 7 years ago | (#20640713)

If this surprises anyone, I hope they don't act like they are IT professionals. EVERY IT PRO knows this fact, and it's been well documented for years.

Your biggest security threats have always come from the inside. That's why a total-network solution like Active Directory using group policies is so important, rather than just having a bunch of computers thrown onto a network, with no control over anything.

It's also smartest to maintain two internal networks: one only for domain computers, and one for anything else.

Re:Ignoring the Human Factor is not Bliss (1, Insightful)

Anonymous Coward | about 7 years ago | (#20640815)

This reveal is more of a symptom.... The real problem exists in that corporations don't nurture employee loyalty and corp management seems to be only looking out for themselves. This breeds discontent in the workers and creates stats like the ones listed in the article..... Why should an employee care about protecting assets when they have no vested interest in corporate asset protection? Loyalty seems to be non-existent these days and corporate management methodologies seem to be its killer. Elaborate automated security safeguards cannot fix this problem and in fact just further alienate the employees...

The obvious, very low-tech solution is to take care of your employees, consider them long-term and valuable assets and earn their loyalty by making sound and knowledgeable decisions for the good of the company. Doesn't take an MBA to understand that.... In fact it seems that most MBAs don't understand that at all...

Re:Ignoring the Human Factor is not Bliss (1)

vux984 (928602) | about 7 years ago | (#20641083)

More than 70 percent of the 1,233 organizations surveyed in 51 countries failed to list training and raising employee awareness of information security issues as a top initiative

Whoop-de-doo. Apparently 70 percent of companies have more important 'top initiatives'. I'm surprised that it's not even higher. And in fact, I suspect that most of the companies that listed this in their top initiatives have more top initiatives than there are days in a year, ensuring most of them won't get any attention anyway, making 'top initiative' rather meaningless in those companies.

CONCLUDING COMMENTS (2, Funny)

UncleWilly (1128141) | about 7 years ago | (#20639203)

Stop hiding your porn, hiding porn is a security violation.

Norton Anti-Worker (5, Funny)

biocute (936687) | about 7 years ago | (#20639243)

Time to place your order.

Re:Norton Anti-Worker (1)

JohnnyGTO (102952) | about 7 years ago | (#20639435)

It's called /.

Re:Norton Anti-Worker (0)

Anonymous Coward | about 7 years ago | (#20639797)

Norton Anti-Worker
Time to place your order.
Prefer the open source GNAW myself: GNAW is Not Anti-Worker.

Re:Norton Anti-Worker (1)

Erris (531066) | about 7 years ago | (#20640105)

Vista has M$'s own version integrated already.

Re:Norton Anti-Worker (1)

_xeno_ (155264) | about 7 years ago | (#20640723)

I thought they already had that. You mean Norton Anti-Virus isn't supposed to be a paid 3-hour break when it runs the IT-required full scan?

This has been the case for a long time (3, Informative)

Aranykai (1053846) | about 7 years ago | (#20639251)

It brings to mind the old saying 'loose lips sink ships'. I've only had a few years' experience as a sysadmin, and it was drilled into my head quite early that the one thing you can never secure is the user. Let's come up with a real story now please.

Re:This has been the case for a long time (0)

Anonymous Coward | about 7 years ago | (#20640523)

To give due credit to the agents of seductive destruction, 'loose hips sink ships'.

Re:This has been the case for a long time (4, Insightful)

Vancorps (746090) | about 7 years ago | (#20641527)

Yeah, we had a guy calling people in our office asking for voicemail passwords. He dialed through a company in New Jersey one day, California the next. Our system doesn't allow dialing out through the voicemail system so we weren't really vulnerable but we have a simple policy which is very easy to understand. It says no one will ever ask for any password in person, email, or over the phone. IT does not need your password for any task whatsoever so never give it out.

Time came with this guy calling and asking and surprisingly no one gave him their password. My faith was restored. Of course this is a reasonably small company. Make it simple and people will follow it though. They can even encrypt their stuff and I still won't need their password ever because I have the recovery keys. All the mechanisms are there, so it's up to sysadmins to make it simple and easy for regular folks to understand. After all, the folks in accounting know more about taxes than I do because that is their job. I know a little about how our taxes are calculated because I've needed to, just like they've had to learn a little about security practices. I'd say it's as fair a system as any.

Really? (0)

Anonymous Coward | about 7 years ago | (#20639259)

Who could have ever imagined...

How is that surprising? (1)

sholden (12227) | about 7 years ago | (#20639271)

Completely obvious and expected would be a better description.

Re:How is that surprising? (1)

thatskinnyguy (1129515) | about 7 years ago | (#20639565)

What I'm more shocked and awed at is that recognized institutions are just catching on to this. They were drilling this into my head back in Business School.

Re:How is that surprising? (1)

Fritz T. Coyote (1087965) | about 7 years ago | (#20640259)

And is it any less surprising that The Suits are just now catching on?

Must have been an article about it in an in-flight magazine.

I work with my Dad (4, Funny)

JohnnyGTO (102952) | about 7 years ago | (#20639363)

and when it comes to computers, faxes, phone system or staplers we call him the Human.Virus

God forbid you leave your iPod near him!

Really? (1)

Colin Smith (2679) | about 7 years ago | (#20639367)

Viruses made it to the top spot at one point?

Re:Really? (2, Informative)

CastrTroy (595695) | about 7 years ago | (#20639465)

And even with viruses, what percentage of them are installed through dumb users running executables they shouldn't? Most of the time it comes down to dumb users. There have been very few times that a virus/worm has been able to work itself into the computer without user interaction. Granted, in the case where this has happened, like when ports are left open and the virus sneaks in from the internet, the infection rate can be very high. However, still, most viruses, and the majority of computer/security problems in general, come from dumb users.

Bonzai Buddy (0, Funny)

Anonymous Coward | about 7 years ago | (#20639375)

I hope they don't consider an animated gorilla that pops up and scares the hell out of you while you're trying to masturbate in your office during your lunch break a "problem".

Duh (4, Insightful)

grasshoppa (657393) | about 7 years ago | (#20639383)

No shit; I'm surprised this hasn't been the case all along. Every IT dept I've been in has been treated by the employer as a reactive service. Most of the time, we are given something to install. Not asked if it'll fit in our current IT environment, but given and asked how soon it can be installed.

USB thumb drives are an ongoing headache, and an attack vector on top of that. I'm forced to wonder how serious any of these issues would be if we didn't live in a Windows-centric world.

Re:Duh (2, Insightful)

czmax (939486) | about 7 years ago | (#20639663)

IT should be a reactive service. Ideally there would be more communication than just "please install this", maybe something more like, "we need this service and think this would provide it". But frankly I'm tired of IT thinking they know more about my job, and what I need, than I do.

If your current IT environment isn't capable of supporting my needs then fix it.

Re:Duh (4, Funny)

Mattintosh (758112) | about 7 years ago | (#20639867)

For this exercise, I'm going to assume you're in management.

If your current IT environment isn't capable of supporting my needs then fix it.

If your current needs outstrip the capabilities of our current IT environment, then fund the upgrade.

mv shoe otherfoot

Re:Duh (3, Insightful)

CodeBuster (516420) | about 7 years ago | (#20640405)

As you so aptly pointed out, most users (and managers) just approach IT with a demand to "please install this", only it is really an order and not a request. The users have needs, yes, but oftentimes they have already decided that a particular piece of software is "ideal" for their needs based upon the word of a salesman without even asking IT. You say that you are tired of IT thinking that they know more about your job than you do, but really that is exactly what you are doing to IT when you have already selected whatever software you are going to use, lock, stock and barrel, without consulting IT first about what it is that you are trying to do or asking for suggestions or an opinion on the software or possible alternatives. Remember that IT has to be concerned with what is best for all of the users and the network, not just your immediate needs. I cannot tell you how many times I have had to dissuade a user from a poor software selection merely because they heard a good sales pitch at their last conference where the salesman told them to "just ignore IT objections, because they don't know what they are talking about"... yeah, and that salesman doesn't have a horse in the game either way, right? Wrong.

The problem is responsibility. The IT department doesn't want to be responsible for a poor software choice that they had absolutely no input on and for which there were any number of superior alternatives. You might say that everyone wants to go to the party, but nobody wants to hang around afterwards to clean up the mess and it is always the IT department that is left without a chair when the music stops (even if IT did not champion the culprit software and was ordered to "just install it").

If your current IT environment isn't capable of supporting my needs then fix it.

It is often the case that this requires money which nobody ever wants to provide for more "expensive IT toys" and so problems go on until they become so notorious that somebody higher up actually approves a last minute purchase or budgets staff time to research and fix the problem.

Re:Duh (1)

grasshoppa (657393) | about 7 years ago | (#20640563)

IT should be a reactive service. Ideally there would be more communication than just "please install this", maybe something more like, "we need this service and think this would provide it". But frankly I'm tired of IT thinking they know more about my job, and what I need, than I do.

And we're tired of being given software that's already been bought, being told it should do X when in fact it does ( x/10 ) due to vendor lies, and being told to fix it.

IT should be consulted from start to finish when purchasing ANYTHING IT related. IT depts should be proactive in this and all IT related projects.

If your current IT environment isn't capable of supporting my needs then fix it.

You must be a manager. There are realities that no one wants to hear: there are 20 different things people want from IT, and we are given a fraction of the resources we need to do half of them. We do what we can, but oftentimes we are simply under-resourced and no one wants to provide the funds to fix it.

It boils down to this: you either work *with* your IT dept, or against it. You work against it, it'll come back to bite you in the ass.

Re:Duh (1)

lohphat (521572) | about 7 years ago | (#20642031)

"I'm tired of IT thinking they know more about my job,"

I'm tired of random people who think they're IT experts because they installed Quickbooks once. Most non-IT people are marketing tools who blindly listen to product marketing sales collateral and think technology will solve all their problems.

Suckers.

Re:Duh (2, Interesting)

CodeBuster (516420) | about 7 years ago | (#20640069)

The USB thumb drive issue is more of an issue when Autorun is enabled. I don't know about you, but I disable Autorun on all drives with group policy on all of my computers. I suppose that it is still possible that a virus could exploit the mounting procedure in Windows to execute code, but disabling Autorun substantially raises the bar of difficulty for a potential attacker. The other problem is removal of sensitive data off site, but realistically an employee who is out to get you could just as well burn a CD or print sensitive documents and leave them lying around, so that will always be a risk no matter what type of removable storage or printing policy is configured.

I think that the real problem is responsibility. If 'power users' want these types of privileges then they should have to sign off on a statement absolving the IT department of responsibility for the consequences (i.e. we may help you if this fails provided that we have some spare time and we are feeling nice, but don't count on it... otherwise we are just going to restore an image on your machine and be done with it when you ask us to 'just make it work'). The problem, as it stands now, with most users is that they don't care because it's 'not their problem' when things go down.

Re:Duh (1)

shaka999 (335100) | about 7 years ago | (#20640283)

God I wish my IT dept was reactive. Maybe I could actually run some apps that would help (ok some would hurt :) ) my productivity. Our IT dept has no idea what we need to do our job and frankly they don't seem to care a whole lot. If it doesn't fit in one of their pet projects you don't have a chance of getting it approved.

Multiple Elimination of Problem. (0, Flamebait)

Erris (531066) | about 7 years ago | (#20640299)

USB thumb drives are an on going headache, and an attack vector on top of that. I'm forced to wonder how serious any of these issues would be if we didn't live in a windows centric world.

Outside windoze, the attack vector is gone, there's little need for a thumbdrive because network services work securely, and finally it's easier to make sure information is shared on a need-to-know basis. That these services are lacking in the non-free software world is an indictment of the non-free software way, which starts with secrets to begin with. Beyond these precautions, you are left with HR-type issues like not hiring someone who's going to sell your client information. Before these precautions, blaming employees is a waste of time.

Re:Multiple Elimination of Problem. (0)

Anonymous Coward | about 7 years ago | (#20640755)

Outside windoze

"Windoze"?

Re:Multiple Elimination of Problem. (0)

Anonymous Coward | about 7 years ago | (#20641497)

Sorry, that makes absolutely no sense. So I am at home on my Ubuntu machine and I need a file from my Ubuntu machine or network server at work. I do what exactly? Right, like I thought: I pop in the thumbdrive I brought home. Otherwise I would have to do the same damn thing as in Windows: get ports for something (whether SSH, VPN, whatever) opened in the corporate firewall and make a connection and get the data. There is no difference here at all.

Re:Duh (1)

Hatta (162192) | about 7 years ago | (#20642039)

Face it, it's your job to make things work so I can do my job.

Security vs. Performance (4, Insightful)

fishybell (516991) | about 7 years ago | (#20639403)

My company is constantly tightening the security belt on its employees, but we find we can only tighten it so much.

If we give every employee access to everything, yes, problems will happen. But if we give most employees access to most things their jobs are a lot easier, and more work gets done (or the same amount of work gets done, but with less stress and overworking).

If one of our employees decides to steal information, we'll deal with it with that employee, but that's as far as we go. We can't live in fear of an inside attack just because it's more likely than a virus (especially for a Linux-only shop like ourselves). A balance must be struck between full access and full security.

I guess there's something to be said... (1)

Billosaur (927319) | about 7 years ago | (#20639425)

...for hiring robots. Unless of course the robots are infected with a computer virus...

watch out for repair man (1)

us7892 (655683) | about 7 years ago | (#20640065)

Then you have to worry about the robot service person. That's your weak link.

Mitnick is right (3, Insightful)

Enlarged to Show Tex (911413) | about 7 years ago | (#20639429)

It's all well and good to have the tech locked down; however, the system is only as good as its weakest link - the humans. There's only so much you can do when a luser decides to keep all of his passwords on a post-it note...

Re:Mitnick is right (1)

that IT girl (864406) | about 7 years ago | (#20639939)

Oh, that's okay. I encrypted my Post-It note. I wrote my passwords in Pig Latin! ;D

Re:Mitnick is right (3, Insightful)

Carrot007 (37198) | about 7 years ago | (#20639963)

When the user writes all his passwords down on a post-it note this shows you that either IT or Management have implemented a password policy that is over complex and/or changed too frequently. And if it is Management then IT are to blame for not adequately advising them that such a policy would make the system less secure through post-it note activity.

Don't pass the blame. Deal with the problem.

Re:Mitnick is right (1)

Nimey (114278) | about 7 years ago | (#20640695)

Never had a luser with a really simple password write it down on a monitor sticky, have you?

I'm talking favorite-sports-team or granddaughter's-name simple.

We have a password policy that mandates pwds of min 7 chars, containing 3 of (upper, lower, num, symbol), changed every 180 days. These accounts just haven't expired the passwords yet. The policy also states Thou Shalt Not Write Thy Passwords on a Sticky, at least not where everyone can find it. Lusers don't listen, of course, because they're special.

We've pointed out that if they /don't/ follow the policy, the state is apt to enforce /their/ policy, which mandates password changes once a month.
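As an added example (not code from the thread or from any poster), the policy Nimey describes, minimum 7 characters, 3 of the 4 classes upper/lower/num/symbol, rotation every 180 days, is small enough to encode directly. The Python below does that and audits a constructed set of accounts against it; the account names, passwords and dates are made up for illustration, and it generalises slightly by reporting every rule an account fails rather than stopping at the first.

```python
# Added example: a checker for a password policy of the shape described in
# the post (min 7 chars, 3 of 4 character classes, change every 180 days).
# Not part of the original thread; the account data below is constructed.
from datetime import date
import string

MIN_LENGTH = 7
REQUIRED_CLASSES = 3
MAX_AGE_DAYS = 180

# The four character classes the policy counts.
CLASS_SETS = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "num": set(string.digits),
    "symbol": set(string.punctuation),
}


def character_classes(password):
    """Return the names of the character classes present in password."""
    return {name for name, chars in CLASS_SETS.items()
            if any(c in chars for c in password)}


def complexity_problems(password):
    """Return the list of complexity rules the password breaks (empty = passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = character_classes(password)
    if len(classes) < REQUIRED_CLASSES:
        problems.append(
            f"only {len(classes)} of {REQUIRED_CLASSES} required character classes")
    return problems


def is_expired(last_changed, today):
    """True when the password is older than the rotation window."""
    return (today - last_changed).days > MAX_AGE_DAYS


def audit_accounts(accounts, today):
    """Map each user to the list of policy violations found (empty = compliant).

    accounts: {user: (password, date_last_changed)}; in practice this runs on a
    candidate password at change time, not on a stored plaintext table.
    """
    report = {}
    for user, (password, last_changed) in accounts.items():
        problems = complexity_problems(password)
        if is_expired(last_changed, today):
            problems.append(f"password older than {MAX_AGE_DAYS} days")
        report[user] = problems
    return report


# Constructed sample data (hypothetical users, passwords and dates).
SAMPLE_ACCOUNTS = {
    "alice": ("Tr0ub4dor&3", date(2007, 8, 1)),   # 4 classes, recent
    "bob": ("packers", date(2007, 1, 15)),         # team name, 1 class, stale
    "carol": ("Emily2003", date(2007, 9, 1)),      # upper+lower+num, recent
}
AUDIT_DATE = date(2007, 9, 17)

if __name__ == "__main__":
    for user, problems in audit_accounts(SAMPLE_ACCOUNTS, AUDIT_DATE).items():
        print(user, "OK" if not problems else "; ".join(problems))
```

Run as a script it lists, per user, which rules are broken. The check is meant to be applied at password-change time to the candidate value; a table of plaintext passwords like `SAMPLE_ACCOUNTS` exists here only so the example runs offline.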

Hmmmm... (1)

Colin Smith (2679) | about 7 years ago | (#20639431)

Cool! A use for all that non-lethal weaponry the US military has been developing.

Ha! AV software is even worse (0)

Anonymous Coward | about 7 years ago | (#20639447)

I don't think viruses are a source of security problems as much as they are an annoyance. And in that vein, anti-virus software is typically even worse than the viruses themselves. It is invasive, pops up ads (for itself), slows down your computer, makes it malfunction, and just generally causes hardship 100% of the time. As opposed to the viruses that only cause such hardship while you actually have one.

I tell people that anti-virus software is like medicine -- don't take it if you're not sick!

dom

Re:Ha! AV software is even worse (1)

prozac79 (651102) | about 7 years ago | (#20640863)

I tell people that anti-virus software is like medicine -- don't take it if you're not sick!

I use another medical saying -- "An ounce of prevention is worth a pound of cure". I would much rather have someone put up with a slightly slower computer or an odd (but usually documented) malfunction than spend hours fixing their machine because they ran an executable from an email of unknown origin. And while this is far from scientific, I've never had problems using AVG (or other non "big name" brands). But since this is Slashdot, a one-person sample set is more than enough to be "conclusive".

Really? (1)

downix (84795) | about 7 years ago | (#20639481)

I'd have never....

RUN ALEX! They're onto us!!

PEBKAC (4, Informative)

Protonk (599901) | about 7 years ago | (#20639507)

The security literature has been saying this for years. And, depending on who you classify as a 'user', this is a much broader problem. The TJX breech? If I consider that the company IT dept. allowed latitude in where computers were connected to the company intranet (for convenience) and which computers could be connected, then the protocols surrounding handling of data (either VISA [google.com] [PDF], or otherwise) become superfluous. The 'user' that wants to be able to check stock at a kiosk inserts problems not considered in the protocol.

This is largely fixed by changing/following protocol (although following PCI would not have eliminated the TJX breech, just limited it): dictating access limits to machines, enforcing those access limits through user and key management, enforcing segregation of data by pushing it back from the user space, etc.

In a lot of cases, these things can be eliminated only through design--not draconian regulations. By design I mean something separate from limitations. A limitation (for example) would be to block any traffic going to popular webmail accounts through a browser. This is pretty easily circumvented by a half dozen trivial (read: largely non-technical and non-threatening) solutions. A design solution would be to incent users to use the internal mailing system to organize their mail and to VPN to it while away. Using Outlook as a primary means to communicate makes me pine for the responsiveness and search functionality of Gmail. Eventually, rules be damned, I will migrate my work email to Gmail (assuming I'm not security conscious) because it offers so many inherent advantages. The solution being to eliminate those advantages.

Without that, you are in the same boat that you were before. More rules, but the same incentive to break them.

Re:PEBKAC (1)

Protonk (599901) | about 7 years ago | (#20639553)

wow. editing is awesome. Breech evidently =/= breach. :)

Also, damn google for not just linking my search result as an actual page.

Re:PEBKAC (1)

ratboy666 (104074) | about 7 years ago | (#20641757)

So I am called in to do some software work at a major company (names suppressed to protect everyone).

"Internet access" is requested, in order to facilitate communication (read, status updates, keep track of work process, on-line manuals). "Internet access" is granted -- um... sort of.

No "web mail" is permitted. No "ssh" connection is permitted. No internal email address is supplied. Basically, no email is allowed.

No browsing is permitted, except on one Windows XP based machine (I work on Unix). It is possible to "ftp" to and from the Unix machines. There are multiple workers on the project.

No laptops are permitted (or USB keys, etc.).

Comment?

Re:PEBKAC (1)

Protonk (599901) | about 7 years ago | (#20642003)

Not sure what I'm supposed to comment on.

In that case, we are both talking about the same kind of failure: a company feeling that total restriction means security. It's inherently not true. When I wrote about webmail being superior to local email in a lot of cases for a lot of companies, I was referring to some intrinsic superiority (portability) and some non-intrinsic superiority (ease of use, file storage limits, searchability, 'smart' contact lists).

The best way for the company to limit use of the webmail service is to have the hosted service eliminate the intrinsic and non-intrinsic superiority of the insecure alternative. Create a useful, robust VPN service (portability). Write/buy a mail service that doesn't seem like a chore to use. It's sort of like offering music on iTunes for 99 cents a song. It didn't add new laws or barriers to ripping music or downloading it from the internet, but it created a strong incentive to do it legally, with its own advantages over illicit downloading.

That doesn't answer your question, but maybe it explains why I hope that I shouldn't have provoked it.

to answer your question:

Do your best to explain what 'internet access' means, and that real-time access to support is worth its weight in gold considering the time to switch over, browse, upload the contents to ftp, blah, blah, blah. But, you probably already know that the company in question won't open up 'fort knox', so the real answer becomes: suck it up. :(

Nothing Revolutionary Here (1)

dstiggy (1145347) | about 7 years ago | (#20639517)

This is basically saying to me that antivirus packages and software systems have finally gotten to the point where they're being effective. In response to this, hackers have developed more sophisticated techniques in order to penetrate systems. It's not that anyone is doing their job worse; it's that technology is moving at such a rapid rate that it's nearly impossible for one person or a small group to keep up with all of the new attacks being implemented each day. I for one commend IT admins for doing as good of a job as they have done.

Reminds me of Fawlty Towers.... (2, Funny)

Zorbane (1095631) | about 7 years ago | (#20639571)

"Can we get you on Mastermind, Sybil? Our next contestant, Sybil Fawlty from Tall Key, special subject, the Bleedin' Obvious..."

Re:Reminds me of Fawlty Towers.... (1)

sharopolis (819353) | about 7 years ago | (#20641063)

Tall Key? It's spelt Torquay, but don't worry, it's one of thousands of British placenames designed to trap the unwary.

Re:Reminds me of Fawlty Towers.... (1)

Pope (17780) | about 7 years ago | (#20641321)

Torquay actually. [google.ca]

Ugh.... (1)

doyoulikeworms (1094003) | about 7 years ago | (#20639589)

IT Guy: I'd like to share a revelation that I've had during my time here. It came to me when I tried to classify your species and I realized that you're not actually mammals. Every mammal on this planet instinctively develops a natural equilibrium with the surrounding environment but you humans do not. You move to an area and you multiply and multiply until every natural resource is consumed and the only way you can survive is to spread to another area. There is another organism on this planet that follows the same pattern. Do you know what it is? A virus. Human beings are a disease, a cancer of this planet. You're a plague and we are the cure.

Re:Ugh.... (1)

networkBoy (774728) | about 7 years ago | (#20639751)

That was my single favorite segment of the movie.

Re:Ugh.... (1)

timster (32400) | about 7 years ago | (#20641559)

While it was a great monologue, it's obviously false. You'd think that since the movie was filmed in Sydney, someone would have thought "let's see... consuming every natural resource... multiplying out of control... humans are rabbits?"

Of course they come from the inside (2, Funny)

antifoidulus (807088) | about 7 years ago | (#20639691)

I mean, I wouldn't have had to set the place on fire if they would have quit moving my desk and asked me to kill cockroaches and kept on stealing my stapler.

This is why... (1)

this great guy (922511) | about 7 years ago | (#20639757)

...I require network traffic to use secure protocols (SSL/TLS, etc) on the internal networks I administer, even if they are protected from external attackers by a firewall. Use POP3S/IMAPS to prevent the employees from accessing others' mailboxes. Run your intranet website on HTTPS. Use LDAPS. Force CIFS connections to be signed and encrypted and to use LMv2/NTLMv2.
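What the comment above is defending against, shown from the other side: an insider with a packet capture on the internal LAN sees POP3, IMAP, HTTP Basic and LDAP simple-bind credentials in the clear, and sees nothing readable once the same services are moved to their TLS variants. This is an added example, not code from the commenter; the sample streams are constructed, and the BER decoder handles short-form lengths only, which is enough for a small bind request:

```python
import base64
import re

# Added example: classify the first bytes of captured internal-LAN connections
# and pull credentials out of the ones that are still in cleartext. This is the
# view an insider with a packet capture has of POP3, IMAP, HTTP Basic and LDAP
# simple binds that were not moved to POP3S/IMAPS/HTTPS/LDAPS.


def _ber(tag, body):
    """Minimal BER TLV encoder (short-form length, enough for a small bind)."""
    return bytes([tag, len(body)]) + body


# Constructed sample streams, not real traffic.
_LDAP_NAME = b"cn=dave,dc=example,dc=com"
SAMPLES = {
    "pop3_clear": b"+OK POP3 ready\r\nUSER alice\r\nPASS hunter2\r\n+OK Logged in\r\n",
    "imap_clear": b'* OK IMAP4rev1 ready\r\na001 LOGIN bob "s3cret"\r\na001 OK LOGIN completed\r\n',
    "http_basic": (b"GET /intranet/ HTTP/1.1\r\nHost: wiki\r\nAuthorization: Basic "
                   + base64.b64encode(b"carol:Summer07") + b"\r\n\r\n"),
    # LDAPMessage { messageID 1, bindRequest { version 3, name, simple password } }
    "ldap_simple_bind": _ber(0x30, _ber(0x02, b"\x01")
                             + _ber(0x60, _ber(0x02, b"\x03") + _ber(0x04, _LDAP_NAME)
                                    + _ber(0x80, b"Letmein!"))),
    # First bytes of a TLS 1.x record carrying a ClientHello: nothing readable.
    "tls": bytes.fromhex("16030100a5010000a10303"),
}


def classify(stream):
    """Label a stream by its first bytes; TLS is recognised before any cleartext protocol."""
    if len(stream) >= 3 and stream[0] == 0x16 and stream[1] == 0x03 and stream[2] <= 0x04:
        return "tls"
    if stream.startswith(b"+OK"):
        return "pop3"
    if stream.startswith(b"* OK"):
        return "imap"
    if re.match(rb"(GET|POST|HEAD|PUT|DELETE) ", stream):
        return "http"
    if stream[:1] == b"\x30":           # BER SEQUENCE: every LDAPMessage starts this way
        return "ldap"
    return "unknown"


def _tlv(buf, pos):
    """Decode one short-form BER TLV at pos: (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    start = pos + 2
    return tag, buf[start:start + length], start + length


def ldap_simple_bind(stream):
    """Return (name, password) from an LDAP simple BindRequest, else None."""
    tag, msg, _ = _tlv(stream, 0)
    if tag != 0x30:
        return None
    _, _, pos = _tlv(msg, 0)            # messageID
    tag, bind, _ = _tlv(msg, pos)
    if tag != 0x60:                     # [APPLICATION 0] BindRequest
        return None
    _, _, pos = _tlv(bind, 0)           # version
    _, name, pos = _tlv(bind, pos)      # name OCTET STRING
    tag, pw, _ = _tlv(bind, pos)
    if tag != 0x80:                     # [0] simple: the cleartext password
        return None
    return name.decode(), pw.decode()


def extract_credentials(proto, stream):
    """Return (user, password) for a cleartext login, or None."""
    if proto == "pop3":
        user = re.search(rb"^USER (\S+)", stream, re.M)
        pw = re.search(rb"^PASS (\S+)", stream, re.M)
        if user and pw:
            return user.group(1).decode(), pw.group(1).decode()
    elif proto == "imap":
        m = re.search(rb'^\S+ LOGIN (\S+) "?([^"\r\n]+)"?', stream, re.M | re.I)
        if m:
            return m.group(1).decode(), m.group(2).decode()
    elif proto == "http":
        m = re.search(rb"^Authorization: Basic (\S+)", stream, re.M | re.I)
        if m:
            user, _, pw = base64.b64decode(m.group(1)).decode().partition(":")
            return user, pw
    elif proto == "ldap":
        return ldap_simple_bind(stream)
    return None


def audit(captures):
    """Map each capture name to (protocol, credentials-or-None)."""
    return {name: (classify(s), extract_credentials(classify(s), s))
            for name, s in captures.items()}


if __name__ == "__main__":
    for name, result in audit(SAMPLES).items():
        print(name, result)
```

Note that the firewall the comment mentions does nothing against this: the capture point is inside it. Signing and NTLMv2 on CIFS address the same class of problem for file shares, but are configured in Samba or Group Policy rather than detected this way.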

It's Workers Because (2, Funny)

Nom du Keyboard (633989) | about 7 years ago | (#20639771)

Workers have probably displaced viruses simply on the strength of MediaDefender's e-mails all going public this weekend due to the truly stupid actions of one person, and I'm very glad today that I'm not him!

Re:It's Workers Because (1)

CharlesAKAChuck (1157011) | about 7 years ago | (#20640969)

"... the finding that the single biggest security threat faced by corporate networks doesn't come from virus writers any more; instead, it comes from company insiders"

I'm sure there will be several emails from MediaDefender saying "No shit?"

Article Summation (1)

Notquitecajun (1073646) | about 7 years ago | (#20639787)

PEBCAK

using unlicensed software is not 100% the workers. (1)

Joe The Dragon (967727) | about 7 years ago | (#20639793)

Using unlicensed software / bypassing security is not 100% the workers' fault. Sometimes they need to do it to get the job done on time and the official way takes too long. Some bosses have even set up their own servers for testing just to get it done faster, as sometimes the official way takes a lot of time for every little update to the project. Sometimes even IT workers do things like this, and it seems to happen more when the IT boss is clueless about IT.

Its the lusers fault ... (2, Funny)

PPH (736903) | about 7 years ago | (#20639809)

.. according to the BOFH [wikipedia.org] .

Duh! (4, Insightful)

gravis777 (123605) | about 7 years ago | (#20639873)

Even when I do have a small virus outbreak, it's because people are visiting sites that they know they shouldn't. I have Sophos set up to block installations of all toolbars except for Google, users cannot run Limewire, Kazaa, Bearshare, or so forth (BitTorrent is still enabled), and so forth. Before I upgraded Sophos and it was not able to block apps, I was always having problems with people going to SmileyCentral, or downloading Weatherbug. Now they can go to the websites all they want, it will not let them install the software.

But yeah, most problems are user related. Broken pins on power adaptors, caused by users jabbing the plugs into their laptops; out of hard drive space, fixed by deleting their iTunes; computer running slow, I go and remove tons of crap the user has installed; user has e-mail bouncing, because user had ignored notifications from IT that they were approaching their e-mail quota; Illustrator on the Mac will not start because user has deleted system fonts; modem not working after user used modem during lightning storm (I am actually looking at my tickets as I am writing this, these are my tickets).

Re:Duh! (2, Insightful)

myz24 (256948) | about 7 years ago | (#20640665)

Don't allow your users to be local admins, this has done well for me to prevent installations.

Re:Duh! (1)

gravis777 (123605) | about 7 years ago | (#20640999)

No can do, we have software that will not even run unless the user has local admin rights. We have been down that avenue before.

Re:Duh! (1)

Nimey (114278) | about 7 years ago | (#20641923)

Can't do that with most Adobe software, unless they've wised up recently. There's other software that *must* have Admin rights to run.

In theory you could figure out exactly which files and registry keys the poxy things need write access to, but that's almost never documented, and it's better for them not to write to hkey_local_machine anyway.

CSI study is, and always has been, crap (2, Insightful)

44BSD (701309) | about 7 years ago | (#20639949)

494 out of 5,000 responded. I wonder if the 9% who did are at all unlike the 91% who did not? Could it be, ya think??

It's called non-response bias.

They admit right up front that the results (even if there were no non-response bias) don't generalize to IT in general, since their members are not drawn from IT in general.

Don't alienate users (2, Insightful)

mi (197448) | about 7 years ago | (#20640009)

I don't mean, alienating them as employees — that's another story. I mean alienating them as computer users — by bullshit like blocking certain sites or other services (such as instant messengers), in particular.

You will then not have to chase the violators and waste time (money) on the fruitless pursuit... The pursuit, which also severely hampers the productivity of the best of your users... "Access from home? No, you'll need five approvals for me to allow that."

is ignorance cheaper? (1)

192939495969798999 (58312) | about 7 years ago | (#20640031)

Maybe it's cheaper to not bother with security education initiatives, because the people who are going to commit security fraud won't change their minds knowing that it's wrong -- they already know it's wrong. The people who unwittingly violate security probably wouldn't be able to regularly practice the secure workaround, thus exposing the same security holes as always, just less frequently exposing them.

*dreary* news? (1)

OriginalArlen (726444) | about 7 years ago | (#20640205)

It's been almost a decade since I decided to start working towards infosec rather than web development. Finally, this year, I'm earning slightly more than I was back in 1998. (Admittedly I was massively overpaid then - it was the bubble! in central London! and I could write Perl, /and/ read it! :) )

So bring on the new attacks, the more determined villains, the organised crime groups. It's the closest thing to a job for life I'll ever have.

Re:*dreary* news? (1)

xSquaredAdmin (725927) | about 7 years ago | (#20641501)

Able to read Perl? I call shenanigans!

Workers bad! viruses good! (2, Funny)

heli_flyer (614850) | about 7 years ago | (#20640423)

The obvious conclusion is all the workers should be fired and replaced with viruses.

The only logical conclusion (4, Funny)

gorbachev (512743) | about 7 years ago | (#20640469)

...is to fire everyone.

Inside Job (1)

Bellum Aeternus (891584) | about 7 years ago | (#20640501)

Wait, you mean social hacking and stupid people are a dangerous combination, or that corporations get ripped off by inside jobs? No way?! Oh come on, this shouldn't be news to anyone. As IT systems make up more and more of corporate infrastructure, of course "evil" people are going to use them to steal. Maybe the news is that they have a clue about IT systems. In which case this is good news, maybe execs will stop making stupid IT choices... wait, never mind.

Some technologies DO address human issues (0)

Anonymous Coward | about 7 years ago | (#20640543)

Glad to hear that finally there is some understanding that any solution to the problem of endpoint security must take into consideration the human issue. There are even companies now who offer central granular control over devices and application whitelisting [trinamo-solutions.com] , both technologies that will help you secure the laptop or desktop.

Tag: virii (0)

Anonymous Coward | about 7 years ago | (#20641033)

"Virii" is the plural of the latin word "virius", which isn't in my dictionary. The plural of the English word "virus" is "viruses".

Re:Tag: virii (1)

Nimey (114278) | about 7 years ago | (#20641957)

Pah. The people posting that just want to look "cool" or "with it" and don't bother understanding what they're writing.

Much like the wankers who write "begs the question" when they mean "raises the question".

They have a bright future in management, in other words.

This is old news... (0)

Anonymous Coward | about 7 years ago | (#20642037)

In this interview in PC Magazine ( http://www.pcmag.com/article2/0,1759,2164176,00.asp [pcmag.com] ) Jonathan James said:


"Q: What is the most common, preventable security hole you've seen?
A: Aside from users, I'd have to say updates. Users always ignore messages about updating software..."

I always thought that was funny, and wondered if anyone else caught the quip... more here: http://jaclynperrelli.wordpress.com/2007/08/16/beyond-modifications-to-the-infrastructure-a-hacker-interview/ [wordpress.com]
