Forgot your password?
typodupeerror

The Enemy Within the Firewall 265

Posted by ScuttleMonkey
from the sowing-dissent-and-distrust-in-the-workplace dept.
Mel Tom writes to tell us The Age is reporting that many businesses are now considering employees a much bigger threat to security than most external threats. From the article: "With email and instant messaging proving increasingly popular and devices such as laptop computers, mobile phones and USB storage devices more commonplace in the office, the opportunities for workplace crime are growing."
This discussion has been archived. No new comments can be posted.

The Enemy Within the Firewall

Comments Filter:
  • One thing is sure (Score:5, Insightful)

    by LunaticTippy (872397) on Monday March 13, 2006 @05:34PM (#14910965)
    If companies treat their employees like criminals, they are likely to get what they expect.
    • by ditoa (952847) on Monday March 13, 2006 @05:46PM (#14911072)
      Treating your employees like criminals and restricting access to data that they have no business in accessing are very different things. Remember you own nothing at your work, it all belongs to the company. Restricting access to things you do not own is not treating you like a criminal.
      • by Anonymous Coward on Monday March 13, 2006 @06:14PM (#14911294)
        You don't own it, but companies expect the same loyalty as if you owned it.

        See the contradiction? Why should an employee care about something they don't own?

        Given that the majority of companies wouldn't hesistate to act against the employees interest if there is any suggestion of compromosing the companies's interest, why should an employee protect a typical company's interest apart from doing the bare minimum required to preserve their own job?

        Companies are just repaing the "benefits" of years of treating employees as "production units".

        Yes I'm posting as an AC because I don't want any potential employers to know that I don't really care about their company apart from the fact it pays me money.

        (I'm not advocating slacking off in life or being bitter and twisted. Just make sure the things you dedicate yourself to are either THINGS YOU OWN or a charitable cause that you think is worthy. Working for someone else's profit is what you do to make money so you can do do what really matters. Don't dedicate your life to making profit for someone else.)

        • by ThatNuttyPeej (739121) on Monday March 13, 2006 @06:34PM (#14911452)
          You don't own it, but companies expect the same loyalty as if you owned it.

          See the contradiction? Why should an employee care about something they don't own?


          Because of a phenomenon known in scientific circles as the paycheck.
          • by Anonymous Coward on Monday March 13, 2006 @08:15PM (#14912193)
            You don't own it, but companies expect the same loyalty as if you owned it.

            See the contradiction? Why should an employee care about something they don't own?


            >>>Because of a phenomenon known in scientific circles as the paycheck.

            There is a fundamental point overlooked here. I assume you're just being flippant but, the original poster didn't say he planned on destroying or stealing, only that he didn't care. The man in the apartment downstairs from me has a nice car, and I respect the car by not doing anything untoward to it but, I don't care about the car. The paycheck will make us work on things we wouldn't otherwise work on. It won't make us care.

            Now if pride of work can be achieved then, I'll care.
        • Why should an employee care about something they don't own?

          Self-respect?

          Call me old-fashioned.
      • Re:One thing is sure (Score:5, Interesting)

        by truthsearch (249536) on Monday March 13, 2006 @06:25PM (#14911373) Homepage Journal
        Restricting access to things you do not own is not treating you like a criminal.

        True, but taking my fingerprints and putting them on file at the FBI within the first hour of a new job is criminal treatment. After all the SEC, FBI, and other background checks you still get put on file at the FBI when taking a job at most brokerage firms (at least here in NYC).

        It's beyond technical. At many companies you're treated as if they need to always look over your shoulder. Those cameras aren't there for your benefit. They're there to catch you if you do anything wrong.
        • by Metzli (184903) on Monday March 13, 2006 @06:32PM (#14911430)
          Depending on where you are and what you do, that's the norm. I once worked at a bank's data center and there were cameras all over the place. They do background checks before you join, etc. Personally, I don't have a problem with that. I would feel better knowing that the place that has my money is that careful.
      • Re:One thing is sure (Score:5, Interesting)

        by EnronHaliburton2004 (815366) * on Monday March 13, 2006 @06:31PM (#14911422) Homepage Journal
        Where do things like arbitrary background, credit & criminal checks [choicepoint.com] fit in, I wonder.

        At my last 3 jobs (Over 4 years), it was required to take these things. Along with the occasional piss-in-the-cup drug test. At many workplaces, companies are running background checks on existing employees. The tests are a "requirement of your continued employment here at the company".

        Does this make people feel like a criminal?
        • by Lehk228 (705449)
          i have no problem with criminal checks. if i was hiring an accountant i would want to know he wasn't involved in previous fraud or other scandals
          • by green1 (322787)
            >> i have no problem with criminal checks. if i was hiring an accountant i would want to know he wasn't involved in previous fraud or other scandals

            There are 2 problems here, first of all this depends on the scope of the criminal check, is it any of your business if your accountant had a drunk driving conviction 15 years ago?
            secondly, we as a society frequently complain that criminals aren't properly rehabilitated after serving their sentences, but a lot of that is our fault. just try to get a decent
        • by wkitchen (581276)

          Does this make people feel like a criminal?

          It doesn't make me feel like a criminal. But it does help to clarify what the true nature of the relationship is. The company is not my friend, because clearly, it does not consider me one.

          After many years of having my misplaced loyalty abused, I have developed a much different perspective than the one I started with. My present employer is one of the best I've ever worked for. Decent pay, relatively low stress, competent co-workers, recognition for accomplishm

      • you own nothing at your work, it all belongs to the company

        That's MY stapler! It's mine!
      • by slapout (93640) on Monday March 13, 2006 @06:45PM (#14911552)
        It's funny. At one job I had, it wasn't allowed to defragment my own hard drive. Yet I had delete access to every table in the production database. Strange.
        • by TheSkyIsPurple (901118) on Monday March 13, 2006 @11:05PM (#14913037)
          > It's funny. At one job I had, it wasn't allowed to defragment my own hard drive. Yet I had delete access to every table in the production database. Strange.

          Perhaps because you have "ownership" of the production database and will catch living hell if you break it.

          But, if you accidentally hose your desktop, there is no real recourse against you? It only ends up costing the IT group time and money to fix your problem. (maybe not you personally, but "users" in general may have set the pattern...)
    • by tpgp (48001) on Monday March 13, 2006 @05:47PM (#14911079) Homepage
      If companies treat their employees like criminals, they are likely to get what they expect.

      While I can certainly understand why you say that, the article's headline 'the enemy within the firewall' was a bit of a troll.

      More like 'the hapless idiot within the firewall' because the article is more about external attacker using employees's as a vector rather then the employees themselves being the attacker.

      And really - when I say 'the hapless idiot' I'm being far too harsh - after all, it only takes inserting a music CD to potentially install a rootkit on a company's (windows) PC.
      • by LunaticTippy (872397) on Monday March 13, 2006 @05:55PM (#14911149)
        I realize there are risks, and agree that appropriate security needs to be in place.

        You're right that I was responding to the tone of the article and headline.

        I've worked for companies that think of employees as liabilities they reluctantly put up with because there isn't another option. It comes through loud and clear in their policies. Security measures that add no security but are humiliating, stark double standards for management and staff, headlines about corporate malfeasance and record-breaking bonuses, etc.

        I think treating employees like family is a better approach. Give them some trust, but have policies in place. My mother, for example, has a computer with very strict security policies that she can't change. That is appropriate, and she has thanked me for it. Same approach will work for employees.

    • by GringoGoiano (176551) on Monday March 13, 2006 @06:35PM (#14911455)

      Insiders can be real threats, the BIGGEST threats. An insider can steal much more than a hacker ever can. And many insiders think they can get away with it. Just look at the porn-billing iBill incident made public last week.

      The best policy is to log everything that happens in an enterprise, to a level required to reconstruct past bad behavior. You can't keep your insiders away from information they need to do their jobs. Trust, but also verify! There are products out there like Sensage (http://www.sensage.com/ [sensage.com] ) that can collect, centralize, and make available years of log data for an IT organization. While this might not prevent the theft in the first place, a company can crack down on and prosecute current/former misbehaving insiders. Sensage will do very well, as will many other companies in this space (including recent Slashdot heavy banner-advertiser Splunk (http://www.splunk.com/ [splunk.com] ) ).

      I look forward to seeing how well these products do. It's time one of them went public so we can gauge interest.

  • And this is new? (Score:5, Insightful)

    by Trevahaha (874501) on Monday March 13, 2006 @05:35PM (#14910969)
    Isn't this covered in Security 101 -- most instances of stealing information, destroying data, etc. occurs from the inside (or ex-employees).
    • Re:And this is new? (Score:5, Interesting)

      by hal9000(jr) (316943) on Monday March 13, 2006 @06:04PM (#14911216)
      What is new is that apparently some companies are actually starting to get it.

      You don't have to treat your employees like criminals in order to reduce the threat that an insider may pose. You just have to take rational approaches to tighten access.
    • Trevahaha wrote:

      Isn't this covered in Security 101

      True, but it's also covered in BLAME 101 -- When something goes wrong you need to identify, control, and correct the problem. It does no good to acknowledge security issues to the press or in your financial report if you have no response to them.

      While you may not know who the real criminals are or whether they are inside or outside your firewall, it IS easy to establish internal policies ("No iPods indoors!") or provide a subtext to layoffs ("We are tight

    • by jd (1658) <imipak AT yahoo DOT com> on Monday March 13, 2006 @07:36PM (#14911945) Homepage Journal
      And that came out in the UK in the mid-to-late 80s. Never did solve the anagram of the author's name. The DoD's "Orange Book" covers the topic in some depth, which is why computers that can carry classified data MUST be certified to B1 standard or better - or whatever the nearest Common Criteria protocol defines for mandatory access controls and protected space.


      And that's the crux of it. If you have discretionary access controls (or no meaningful access controls at all) then you're as trusting as the person who leaves a spare key under the doormat. Under a totally trusting environment, that actually works very well and can improve efficiency. Where trust is unrealistic or inappropriate, you need better defenses.


      I believe it has passed the point where most businesses should be using B1-comparable systems for as much as possible, and should use secure networking where practical.


      IPSec for all traffic would be good. All web traffic over SSL would be excellent, Kerberos is good. SSH is good. Telnet is bad. Rsh/Rlogin is evil. Both easy-to-guess and impossible to remember passwords are diabolical. Wireless without 802.1x security or better is satanic. Unpatched computers that "don't matter" (and so never supervised or monitored) are so far beyond the deepest pits of Hades that they should be burned at the stake and their transistors scattered to the four corners of the world.

  • This Has Been Why... (Score:5, Informative)

    by ackthpt (218170) * on Monday March 13, 2006 @05:35PM (#14910972) Homepage Journal
    This has been why email attachments are regularly stripped and IM is forbidden here. Still, we get stuff because people bring it in on CDs, infected PDA's in dock, etc.
    • Forbidden IM (Score:4, Insightful)

      by truthsearch (249536) on Monday March 13, 2006 @05:39PM (#14911015) Homepage Journal
      IM forbidden? Tunnel it through SSH on port 443. Works every time and the company can't spy on what you're IMing.
      • Re:Forbidden IM (Score:3, Insightful)

        by MightyMartian (840721)
        But they will know that you were doing something.
        • Your average sys admin will see encrypted traffic on port 443 and think you're browsing web sites (https).

          A better sys admin will notice you're connected to a server with an odd name (myhomeserver.dyndns.org or whatever) but still wouldn't think much of it.

          The best sys admin probably won't notice because there's so much traffic going through the proxy on ports 80 and 443 that they won't bother to look at each server's name. They'll mostly trust the proxy filter to block bad host names, but your random serv
          • Re:Forbidden IM (Score:3, Insightful)

            by eneville (745111)
            And some admins do protocol inspection.

            There's a bunch of ways to stop tunnels, or even break connections off after a set amount of time, if it takes 5 minutes, surely that cant be good.

            Personally I'd like to prevent people listening to streaming music... if someone wants to listen to music, they can buy a mp3 player, or bring in an FM/DAB radio.

            And besides, they can't be doing anything through the tunnel that's directly related to work that they can't get permission for from the admin, so they should stop
      • Re:Forbidden IM (Score:3, Insightful)

        by idontgno (624372)
        Tunnel it through SSH on port 443. Works every time and the company can't spy on what you're IMing.

        Until they lock down down which systems you can hit at port 443. Are you gonna start port-hopping? Then they get really draconic and employ a total "deny unless permitted" outbound ruleset.

        Yeah, it can be limiting. In a way, an organization which does this gets what it deserves: workers buckled into the traces with blinders around their eyes, plodding away. Kinda like a team of draft horses pulling a big ol'

  • Duh! (Score:3, Funny)

    by creimer (824291) on Monday March 13, 2006 @05:36PM (#14910986) Homepage
    Employees are the biggest threat to any company. Especially if the CEO is shoveling the loot out the backdoor.
  • by 3D Monkey (808934) on Monday March 13, 2006 @05:36PM (#14910989)
    to get rid of all the employees.

    Seriously, how can anyone get any work done with all this security risks running around?
  • Not much new here (Score:5, Insightful)

    by truthsearch (249536) on Monday March 13, 2006 @05:37PM (#14910991) Homepage Journal
    The disguntled employee has always been the biggest security threat to any company. The only new thing today is how much easier it is to disrupt security and how often security is breached accidentally. I still see idiots send out passwords in plain text e-mails all the time. Educating employees is just as important as not disenfranchising them and properly securing networks.
    • by GlassHeart (579618)
      I still see idiots send out passwords in plain text e-mails all the time.

      RFC 821 (SMTP) was published in 1982. 24 years later on computers with 3,000 times the clock speed, we're still blaming users for the total lack of security in their email applications and infrastructure? How about some security out of the box, the same thing we expect of operating systems vendors?

      • by truthsearch (249536) on Monday March 13, 2006 @06:17PM (#14911318) Homepage Journal
        Every good security expert will tell you the problem is far more social than technical. We can put in all the encryption and layers you want. But we can still call up 8 out of 10 companies and get the operator's computer password over the phone. The point is it'll always be about the user.
        • Every good security expert will tell you the problem is far more social than technical. We can put in all the encryption and layers you want. But we can still call up 8 out of 10 companies and get the operator's computer password over the phone.

          What you wrote is true, but has little to do with what I wrote, unless you mean that because of the bigger security hole that is the user there's no need to plug the smaller security hole that is plain-text email. My opinion is that we need to do both, but have fai

  • by mordors9 (665662) on Monday March 13, 2006 @05:37PM (#14910997)
    "Ms Warwar believes that the rise in internal security attacks has come about because outside criminal gangs realise that recruiting or tricking employees to hand over insider knowledge is less expensive and traceable than other forms of cybercrime."

    Gee someone ought to come up with a name for this... let's see, we can call it "Social Engineering". Hopefully no bad guys will read about this and start using it now....

    • I've got a patent on that.

      Muuuhahahaaha!
    • "Ms Warwar believes that the rise in internal security attacks has come about because outside criminal gangs realise that recruiting or tricking employees to hand over insider knowledge is less expensive and traceable than other forms of cybercrime."

      When approached for comment, Mr. Warwar replied, "Claudia can think its terrorists and criminals all she wants. I know it's that pervert Jason in accounting!"

  • by Anonymous Coward on Monday March 13, 2006 @05:39PM (#14911007)
    I am shrugging at this, because it seems fairly obvious to me. After all, haven't all the e-mail worms of the past decade gone through corporate firewalls because some guy in the office just opened an e-mail he though had some interesting photos in it? Or some guy happens to leave his blackberry with hundreds of sensitive emails on it on a subway train or in Starbucks?
  • crime opportunities (Score:5, Interesting)

    by pretygrrl (465212) on Monday March 13, 2006 @05:40PM (#14911018) Journal
    I work for a consulting firm that provides all types of HR services. We get data on client personnel that includes EVERYTHING: SSN's, addresses, spouse info, dates of birth, EVERYTHING
    The article mentions scarce spending on addressing internal security threats: im looking around my office, and there is just nothing you can do! Even if you completely lock down desktops (the latest image was set up as to disable all HW and SW installs), and I personally had an admin pw within days!), there is still email. And loaner laptops.
    I hear that this type of complete personal information fetches $10 per record amongst certain unscrupulous Brooklyn programmers.
    Come think of it... where DID i put all my floppies?
  • by hackstraw (262471) * on Monday March 13, 2006 @05:43PM (#14911052)

    Employees often suck. In retail, they rip you off more than your "customers". (I can't call a shoplifter a customer :)

    Kevin Mitnick was able to get employees to give him tons of "sensitive" information just by asking for it. They take their laptops home and surf porn and get 0wn3d and bring the trojans and malware inside the firewall. Hell, they can even VPN the crud in from home or Starbucks too.

    I suggest 1) firing all employees you can 2) treat the remaining ones to a paycut 3) installing spy mechanisms inside of their office, computer, and bathrooms to "keep them honest", and let go of the ones that don't make the cut.

    We don't need no stinking happy employee. We need one that does what they are told, and is already happy to do what they are told. Thats it.

    • Better yet, replace them with robots.

      Robots programmed and designed by robots, to remove the chance of humans tinkering with the logic.

      • Wait... I think I saw that movie. as it turns out the designer robots aren't all that great. The concept of failsafe seems to have escaped them... I mean, why even put sharp fangs on a snake-bot that's not supposed to ever bite a guest? Especially when rubber fangs would get the same visual effect. Same thing with the bullets. Why would the robot gunslinger even have real bullets? Just make sure all his firing lines are predetermined and make judicious use of squibs.

        Why would you have a hermetically s
    • Employees often suck. In retail, they rip you off more than your "customers". (I can't call a shoplifter a customer :)

      Call them "consumers", perhaps?

    • by PCM2 (4486)
      Employees often suck. In retail, they rip you off more than your "customers". (I can't call a shoplifter a customer :)
      I had a girlfriend who had a (very brief) job working at the Disney Store. She said that at the Disney Store, if a patron was referred to as a "customer," that meant someone suspected them of shoplifting. Everyone else was a "guest."
    • Here's a plan: let's just outsourse all the work to one of our corporate run prisons in Texas. They won't see this as a disadvantage at all.

      Also, I'm sure the corporation running the prison would happily charge you a $20/hr contract rate for the prisoners' services, and deduct the expenses it would entail as "educational/rehabilitation" expenses.
  • by robyannetta (820243) * on Monday March 13, 2006 @05:46PM (#14911075) Homepage
    If you're a company that respects its employees, rewards them appropriately and values them, do you think internal threats are going to be such a large issue compared to the faceless megaopolies that most American companies have mutated into?
  • by mnmn (145599) on Monday March 13, 2006 @05:47PM (#14911087) Homepage
    "opportunities for workplace crime are growing"

    This may be more because of incompetent netadmins than vile employees. Maybe more so because of lax security. Tighten up the computers, the type of traffic that can travel, the ports, the installed apps, passwords etc and an employee on a mission cant break in except into her own account. Security in a workplace lan is more than just put an MS Windows 2000 Server Firewall, its segregated security groupings per department and employee.

    Security is good. Give it a shot.
    • by helix_r (134185) on Monday March 13, 2006 @05:56PM (#14911154)

      If an employee wants to screw up his employer, there are 1001 ways to do that-- with or without involving IT staff or systems.

      There is nothing new here except that more and more companies are treating their employees as disposable temps that can be dropped simply to increase share price. It is not surprising that in today's enviroments employees are more likely to feel they need revenge.

      Security lapses happen for a reason. Instead of attempting the sisphian task of "locking down" all systems, perhaps companies should address the root causes that incentivise their employees to behave badly.

    • ...and get axed by the CEO 'cause he can't chat with his mistress ?
      --
      I totally agree with parent... but my CEO got a mistress in every larger city in Europe.
  • Who is the enemy? (Score:5, Insightful)

    by Y-Crate (540566) on Monday March 13, 2006 @05:49PM (#14911098)
    While businesses should take reasonable precautions to secure their networks, data and physical assets, I've found that the employer/employee relationship is beginning to evolve into one of suspicion and severe distrust that is fostering resentment, anger and inhibiting productivity. No one wants to work anywhere they are treated as being one step removed from a hardened criminal from the moment they walk in the door on their first day. There is a fine line between taking sensible precautions to prevent opportunistic breaches of security, and indulging in paranoia and broadcasting an implicit belief through actions and words that everyone there is just waiting for the right moment to take the entire company for all they're worth.

    Employees are no longer being thought of as possible risks, but confirmed dangers that must be actively confronted every step of the way. Proactive security measures enacted in a passive way that does not interfere with day to day work in an unreasonable fashion, or impact the work environment in a disproportionate manner are giving way to managers that are far more focused on what their employees are deliberately doing wrong, than on the actual work at hand.

    By creating this atmosphere of hostility and distrust which cannot be overcome by proving oneself through hard work and carrying out duties in a thoughtful, honest way, managers are encouraging high-turnover, poor communication between workers, poor attitudes towards work and customers, and an atmosphere of little or no respect for the organization which anyone can tell you is the first step towards encouraging workplace crime.
    • This attitude of treating everyone as a criminal is a current trend. Not only are employers treating their employees as potential criminals, but companies treat their customers as thieves, and even the government is seems to be moving that way. Time to go live in a cabin in the mountains...
      • Hey, if I worked somewhere that treated me as a criminal I might oblige them too.

        Respect your employees and they'll respect the place they work.

        I've got my cabin in the mountains all picked out.
    • by aussersterne (212916) on Monday March 13, 2006 @06:29PM (#14911404) Homepage
      There is a fine line between taking sensible precautions to prevent opportunistic breaches of security, and indulging in paranoia and broadcasting an implicit belief through actions and words that everyone there is just waiting for the right moment to take the entire company for all they're worth.

      The problem is that this is absolutely true in western society. Everyone is waiting to take everyone for all they're worth. Witness patent battles, intellectual property and copyright battles, lawsuits, hostile takeovers, noncompete agreements and violations of noncompete agreements, "new enterpreneurship" in which you work to gain expertise, then leave the company and start your own doing the same things, corporate cutbacks in benefits and resorting to temp workers and outsourcing... From my view, virtually every practice in the free market, even those that are applauded, are of marginal ethics and morality at best. The basic premise of taking as much wealth as possible from others because you are clever enough to win it at their expense makes the entire pile of rubbish stink.

      Everyone is in this for his or herself, and the offensively rich can routinely be heard to say to the poor labor force: "You should have seized the opportunity like I did," or "it's not my fault if you don't know how to build wealth."

      Everything is fair game--it's only illegal if someone richer than you or less clever than you is able to stop you from getting away with it. So companies should be paranoid, because all of their employees would steal everything not nailed down if they could get ahold of it, and employees should be paranoid, because companies would press employees bodies and minds into perpetual, dehumanizing forced labor if they could.
      • Re:Who is the enemy? (Score:4, Informative)

        by bnenning (58349) on Monday March 13, 2006 @08:17PM (#14912207)
        From my view, virtually every practice in the free market, even those that are applauded, are of marginal ethics and morality at best. The basic premise of taking as much wealth as possible from others because you are clever enough to win it at their expense makes the entire pile of rubbish stink.

        Free markets are not zero-sum. Wealth can be created, not just "taken", and capitalism encourages that better than the alternatives.
      • Greed doesn't win (Score:5, Informative)

        by redelm (54142) on Monday March 13, 2006 @08:23PM (#14912245) Homepage
        Look at game theory: betrayal and greed only work in the very short term. Co-operation works much better long term. Different people have different time horizons (discount rates), but the system has long memories. Getting longer with electronics.

      • Re:Who is the enemy? (Score:3, Interesting)

        by sinewalker (686056)

        Witness patent battles, intellectual property and copyright battles, lawsuits, hostile takeovers, noncompete agreements and violations of noncompete agreements, "new enterpreneurship" in which you work to gain expertise, then leave the company and start your own doing the same things, corporate cutbacks in benefits and resorting to temp workers and outsourcing...

        There are all activities taken by employers, not employees... That is companies. So companies should be paranoid because their own behaviour

    • by HalfStarted (639977) on Monday March 13, 2006 @06:59PM (#14911655) Journal
      A common trend I am seeing in these threads is the equating of "IT infrastructure policies to limit employee access" == "Treating employees like criminals".

      Bank employees (at least the ones I know and talk to) definitely do not feel that they are treated like criminals, but most of them are not allowed into the vault at any time they like for any reason they would like. Similarly I would consider it a reasonable policy to specify IT polices to limit access to databases that contained confidential data.

      Access policies are just one example of a reasonable IT policy for protecting corporate data and infrastructure. Really most acceptable use policies are also reasonable when you get down to it as well.

      As recent as the 2005 CSI/FBI Computer Crime and Security Survey roughly 50% of all network intrusion/unauthorized use was from inside jobs. This can have a substantial material impact on a company, it is only reasonable that they take steps to minimize this as well. Reasonable policies to protect corporate assets are not the same as treating you like a criminal, hence the word reasonable. From reading the article I do not see anyone saying that extreme steps should be taken either, just that this is an area that should not be ignored and deserves some thought.

      Really the argument that IT policies intended to limit access or specify accepted use for equipment is tantamount to treating you like a criminal is just an overreaction by technologically sophisticated people that resent the idea of being told that they can't do anything they want.

      • Re:Who is the enemy? (Score:3, Interesting)

        by DerekLyons (302214)

        A common trend I am seeing in these threads is the equating of "IT infrastructure policies to limit employee access" == "Treating employees like criminals".

        Bank employees (at least the ones I know and talk to) definitely do not feel that they are treated like criminals, but most of them are not allowed into the vault at any time they like for any reason they would like. Similarly I would consider it a reasonable policy to specify IT polices to limit access to databases that contained confidential data.

        Ind

  • by gcauthon (714964) * on Monday March 13, 2006 @05:50PM (#14911107)
    I like how they lump everyone into one big category. Unless you've been living in a cave for the past 5 years, it should be obvious who the biggest crooks are. Hint, they all have 3-letter acronyms for titles.
  • I'd fire myself but I heard that firing yourself can make you go blind.
  • by sizzzzlerz (714878) on Monday March 13, 2006 @05:52PM (#14911124)
    Stealing money from the till, stealing insider information, gaming the quarterly sales to boost the stock price, etc., have always been an issue. If you employee human beings, these things will happen whether or not computers are used. Their actions don't even need to be illegal, simple carelessness can harm a company as much, or even more, than outright theft.

    Careful screening during hiring, sufficient training and re-training during employment, as well as attentiveness are the keys to mitigating these problems. Restricting e-mail, firewalls, etc., are simply putting fingers in the dike.

  • by loony (37622) on Monday March 13, 2006 @05:53PM (#14911128)
    If you're in a situation where you really have to worry that much about your own people, doesn't that just show that management has failed to provide a good working environment and create loyalty?

    The only effect of security is going to be that the few loyal employees you have get pissed and turn against you too. And for anyone who has done only a little bit of hacking, we all know useful security is way too expensive... You'd need to audit virtually everything that's going on on a server and there are only a few government agencies that can efford that much money.

    So why not do something more useful with the money? Free coke for employees on tuesdays. Or fix that darn pothole at the entrance of the parking lot. Put a few plants up in the office... That is all money better spent than on some lack luster, process bound security measures...

    Peter.
    • by Tsugumi (553059) on Monday March 13, 2006 @06:07PM (#14911239)
      Free coke? Hell yeah, sign me up, my dealer is way too expensive! A hole full of pot sounds interesting too, but I reckon the plants in the office would probably yield a better crop. When can I start? I swear I'm gonna be way too high to be any kind of security threat...
    • by PCM2 (4486) on Monday March 13, 2006 @06:13PM (#14911290) Homepage
      If you're in a situation where you really have to worry that much about your own people, doesn't that just show that management has failed to provide a good working environment and create loyalty?
      It's a fair question, and yet loyalty is not always something that is so easy to just "create." Loyalty is not something that's handed down from management. It is a personal choice on behalf of each individual employee. Every employee has his or her own agenda and set of beliefs. Particularly among IT people, you may encounter a number of difficult types:

      • The smug techie who thinks he knows more than anybody and is therefore tempted by the idea that he can get away with whatever he wants because nobody knows what he does anyway.
      • The person with poor interpersonal skills which have held him back in terms of career advancement, and who thus feels he is undercompensated (and doesn't know how to ask for a raise).
      • The individual who styles himself as a "Bad Boy hacker," who isn't going to be loyal to any company no matter how you compensate him.
      • The individual who was hired right out of college and is simply too young and inexperienced to have a well-developed sense of personal ethics.

      There are all sorts of other examples that could apply to anyone; for example, an employee who feels bored or unchallenged at work, or is otherwise just lazy, might spend too much time engaging in compromising activities (whether they be playing games or using P2P networks). And some people just don't know any better than to disclose information they shouldn't -- I personally have worked for a company that hired a private detective to try and get a job at a rival company and pick up information from other employees while he was there.

      The point is that you can't entirely point the finger at management. Yes, it's in management's best interest to create an engaging and enjoyable work environment for everyone, but the most they can really do is try. Whether or not they succeed, that's still no reason to skimp on internal security measures.

  • Biotech (Score:4, Interesting)

    by Anonymous Coward on Monday March 13, 2006 @05:56PM (#14911158)

    I work in the biotech biz. We've been warned about Chinese "students" snafing our secrets. Thought it was a lot of tinfoil hat paranoia until we saw logs of HUGE attachments going to Asian hotmail addresses. Guess what some of those attachements were? Research data going straight back to China.

    Needless to say, his worker agreements were terminated and the person shipped back.
    • Re:Biotech (Score:3, Insightful)

      by woolio (927141)

      I work in the biotech biz. We've been warned about Chinese "students" snafing our secrets. Thought it was a lot of tinfoil hat paranoia until we saw logs of HUGE attachments going to Asian hotmail addresses. Guess what some of those attachements were? Research data going straight back to China.

      Needless to say, his worker agreements were terminated and the person shipped back.


      How convenient... Since you shipped him back, he can explain to his Chinese counterparts the details that were not covered in the atta
  • Movie connection? (Score:3, Interesting)

    by Jon Luckey (7563) on Monday March 13, 2006 @06:02PM (#14911206)
    Is this story just belated hype for the movie Firewall starring Harrison Ford?

    Sure its not well timed if that what it supposed to be. But it has the the same elements as the movie. Employee threatened to help criminals breach his companies security. The headline even contains the name of the movie. Maybe it was submitted weeks ago, but was kept in the slush pile until needed as filler now.

    At least if it was hype it would be better than if if a tech writer had to pull his story ideas from Hollywood. Or at least more understandable.
  • by Vapon (740778) on Monday March 13, 2006 @06:03PM (#14911214)
    If you can't trust employees, who is securing the network for you? As a network admin I have full access to a company's full network within a week of starting a new job, otherwise I am unable to do my job.

    There will always be a level of trust needed between employers and employees since even if the president of a company can set up the security for a company they would still have to trust someone to enforce it, and that person would have the ability to abuse.
  • I just wrote about this topic, and it's something that has been ignored for far too long. http://fak3r.com/articles/2006/02/06/rating-the-r i sks [fak3r.com] The idea that people can come and go with USB drives on their keychain, a 60GIG drive in their iPod and unfethered Internet access is just an unlocked door. I'm all for privacy and freedom of speech, but a company HAS to be able to control it's DATA. IMO this is not happening anywhere in corp America.
  • Key Fob Fear (Score:2, Insightful)

    by Short Circuit (52384) *
    And Floppy disks weren't a security threat?

    Seriously, except for images, it's not difficult to fit a *ton* of data on a floppy disk. Just export to an ASCII-based file format, then zip it up.

    Some other formats compress pretty well. Access databases, for example.
    • Yeah, because we all know how good ASCII-art CAD files are, much less ASCII Visio and ASCII Project.

      Those are the biggies because they are the manufacturing industry's crown jewels -- how to make it, what is the work flow, and what is our production schedule.

      There is a big difference between 1.44 Mb and 1 Gb.

        -Charles
  • You need to do a few things to handle employees and security: 1. Do a thorough background check. This includes employment and criminal. You don't want to hire someone who did time for stealing from an employer. 2. Only allow them access to information they need for their jobs. I've had jobs where I could have walked out with all the personal info on past and current employees, and I had no need to access that information. 3. Run a good hardware and software anti-virus and firewall system. This means not let
  • The goal is to always have more dirt on your employer than they have on you.

    Screw hacking the server. Spend a few months running the license paperwork through the shredder, and then call the BSA. If you do it right, you may even be in line for a reward.

    Seriously folks, if you want to treat your employees like criminals, hire people who are already institutionalized. At least you can find out what their predilection is.
  • Honestly, i've *seen* what's in a lot of corporate databases and it's not all that interesting or special. Sure there's some ssn's in there and maybe some spreadsheets that shouldn't get out but it's not like every single file on every single machine contains critical proprietary data.

    Obviously, managers should evaluate what the mission critical data is and take steps to keep it off of laptops and the corporate network but frankly I think they're too lazy--they'd rather blame rank and file employees and pl
  • Crime? (Score:3, Insightful)

    by Eric Damron (553630) on Monday March 13, 2006 @07:10PM (#14911740)
    "With email and instant messaging proving increasingly popular and devices such as laptop computers, mobile phones and USB storage devices more commonplace in the office, the opportunities for workplace crime are growing."

    Oh please. I suppose that's true but in my shop we are far more afraid of workplace stupidity than crime.

    Users will do things like copy files from a home computer onto their work computer never thinking about the possible implications. There are also more cases where a user will connect a wireless switch to their RJ45 jack so that they can move their laptop anywhere they want and still be on the network. Do they think about encrypting the connection? No. That's the kind of stuff we worry about more than crime.
  • IT 101 (Score:5, Funny)

    by zero1101 (444838) on Monday March 13, 2006 @07:23PM (#14911840) Homepage
    99% percent of the time, employees are not a threat because they're malicious...they're a threat because they're very, very stupid.
  • by pandrijeczko (588093) on Monday March 13, 2006 @07:35PM (#14911934)
    As far as I am concerned, anything I spend almost a third of my life doing has to pay me enough to live comfortably *and* has to stimulate me as a job. In other words, I don't care how much my employer pays me, if they treat me like dirt and/or give me a boring job to do, then it's up to me to withdraw my services & go find another employer that can give me an interesting jonb.

    Fortunately, my job does stimulate me (it's not perfect but it's more good than bad) & allows me to live comfortably within the law. I'm treated pretty well, fairly autonomous in what I do & I have no interest in screwing over my employer - I don't care what money I was offered for "trade secrets", I wouldn't do it; my integrity is far more important to me.

    The point I'm trying to make is that in my experience, most people are like me rather than potential criminals - it's just a shame that anyone who works for an American company at the moment (like me) constantly has Sarbanes Oxley rammed down their throats & endless training about "work ethics" purely because a few corrupt CEOs in other companies have decided not to work ethically.

    At the end of it all, it is *just* a job and most people are inventive enough to find other sources of legal income if they choose to resign and walk out the door. If I chose to walk out the door, my employer can take their laptop back & any backups of my data - I'm just not interested in keeping it/

    Sure, there are internal security threats in any organisation but mostly it's due to employee stupidity rather than criminal activities - and in my view, no company spends enough on training employees to be less stupid; it's far easier to close down a few more ports on the firewall and put a few more banned sites in the web proxies than educate people about the dangers of webmail.

    And I am *STILL TRULY AMAZED* at the number of Windows users around me who do NOT change that STUPID default setting of "Hide extensions of known file types" - the BIGGEST security threat of all... believe me, turn that setting off and tell people not to open .BAT, .EXE and Office documents from sources they do not 100% trust & your security problems will dramatically reduce overnight.

  • by Mutatis Mutandis (921530) on Monday March 13, 2006 @07:47PM (#14912013)

    One of the most fundamental contributory factors to internal security problems in companies is the attitude of many IT departments and IT managers, who would basically like to run their business as a police state. As in "real life", security is always the ideal excuse to give IT managers more power and to downgrade the rights of system users.

    Of course, draconic security policies are very rarely backed up by any commitment from IT staff to provide efficient services and smoothly functioning systems. I've seen long documents discussing IT policy that expounded at great length on IT security, but failed to make any mention at all of service quality or system performance.

    The natural, logical, entirely human result of this is that users will rebel and take revenge by cheating on security policy. And why not? It is not as if the IT department is of much use to them, anyway, so it doesn't get any sympathy. But when you get to this point, none of your security policies is worth the paper they are carefully filed on, in triplicate. Basically, when you have lost goodwill, you have lost everything. No overload of carefully crafted security polices and security systems is going to help. The IT people will be the first ones to ignore them; they know how to get around the barriers.

    Of course IT will react to this by declaring that the users are the problem. Not so. IT is a supporting department, not more. If the users are unhappy and unruly, then IT is the problem; it is a strong indication that the department is failing in its mission.

    Rule One of an efficient IT policy is to understand the business your are supporting and its requirements, and to finely tune your policy to achieve the best compromise between security and functionality. When IT is experienced as a burden to users, instead of a support, you've lost the game. It can, and will, only go downhill from there.

    Frankly, past a certain point IT policy itself becomes a serious threat to the competitiveness of a company. Most CEOs would balk at giving everyone a 10% raise, but inept IT policy can cost them considerably more than 10% of the time of their workforce. Few of them realize this, because they regard software as too technical to be understood.

  • by mrraven (129238) on Tuesday March 14, 2006 @01:38AM (#14913663)
    Fear of employees, fear of Arabs owning the ports, fear of non existent WMDs in Iraq, fear of porn, fear of violent video games, fear little Johnny will be kidnapped if he's out of eye sight for even a millisecond, fear, fear, fear, it's all the MSM and our "leaders" speak of these days. Ever since 911 the U.S. has become a nation ruled by fear and paranoia. Is anyone sick of it yet?

    Whatever happened to rugged individualism, proud freedom, and respect for individual dignity without need for spying on employees, and fretting about "intellectual property" and "national security." How diminished we have become, how pathetic, how cowering.

    Fight back damn it, join unions to protect your rights at work, protest, make yourself heard before the candle of freedom is extinquished entirely.

Logic is a systematic method of coming to the wrong conclusion with confidence.

Working...