The Register® — Biting the hand that feeds IT

Feeds

Incompetence a bigger IT security threat than malign insiders

Accidental security incidents involving workers happen more frequently and have the greater potential for negative impact than malicious insider attacks, according to new research from RSA. The poll of 400 top level execs in the UK, France, Germany and the US casts doubt on the conventional wisdom that malicious insiders are the …

This topic is closed for new posts.
Anonymous Coward
Headmaster

My Experience

Anti-Malicious security measures are almost always cumbersome, prompting people to work around them in order to get their jobs done.

I have found that it is much better to make security usable and transparent (like not being able to even see directories for which you aren't authorized, as opposed to directories with big padlock icons on them).

That seems to be emerging as SOP these days.

Make security transparent, unobtrusive and usable. Make it easier to follow security protocol than to go around it.

That will go a long ways towards reducing accidental breaches.

Gannon (J.) Dick
Joke

Correct me if I'm wrong, but

100 % of the employees are idiots or thieves.

I know Boolean Algebra buddy, this means 200%!

Pete 2

and the most significant cock-ups are ...

... from management. Who don't understand the effects their decisions will have, fail to communicate all the relevant information to the design teams, put pressure on meeting delivery targets rather than quality targets and only have an attention-span long enough for sound-bite conclusions.

Of course, since they're not the people pressing the buttons, none of their mistakes ever make it to the light of day. All that happens with poorly managed companies is that their security gets worse and worse. They implement less and less efficient policies in a series of ill-thought out panic measures, becoming more and more restrictive and slower to innovate: given all the layers of approvals, decision making, buy-ins, CYA-ing and shared responsibility until they are totally unable to compete.

ooooorange
FAIL

it doesn't take a genius to figure it out....

In most companies, 50% of IT staff are total ignorant spackers who think they're IT gods.

Peter2

uh...

Presumably this survey was done by someone that's never worked in IT.

I'm not disagreeing with it, it's just that its so blindingly obvious that I wouldn't have thought anybody in the industry* would have had any other opinion of the users.

* Excluding incompetent management that have never done anything other than "management" and so don't know the stark realities of life on the ground.

Nathan Meyer

Permeable By Design

Service Oriented Architectures (mash-ups by any other name) often leave huge holes that are exploited unintentionally by users. Because the services and orchestrators are written to be as context-free and reuseable as possible; they can often be called by naive client programs that don't realize the exposure that results. For example, in a hospital system a client that calls an Admission Discharge and Transfer module to tell Housekeeping and Maintenance which rooms to clean may give unintentional access to Admission Reason, preliminary diagnosis, AIDS. Which maybe you didn't want the janitor knowing?

Anonymous Coward
WTF?

Hero of the People, First Class

...awarded for the Statement of the Bleedin' Obvious of the year so far.

Of course, "incompetence" can also be read as "under-resourced, over-worked staff, pushed into building / maintaining stuff they've no experience with (and training? Yeah, we've heard of that) make the entirely predictable errors that are the hallmarks of all humans, everywhere, throughout time", and IMNSHO, should be.

Anonymous Coward
Unhappy

Adver-fucking-torial

> "IDC concludes that organisations ought to apply a comprehensive risk management-based approach to information security, rather than firefighting security problems. "

Oh, wow, now I'm so worried, I obviously need to be worried about this threat.

> "Free whitepaper – Seven essential steps to achieve, measure and prove optimal security risk reduction"

Oh, what a lucky coincidence! Your advertisers just happen to have a solution to just this problem! I feel so privileged!

Not.

jake

@Peter2

What you said. Thanks for typing it for me.

Nick 6
Coffee/keyboard

What are you asking them for?

Why do these surveys ask the "top executives"? Even if they are CIOs who actually have any kind of clue about IT, rather than being trough feeding pigs at the executive bonus party, then they'll rarely see the reality.

Rather when they get told about some incident, after many meetings amongst the lower orders, the story will be one of inadequate procedures and accidental finger trouble by a slightly incompetent peon. This is much better than a sub-department team leader having to fess up that they were responsible for actually delivering a piece of swiss-cheese rather than fort knox.

Mark Aggleton

@Gannon (J) Dick

What about those who are both idiots and thieves - so somewhere between 100% and 200%.

As it happens I'm in the POC stage of a DJP project at the moment so it isn't exactly news.

Anonymous Coward
Anonymous Coward

largely money, and management incompetence

in the company i work for, whose applications I develop and support, user access rights are managed by a series of flags on people's user profile. It's pretty accurate and secure, and lets access be pretty well changed and defined by the business areas without IT intervention.

However, if you want to add a new flag to a profile, several different areas of the company have to coordinate and create it for us to check against. As this costs money, the managment who have sponsored the change usually rights it off as a bad idea and refuses to get the new flags added, leaving us to find some other way to restrict access. Usually only location is even vaguely suitable, as job roles aren't defined well enough to map onto functionality, which opens up features to many more people than should have access to them. Not in the least of which, we recently found out some idiot gave a load of people access to update their location details.

Massive security lapses, almost as a matter of course, purely so a manager can save a few thousand pounds on their project budget and cut their development/testing period down by a few weeks.

Anonymous Coward
Anonymous Coward

I've got a free solution too.

Brief your staff on security procedures and get them to understand the risks and penalties.

You can't expect individuals to find out for themselves, have you ever tried reading the DPA, RIPA, FOIA, and OSA, or the GPG's.

qwertyuiop
Unhappy

@Pete2, 20:28

You forgot to include the fact that senior management think that simply because they are in such lofty positions then security incidents can't happen to them or involve them. They therefore exploit their authority to insist on being exempt from the precautions they insist on for the plebs.

Anonymous Coward
Anonymous Coward

Re: uh...

>> Presumably this survey was done by someone that's never worked in IT.

>>

>> I'm not disagreeing with it, it's just that its so blindingly obvious that I wouldn't have thought

>> anybody in the industry* would have had any other opinion of the users.

It isn't about what you know it is about what you can prove. At least now when you come across an idiot manager who can't see the blindingly obvious, at least you can beat them over the head with the survey.

Peter2

@ AC, 09;15

>"It isn't about what you know it is about what you can prove. At least now when you come across an idiot manager who can't see the blindingly obvious, at least you can beat them over the head with the survey."

If your dealing with an incompetent manager who can't see the blindly obvious from evidence and experience from within their own department why do you think they will accept the results of a survey from outside the department?

Anonymous Coward
FAIL

what incompetence?

So the article states that:

***Accidental security incidents involving workers happen more frequently and have the greater potential for negative impact than malicious insider attacks, according to new research from RSA.***

In what way does this translate to incompetence? Who is supposedly incompetent and why? The discussion makes a lot of sense but the "conclusion" as presented in the title of the article does not. Yes I can understand perfectly that accidental security incidents may be the most common issue. However while some are the result of "incompetence" of users others are in my experience the results of the "security measures" being badly designed into the workprocess. Basically a lot of "accidental incidents" are only described as "accidental" because they were not intended as "incidents". However the issue is then that the incidents were designed into the system but not intended to be security incidents. What I mean is that for many people to be able to do their job COMPETENTLY they must bypass and ignore badly designed security (sic) procedures! Otherwise many professional users could not do their jobs competently! This ofcourse leads to the question stated earlier - what kind of competence and incompetence is the article author referring to? As I see it many incidents are due to the difference between what managers think that their professional and often competent employees are doing (formal description) and what those professional employees actually have to do to make things work appropriately! Old wisdom suggest that the best way to draw any organisation to a halt blindingly quickly is to ultimately enforce the prescribed formal procedures! There is a reason for why people need to be competent in the first place - e.g. real world problems are not solved by blindly following recipes without adapting them to situation and context. So the situation many professionals find themselves in is wether or not to strive to do a good job as a competent professional or wether to follow prescribed routines which sabotages any competent application of personal knowledge of the task at hand!

Tom Welsh

Hanlon's Razor again

For those who have forgotten the exact text of this puissant rule, which explains so much about human history and affairs:

"Never attribute to malice that which can be adequately explained by stupidity".

As stupidity is far and away the commonest element in the universe (leaving hydrogen in a brave but totally outclassed second place), it is even more frequently encountered than malice.

RainForestGuppy

What happens is...

When IT people who think they know what security is spend time firefighting security problems

Properly experienced Information security professionals take a "comprehensive risk management-based approach to information security" .

When IT management try to make security decisions that's when things really screw-up.

Anonymous Coward
FAIL

@it doesn't take a genius to figure it out....

Yep, have to agree. I work for a HUGE company with many, many disparate systems so I have many passwords to remember so I use KeePass, that way I can use strong, randomly generated passwords for the systems I need to access.

For my main domain log-on I use a real life word (7 letters long), spelled backwards with a "special" character followed by a number (OK so I'm lazy, change the password once a month, just increment the number!)

Main Domain logon is now enforced by our security group, the policy seems sensible at first view - Your new password must be 8 letters long and contain 3 of the folowing 4 items

1 Upper case letter

1 Lower case letter

1 "special" character

1 Number

So, my "old" insecure password - stceffa_1041 (not my real password obviously) is NOT allowed

But I can put in Pa$$word1, it really will accept that

Fucking Genius

David David David David (formerly David 22)

@Peter 2 12:22 GMT

Unfortunately, yes.

Most (if not all) managers like fancy external reports so that they can have something shiny to show their own bosses. (Internal reports are also much detailed and show up too much dirt to be shown to higher-ups.) A fancy *IDC* report will persuade the stupid fuckers even though it doesn't actually say anything at all.

David

ElReg!comments!Pierre

"conventional wisdom"?

"conventional wisdom that malicious insiders are the greatest single threat to an organisation."

That would be the "conventional wisdom" of anti-intrusion vendors then. And maybe this of the clueless managers dumb enough to listen to them. Everyone else knows very well that the only significant threat comes from legit users making a small mistake, then breaking their whole system trying to fix it "headless duck" style*, and then get the self-dubbed "wizz" in the next cubicle to bring half the department down trying to fix their computer.

The first step is usually some utterly minor change in some unimportant display setting, but the subsequent "headless duck" syndrome can break things pretty deep in the system, and the last "self-dubbed wizz" step usually spread the FUD. that's you end up with half a department whinning at your door for what was initially a change in Word's display of non-printable characters...

No-one needs an intruder when they have users.

Of course in some high-profile targets the intrusion risk is real, but that would be what, one millionth of the cases?

* hit every single button and change every option in a frantic manner

This topic is closed for new posts.