Security procedures are good – follow them and you get to keep your job

Motorists tend to believe speed limits are a good idea and that everyone should stick to them. They know that when they break the limit the risk of an accident rises. But they also "know" that it is everyone else breaking the speed limit that poses the real danger. When it comes to cybersecurity insider threats, it appears that …

  1. Pete 2 Silver badge

    Do as I do

    uTorrent, WireShark, Powershell, Ccleaner, SnippingTool, FreeWatch, DontSleep, PDF converters and Caffeine were among the more common risky apps.

    The report said: "Like security bypass, the use of high risk applications is often a warning sign of something worse. A user will typically install such applications so that they can get around security measures, download pirated media, or engage in more sinister activity."

    The real-life reason that people will use these and other freeware off the internet is that their organisation does not provide (i.e. spend money on) suitable secure tools that do what these do. If you need to read PDFs now, would you wait 2 - 3 months for your purchase order to be approved? Which manager would accept that amount of delay? IT staff always get stuck on the sharp end of project delays, with little support from above. If they are pressured to deliver but receive no help in getting the tools they need, is it really their fault if they "improvise"?

    1. Dimmer Bronze badge

      Re: Do as I do - as long as I don’t have to fix it

      Users will wait till work to do things they will never do on their home kit. They think the PFY will fix it and the BOFH take the fall.

    2. JohnFen

      Re: Do as I do

      I disagree that Wireshark should be on the "automatically suspicious" list, at least for certain shops. For most of my career, Wireshark (and similar tools) counts as a critical tool needed to do my job.

      Torrent clients fall into a similar category, as torrents are a common method of distributing very large files.

      1. Anonymous Coward

        Re: Do as I do

        "I disagree that Wireshark should be on the "automatically suspicious" list, at least for certain shops. For most of my career, Wireshark (and similar tools) counts as a critical tool needed to do my job."

        You just made the argument for an exception process, not for abandoning the idea of a sanctioned list - also because companies like to occasionally add things to updates that then sit polling the base with information you have no control over (I'm looking at you, Microsoft).

        If you have a defensible need for a tool that allows you to do your job there should be no problem in having the risk analysed and then either accepted and managed or denied.

        "Torrent clients fall into a similar category, as torrents are a common method of distributing very large files."

        To be honest, you would get a "no" from me on that front. They are too easily used in court as evidence that you're doing something dodgy (not your fault, blame the RIAA and MPAA for that) which does not combine well with ignorance of the average legal individual which has allowed this precedent to build.

        That said, even there it depends on circumstances. If you need this frequently there and there is a valid business need that cannot be addressed by the usual single point download, maybe we could come up with a process to establish an independent log of its use that would stand up in court.
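The "sanctioned list plus exception process" the comment above argues for is easy to describe and easy to let rot: an approval granted once tends to outlive the need for it. The following is an added example, not code from the original thread or from any of the commenters, showing how a software inventory can be checked against an allowlist and an exception register that records who approved each exception and when it lapses. All hosts, users, apps and dates are constructed sample data; the functions `classify` and `needs_action` are hypothetical names.

```python
"""Allowlist check with an exception register.

Added example for the thread above; not code from the original page. All
names, hosts and dates are constructed sample data.
"""
from datetime import date

# Constructed: software reviewed and approved for any user.
SANCTIONED = {"microsoft office", "7-zip", "firefox", "snipping tool"}

# Constructed exception register: the outcome of "analyse the risk, then
# accept and manage or deny". Each entry names who approved it and when it
# lapses, so a stale approval is as visible as a missing one.
EXCEPTIONS = [
    {"user": "netops01", "app": "wireshark", "approver": "ciso",
     "reason": "packet analysis for network operations", "expires": "2019-12-31"},
    {"user": "dev07", "app": "utorrent", "approver": "ciso",
     "reason": "bulk download of vendor ISO images", "expires": "2018-01-31"},
]

# Constructed software inventory: (host, user, app) as a deployment tool
# might report it. Case differs from the register on purpose.
INVENTORY = [
    ("ws-101", "netops01", "Wireshark"),
    ("ws-102", "dev07", "uTorrent"),
    ("ws-103", "sales03", "Wireshark"),
    ("ws-104", "sales03", "7-Zip"),
]


def find_exception(user, app):
    """Return the exception record for (user, app), or None."""
    for entry in EXCEPTIONS:
        if entry["user"] == user and entry["app"] == app:
            return entry
    return None


def classify(inventory, today):
    """Label every installed app as sanctioned, exception-active,
    exception-expired or unapproved. `today` is an ISO date string."""
    now = date.fromisoformat(today)
    findings = []
    for host, user, app in inventory:
        key = app.lower()  # normalise so "Wireshark" matches "wireshark"
        if key in SANCTIONED:
            status = "sanctioned"
        else:
            exc = find_exception(user, key)
            if exc is None:
                status = "unapproved"
            elif date.fromisoformat(exc["expires"]) < now:
                status = "exception-expired"
            else:
                status = "exception-active"
        findings.append({"host": host, "user": user, "app": app, "status": status})
    return findings


def needs_action(findings):
    """Only the installs someone has to deal with: no approval at all, or a
    lapsed approval that must be renewed or the software removed."""
    return [f for f in findings if f["status"] in ("unapproved", "exception-expired")]


if __name__ == "__main__":
    for f in classify(INVENTORY, "2019-06-01"):
        print(f"{f['host']:7} {f['user']:9} {f['app']:16} {f['status']}")
```

Run against the constructed data on 2019-06-01, the network operator's Wireshark install is covered by a live exception, the developer's torrent client shows up as an expired exception rather than silently passing, and the sales workstation running Wireshark is flagged as unapproved. Keeping the expiry date in the register is what turns a one-off approval into something that is re-examined.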

        1. Alan Brown Silver badge

          Re: Do as I do

          "They are too easily used in court as evidence that you're doing something dodgy"

          Has anyone actually made that stick? Recall what's happened to Prenda Law and the other copyright trolls, along with rulings that an IP is not personal identification.

            1. Anonymous Coward

            Re: Do as I do

            "Has anyone actually made that stick? Recall what's happened to Prenda Law and the other copyright trolls, along with rulings that an IP is not personal identification."

            I think this falls more in the category of choosing the battles you're willing to fight. You may very well win that one eventually, but at what cost? Most businesses do not willingly engage in crusades unless there is a clear upside to it. Part of risk management is not to amplify the risks you know you may be exposed to.

    3. Flexdream

      Re: Do as I do

      What do people use for packet analysis if not WireShark?

  2. Isn't it obvious?

    Wireshark is a risky app?

    Unlike the others on that list, it's open source, and you can download the source and build it yourself. Or use a distro that does that for you, so you're still not relying on some random company's binaries.

    For me the biggest problem with Wireshark is that it needs gtk, and I've otherwise almost managed to get a completely gnome-free workstation.

    1. JohnFen

      Re: Wireshark is a risky app?

      I suspect it's on the list because so many people (particularly the sort who wears suits) consider its primary use to be a surveillance aid to help hack into systems.

    2. onefang

      Re: Wireshark is a risky app?

      "Unlike the others on that list, it's open source"

      "PDF converters" can also be open source, unless that's the name of a specific closed source package. Open Office works OK for that task.

    3. Mystery Machine

      Re: Wireshark is a risky app?

      Of course it's a risky app as the vast majority of employees aren't doing network diagnostics or security analysis (nor can review code and build applications from source), and therefore it becomes a good tool for undertaking malicious activity. Some applications (like powerline-based network adaptor setup tools) require it and therefore it can be present for a variety of reasons not limited to debugging jumbo frames.

      Ultimately the issue here is allowing users to install their own shit in the first place, as that is invariably associated with local admin rights and a whole world of additional pain. Why, for articles about general end-user security, are there always loads of smart-arse comments from people who clearly are infosec/IT one-percenters? This article isn't about you - it's for you, to inform you what the other 99% are up to.

  3. JohnFen

    Almost...

    "Motorists tend to believe speed limits are a good idea and that everyone should stick to them."

    This is almost correct. A better version is "Motorists tend to believe speed limits are a good idea and that everyone except for themselves should stick to them."

    This is exactly the same effect as with security measures.

    1. Anonymous Coward

      Re: Almost...

      The InfoSec team I work in are the worst for that.

      I tried polite feedback, reporting through channels and just ignoring anything that wasn't my problem. Until one day I got dragged in to fix someone else's fuckup, and made the comment in a reply-all email "Some of my colleagues seem to think rules don't apply to them".

      That got a reaction. I was pulled into a meeting with several Directors and senior managers. I naively thought they were going to address the issue. But of course, they were only concerned that I'd exposed their fuckup in front of others.

      I have to be more discreet now. So I just say "I'm not allowed to say 'Some of my colleagues seem to think rules don't apply to them'".

      1. JohnFen

        Re: Almost...

        "I have to be more discreet now"

        I firmly believe that failing to speak up about issues at the place you work is a kind of dereliction of duty, and responding to the situation you encountered by being more discreet is the wrong response. Worst case, the correct response is to find another job.

        But there's a middle ground. It's entirely possible to be vocal about these sorts of issues without overtly pointing fingers. Saying "this is an ongoing problem that needs to be addressed" rather than "you jokers think the rules don't apply to you" is likely to be much more effective.

    2. BrownishMonstr

      Re: Almost...

      I prefer "motorists tend to believe speed limits are good but some aren't very sensible and most certainly are not equally effective throughout the day"

      1. Alan Brown Silver badge

        Re: Almost...

        "some aren't very sensible"

        The motorists or the speed limits?

        The twats doing 60-90mph past my house at any time of day or night (30mph zone) are a good advertisement for automated and immediate enforcement systems (occasionally there's a messy crash, or pedestrian death but that doesn't discourage the speeders)

        1. Anonymous Coward

          Re: Almost...

          I live near to the North Circular Rd. (London). I watch idiots speed along in the 50MPH* average speed check zone, approaching some complex junctions and bends. The cameras don't deter them. Probably because no one believes these are working. Neither do I. I once did a back of the envelope calculation of how much TfL would make in fines if they were.

          Since it's a constant stream of vehicles over at least two lanes the sums were incredible. As in being able to provide free bus travel for all. Just from that one section.

          *Some must be doing almost 100. Most are well over 50mph and when I drive along there in the left lane at 50** sometimes they zoom past me and vanish off into the distance.

          **I got caught once doing just below 45 in a 40 zone coming into Borehamwood. At night, in a relatively deserted stretch. It still annoys me that they can get away with insane speeding where I live, in a known accident zone when it's busy. But I had to pay all that money and go on a course for being a tad over the speed limit on a deserted road late at night!!!

  4. Terry 6 Silver badge

    There are some problems with this article

    First, the fact that it's people who are the risk is nothing new.

    However,

    1.) If these people can install random bits of software on a company system then the system can't have been tied down properly.

    2.) If they want to install this software they must have a reason. If they have a reason (other than personal, possibly entertainment, software) then they are being asked to perform tasks that the company hasn't given them the tools for. So the company would deserve all it gets.

    3.) Where staff circumvent the actual security procedures of the company for reasons of productivity - which was the implication of this article before it got tied up in dodgy software installs - the question is then posed: what are they being asked to do that can't be managed within the procedures? And if this, why is management not factoring in its own procedures when setting tasks?

    This makes the image of a speeding driver totally inadequate.

    1. Giovani Tapini

      Re: There are some problems with this article

      This risk is not limited to the installation of software.

      The pressure to deliver in many shops comes with an almost "at any cost" or "the business depends on hitting date x" type strapline.

      This leads to poor code, ineffectively configured cloud instances, people working on home kit (because it works) leading then to confidential data stored and transmitted over the internet.

      The pressure to deliver creates risks that senior managers seem to even sign off and tolerate in their desperate drive for change delivery (for the few that are admitted to anyway)

      This is a problem for individuals, particularly those not experienced enough to read El Reg regularly. It's for managers, and even senior managers and ultimately the corporate culture where security is important, but must not get in the way.

      The risk is not new, the consequences of it manifesting get increasingly complex, widespread and more difficult to mitigate is however likely to stay true... As are the consequences for the associated brand...

  5. Anonymous Coward

    My fave is 'make your password complicated, don't reuse it on different systems, and change it often' combined with 'no you can't use a password manager'.. WTF behaviour do you expect that to drive?

  6. Anonymous Coward

    Insider Threat Trifecta

    #1 bring unauthorized sensitive/classified work home from the office

    #2 upload unauthorized sensitive/classified work data to an internet connected home computer running third party AV

    #3 Download trojanized keygen from torrent site for pirated MS program

    1. Anonymous Coward

      Re: Insider Threat Trifecta

      I allegedly might of heard a rumour about a story that implied, if you were of a gullivan persuadathon that the cat was dispossessed from its bag and begat more ballmer monkey business because the bag is now home to allegedly hooky or unhooky K to the M of the S serfs freely posixessable on the intertubes that fender bendered the sanctity of the volume license banditorros ivory tower with the're own silk petard!

      And yea though I crawl through the wadi of discontent the kms of your dreams doth need not activatorz nor the mal that wears it. For verily asketh of the gurgle godz and ye shall find the alphabet spaghetti fiends are your chuddy buddies in adword and the nexte for the truth is out there and he rides upon a Zweirad Union of holes tied together with cheese stringz and memories

      maybe

  7. Doctor Syntax Silver badge

    Meaningless numbers.

    "Incidents are increasing too: the average number involving employee of contractor negligence has risen from 10.5 to 13.4."

    What are the numbers here? Are they percentages? If so, are they part of or in addition to the 64% mentioned in the previous sentence?

    "75 per cent of respondents to a Dtex Systems YouGov poll identified using an encrypted file system to share confidential documents as important, but only 16 per cent had done so in the previous 60 days."

    Yes, but how many of the remaining 84% had transferred confidential files in that time?

    BTW, that speed limit analogy: show me a driver who's concentrating on their speedo so as to guarantee sticking within the arbitrary speed limit and I'll show you a driver who isn't paying enough attention to the road. Read right, it's a good analogy; you need to keep the whole picture in view and not just concentrate on a single detail.

  8. John Smith 19 Gold badge
    Unhappy

    "How the security department manages the human factor "

    What security department?

    NHS hospitals seem to barely manage a general IT department.

    1. Nick Ryan Silver badge

      Re: "How the security department manages the human factor "

      In the hospital's IT department's defence, it's because it's seen as easier (and safer!) to slash IT budget compared to reducing layers of management, particularly as trusts can't do anything about having been screwed over by the entire PFI business nor the hugely reduced amount of central government funding they get.

  9. jMcPhee

    Think of it as...

    ... evolution in action, cleaning the digital gene pool.

    Like the old meme says, just because you can doesn't mean you should.

  10. FlamingDeath Silver badge
    IT Angle

    Too much HUBRIS in IT by people who think they know everything

    Too many companies rely heavily on their single antivirus offering and they think that just because it's reported a binary as clean, it is actually clean of malicious code. The number of times I have uploaded binaries that have been downloaded from an official website to VirusTotal and found them to be compromised is rising.

    I only have to give the example of Shellter to prove my point, I've used this and tested it against Security Essentials and others, they do not fare well in detections

    When you think you know everything, you're never going to improve your learning

    I know I am smart, because I know I know nothing

  11. Anonymous Coward

    Powershell & Snippingtool?

    Not sure how I would be able to do my job as an admin without PowerShell. Plus, it is now the default shell in Windows 10.

    Snipping tool is a built in Windows accessory. Very useful for capturing error messages.

    When did these become "risky"?

    1. Terry 6 Silver badge

      Re: Powershell & Snippingtool?

      In this rather muddled article there is no differentiation between named software/officially sanctioned software/IT staff using own unauthorised software/ general staff using their own.... software

  12. Anonymous Coward

    Try working for an org where the rules are strictly enforced

    And where admin rights have been removed from all developer PCs, replaced with a special admin user. We have a pretty effective Preventor of IT.

  13. Anonymous Coward
    Linux

    The real threat to your business

    “uTorrent, WireShark, Powershell, Ccleaner, SnippingTool, FreeWatch, DontSleep, PDF converters and Caffeine were among the more common risky apps.”

    Risky apps, you have got to be kidding. This report is just an excuse to trash open source. It's also an insult to IT techies everywhere who do a thankless task. The real threat to your business is the accounts department, oh, and a certain software company that mustn't ever be mentioned in relation to security violations.
