Schneier on Security
A blog covering security and security technology.
« Security Cartoon |
| Cell Phone Companies and Security »
December 19, 2005
Insider Threat Statistics
From Europe, although I doubt it's any different in the U.S.:
- One in five workers (21%) let family and friends use company laptops and PCs to access the Internet.
- More than half (51%) connect their own devices or gadgets to their work PC.
- A quarter of these do so every day.
- Around 60% admit to storing personal content on their work PC.
- One in ten confessed to downloading content at work they shouldn't.
- Two thirds (62%) admitted they have a very limited knowledge of IT Security.
- More than half (51%) had no idea how to update the anti-virus protection on their company PC.
- Five percent say they have accessed areas of their IT system they shouldn't have.
One caveat: the study is from McAfee, and as the article rightly notes:
Naturally McAfee has a vested interest in talking up this kind of threat....
Based on its survey, McAfee has identified four types of employees who put their workplace at risk:
- The Security Softie – This group comprises the vast majority of employees. They have a very limited knowledge of security and put their business at risk through using their work computer at home or letting family members surf the Internet on their work PC.
- The Gadget Geek – Those that come to work armed with a variety of devices/gadgets, all of which get plugged into their PC.
- The Squatter – Those who use the company IT resources in ways they shouldn't (i.e. by storing content or playing games).
- The Saboteur – A very small minority of employees. This group will maliciously hack into areas of the IT system to which they shouldn't have access or infect the network purposely from within
I like the list.
Posted on December 19, 2005 at 7:13 AM
• 35 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
You know, if your users can "put their business at risk" through "letting family members surf the Internet on their work PC", you have a big problem with your basic computer infrastructure.
"More than half (51%) had no idea how to update the anti-virus protection on their company PC."
Nor should they have to. In a work environment, those should be auto pushed .
I have a copy of the McAfee report, but I don't know of a URL for an Internet version. If someone finds it on the Web, please post the URL. Thanks.
Being a Network Admin I only today had to send 3 emails to explain to someone that the computer she uses isn't "hers" and that she shouldn't store her own personal pictures and files on there, and yes if she does it breaches the acceptable use policy.
When giving a quick induction to a new starter he said our policy was "stupid" because it practically didn't allow him to do anything (other than work) and that his last company let them do what they wanted. Good for them.
They never seem to understand you're trying to protect them from themselves.
Dear God (or whomever):
Please save me from those who are trying to protect me from myself.
Couldn't a savy "Squatter" be a security resource if you established an open relationship with them?
They are going to know all the newest Kazzas, WoW's, etc well before you do.
I know how that goes. I work as a business analyst and have been put in charge of documenting and creating some of our security policies. I face some of the same kinds of feedback.
It comes down to establishing liability. If people realise that if they screw up the system, they will be held liable and/or criminally negligent, they start to change their tune rather quickly.
Now, if only I could get upper management to understand how ridiculous liable they are.
It's interesting what (according to McAfee) we do without thinking in the real world but ought not to do with computers.
Pictures of family/friends on your desk or wall: fine. Pictures of family/friends on your desktop: questionable.
Letting friends or family members who stop by your office use the water fountain, the toilet, the chairs, the locally conditioned air: fine. Letting them touch your computer: questionable.
Keeping the address and phone number of family members and their workplaces/schools/etc on your bulletin board or in your rolodex: fine. Keeping the same information in your computer's address book: questionable.
Keeping a couple of candy bars in your desk drawer: fine. Keeping a game on your PC: questionable.
And so forth. Of course there are some places where none of the real-world things are allowed either, but no one questions that they're not places anyone would want to work.
In the real world, the boundary between "work" and "personal" isn't as tidy as some of us might like.
Suppose one of your people goes on a two-week business trip. Do you expect him to carry a second laptop for personal uses, or to leave his personal life on hold for that time? Of course not. You wouldn't yourself, would you? So you have to accept that people need to do personal stuff on their work laptops. It's surely unreasonable to try to ban personal use altogether.
That last one, Saboteur, seems awfully loaded. We have a computer that everyone in the user group has been quietly given admin access to since our security people thoughtfully set it up so that meer users couldn't do things like map their own network drives or printers, or save their data.
I shook my head as I was changing the access levels, and I'm sure someone, somewhere would have kittens about it.
In the parlance of their system I'm now a Saboteur, when in fact, I'm just a guy trying to do his job in an environment where someone turned the knob to a really dumb setting.
Yes, but we are working a world, where even work information should not be on a work notebook!
From a security perspective, the employees who need access to business information on the road should VPN into the corporate network and access data from there.
Since we have this expectation for business use, I would say the reasonable expectation follows; if you can remote into your work network for business, why can't you remote into your home network for personal?
At that point the computer is a terminal, and on a standard windows xp pro system, very little additional software is needed!
SSH+remote desktop should be good for the average home network, and if they need video games so badly, they can shell out for a DS or a PSP so they can play on the road.
I think the "insider threat" in the above study (mostly by "non-malicious" actions) is a bit harsh compared with this:
The Association of Certified Fraud Examiners estimates that a typical U.S. organization loses about 6 percent of its annual revenue to fraud, according to Ernst &Young's global security survey published in September. When placed within the context of the U.S. gross domestic product for 2003, that amounts to roughly $660 billion.
effective security is initiated and managed by individuals only, not by governments or enterprises. the only thing a company can do is provide education and ground rules, and fire people who break the rules, that's all.
if you work for a big company, 100 people or more, stand up, stretch and take a look around your cube farm. somebody there is so stupid that right now they're looking at a porn site with associated malware compromising your system!
Moe-Moes and their effect on security:
6 of the top ten virues right now(Nov2005) are spread thru users opening attachments.
I called my Mom as a test. I asked her to goto her hotmail account, open one of the spam messages, and execute the attachment. She REFUSED!
If my Mom knows not to open attachments from an unknown sender it is now COMMON KNOWLEDGE.
Anyone opening invalid attachments from an unknown source should be fired.
So, am I a security threat, if I send an email to my wife using my work-laptop and the email gets stored in the sent-folder?
Or, if I write a shopping list and store it on my computer?
Or, if I pay my bills using my work-laptop and store the receipt on the laptop?
I was doing a research of the content monitoring market, and decided to combine it with some insider threat insights in a post I did earlier today :)
"Naturally McAfee has a vested interest in talking up this kind of threat...." they sure do, but correct me if I'm wrong, compared to various CERT and government bodies initiatives this is a bit biased one?
So, who do you propose should set up and maintain a VPN to someone's home network? Assuming they even have a network at home, which also was set up and maintained by??? 90% of the users at my workplace would not be able to do this. None of them could do this without some support from IT from time to time.
Also, what about the times when you don't have a network connection - then what? How do you access your files? For most of the common working world this level of security "trade-offs" just won't work as it is far too restricitive, IMHO.
I wonder if McAfee considered data-capable cell phones at all? You see, I use my work cellphone to call home (to let them know I'll be late) rather than emailing them (because that would be a security problem), but I'm not sure whether an SMS counts as data (bad) or voice (ok). Having read your report, I dare not use the work landline since they use VOIP and calling home would be a security problem.
Do you think it's OK to put my wife's picture in a frame on top of my work computer rather than as the desktop background?
cowering in fear
Yes it is a security threat, but to you and probably not to the company. If you store your personal information on a company PC you might as well burn it to CD and send it through internal mail to your IT department - the guys who manage your network, servers, soe, etc all (most likely) have unrestricted access to it unless you take 'precautions'; I know some people do, but most people don't. Same goes for your email and messenger conversations.
Frankly I think that the numbers on this study are low. From my experience I see that nearly 100% of people do some one the things defined here. It seems the me the take home of this should be that we need to build security systems that allow people to work and live in the ways that they want do without a loss of security. I would expect that 100% of the employees will have some materials on the computers that they use that is personal and not work related just as they would have personal pictures or decorations. Since this behavior is usually explicitly forbidden by company policy and still almost uniformly done the important security policies are often seen as unimportant. To get users to behave as we desire from a security perspective we need to make that security work for them. Draconian rules will always be worked around unless the user base understands the reasons for the rules. When that starts to happen we have lost touch with the largest group of eyes we have since the users will see the security personal and IT staff not as partners but as threats.
@Moz - "Do you think it's OK to put my wife's picture in a frame on top of my work computer rather than as the desktop background?"
If she's attractive then I'd definetly hide her on the background under all those spreadsheets and host sessions - otherwise you might discover a new security threat when your colleagues visit your place while you are at work ;-)
I have not worked at many companies and might be a bit naive when it comes to corporate security, but my experience is that the companies that had best working security were also the companies allowing most freedom for the users. When the users had no interest in trying to bypass the security they also acted responsibly.
At one company they had set up a separate area for “personal��? documents at the main server. This was, according to the description, a place to store personal documents that were not related to work. This way they avoided having a clutter of personal documents at the computers.
At another company the man responsible for IT support both bought and installed games on the machines at the request of the users, to avoid having people trying to install games on their own.
But, on the other hand, both these cases were small companies that practically only employed highly skilled engineers and a few support staff. So, they did not really have many issues with unskilled or malicious users.
"The Squatter – Those who use the company IT resources in ways they shouldn't (i.e. by storing content or playing games)."
I think whether "storing content" is using company iT resources in a way that you shouldn't really depends on the company in question, though, doesn't it? I used to bring music CDs and rip them to work in the past, with both the knowledge and the blessing of the company's managment. (Admittedly, that was a small, local company, but still...)
So because I have brought some personal, non-workrelated files on my desktop and I read this blog (and write to comment on it) while working, I'm a squatter?
"... my experience is that the companies that had best working security were also the companies allowing most freedom for the users."
In a smaller environment I suppose it's fine, they don't need to be too strict.
I work in a medium-sized construction company with 4 fixed sites and many remote temporary offices on building sites. Users ranging from the completely un-savvy builders (a rum bunch) who will browse porn and get kit riddled with viruses, to architects bringing in removable disks with viruses on, to programmers who's "hacking tools" get quarantined in the desktop AV.
We give people as much access to do what they need to do; they don’t get paid to run their personal lives. If people want freedom to do what they want they can buy their own computer and internet connection and mess it up in their own time.
I'm typing this on my girlfriend's work laptop, on which I've installed Linux (shuffling the Win2K partition up to make room). Neither of us actually use the Windows partition; she got the laptop in the first place because nobody could remember the password, and I've not bothered trying to reset it from Linux.
I agree with Student that if you allow reasonable freedom then users will be less inclined to circumvent your precautions; at my last job, I was working in a satellite office behind a corporate web filter which made it impossible for anybody to get any web-based research done. I ended up setting up an SSH tunnel to a web proxy on my home connection, and letting all the staff in my workplace use it, because upstream Computer Services were useless at whitelisting actually necessary sites.
I can't help but notice the similarities between some of these posts and the Facilities Managers who regularly gripe about how much easier it would be to run a building without any tenants. On any given day, every person in every profession needs to deal with situations made more difficult by the stupidity of those around them. Many of the "solutions" I have run across are basically driving a tack with a sledgehammer. Weigh the risks and implement appropriate solutions, instead of just outlawing everything.
The Security Softie - probably does a little better at securing their desktop than the programers who left it vulnerable in the first place. Has the advantage of knowing their limitations.
The Gadget Geek - also known as the average consumer, pays the meal tickets of much of the IT industry.
The Squatter - could be squeezed into a 1% smaller cubicle if they didn't have photo's of their family on their desk.
The Saboteur - show's initiative, and doesn't let the irrelavant corperate policies that failed to stop the last virus attack score yet another false positive.
The IT Guy - responsible for the whole mess in the first place, but attempts to direct attention to everyone else.
It seems that much of this is part of the general fear of computers felt by people who don't understand them and by people who have a vested interest in controlling information.
Most of the "vulnerabilities" cited are trivial, no different from the freedom that many workplaces grant to their employees under the Biblical injunction to not bind the mouths of the kine who tread the grain.
A few of them are serious issues, potentially, that can be better solved by education than by beating people up about the occasional personal email, websurfing session, or sudoku game on company time and (horrors!) using company resources.
IT is a curious business. Most people don't have other people trying to mess up what they have built. It takes a lot of effort both on the clock & off the clock to keep up with the complexities of the IT world. There is no way to make it secure. It is too complex and too dependent on previous work (libraries of code & design when security wasn't a consideration).
So the IT guys build up this very complex house of cards, get it to accomplish most of what needs to be done, often working many hours into the night and then some new virus comes along & he is rewarded by getting to spend several nights at work cleaning up the network.
There are multiple players at work here: (1) some miscreant that built that particular vermin (2) another clueless user who opens up every attachment sent to them and went home a few minutes early complaining about how slow the network was (3) Enterprise software costing bucketfulls of money with another systemic hole in it, which allowed the bug inside.
I don't like the IT guys telling me I can't use the machine for "reasonable" personal things, but I do understand where it comes from. Imagine how you would feel, if you spent a few months working on a project & I came along & destroyed your work on purpose or because I just didn't get it. I'll bet you wouldn't be happy about having to redo the work.......& I suspect you might take some action to prevent it from happening again in the future.
If the IT dudes could get their act together, there wouldn't need to be quite so many rules.
Can I bring my company to a standstill by reading a sales flyer? Of course not.
But open a malicious email attachment and I could. so who's the monkey here?
If the IT dudes could get their act together, there wouldn't need to be quite so many rules.
Can I bring my company to a standstill by reading a sales flyer? Of course not.
But open a malicious email attachment and I could. So who's the monkey here?
A lot of responses are making me ask myself.
If they were signing the pay check how much time would they want their employees to devote to playing games or burning personal files or paying bills and how secure would they want their company data?
Ah! The sad part is that some the people who carry on e-commerce business online in a small scale or a medium scale are unaware of the internet security threats. Though they know a few threats, they are least bothered to have a proper internet security system, except a few who wanted to make their business a really big one and to secure their customers.
"Two thirds (62%) admitted they have a very limited knowledge of IT Security" this applies well here. Who is that 62% - the customers(major internet users), vendors, resellers and the ecommerce people.
Hackers are always ready to target these 62% unless an internet security systems is installed by the internet users.
I've read the entires and some are interesting some seem plain stupid.
It isn't rocket science.
You do not use your company laptop to do ANYTHING non-work related full stop.
As a company boss, I don't pay my staff (as many people have pointed out) to spend even 1 minute paying bills online or doing anything not work related.
Why is it so hard to understand, unless you were the one paying the salaries!
The "laptop on a business trip" scenerio, you either take two laptops or use an internet cafe abroad, you still should not use the company laptop.
I used to carry a wallet with everything in, I Lost it. Have a laptop with your work stuff on only what have you lost?
With your personnal files and pictures on , You've lost alot more!
Simple - really simple.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.