How do you protect your online systems? Cultivate an insider threat

People are the biggest problem in corporate infosec. Make them the biggest asset.  The numbers are so bad because we're doing people wrong.  Here's news you can use. If you're trying to secure a corporate network, you almost certainly can't. When you can't, that network can be cracked open and hoovered clean of good stuff in …

  1. ThatOne Silver badge

    Employee IT skills?

    I admit I'm not IT, but it seems to me that the biggest danger here is that any real intrusion is lost in the deafening noise of random employees clumsily banging at the doors. Also, I don't think those employees will be able to find anything remotely useful, given their total lack of IT skills. Don't forget that if it's easy to hand somebody clueless a bomb and tell him to go somewhere, it doesn't necessarily mean you can easily train him to detect bombs.

    I can't really imagine an HR, accounts or marketing person searching and finding ways to bypass corporate security (beyond the usual "click on something you shouldn't have clicked on"). It will just raise the noise/signal ratio for IT.

    1. Dave White

      Re: Employee IT skills?

      I would think that one needs a good IDS system before putting this in place. The idea would be that you have enough reporting to know that while Fred in HR can't type his password, Dave shouldn't be trying to log into these particular systems.

      There's more to it than that, of course. But having the lowest hanging fruit tested by everyone is a great way to keep the security / IT teams under enough pressure that the lowest hanging fruit soon becomes unreachable to the average user.

      1. Anonymous Coward

        Re: Employee IT skills?

        There's also something to be said for having users and user reps on your project groups to get their perspective. That's how we do it; we even pay them more for being there.

        It helps us avoid shadow IT, or minimise it, by looking at what the pressing need is that would drive it and seeing if we can incorporate that - or ensure it's not possible to do. However, 9 times out of 10 there's a way of facilitating the need so staff can do what they want to in a sensible, managed way.

    2. TeeCee Gold badge

      Re: Employee IT skills?

      In my experience, it's the idiots who are most likely to break something. They're the ones who'll do stupid stuff that nobody who knows anything about IT will even consider doing.

  2. VoiceOfTruth

    I would want to see it 100% in writing

    Dear Bob,

    Please try to break into our systems. We are authorising you to do this. If you are unsuccessful that is OK. If you are successful or unsuccessful we will not seek to prosecute you. If somebody else wants to prosecute you, please consider this letter as an agreement prior to the act, that we are therefore to be considered co-conspirators to the alleged offence.

    Signed by every director on the board, and not just one who we want to throw under the bus when the crap hits the fan.

    The idea sounds good in principle, but in practice I am not so sure. On the inside we are party to knowledge which attackers may not have. We may know the design limits of systems and know how to overload them. That is the privilege of being on the inside. Every system has limits and flaws somewhere. It may not be possible to eliminate them all.

    1. MiguelC Silver badge

      Re: I would want to see it 100% in writing

      And when management begins to see how much they'll have to spend to correct all those flaws, they'll do a speedy u-turn on the policy. Because, ultimately, bean-counters are the real bosses.

      1. Anonymous Coward

        Re: I would want to see it 100% in writing

        The places this would be most useful are also the places you would want it done the least due to impacts e.g. MOD, NHS etc.

    2. aregross
      Thumb Up

      Re: I would want to see it 100% in writing

      Oh it's much more than that... When I was the 'One Man Army' of IT at a past position, it was interesting to hear other employees say things like 'Why are they (Admin) doing this? It would be much better to...' and rattle off their concerns and reasonings about how decisions were made at the Top and why they were wrong. This is an excellent article pointing out that the 'Little People' usually know much more about how a company is run, or run into the ground, than those at the top who are mainly results oriented.

      Big Plus One to the author!

  3. amanfromMars 1 Silver badge

    'Tis the Crack Hacker Victims' Dilemma when a Successful Hack Problem ?

    Now that was a truly instructive read, Rupert Goodwins. Erudite and clear and bereft of any of those annoying and misleading ambiguities which infect and infest so much of the fledgling cyber security warescape. Bravo, and thanks for the service.

    And yes, people are the problem. However, that problem is firmly centred around and securely confined exercising desperate measures in the top level circles of crack hacked executive mismanagement which never ever before believed that they could be so easily compromised with their secrets laid bare for all to see and be enraged and energised by, and thus didn't realise just who they should be paying and for what to ensure universal catastrophic secret securities remain generally unknown and privy only to a very select sympathetic few, in order that a remote stealthy virtualised reality order continues to function in order for them to longer survive and prosper rather than perish unpleasantly and SWIFTly.

    Once that stable door is unbolted and flung wide ajar, steer well clear of the stampeding horses if you don't want to be severely trampled upon and pulverised into the dust, for there is nothing creative then to be done to rescue the old situation for all will be rendered far too little, much too late. You had your chances earlier and you blew it all on the crazy bet that future ignorance would sustain and maintain the present as well as it has done in the past with hubris rampant and arrogance leading.

  4. Mike 137 Silver badge

    "it boils down to the first rule of cybersecurity: people are the problem"

    Absolutely not! The real problem is giving entirely uninformed people inherently fragile systems and expecting them to operate safely on them without any guidance or prompting to indicate what is safe or unsafe. You wouldn't do that with a chainsaw, so why do you do it on your computers?

    Examples:

    Arbitrary scripts running in the browser are a primary vector for malware of many kinds, but a majority of web sites now won't operate without scripts so the corporate browser typically has all scripting enabled.

    Clickable links in emails can lead to malicious content, but it's impossible for an uninformed user to decide whether a link is legitimate as the visible text field has no consistent relationship to the (invisible) actual link.

    Consequently, handing a fully script-enabled browser to users and allowing clickable links in the emails they receive imposes an impossible decision-making task on them, and they cannot legitimately be held responsible when this backfires. The only way to achieve protection is to apply technical controls that restrict the malicious components. For example, links in emails could be stripped of their text field and displayed directly, or preferably one of the many cloud security proxies could be deployed to check all incoming web and email content before it's delivered to the user.

    The very last thing we should be doing is encouraging uninformed staff to act as pseudo-hackers. Not only will they be incompetent and their efforts disorganised, it will engender a culture of mistrust you should strenuously avoid.
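An added example (not from the article or any commenter) of the technical control Mike 137 describes: a Python rewriter that replaces each link's visible text with its real target and flags links whose text names a host other than the one in the href. The HTML body is constructed for the demo.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message body; not from the page or any real mail.
SAMPLE_HTML = (
    '<p>Invoice: <a href="http://198.51.100.7/login">https://bank.example.com</a></p>'
    '<p>Docs: <a href="https://docs.example.org/guide">docs.example.org</a></p>'
    '<p>See <a href="https://intranet.example.net/hr">the HR portal</a>.</p>'
)

# Matches a bare hostname or URL inside the visible link text.
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


class LinkRewriter(HTMLParser):
    """Copy an HTML body, replacing every anchor's text with its actual href."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []     # rewritten HTML fragments
        self.links = []   # one record per <a href=...>
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []
        else:
            self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        self.out.append(self.get_starttag_text())

    def handle_data(self, data):
        if self._href is None:
            self.out.append(html.escape(data, quote=False))
        else:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = "".join(self._text).strip()
            real_host = (urlsplit(self._href).hostname or "").lower()
            m = HOST_RE.search(text)
            shown_host = m.group(1).lower() if m else None
            # Mismatch only when the text claims a host and it differs from the real one.
            self.links.append({"text": text, "href": self._href,
                               "mismatch": bool(shown_host) and shown_host != real_host})
            safe = html.escape(self._href, quote=True)
            self.out.append(f'<a href="{safe}">{safe}</a>')  # show the real destination
            self._href = None
        elif tag != "a":
            self.out.append(f"</{tag}>")


def rewrite_links(body):
    """Return (rewritten_html, link_records) for an HTML email body."""
    p = LinkRewriter()
    p.feed(body)
    p.close()
    return "".join(p.out), p.links
```

Running `rewrite_links(SAMPLE_HTML)` flags only the first link, whose text names `bank.example.com` while the href points at a bare IP address.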

    1. Anonymous Coward

      Re: whether a link is legitimate

      Outlook here seems to rewrite/redirect all in-email links via some sort of "safelinks" service, which I presume helps protect users ... and has the handy side effect of helping MS track user behaviour, I imagine.

      1. Anonymous Coward

        Re: whether a link is legitimate

        A wonderful system which means that if a colleague actually needs to send me a URL, they can't.

    2. Morten Bjoernsvik

      Re: "it boils down to the first rule of cybersecurity: people are the problem"

      So it is much better to let it loose and let some strangers do it.

      Exploit your own before some strangers do it.

    3. Anonymous Coward

      Re: "it boils down to the first rule of cybersecurity: people are the problem"

      I take the view that if my beloved employers present me with an email containing something malicious, and if their systems are susceptible to that something malicious, that's two problems on their side and none whatsoever on mine. I will therefore click on anything I see, and if that causes damage it is Not My Problem.

  5. captain veg Silver badge

    you clicked a phishing link!

    This (the title) was literally the subject of an email that I received from corporate IT.

    I tried explaining that I had clicked on nothing, but downloaded (with wget) into a secure virtual machine the content of a page linked to in a deeply suspicious email.

    Having analysed the download it was clearly bogus. So I reported it to local IT and the providers of the email sender and the linked web site.

    The corporate security nazis insisted that I take "remedial" security training. When I refused they withdrew all access to network resources, so I couldn't work. Which was fine for me, but annoyed my colleagues somewhat. I "watched" (i.e. ignored until it had finished) the "mandatory" training (i.e. I could correctly answer all the questions without the slightest hesitation having spent precisely no time at all absorbing the "training"), which was (surprise!) entirely pointless.

    I complained. They threatened me with disciplinary action.

    I work for an American company. I don't get why we spend vast amounts on employing these B-Ark parasites.

    -A.

    1. Throatwarbler Mangrove Silver badge

      Re: you clicked a phishing link!

      You sound like this (mandatory) xkcd:

      https://xkcd.com/651/

    2. Anonymous Coward

      Re: you clicked a phishing link!

      Been there. When I got the notice that my manager was being informed that I "fell for" the phishing link, I sent my manager (and his!) an email pointing out that I successfully identified the email as coming from a security-testing organization hired by the company, and that their website was the destination of the link and therefore safe, before I clicked it.

      Never heard a word about it from my management, but I did have to "watch" the mandatory retraining the same way you did.

      Ironically, the fake-phishing emails are always much, much higher quality and more likely to fool the user than the real things.

  6. doublelayer Silver badge

    Start by having a system for reports

    I'm not entirely sold on this, but there's something else that will be required if you are and will be very useful if you aren't. You need a way to have people report problems to someone knowledgeable who won't attack the finder of the problem. I have two examples to demonstrate why this is necessary.

    The first is from an internal hacker who discovered a vulnerability. You've probably heard the story. When Richard Feynman was working at Los Alamos, he discovered that the locks on safes containing nuclear designs weren't very good. He could open them with a paper clip. When they got higher security locks, he found that they too could be attacked too easily for comfort, and he reported it. As the story goes, the administrators decided that the new policy was not to let Feynman near safes he wasn't supposed to get into. In other words, they completely failed to recognize the severity of the vulnerability he was pointing out and were attacking the one person they could be sure wasn't going to misuse the vulnerability.

    The second example is from an external hacker (me, by accident, on a system from the same company but not related to my work). I found a vulnerability in a system that allowed public access to somewhat important internal data. I knew enough to know that what I'd just seen was not supposed to be visible and that there was more where that came from. I sent an email describing the problem to the managing team. If I'd been really external, I couldn't have done that very easily either, because contacting a specific team when you're not internal is difficult (and I'd have been afraid of retaliation, so I'm not sure if I'd have done it anyway). Nobody responded. Sending more emails didn't help. The only way I got anyone to look into the problem was by knowing a friend who could introduce me to someone who worked with the team, who in turn could introduce me to someone on the team itself. Reporting a problem took a lot of effort, and had the bug been much smaller, I wouldn't have bothered reporting it.

    If you ask people to find vulnerabilities or even if you don't, there needs to be a way to get reports and handle them without making the person reporting it the bad guy. If the ideas in the article sound like a good idea, don't start with them until this first step is completed, or the process will backfire when someone's found a problem and can't find anyone to fix it.

    1. amanfromMars 1 Silver badge

      Re: Start by having a system for reports

      and were attacking the one person they could be sure wasn't going to misuse the vulnerability. .... doublelayer

      Now that is one assurance no one can ever accept as valid in any situation for there is nothing to stop things changing and those changes may be for the worse.

      That second example though, doublelayer, is a real Doozy and practically guarantees third party secret private pirate access to as many dirty little secrets as one would wish to access and expose or safeguard and protect for an undisclosed fee/realistically priced extremely attractive expensive retainer whenever the managing team are not up to the task of protecting sensitive and explosive assets and are not easily contactable.

      Indeed, in some cases one could almost imagine and realise there are no competent management teams to contact and one is thus in sole charge of future eventful situations oneself .... which is even more excessively rewarding if one knows what needs to be done for a greater future, and how it is to be done, with that latter element the secret to be failsafe safeguarded and protected against exfiltration and unauthorised access or universal common knowledge.

  7. Yet Another Anonymous coward Silver badge
  8. pc-fluesterer.info
    FAIL

    "because of bad actions by employees"

    A vast amount of "bad actions by employees" would be totally innocuous if the IT wouldn't rely on M$ monoculture.

    "Yes, people are the problem"? No, they needn't be.

    Try the usual [email brings infection (malware or data stealer)] stunt in a FOSS environment.

    1. doublelayer Silver badge

      Re: "because of bad actions by employees"

      I know. That's why I only ever use Linux. They don't have the concept of binaries or scripts so nobody could send me a malicious one. Although I've been thinking about changing to BSD because I hear they completely prevent the most clueless person from entering sensitive data on a malicious website because they've implemented RFC 3514 strictly.

      1. Anonymous Coward

        Re: "because of bad actions by employees"

        Didn't downvote you, because I agree with what I *think* you're saying, but Linux does have both binaries and scripts.

        1. Ian Johnston Silver badge

          Re: "because of bad actions by employees"

          The "RFC 3514" reference shows it was sarcasm.

        2. doublelayer Silver badge

          Re: "because of bad actions by employees"

          Now I'm wondering what you think I was saying. It could easily have been right or you could think I was agreeing with the original comment.

          For the avoidance of doubt, I was saying the idea that Microsoft software is the cause of and a FOSS environment the unstoppable cure for user-caused vulnerabilities is obviously false. Microsoft has a lot to answer for, both in security and in general, but that complaint is not correct.

          1. pc-fluesterer.info
            Linux

            Re: "because of bad actions by employees"

            To update your knowledge and opinion, I suggest you have a look at Denmark and Estonia.

            In both countries public authorities rely on FOSS.

            Here in Germany we had a lot of ransomware incidents hampering universities, cities, courts, revenue authorities, and the like.

            Such incidents are unknown in the two FOSS countries!

            Assuming that people are similar all over Europe, the only interpretation remains the intrinsic security of FOSS.

  9. TeeCee Gold badge

    Here's how this works.

    At a previous employer's I sought out the IT security guy for a ciggy outside. As what I had found was dynamite, I thought it best to avoid a paper trail.

    Me: "You know your new security system? Where all the servers have the same config and the only admin access is via gaining access to the management server, sudo and rlogin with full logging?"

    Him: "Yes of course. What about it?"

    Me: "Well you've blown that standard setup to all the servers. You can rlogin to the management server from any other server and many of the test / dev servers have known passwords, for obvious reasons. Thus with a test server I can get root on the management server and, from there, rlogin to any of the production servers, bypassing all the security and logging! I find this very handy, but it's probably not a good idea."

    Him: "Shit. We were rather hoping to come up with a solution for that which doesn't screw up our standardisation process before anyone else found it..."

    Me: <Stunned silence>.

  10. Anonymous Coward

    I work for a university. That means that it is, as it always has been, us academics vs the IT department. They try to stop us doing our jobs; we subvert everything they do. For example, I have with trivial ease bypassed their insistence on encrypted USB sticks. I'm certainly not going to tell them though. They are the enemy.
