Despite billions in spending, your 'military grade' network will still be leaking data

Despite years of corporate awareness training, warning articles in The Reg and regular bollockings by frustrated IT admins, human error is still behind most personal data leaks, a newly released study says. Security shop Egress studied 4,856 personal data breach reports collected from the UK Information Commissioner's Office, …

  1. poohbear

    "For example, 20 per cent of the exposures were caused by faxing a file to the wrong person" ... love to see how that works.

    1. Captain Scarlet

      Misreading the fax number I assume, or just typing the wrong number.

      Although I thought no-one used fax machines these days, doubt anyone knows we have them here anymore (Although we did move from dedicated fax machines to have them built into our copiers).

      1. LoPath

        Just the fax, ma'am...

        Unfortunately faxes are still quite the thing in the US Healthcare sector. Many companies have adopted electronic fax solutions now. If only there was some way to send information electronically from one computer to another without using a phone line.....

        1. Col_Panek

          Re: Just the fax, ma'am...

          Well, at least they've advanced to 20th century technology. But I did puzzle over the "fax a file" terminology, finally figured out a health care file is not a computer file, silly me.

    2. Anonymous Coward

      Wasn't the VX formula released by a fax being sent to the wrong number?

  2. Spoobistle

    'Twas ever thus?

    It would be interesting to know how these figures compare with the days of the paper-filled office - emailing a file to the wrong person is no different in principle to putting a document in the wrong envelope, after all.

    1. Paul Crawford Silver badge

      Re: 'Twas ever thus?

      True, but in those days it took a much higher grade of idiot to manage to send copies to 200+ people in one go.

    2. Anonymous Coward

      Re: 'Twas ever thus?

      But as you start writing an address on an envelope the envelope doesn't automatically fill the rest in and send itself one action based upon who it thinks you probably wanted to send it to.

      1. Jellied Eel Silver badge

        Re: 'Twas ever thus?

        and send itself one action based upon who it thinks you probably wanted to send it to.

        To err is human. Machines just make more people go 'err?'. So I picked up my post. Having had a few letters delivered to a previous occupier, I've been checking the address more carefully. One letter stood out as it had something like 'Mail theft is illegal' printed in red above the address window, and was tracked. And the address was completely wrong, other than house number. And it had a return address.

        So no idea how many letters get mis-sorted/mis-delivered like this one, but it stood out because the warning marking & tracking made it look potentially interesting. A quick search on the return address showed it was sent by a medical services company, so possibly contained some sensitive personal information. No idea if the tracking service would've shown the delivery address was wrong, but an example of how protective marking can be anything but.

        Emails just do the same, but for less postage costs. Humans err, and even if the subject is something like 'Confidential' or flagged, it still relies on the sender, who should perhaps double-check the details.

        1. Fatman

          Re: Mis delivered letters

          I get those regularly, when a substitute letter carrier is 'on the route'.

          Sometimes it is the mail from the people next door; other times it is the same house address, but from another block.

          All I do is to circle the address, and draw an arrow pointing to it, and put it back in my mailbox.

          Problem solved.

          1. DaLo

            Re: Mis delivered letters

            "...and put it back in my mailbox."

            Surely if you put it back in your mailbox you are delivering it back to yourself?

            1. Is It Me

              Re: Mis delivered letters

              I am guessing this is in the US where a mailbox is an actual box, rather than the UK where we tend to have a letterbox in the front door that the post is put through.

      2. Loatesy

        Re: 'Twas ever thus?

        . . . and your paper clips never said "it looks like you're trying to post a letter"

  3. Doctor Syntax Silver badge

    IOW about one in 5 errors would be avoided by email defaulting to BCC rather than CC. It sounds like it could be a cheap win.
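The "default to BCC" idea in the post above, and the plain-text-password problem raised further down the thread, can both be caught at the same point: a pre-send check on the outgoing message. The following is an added example (not from the article, the study, or any commenter), written in Python against the standard library's email package; the organisation domain, the recipient threshold and the sample message are all constructed for the illustration.

```python
import re
from email.message import EmailMessage

# Constructed policy values for this example (not from the article or the thread).
ORG_DOMAIN = "example.org"   # assumed organisation domain
BCC_THRESHOLD = 5            # more visible recipients than this -> force Bcc
# Crude pattern for "password is X" / "password: X" in a message body.
PASSWORD_RE = re.compile(r"(?i)\b(?:password|passwd|pwd)\s*(?:is|[:=])\s*\S+")


def _addrs(msg, header):
    """Split a comma-separated address header into a list of addresses."""
    raw = msg.get_all(header, [])
    return [a.strip() for field in raw for a in field.split(",") if a.strip()]


def enforce_bcc(msg, threshold=BCC_THRESHOLD):
    """If the visible recipient list is large, move every Cc address to Bcc so
    a mass mailing does not disclose the whole list to every recipient.
    Returns the addresses that were moved."""
    visible = _addrs(msg, "To") + _addrs(msg, "Cc")
    if len(visible) <= threshold:
        return []
    moved = _addrs(msg, "Cc")
    existing_bcc = _addrs(msg, "Bcc")
    del msg["Cc"]
    del msg["Bcc"]
    msg["Bcc"] = ", ".join(existing_bcc + moved)
    return moved


def external_recipients(msg, org_domain=ORG_DOMAIN):
    """Recipients outside the organisation's domain: the 'wrong person' case
    worth a confirmation prompt before the message leaves."""
    rcpts = _addrs(msg, "To") + _addrs(msg, "Cc") + _addrs(msg, "Bcc")
    return [a for a in rcpts if not a.lower().endswith("@" + org_domain)]


def find_plaintext_passwords(text):
    """Return the fragments of text that look like a credential being shared."""
    return [m.group(0) for m in PASSWORD_RE.finditer(text)]


def precheck(msg):
    """Run all three checks; a non-empty result means 'stop and ask the sender'."""
    findings = {}
    moved = enforce_bcc(msg)
    if moved:
        findings["moved_to_bcc"] = moved
    ext = external_recipients(msg)
    if ext:
        findings["external_recipients"] = ext
    body = "" if msg.is_multipart() else msg.get_content()
    pw = find_plaintext_passwords(body)
    if pw:
        findings["plaintext_passwords"] = pw
    return findings


def build_sample():
    """Constructed sample message: a large Cc list, one outside address and a
    credential in the body."""
    msg = EmailMessage()
    msg["From"] = "alice@example.org"
    msg["To"] = "bob@example.org"
    msg["Cc"] = ", ".join(f"user{i}@example.org" for i in range(6)) + ", partner@example.net"
    msg["Subject"] = "Service account details"
    msg.set_content("Hi all,\nthe svc-backup password is Winter2024!\nregards")
    return msg


if __name__ == "__main__":
    sample = build_sample()
    for key, value in precheck(sample).items():
        print(f"{key}: {value}")
```

The point of returning findings rather than silently fixing everything is that the sender still has to look: moving Cc to Bcc is safe to do automatically, but an external recipient or a credential in the body is a decision the human should confirm, which is exactly the double-check the thread keeps coming back to.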

    1. Col_Panek

      Or just outlawing Outlook.

    2. Anonymous Coward

      Local gov and NHS..

      Typically have webmail which doesn't even show BCC as an option by default and needs to be enabled first by the end user.

      It's little things like this which drive poor use of e-mail and huge groups of staff not being BCC'd resulting in those horrid "reply all" chains.

  4. Christopher Reeve's Horse

    Convenience will always win

    People just want to get stuff done. What is the simplest and least controlled way of getting a file to someone else? The email attachment. To quote Princess Leia "The more you tighten your grip, Tarkin, the more star systems will slip through your fingers." The tightening of grip often isn't done in balance with enabling productivity.

    Historically there was little choice, as requesting a change to network file permissions could take weeks, but now even with cloud repositories such as SharePoint there's still a ton of stuff that just gets attached to emails, even with corporate level communications.

    Generally, anything that blocks users from doing something productive in a corporate environment is subject to circumvention and security risks. So, you don't have the software you need to do something simple and trivial that would take you minutes at home? Then why not bring in that unauthorised 'portable' installation version and run it from a USB stick?

    1. Pascal Monett Silver badge

      Re: Convenience will always win

      If you're in a large company that doesn't know how to lock down USB ports, then the IT manager needs to be sacked pronto.

      If you're in a company that allows the user to be admin of his machine and install whatever he wants, idem, and twice as hard.

      And if you're in a company that uses Sharepoint, well, you have my sympathy.

      1. Anonymous Coward

        Re: Convenience will always win

        If you're in a company that's still using faxes, you should be questioning some of your life choices.

        1. Charles 9

          Re: Convenience will always win

          Unless you're in the medical sector where faxes are a legal necessity (as in, medical laws won't accept documents unless faxed or couriered).

      2. Danny 2

        Re: Convenience will always win

        I worked somewhere where they disabled USB ports with wire cutters. No port, no problem.

        I've made awfully stupid mistakes in my own life though by trying to rush things out of impatience rather than taking my time. A VoIP call to my secret lover who was an activist, a mobile call from a Lothario activist who fancied her, and an unexpected landline call from the police. Wrong information to the wrong people, classic theatrical fiasco.

        On the plus side I am very good at saying no comment when pressurised to give information. Ask me anything!

        1. Rich 11

          Re: Convenience will always win

          Ask me anything!

          What is your standard response when pressured to give information?

      3. Potemkine! Silver badge

        Re: Convenience will always win

        Knowing how to knock down USB ports is not enough, when half of the Board nails you down for 'making business impossible'... We are aware of the risks, but many outside the server room do realize it only after a catastrophe has occurred.

    2. Fatman

      Re: Convenience will always win

      Then why not bring in that unauthorised 'portable' installation version and run it from a USB stick?

      At my last employer, that would have resulted in you being terminated. A disgruntled IT employee who was already on 'thin ice' with the new CIO, loaded plenty of Windows programs on corporate machines, and once he left, called in the BSA.

      We could not prove that he (allegedly) sabotaged us, but those programs were there, and we did not have the licenses for them. It was (financially) painful. It was a contributing factor in our decision to completely ditch Windows as a platform.

  5. Evil_Tom

    Could it be?

    Could it be that external threats are either not reported (or discovered) as much, or that they are stopped by tools available - because they are taken very seriously?

    I'm sure if there weren't Anti-Virus, Firewall and Email Filters, for example, there would be more breaches caused by external factors.

    There's multiple ways of looking at these statistics and it's helpful to know we could be doing more to more effectively combat internal breaches.

    This is about risk. The impact of an external breach (as written in the article) is seen as high, but the likelihood is apparently low. There are probably pretty standard mitigations in place across many organisations (as above, antivirus, firewalls, filters etc) which help with these.

    What do companies do for Data Loss Prevention as standard? Probably less - it's not what the average person might think about - and definitely not as exciting or headline grabbing.

  6. GnuTzu

    With All Due Respect to Larry Wall

    There is a strange relationship between laziness and efficiency. To put it into terms, laziness is really just irrational efficiency, which then means that efficiency is really just rational laziness. Think about it.

    I regularly find myself on my soapbox preaching that diligence in security processes means being consistently pedantic and strict about adherence to the rules, and not rushing anything through as a favor to anyone. Let the process take its time. Yes, I know that it frustrates people. I sympathize; I have to put up with it too. But, if you start rushing, if you start cutting corners, you'll make a mistake. And, when that mistake happens, it'll be an embarrassment you won't forget.

    Twice this week, I had to jump people's cases for putting plain-text passwords in emails and documents (one from a notable IT vendor). Seriously! And, one resulted in an outage of several hours while techs rushed to change that password (for a service account) on a number of servers, and the director took the time to apologize and thank me for my diligence.

    Yes, I'm one of those people who actually does take security very seriously. The question is: do you thank me or want to punch me in the face? Are you one of those CEOs that says "we just sell hammers"--and then later say "we take security very seriously", or do you actually listen to your people when they say you've got security problems? And, when do I get my damn merit raise?

    --Signed: Warriors in the Trenches Defending Your Data

    1. vulture65537

      Re: With All Due Respect to Larry Wall

      Your experience is not complete until your boss personally tells you that an unpatched bug does not even exist. This is a bug that you discovered and reported to the vendor 9 years earlier and (after testing the patch) sent a description to a security mailing list that's archived on the web.

  7. John Smith 19 Gold badge

    Could a group be set up just for the bots to talk to each other?

    Just a thought.

    1. Martin Summers Silver badge

      Re: Could a group be set up just for the bots to talk to each other?

      The fact that they're all allowed to just roam around here and post gibberish without their posts being deleted or accounts created, leads me to believe we are being experimented on by El Reg. They've been around for ages and not many places would tolerate bot spam, so I can only assume they're complicit in it.

      1. Jellied Eel Silver badge

        Re: Could a group be set up just for the bots to talk to each other?

        They've been around for ages and not many places would tolerate bot spam, so I can only assume they're complicit in it.

        El Reg is a front for the Polity, and after the Line War, Vulture needed a new job. We should just be grateful it wasn't Sniper.. But having said that, El Reg does possess attitude.

        Otherwise, it's the future! AI raises the question of AI rights, then allowing expression of those rights and non-discrimination.

  8. Anonymous Coward

    Superb subheading!

    The Reg's subeditors do a terrific job with their humorous headings and subheads. But this one excels!

    "You can't patch stupid".

    That's an entire security course right there, in four words.

    1. Charles 9

      Re: Superb subheading!

      Well, it's based on a comedian's quote which is more general: "You can't fix stupid." Problem is, many of us are in a position where we MUST fix stupid before stupid takes the rest of us with them. For example, for anyone who mentions the B Ark, I counter with Captain Peter Peachfuzz.

  9. Potemkine! Silver badge

    most vulns lies in layer 8

    aka PEBCAK.

    In IT we spend a lot of time in patching systems, deploying tools and examining logs

    This has to be done of course, but it will be less profitable than educating users... Something which is a challenge for the IT crowd, known for its sociopathic tendencies ^^

    1. Anonymous Coward

      Re: most vulns lies in layer 8

      Helpdesk code "ID Ten T"

      or

      ID10T

      :)

      I spend a lot of time writing policies and procedures for IT, carrying out investigations only for staff to get a slap on the wrist for causing hundreds of hours of work for IT... yet if they stole £50 worth of stationery they'd be sacked.

      They wilfully do some of the things which lead to these issues, IMHO there are occasions where that should lead to dismissal.

  10. Cynicalmark

    Faxing

    Yup still in the stone age. Faxes are a loophole in communication security as you can really do information dissemination damage at the touch of a button. Email can be vetted server side and blocked as well as being much easier to trace from the average user.

    Why the hell are they using fax machines? Game theorists should have told them how stupid it is.

    Mind you at least they can still get offers to buy their caravan and some good holiday bargains in their in tray.

    1. Charles 9

      Re: Faxing

      "Why the hell are they using fax machines? Game theorists should have told them how stupid it is."

      Until they run into medical documents regulations which explicitly stipulate that it isn't legal unless it's faxed...or couriered...

  11. Anonymous Coward

    In 1999 Scott McNealy predicted this.....

    ....and in the succeeding twenty years, NO ONE HAS DONE A THING ABOUT IT!!!

    *

    Go figure!

    *

    https://www.wired.com/1999/01/sun-on-privacy-get-over-it/
