When Security Problems Get Bad, IT Managers Blame Everyone Else
from the it's-your-JOB dept
Ok, let’s start out by admitting that people do incredibly stupid things on their computers that often put those computers at risk. It happens. It sucks and they should know better — but it happens and it’s not going to stop happening any time soon. However, as an IT manager, part of your job is to do your absolute best to protect computers anyway. That could involve better training for employees or it could involve better technology to help prevent bad things even when users are, in fact, clueless about security. However, that doesn’t change the simple fact that users are going to screw up. That doesn’t mean, though, that IT managers get to shift all the blame to end users. Yes, they’re doing things stupidly — but it’s not necessarily their fault. They just don’t know. Your job, as an IT manager, is to prevent against attack no matter how clueless your end users are. Whining about end users just suggests that you’re not doing your job very well.
Comments on “When Security Problems Get Bad, IT Managers Blame Everyone Else”
No Subject Given
Okay, I’ll take the bait:
Many of today’s security problems cannot be prevented by IT personnel, but CAN be prevented by users.
For example: frequently, it will be discovered that there is a security vulnerability in, say, Internet Explorer. Miscreants can use that vulnerability to take over any computer, but only if the miscreant can get the user to visit their site through fairly obvious social engineering tricks that just about any 12 year old can spot now.
Corporate IT departments cannot prevent the stupid user from visiting the site (which, after all, is promising to end the misery of their daily lives if only they will click on over). Corporate IT departments cannot rewrite Internet Explorer.
Only the user can prevent the security breach from occurring by not falling for the bait. And that is why security measures that rely on users not doing stupid things is a poor security system indeed.
Yet, here we are. Such a breach is totally unpreventable by IT personnel, and is totally the fault of the dolt user.
An IT manager I could, I guess, send out trick emails containing a link to a given page to all users at my company and make that link look especially like a phishing, scamming or virus-infecting email.
Then, I suppose, one could keep track of which employees fell for the ruse and opened the page. Then, management could easily identify the dolts within their ranks and fire them as security risks.
If one did this for say, 4 or 5 days in a row, I bet that the problem would magically disappear as word got round that an IQ test was ongoing.
Alas, I cannot get management buy-in for this proposal.
(And please, you Linux folks …don’t tell me the answer is to use Firefox! All software is vulnerable.)
Re: No Subject Given
“…An IT manager I could, I guess, send out trick emails containing a link to a given page to all users at my company and make that link look especially like a phishing, scamming or virus-infecting email. Then, I suppose, one could keep track of which employees fell for the ruse and opened the page…”
Did that; sent out phishing bait with a link asking detailed questions to gather account numbers, etc.
Problem was, nobody took the bait. They all called the helpdesk and asked if it was a real email.
The failing here is those stupid chain letters. If someone sent one out and embedded a bad link in there any insufficiently protected network could be compromised.
I’m confident in the steps we’ve taken as an IT department to protect the world from our users, as well as our users from the world, but, as you said, all software is vulnerable. Problem there is the manufacturer doesn’t seem to care most of the time.
Re: Re: No Subject Given
It’s not the fault of IT or the end users. It’s the fault of the OS (including browser & email) for including so much “flexibility” that every teenager with too much time on their hands can hack your system. The OS and apps belong in ROM. You don’t have hackers taking over your refrigerator or toaster. That’s because you can’t redesign hardware remotely. Someday this will be a reality. Until then we live in the dark ages of computers.
Re: Re: Re: No Subject Given
I disagree. It’s no one fault but the world’s governments. As long as governments continue to treat the people who create this stuff as less than full-fledged criminals, they’ll continue on their merry way. Look, the lock on my front door isn’t bullet proof; it can be picked, broken, etc. That doesn’t mean that that it’s the lock maker?s fault if my house gets broken into. But if criminals when caught, aren’t sent to jail then it’s sending a message that it’s OK to break into my house.
If Germany would have sent that kid that wrote Sasser to jail for 20 years instead of a one-year suspended sentence, hacker may think twice about what they are doing. If instead of paying MS when caught, then setting up shop elsewhere, spammers were sent to jail for a long time, my company wouldn’t need to spend thousands of dollars on anti-spam & anti-virus software every year. Any modern system is too complicated to ever be 100% secure, we need to start looking at the problem differently.
Re: Re: Re:2 No Subject Given
certainly punishment is a valid argument, but script kiddies as a group are tied to the challenge by adrenaline and a desire to subvert the rules.
If they up the ante by saying you’ll go to jail for 20 years, the challenge just got upped big time.
Not slapping on an super-sized sentence can lead to other methods of silencing the inner adrenaline junkie these types have become…
as usual, correct me if I am wrong.
Re: Re: Re:3 No Subject Given
While I agree with you that there will always be a group that cannot be deterred no matter how stiff the penalty, “real” punishment I think would have two affects. First, it would deter the causal hacker. These aren’t the diehards, these are the ones that download a toolkit, make a few mods, and wait for TV coverage. Secondly, you can?t deter the diehards, but at least you’d get them off the net once you catch them. They can?t code from a jail cell.
All the finger pointing between users, admins, developers, browsers, OSs, etc really bothers me. The discussion we should be having is how do we get these criminals off the street.
Re: Re: Re:4 No Subject Given
You guys are still missing the point. The problem here is a fundamentally bad engineering design. Allowing malicious (or accidental!) overwrites of your program data is just asking for trouble. Please observe that we aren’t having these same discussions about teenagers hijacking refrigerators or television sets.
Just don't give them the keys...
Anyone who wants admin (or root) privilege on their desktop box (so they can install stuff on it either intentionally or because it’s “their” machine) should become part of the IT team and carry the on-call pager.
You get the midnight-6am Sunday shift…
Re: Just don't give them the keys...
So, true. Or it could be like my company where our Corporate IT heads specify that all of our domain users are local admins on every machine throughout the country. I wonder if our IT Heads have ever heard of Admin Shares or remote registry access, amongst everything else. Out of 900+ PC users I cannot believe we haven’t had an incident to date.
I’m curious how many of our “learned” users have key loggers installed on other people’s PC and are checking their email… or reading their sensitive documents.