When Security Problems Get Bad, IT Managers Blame Everyone Else

from the it's-your-JOB dept

Ok, let’s start out by admitting that people do incredibly stupid things on their computers that often put those computers at risk. It happens. It sucks and they should know better — but it happens and it’s not going to stop happening any time soon. However, as an IT manager, part of your job is to do your absolute best to protect those computers anyway. That could involve better training for employees, or it could involve better technology that prevents bad things from happening even when users are, in fact, clueless about security. None of that changes the simple fact that users are going to screw up. But it also doesn’t mean IT managers get to shift all the blame onto end users. Yes, users are doing things stupidly — but it’s not necessarily their fault. They just don’t know. Your job, as an IT manager, is to protect against attack no matter how clueless your end users are. Whining about end users just suggests that you’re not doing your job very well.


Comments on “When Security Problems Get Bad, IT Managers Blame Everyone Else”

rightnumberone (user link) says:

No Subject Given

Okay, I’ll take the bait:

Many of today’s security problems cannot be prevented by IT personnel, but CAN be prevented by users.

For example: frequently, it will be discovered that there is a security vulnerability in, say, Internet Explorer. Miscreants can use that vulnerability to take over any computer, but only if the miscreant can get the user to visit their site through fairly obvious social engineering tricks that just about any 12-year-old can spot now.

Corporate IT departments cannot prevent the stupid user from visiting the site (which, after all, is promising to end the misery of their daily lives if only they will click on over). Corporate IT departments cannot rewrite Internet Explorer.

Only the user can prevent the security breach from occurring by not falling for the bait. And that is why security measures that rely on users not doing stupid things are a poor security system indeed.

Yet, here we are. Such a breach is totally unpreventable by IT personnel, and is totally the fault of the dolt user.

As an IT manager I could, I guess, send out trick emails containing a link to a given page to all users at my company and make that link look especially like a phishing, scamming or virus-infecting email.

Then, I suppose, one could keep track of which employees fell for the ruse and opened the page. Then, management could easily identify the dolts within their ranks and fire them as security risks.

If one did this for, say, 4 or 5 days in a row, I bet that the problem would magically disappear as word got round that an IQ test was ongoing.

Alas, I cannot get management buy-in for this proposal.

(And please, you Linux folks … don’t tell me the answer is to use Firefox! All software is vulnerable.)

jdw242 says:

Re: No Subject Given

“…As an IT manager I could, I guess, send out trick emails containing a link to a given page to all users at my company and make that link look especially like a phishing, scamming or virus-infecting email. Then, I suppose, one could keep track of which employees fell for the ruse and opened the page…”

Did that; sent out phishing bait with a link asking detailed questions to gather account numbers, etc.
Problem was, nobody took the bait. They all called the helpdesk and asked if it was a real email.

The failing here is those stupid chain letters. If someone sent one out and embedded a bad link in there, any insufficiently protected network could be compromised.

I’m confident in the steps we’ve taken as an IT department to protect the world from our users, as well as our users from the world, but, as you said, all software is vulnerable. Problem there is the manufacturer doesn’t seem to care most of the time.
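The two comments above describe the same exercise from the proposal side and the result side: send a simulated lure with a tracking link, record who opens it, and (as jdw242 found) notice that the more telling number is how many people called the helpdesk instead. The script below is an added illustration of how to measure both outcomes; it is not code from either commenter. It assumes a per-recipient token in the tracking link (`t=u-alice`), an access log in common log format, and a helpdesk ticket export; all three inputs here are constructed samples.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample: web-server access log for the landing page reached
# from the simulated lure.  Each recipient's link carried a unique token so
# attribution does not depend on source IP (shared NAT, proxies, etc.).
ACCESS_LOG = """\
10.0.4.17 - - [12/May/2005:09:14:02 +0000] "GET /training/landing?t=u-alice HTTP/1.1" 200 512
10.0.4.22 - - [12/May/2005:09:15:40 +0000] "GET /training/landing?t=u-bob HTTP/1.1" 200 512
10.0.4.17 - - [12/May/2005:09:16:11 +0000] "GET /training/landing?t=u-alice HTTP/1.1" 200 512
10.0.4.90 - - [12/May/2005:09:20:03 +0000] "GET /favicon.ico HTTP/1.1" 404 0
10.0.4.31 - - [12/May/2005:09:21:55 +0000] "GET /training/landing?t=bogus HTTP/1.1" 200 512
"""

# Constructed mapping issued when the lure was sent (token -> recipient).
TOKEN_TO_USER = {"u-alice": "alice", "u-bob": "bob", "u-carol": "carol", "u-dave": "dave"}

# Constructed helpdesk export: recipients who reported the message as suspicious.
HELPDESK_REPORTS = ["carol", "dave", "bob"]

# Common log format; only the request line and status are needed here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_clicks(log_text, token_map, landing_path="/training/landing"):
    """Return the set of recipients whose personal token hit the landing page.

    Repeated visits by one user count once; unknown tokens and unrelated
    requests are ignored rather than attributed to anyone.
    """
    clicked = set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlparse(m.group("target"))
        if url.path != landing_path:
            continue
        token = parse_qs(url.query).get("t", [None])[0]
        user = token_map.get(token)
        if user is not None:
            clicked.add(user)
    return clicked


def summarize(clicked, reported, population):
    """Split the population into the four outcomes a simulation can produce."""
    clicked, reported, population = set(clicked), set(reported), set(population)
    return {
        "clicked_only": sorted(clicked - reported),
        "clicked_and_reported": sorted(clicked & reported),
        "reported_only": sorted(reported - clicked),
        "no_action": sorted(population - clicked - reported),
        # Click rate is what the proposal above counts; report rate is what
        # jdw242's helpdesk calls actually measured.
        "click_rate": len(clicked & population) / len(population),
        "report_rate": len(reported & population) / len(population),
    }


def run_simulation_report():
    population = TOKEN_TO_USER.values()
    clicked = parse_clicks(ACCESS_LOG, TOKEN_TO_USER)
    return summarize(clicked, HELPDESK_REPORTS, population)


if __name__ == "__main__":
    for key, value in run_simulation_report().items():
        print(f"{key}: {value}")
```

The per-user token is the important design choice: attributing clicks by source IP would misfire behind a proxy or shared workstation, and an unknown token (the `bogus` line) is dropped instead of being guessed at. Reporting the "clicked and reported" bucket separately matters too, since a user who opened the page and then called the helpdesk is the behaviour the exercise is trying to produce, not a failure.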

GS says:

Re: Re: No Subject Given

It’s not the fault of IT or the end users. It’s the fault of the OS (including browser & email) for including so much “flexibility” that every teenager with too much time on their hands can hack your system. The OS and apps belong in ROM. You don’t have hackers taking over your refrigerator or toaster. That’s because you can’t redesign hardware remotely. Someday this will be a reality. Until then we live in the dark ages of computers.

PSC says:

Re: Re: Re: No Subject Given

I disagree. It’s no one’s fault but the world’s governments’. As long as governments continue to treat the people who create this stuff as less than full-fledged criminals, they’ll continue on their merry way. Look, the lock on my front door isn’t bullet proof; it can be picked, broken, etc. That doesn’t mean that it’s the lock maker’s fault if my house gets broken into. But if criminals, when caught, aren’t sent to jail, then it’s sending a message that it’s OK to break into my house.
If Germany had sent that kid that wrote Sasser to jail for 20 years instead of a one-year suspended sentence, hackers may think twice about what they are doing. If, instead of paying MS when caught and then setting up shop elsewhere, spammers were sent to jail for a long time, my company wouldn’t need to spend thousands of dollars on anti-spam & anti-virus software every year. Any modern system is too complicated to ever be 100% secure; we need to start looking at the problem differently.

jdw242 says:

Re: Re: Re:2 No Subject Given

Certainly punishment is a valid argument, but script kiddies as a group are tied to the challenge by adrenaline and a desire to subvert the rules.

If they up the ante by saying you’ll go to jail for 20 years, the challenge just got upped big time.

Not slapping on a super-sized sentence can lead to other methods of silencing the inner adrenaline junkie these types have become…

As usual, correct me if I am wrong.

PSC says:

Re: Re: Re:3 No Subject Given

While I agree with you that there will always be a group that cannot be deterred no matter how stiff the penalty, “real” punishment I think would have two effects. First, it would deter the casual hacker. These aren’t the diehards; these are the ones that download a toolkit, make a few mods, and wait for TV coverage. Secondly, you can’t deter the diehards, but at least you’d get them off the net once you catch them. They can’t code from a jail cell.

All the finger pointing between users, admins, developers, browsers, OSs, etc. really bothers me. The discussion we should be having is how we get these criminals off the street.

GS says:

Re: Re: Re:4 No Subject Given

You guys are still missing the point. The problem here is a fundamentally bad engineering design. Allowing malicious (or accidental!) overwrites of your program data is just asking for trouble. Please observe that we aren’t having these same discussions about teenagers hijacking refrigerators or television sets.

Chris says:

Re: Just don't give them the keys...

So true. Or it could be like my company, where our Corporate IT heads specify that all of our domain users are local admins on every machine throughout the country. I wonder if our IT heads have ever heard of admin shares or remote registry access, amongst everything else. Out of 900+ PC users I cannot believe we haven’t had an incident to date.

I’m curious how many of our “learned” users have key loggers installed on other people’s PCs and are checking their email… or reading their sensitive documents.
