Insider Security Attacks On The Rise, MS Says

from the the-human-factor dept

Microsoft is warning that “malicious insider” security attacks are on the rise as the economy churns out more and more disgruntled and/or desperate laid-off workers. Combine this with the high number of data breaches that are blamed on human error, and it’s clear that the human factor remains a big problem in IT security. Technology often gets the blame for data breaches and leaks, but it’s important to remember that in many cases, it’s the implementation of the technology, or the policies behind it, that are to blame. For instance, in the massive TJX breach, a lot was made of the fact that the company’s WiFi network was protected only by the easily cracked WEP security standard. But somewhere along the line, a human decision was made not to upgrade to something stronger, while another decision was made to transmit credit-card data without encryption. Whether it’s simple incompetence or malicious activity, humans often surpass technology as the weakest link in the security chain.

Filed Under: ,
Companies: microsoft

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Insider Security Attacks On The Rise, MS Says”

Subscribe: RSS Leave a comment
SRS says:

Oh really?

Microsoft would definitely prefer this version of events, as it usefully distracts people from how vulnerable Microsoft software is to external remote attacks – much better to blame the actions of evil insiders instead.

As you state: “it’s important to remember that in many cases, it’s the implementation of the technology, or the policies behind it, that are to blame”. And who implements the technology? Microsoft.

eleete (user link) says:

Re: Oh really?

As you state: “it’s important to remember that in many cases, it’s the implementation of the technology, or the policies behind it, that are to blame”. And who implements the technology? Microsoft.

Microsoft rarely ‘implements’ the technology. They create the software. Network engineers and administrators ‘implement’ the technology. As far as I know, Microsoft doesn’t produce many wireless products at all. The implementers have choices in software and hardware. What they choose and how they choose to configure it is very rarely a Microsoft decision.

Osno says:

By that reasoning, any attack can be blamed on “human error”. If a hacker exploits a vulnerability on a system, there is a human who programmed the system and coded the vulnerability. Humans as the weakest link refers to the fact that a human who has access to the data will give you the access or the data, either by mistake or maliciously. Implementing a WEP protocol may be dumb, but it’s not a “human weakest link”. It’s an easily solved technological vulnerability. Technical error doesn’t mean there’s no human responsible. It means that a technical solution is needed. Human vulnerability is something that cannot be solved technologically, but with training.

nasch says:

Re: Re:

There’s another distinction to be made though. Choosing poor wireless security is a different kind of problem than having your OS fall prey to a buffer overrun error and get taken over remotely. One is a mistake (a technical mistake) by the sysadmin(s). The other is an OS vulnerability (also a technical mistake) outside the control of anyone at the place where the breach happened.

This is the distinction being made in the original post. Was the problem inherent to the software and hardware being used, or was it caused by poor choices in how to use it?

NullOp says:


Its been my experience management knows and cares nothing about the overall security of its systems and data. It only matters when an event occurs and then they must have “someone to blame” i.e. the Sacraficial Lamb syndrome. MS would, of course, follow the theory that “it couldn’t be our product, it must have been improperly implemented” line of thinking. Also, often decisions are made to cater to the crybaby VP. He/She wants ease of use rather then security for the company.

R. Miles says:

Figures Microsoft would say this just shy of a new Windows release.

I know, it seems a bit of a “conspiracy theory”, but it does make some wonder.

What I find interesting is how Microsoft refuses to acknowledge its own software is what allows these threats to increase. It seems every day, there’s a new vulnerability found within the Windows operating system, rarely patched in time before being exploited.

It makes sense these attacks would increase during this economic state. Most IT departments are responsible for patching known vulnerabilities. Given how quickly businesses act, many are still open.

I still can’t believe anyone would do this, especially during these times, simply to get “revenge” for being let go and destroying any future chance at working in the industry again.

chris (profile) says:

the WEP decision

not all devices are created equal. WPA2 is the favorite for maximum wireless security, but it is a relatively new invention, and not all wifi connected devices are new, nor are they laptops.

WPA2 is great, but support for it was not built into windows xp, so you have to install the wpa2/wps ie update or move to service pack 3. this means testing, deployment, and even training.

what about those other devices, like pdas, phones, or barcode readers, that may not include WPA2 support?

the problem isn’t with the decision to use wep. the problem is with not separating the wireless network from the corporate network when wep was proven to be insecure.

Anonymous Coward says:

You can have perfect technology security and still have data breaches. Humans are the weakest link. Blame Microsoft if you want, but companies just don’t spend the money it should to really secure itself.

Just like all the companies that blamed SAP and consultants when their huge implementation didn’t do what was planned because the company didn’t spend the money on the proper planning or the proper modules. Companies take shortcuts that cost them in the long run.

Bradley Stewart (profile) says:


OK so I am an old codger with only about five years computer experience. I did spend decades in business. I have worked with and for some great people. I have also worked with some really lazy,careless and thought less individuals who couldn’t care less. Though I consider myself pretty much of a computer dope I have learned enough over the years about technology how to get the right answers to technology security potential problems. I know its tough to keep up on as technology is in a constant state of flux however I believe company’s should do everything within their power to avoid any possible compromise. If they do not they should be heavyly fined and be forced to make restitution to any injured partys. I am sorry to say that I believe that this is the only way to get the attention of the people who some of whom couldn’t figure out how to pour water out of a boot if you told them that the instructions were written on the heel and really don’t care about anything but their pay checks.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...