Insider Security Attacks On The Rise, MS Says
from the the-human-factor dept
Microsoft is warning that “malicious insider” security attacks are on the rise as the economy churns out more and more disgruntled and/or desperate laid-off workers. Combine this with the high number of data breaches that are blamed on human error, and it’s clear that the human factor remains a big problem in IT security. Technology often gets the blame for data breaches and leaks, but it’s important to remember that in many cases, it’s the implementation of the technology, or the policies behind it, that are to blame. For instance, in the massive TJX breach, a lot was made of the fact that the company’s WiFi network was protected only by the easily cracked WEP security standard. But somewhere along the line, a human decision was made not to upgrade to something stronger, while another decision was made to transmit credit-card data without encryption. Whether it’s simple incompetence or malicious activity, humans often surpass technology as the weakest link in the security chain.
Comments on “Insider Security Attacks On The Rise, MS Says”
Oh really?
Microsoft would definitely prefer this version of events, as it usefully distracts people from how vulnerable Microsoft software is to external remote attacks – much better to blame the actions of evil insiders instead.
As you state: “it’s important to remember that in many cases, it’s the implementation of the technology, or the policies behind it, that are to blame”. And who implements the technology? Microsoft.
Re: Oh really?
As you state: “it’s important to remember that in many cases, it’s the implementation of the technology, or the policies behind it, that are to blame”. And who implements the technology? Microsoft.
Yes. That would be Carlo’s point.
Re: Oh really?
As you state: “it’s important to remember that in many cases, it’s the implementation of the technology, or the policies behind it, that are to blame”. And who implements the technology? Microsoft.
Microsoft rarely ‘implements’ the technology. They create the software. Network engineers and administrators ‘implement’ the technology. As far as I know, Microsoft doesn’t produce many wireless products at all. The implementers have choices in software and hardware. What they choose and how they choose to configure it is very rarely a Microsoft decision.
By that reasoning, any attack can be blamed on “human error”. If a hacker exploits a vulnerability on a system, there is a human who programmed the system and coded the vulnerability. Humans as the weakest link refers to the fact that a human who has access to the data will give you the access or the data, either by mistake or maliciously. Implementing a WEP protocol may be dumb, but it’s not a “human weakest link”. It’s an easily solved technological vulnerability. Technical error doesn’t mean there’s no human responsible. It means that a technical solution is needed. Human vulnerability is something that cannot be solved technologically, but with training.
Re: Re:
There’s another distinction to be made though. Choosing poor wireless security is a different kind of problem than having your OS fall prey to a buffer overrun error and get taken over remotely. One is a mistake (a technical mistake) by the sysadmin(s). The other is an OS vulnerability (also a technical mistake) outside the control of anyone at the place where the breach happened.
This is the distinction being made in the original post. Was the problem inherent to the software and hardware being used, or was it caused by poor choices in how to use it?
IMHO
It's been my experience management knows and cares nothing about the overall security of its systems and data. It only matters when an event occurs and then they must have “someone to blame” i.e. the Sacrificial Lamb syndrome. MS would, of course, follow the theory that “it couldn’t be our product, it must have been improperly implemented” line of thinking. Also, often decisions are made to cater to the crybaby VP. He/She wants ease of use rather than security for the company.
Figures Microsoft would say this just shy of a new Windows release.
I know, it seems a bit of a “conspiracy theory”, but it does make some wonder.
What I find interesting is how Microsoft refuses to acknowledge its own software is what allows these threats to increase. It seems every day, there’s a new vulnerability found within the Windows operating system, rarely patched in time before being exploited.
It makes sense these attacks would increase during this economic state. Most IT departments are responsible for patching known vulnerabilities. Given how quickly businesses act, many are still open.
I still can’t believe anyone would do this, especially during these times, simply to get “revenge” for being let go and destroying any future chance at working in the industry again.
Oooo another place to get and read comments that are anti-microsoft!
This story is somewhat true. Humans are the weak link when it comes to the quality of solutions.
Looks like a Sales Pitch
Article -> “Data loss prevention systems specialise in the detection of precisely these events.”
Is anyone trying to sell their “Data loss prevention systems” ?
Re: Looks like a Sales Pitch
data loss prevention systems are snake oil.
data loss prevention is pretty simple:
1) centralize your data on a secure platform
2) use encryption and access control when granting access to the secured storage
3) if data cannot be centralized, then it must be encrypted with strong cryptographic tools.
the WEP decision
not all devices are created equal. WPA2 is the favorite for maximum wireless security, but it is a relatively new invention, and not all wifi connected devices are new, nor are they laptops.
WPA2 is great, but support for it was not built into windows xp, so you have to install the wpa2/wps ie update or move to service pack 3. this means testing, deployment, and even training.
what about those other devices, like pdas, phones, or barcode readers, that may not include WPA2 support?
the problem isn’t with the decision to use wep. the problem is with not separating the wireless network from the corporate network when wep was proven to be insecure.
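The point of the comment above is segmentation: a legacy WEP-only wireless segment can stay in service as long as it is firewalled off from the corporate LAN. As an added illustration (not from the commenter or the article), the nftables ruleset below does that on a Linux router. Interface names (wlan0 for the legacy wireless segment, eth1 for the corporate LAN, eth0 for the internet uplink) and the 10.0.0.0/8 corporate range are assumptions.

```nftables
# Added example, not part of the original thread.
# Assumed layout: wlan0 = legacy WEP wireless, eth1 = corporate LAN (10.0.0.0/8),
# eth0 = internet uplink. All names and ranges are placeholders.
table inet wlan_isolation {
  chain forward {
    type filter hook forward priority 0; policy drop;

    # Allow replies to connections that were already permitted
    ct state established,related accept

    # Wireless clients may reach the internet, but never the corporate range
    iifname "wlan0" oifname "eth0" ip daddr != 10.0.0.0/8 accept

    # Log and drop any wireless-originated traffic aimed at the corporate LAN;
    # the log prefix gives the SOC a simple string to alert on
    iifname "wlan0" ip daddr 10.0.0.0/8 log prefix "wlan-to-lan-blocked " drop

    # Corporate hosts may initiate to wireless devices (e.g. for management);
    # the reverse direction is only ever reached via the established rule above
    iifname "eth1" oifname "wlan0" accept
  }
}
```

Load with `nft -f <file>` and confirm with `nft list table inet wlan_isolation`. The default `policy drop` means any path not listed (including wireless-to-wireless forwarding through the router) is denied, so a compromised WEP segment yields internet access at most, not the card-data systems the TJX discussion is about.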
You can have perfect technology security and still have data breaches. Humans are the weakest link. Blame Microsoft if you want, but companies just don’t spend the money they should to really secure themselves.
Just like all the companies that blamed SAP and consultants when their huge implementation didn’t do what was planned because the company didn’t spend the money on the proper planning or the proper modules. Companies take shortcuts that cost them in the long run.
BEST PRACTICES PHOEY!
OK so I am an old codger with only about five years computer experience. I did spend decades in business. I have worked with and for some great people. I have also worked with some really lazy, careless and thoughtless individuals who couldn’t care less. Though I consider myself pretty much of a computer dope I have learned enough over the years about technology how to get the right answers to technology security potential problems. I know it's tough to keep up on as technology is in a constant state of flux however I believe companies should do everything within their power to avoid any possible compromise. If they do not they should be heavily fined and be forced to make restitution to any injured parties. I am sorry to say that I believe that this is the only way to get the attention of the people who some of whom couldn’t figure out how to pour water out of a boot if you told them that the instructions were written on the heel and really don’t care about anything but their paychecks.
and it’s clear that the human factor remains a big problem in IT security
Is the technology here to serve man, or are we here to serve the technology?
Plus, it really doesn’t matter what technology you put in place – an ‘unhackable’ system puts me in mind of an ‘unsinkable’ ship – and we all know where that ends up.