Jim Routh and Gary McGraw examine why twenty-somethings skateboard right past security controls, and what it means for employers (i.e. you!)
November 02, 2009
The insider threat, the bane of computer security and a topic of worried conversation among CSOs, is undergoing significant change. Over the years, the majority of insider threats have carried out attacks in order to line their pockets, punish their colleagues, spy for the enemy or wreak havoc from within. Today’s insider threats may have something much less insidious in mind—multitasking and social networking to get their jobs done.
To get a handle on the growth of the lifestyle hacking problem, consider this: One Wall Street firm we’re both very familiar with estimated that 45 percent of all security incidents in the past two years were lifestyle hacks.
Example: Dylan had constructed a secure tunnel by exploiting a vulnerability in the company’s Web proxy, and he was connecting his workstation to his ISP at home. This allowed Dylan to watch pirated movies running on his home PC while he was streaming music from sites no longer filtered by the proxy.
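The Dylan anecdote is the kind of lifestyle hack a proxy log will show long before anyone reports it: a CONNECT tunnel to a non-standard port that stays open for hours and moves a lot of bytes. The following is an added example, not code from the article or its authors. It parses a constructed, simplified proxy log format (timestamp, user, method, host:port, duration in seconds, bytes) and flags tunnel sessions that exceed assumed thresholds or use ports outside an allow-list; the log lines, user names, hostnames and thresholds are all invented for illustration.

```python
"""Flag long-lived or oversized CONNECT tunnels in a web-proxy log.

Added example (not from the article). The log format below is
constructed for illustration: one event per line, space separated:
  <timestamp> <user> <method> <host:port> <seconds> <bytes>
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log. "dylan" has two multi-hour tunnels to an
# ISP-hosted endpoint on port 8443; the other users look normal.
SAMPLE_LOG = """\
2009-10-28T09:02:11 dylan CONNECT vpn-home.example-isp.net:8443 14520 938000000
2009-10-28T09:03:40 alice GET www.example.com:80 1 24000
2009-10-28T09:05:02 bob CONNECT mail.example.com:443 38 120000
2009-10-28T13:10:55 dylan CONNECT vpn-home.example-isp.net:8443 9800 410000000
2009-10-28T13:12:00 alice CONNECT bank.example.org:443 120 88000
"""


@dataclass
class ProxyEvent:
    ts: str
    user: str
    method: str
    host: str
    port: int
    seconds: int
    nbytes: int


def parse_log(text):
    """Parse the constructed log format into ProxyEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, method, dest, secs, nbytes = line.split()
        host, _, port = dest.rpartition(":")
        events.append(ProxyEvent(ts, user, method, host, int(port), int(secs), int(nbytes)))
    return events


def flag_tunnels(events, max_seconds=3600, max_bytes=100_000_000, allowed_ports=(443,)):
    """Return (event, reasons) for CONNECT sessions that breach any threshold.

    Thresholds are assumptions for the example: one hour, 100 MB, and an
    allow-list of ports a browser legitimately needs CONNECT for.
    """
    findings = []
    for e in events:
        if e.method != "CONNECT":
            continue  # plain GET/POST traffic is filtered by the proxy already
        reasons = []
        if e.port not in allowed_ports:
            reasons.append(f"port {e.port} not in allow-list")
        if e.seconds > max_seconds:
            reasons.append(f"tunnel open {e.seconds}s > {max_seconds}s")
        if e.nbytes > max_bytes:
            reasons.append(f"{e.nbytes} bytes > {max_bytes}")
        if reasons:
            findings.append((e, reasons))
    return findings


def tunnel_time_by_user_host(events):
    """Total CONNECT seconds per (user, host), to catch many short sessions
    that individually stay under the duration threshold."""
    totals = defaultdict(int)
    for e in events:
        if e.method == "CONNECT":
            totals[(e.user, e.host)] += e.seconds
    return dict(totals)


def findings_per_user(findings):
    """Count flagged sessions per user for a quick triage list."""
    counts = defaultdict(int)
    for e, _ in findings:
        counts[e.user] += 1
    return dict(counts)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for e, reasons in flag_tunnels(evts):
        print(f"{e.ts} {e.user} -> {e.host}:{e.port}: " + "; ".join(reasons))
    print("tunnel seconds per user/host:", tunnel_time_by_user_host(evts))
```

Run against a real proxy export, the useful knobs are the allow-list and the duration threshold: legitimate HTTPS browsing produces many short CONNECT sessions to port 443, while a workstation-to-home tunnel shows up as a handful of sessions that run for hours. The per-user/host aggregation matters because a user who reconnects every few minutes never trips the single-session limit.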
Phi Beta Iota: Shades of CIA in the 1980s, when graduate students came in, saw the Soviet-era tools, and left. We recommend a full reading of the above article, for it cuts more deeply into the pathological divide between the top-down security idiocy of the past and the bottom-up sharing culture of the present than any we have seen. What the article does NOT tell you, which we learned from Vint Cerf and others, is that “insider attacks” of any kind are less than 10% of the problem overall. MOST communications and computing outages come from bad management, including storing back-up files in the same place as the system being backed up (fire and water kill both), and sticking with legacy systems too long (not switching out and upgrading every two years is tantamount to putting a 25 lb weight on an employee’s hands). CEOs today, and government CIOs, are completely out of touch with both reality and the promise of the digital natives they are firing instead of promoting.