February 14th, 2003, 10:43 PM
Why 'computer' security is not enough
The signs were not that positive, a massive increase in staff, all poorly trained, although mostly well motivated; a management that didn’t really understand the impact of security lapses but who were prepared to ‘humor’ the geeky one (yours truly), and a culture of not thinking beyond the end of the year that had disturbed my slumber on a number of occasions.
So with year-end approaching, I started to consider the areas to review. Like most companies I could divide them easily into systems, procedures and personnel. Unlike most companies, and partly due to the short history of our company, none of them were documented or indeed had ever been subject to review before. I began in earnest looking into systems.
Being so new we didn’t have too many systems to worry about. Those we had, a customer database and an email system were relatively secure, albeit plagued by accidental record deletions and new staff errors. Our email system was a major cause of concern though. Frequent viral outbreaks and a poor delivery system for anti-virus, which required the user to install both the program and updates led to silly mistakes and frequent embarrassments, which affected all levels of staff in the organisation. Another worry was the way email was filtered in through just a few accounts, with one person receiving up to 300 emails a day with others just ten. This led to an almost blasé approach to passing on messages. Sometimes those who received the most email forwarded emails on to whomever they thought the most appropriate recipient regardless of content, as they only read the subject line. I myself received several references for my new manager through this lapse.
The lessons from this portion of the review were simple; distribute mail more evenly and train staff in what is and what is not sharable data, using message classifications to determine message sensitivity; ensure the new replacement system was suitable for untrained staff, then throw in some training anyway. Lastly, a system was created to allow ‘blameless’ reporting, so that staff knew that when they’d wiped 40 records, or mailed a virus by accident, that it would be dealt with without them being vilified.
After two days of reviewing procedures, I genuinely thought about quitting. I even started updating my resume so damning was the evidence. The fast growth and one person creation of procedures had led to a kind of institutional anarchy, where things that once considered objectively, were clearly insane, were accepted as normal. To state it plainly, and I can still hardly believe this to be the case, the single largest cause of privacy breaches was…paperclips!
No, not Microsoft’s helpful buddy, but the small metal clasps that clip files together, which in turn caused 20 of the 25 problems identified in my report.
Paperclips are useful little devices. According to http://www.mb007a2628.pwp.blueyonder...paperclips.htm the modern style of paperclips has been around since 1866, not bad for a small piece of metal. They are as common as Post-it notes and in the right environments serve a great purpose. However, in our case they were a menace!
The procedure went like this: A customer subscribed to our service. His or her application was then entered onto a computer (by untrained staff); the paper form was then filed in a metal filing cabinet. Aside from the problems or poor data entry or database failure, which loomed large, there’s another factor I have not yet mentioned: The forms were six pages long and included supplementary pages. So staff would clip the pages together using paperclips then put them in the filing cabinet. Pretty soon, the filing cabinet was full and so the documents were pushed in and promptly attached themselves to the next form. Finally when a caller telephoned and his/her record couldn’t be found, staff helpfully retrieved their file from the cabinet and read out the details on it in order to verify that they were correct, which of course they weren’t because Alice’s front page was tagged to Bob’s back.
To make it worse, another file cabinet was used to store unprocessed records, and you can just imagine the chaos that ensued. Pretty soon, staff were trying to identify all the pages in a particular form (and they could be any length up to 12 pages) just from the handwriting, but no one considered it to be a big problem and so just cleaned up as best they could and continued. Until one day during my audit I upset everyone by removing all the paperclips from the office and handing out staplers.
Finally, I looked at staff related issues. Aside from lack of training, the team is generally well meaning, although we don’t actually know much about any of them, having failed to secure basic background checks or verify any qualifications. This will probably be my next battleground, but for the time being problems were more procedurally based, than individually based.
However, one thing that was apparent as I spoke to people about systems and procedures was that they were genuinely scared of making errors and so resorted to the oldest, most trusted technologies, the paperclips, the post-it notes on the monitor, all things that cause as many problems as they solve, but which are generally accepted as ‘irrelevant’.
So I found many post-it notes under keyboards emblazoned with network passwords, one even stated the password rotation mechanism (change first two letters to those of current month), workarounds used instead of reporting potentially damning bugs and a culture of printing out and posting rather than emailing ‘I want it to get there safe’.
I also discovered a lack of basic awareness of what systems are available, what equipment is owned and where it is in the building. You could walk into our offices, pick up a thousand dollar item of equipment and walk out. A week later, it wouldn’t have been reported; as staff would assume it had been borrowed, or even not realise it was gone. I often wondered whether if on 8am on a Monday you replaced the monitors with microwave ovens, staff would notice by 10 (and whether they’d just file a ‘network down’ report with helpdesk).
But I digress. The moral of my story is this: old technologies are just as insecure as new technologies and if your staff are spooked by the media, or indeed whatever you are doing to increase security, they’ll resort to using old, insecure methods, which will impact on both security and productivity and will do nothing to impress your customers, but will make a great impression on your bottom line.
Sermon over...where's that jokebook?
668 - the neighbor of the beast
February 15th, 2003, 03:26 AM
The problem is implementing "new" anything. Aprogramming major came to me with a problem-she had aquired a trojan but thought it HAD to be something else. She told me she was computer savvy, being a senior in programming and all, so I just had to be wrong. When I asked her to review her firewall logs she told me she didn't use a firewall because her isp was dialup. When I gently explained the purpose of a firewall she ended the conversation saying she needed to find someone who will help her. For two weeks she has been looking for someone to give her an answer that is "acceptable" to her.
The similarities to your story, though on a different level, occur wherever change or something that isn't understood by those whom it is being implemented on just pretend it isn't there. In business it is sometimes the fear of appearing stupid so some practice ignorance instead. I am sure that your people don't understand why you can't do your work and leave them out of it!! Of course if things get any worse it will be your fault. Use those Dilbert skills-lol!
the only way to fix it is to flush it all away-tool
February 15th, 2003, 04:35 AM
I have a question; are you the bug, or the windshield?
February 15th, 2003, 08:18 AM
Wow that was a good read
February 15th, 2003, 08:50 AM
I could not agree more. Excellent post englishgirl.
Ubuntu-: Means in African : "Im too dumb to use Slackware"