End User Ignorance - How long will we cope?

ISO: "Internet Security Officer" is (when I wear the hat) a sucky job, where a state or FED entity drags you in to an office to convict an employee of misuse.... As a consultant its a sucky job to compile the history and Caches that end up confirming the charge of "guilty" of un-authorized net access on the part of a state/Fed employee... I'm sure it happens in the private sector all the time, just never had to deal with that. As far as Gov't agencys go, it always ends in termination (at least in my experience). State governments don't tend to log much, so its the persons own machine that provides the "proof" the sad part is that anyone can get window washer 5.51 from kickme.to/FOSI oh well.... the whole (L)user thing can be kinda sad sometimes....

we never have a problem with users accessing sites they shouldn't - we just dont give them net access ;)

they have no need for it to complete their jobs so we dont allow them to use it - if they feel they need a piece of information that is not included for them in the internal network then they can ask their team leaders for it and that can then be supplied.

heh they dont even have email anymore - one of the first things that got taken away when we arrived

v_Ln

Speaking of being accountable for what happens when one's username is logged in, it is relatively easy to obtain another's user/pwd. It takes under 3 seconds to install & take off a hardware keyboard logger. This wouldn't really help w/ surfing since surfing is a lengthy activity & one is bound to be seen by someone, but if malicious user wanted to attempt a quick attack agains the network another one would be blamed. That is unless you have cameras or a good physical access policy.

Quote:

---

Originally posted here by rabit
Speaking of being accountable for what happens when one's username is logged in, it is relatively easy to obtain another's user/pwd. It takes under 3 seconds to install & take off a hardware keyboard logger. This wouldn't really help w/ surfing since surfing is a lengthy activity & one is bound to be seen by someone, but if malicious user wanted to attempt a quick attack agains the network another one would be blamed. That is unless you have cameras or a good physical access policy.

---

It's even easier than that...most end users at work freely pass their password around even though they're told not to. I've seen countless have it written on something nearby (postit on the monitor, etc) and I've seen one place where users had to have their password and username written on paper taped to the underside of their keyboard.

All you have to do is look like you know what you're doing and Kevin Mitnick's trick of social engineering is all you have to do. They'll GIVE the information away.

And as far as security and AUP are concerned, it's a hypocritical situation when upper level execs have full access and no rules on them when everyone else does AND it gets even better when those execs/political leaders/etc just let everyone else use their machine if they can't reach a site that's blocked by the firewall. Bad news there considering it's a security threat as well as people seeing that person X has more than everyone else.

You know all the AUP talk aside, I use to just walk around with my "destructive packet filterers" (aka - scissors)in my hand and gently remind the engineers that if use my def gateway as their IP address and bring down the whole network again, they'll be pushing the remains of their vehicle home with a pink slip!!! hehehehe That always gets them.

Funny, the only people that really abused the privelege of network use were the ones that had hiring or firing ability. Does that seem strange to anyone? .... Nah.

Quote:

---

it's a hypocritical situation when upper level execs have full access and no rules on them

---

not where i work they dont - only the techs do ;)

v_Ln

The latest BOFH has something about this.... Not strictly relevant, but hey, gimme a break :D.
http://www.theregister.co.uk/2004/07...04_episode_22/

Cheers,
cgkanchi

Quote:

---

Originally posted here by KorpDeath
Funny, the only people that really abused the privelege of network use were the ones that had hiring or firing ability. Does that seem strange to anyone? .... Nah.

---

Funny, the only ones ever getting infected (virii etc) at work are the ones with hiring/firing ability..

Well and also a previously employed lamer..
I warned him once (on paper), warned him twice (again in writing) and the third time was the charm.. Say Bye Bye mr. Lamer !!

Hmmm,
A slightly different slant but I have had a slightly different experience from:

Quote:

---

Funny, the only ones ever getting infected (virii etc) at work are the ones with hiring/firing ability..

---

I think that there is an ageism/eliteism or whatever, culture.

I am used to the hirers & firers forwarding dodgy stuff to me to have a look at. Because I am over 50, I seem to be trusted..............now that is really pathetic (and dangerous too).

I strongly feel that it is an educational thing, as I am sure we all agree, but it is also a cultural thing, and that should come from the top.........like the Director/EVP level.

One of the main "gospels" that I preach (yeah, I know, "a voice crying in the Wilderness" :D ) is that it is not a stigma or shameful to receive an infected item............but it is if you open it and let it loose on the network.

just my slant

Quote:

---

"But how do we discipline questionable computer use?"


"The old fashioned way," I reply.


"Interviews, recommendations then dismissal?"


"No, I said the old fashioned way, not the slow way."


"What's the old fashioned way?"


"Threats, blackmail."

---

Now that sounds like a plan, doesn't it? D:

But then again, another bullet proof method would be to hire Gore as the main admin. Im sure he'll take care of things the 'right' way ;)

Cheers.