What's a Company's Biggest Security Risk? You.

CommanderFrank (Cat Can't Scratch It; joined May 9, 2000; 75,399 messages)
Well, here’s a real shocker. It is a proven fact that the weakest link in corporate security environments is the employees themselves. A company may have the best security available on the market, but it only takes one employee to hold the door wide open for hackers.

Closing these holes is proving very difficult, security experts say. But companies keep fighting. To stop potentially dangerous employee habits, they're testing new tools to keep track of what's happening on their networks and rolling out employee education programs.
 
The classic that still works: plant a few USB sticks in the employee parking lot early in the morning. Employees pick them up, say "ooo shiny", and by noon most of the sticks will either have been plugged into a company PC, or plugged into a personal PC or device that later connects with a company network. About 99.5% of companies won't even see this coming, and for the few that do educate about it, many employees are still not going to get the memo and do it anyway.
 
Also, many company policies go directly against improved security: in the company where I work, 96% of employees have to use IE6 for no fucking reason (all our apps work in IE8 and FF3.xx without any problems).

 
... and here I thought the real problem was companies using WinXP with IE6 :confused:
 
1. Block USB device connection - in our office there is no need for them; only mice and keyboards work.
2. Restrict people's ability to install things.
3. Solid GPOs.
4. A good UTM - allow what is needed, block everything else.

These work great, except when those "higher up" want full access to everything yet are the same ones who want tight security.
 
Also, many company policies go directly against improved security: in the company where I work, 96% of employees have to use IE6 for no fucking reason (all our apps work in IE8 and FF3.xx without any problems).


So get a good UTM that blocks sites that could be compromised...protect your office at the gateway.
 
A good start would be when companies stopped requiring 20+ logins that have to be changed every 30 days to something that has never been used before and contains nothing resembling a 3-letter dictionary word.

Still wouldn't matter. I did a test about 2 months ago of our security. Made a fake site that appeared like facebook. Then sent out a fake email that appeared to be from facebook stating that a new policy required you to provide your username and password for your computer so that facebook could verify that it is really you trying to log into the site. Said that you had 2 days to do this before you could no longer log in. I got 1 person to actually fall for it and quickly fill out the page to submit their username and password to make sure that they didn't get locked out.
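An added example, not code from the thread: a small Python filter that applies the checks a mail gateway would run against a message like the one described in the post above (links that do not go to the sender's domain, a Reply-To pointing elsewhere, a body asking for credentials, and a deadline). Both messages below are constructed for this example; the addresses and domains in them are hypothetical, and the "last two labels" domain comparison is a stand-in for a Public Suffix List lookup.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Words that, together, mark a request for credentials rather than a notification.
CREDENTIAL_WORDS = ("username", "password", "verify", "log in", "locked out")


class LinkExtractor(HTMLParser):
    """Collect href targets from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def registrable_domain(host):
    """Last two labels of a hostname (www.facebook.com -> facebook.com).
    A real filter would consult the Public Suffix List; this is enough for the samples."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def domain_of_address(header_value):
    """Registrable domain of the address in a From/Reply-To header, or '' if none."""
    m = re.search(r"@([A-Za-z0-9.-]+)", header_value or "")
    return registrable_domain(m.group(1)) if m else ""


def analyze(raw_message):
    """Return the reasons a message looks like credential phishing (empty list = nothing found)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    sender = domain_of_address(msg["From"])
    reply_to = domain_of_address(msg["Reply-To"])
    if reply_to and reply_to != sender:
        findings.append(f"Reply-To domain {reply_to} differs from From domain {sender}")
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    extractor = LinkExtractor()
    extractor.feed(content)
    for link in extractor.links:
        host = urlparse(link).hostname or ""
        if host and registrable_domain(host) != sender:
            findings.append(f"link points to {host}, not the sender domain {sender}")
    text = re.sub(r"<[^>]+>", " ", content).lower()
    asks = [w for w in CREDENTIAL_WORDS if w in text]
    if len(asks) >= 3:
        findings.append("body asks for credentials: " + ", ".join(asks))
    if re.search(r"\b\d+\s*(?:day|hour)s?\b.*\bbefore\b", text, re.S):
        findings.append("deadline pressure")
    return findings


# Constructed sample modelled on the test mail described in the post (hypothetical domains).
PHISH = """\
From: Facebook Security <security@facebook.com>
Reply-To: verify@fb-account-check.example
To: employee@corp.example
Subject: New policy: verify your account within 2 days
Content-Type: text/html; charset="utf-8"

<html><body>
<p>A new policy requires you to provide your computer username and password
so we can verify it is really you logging into the site.</p>
<p>You have 2 days to do this before you can no longer log in.</p>
<p><a href="http://facebook-verify.example/login">Verify now</a></p>
</body></html>
"""

# Constructed benign notification for comparison (hypothetical addresses).
BENIGN = """\
From: Facebook <notification@facebook.com>
To: employee@corp.example
Subject: Alice commented on your photo
Content-Type: text/html; charset="utf-8"

<html><body><p>Alice commented on your photo.</p>
<p><a href="https://www.facebook.com/photo">See the comment</a></p></body></html>
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("benign", BENIGN)):
        print(label, analyze(sample))
```

None of these checks is conclusive on its own (marketing mail carries deadlines and off-domain tracking links), which is why the body-of-credential-words test needs several hits and why a gateway scores such findings rather than blocking on any one.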

The classic that still works: plant a few USB sticks in the employee parking lot early in the morning. Employees pick them up, say "ooo shiny", and by noon most of the sticks will either have been plugged into a company PC, or plugged into a personal PC or device that later connects with a company network. About 99.5% of companies won't even see this coming, and for the few that do educate about it, many employees are still not going to get the memo and do it anyway.

That is one that I never thought about. Although on newer OSs they shouldn't try to autorun a flash drive, so it shouldn't be as much of a problem unless they try to run a program on it.
 
That is one that I never thought about. Although on newer OSs they shouldn't try to autorun a flash drive, so it shouldn't be as much of a problem unless they try to run a program on it.

If I were trying that I'd use a program but change its icon to that of a folder and rename it "honeymoon pics".
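An added example, not code from the thread: a Python scanner for a mounted stick that flags what the trick in the post above relies on. Changing the icon is cosmetic; the file still starts with the PE "MZ" header, and it is Explorer's default "Hide extensions for known file types" setting that turns "honeymoon pics.exe" into "honeymoon pics". It also reports an autorun.inf, which the post before this one notes current Windows no longer honours but older hosts do. The sample files are constructed (an MZ header followed by padding, not real executables) in a throwaway temp directory, so this runs offline on any OS.

```python
import os
import tempfile

PE_MAGIC = b"MZ"  # first two bytes of every Windows .exe/.dll/.scr, whatever the file is named

# Extensions Explorer hides by default ("Hide extensions for known file types").
HIDDEN_BY_EXPLORER = {".exe", ".scr", ".com", ".pif", ".lnk", ".bat", ".cmd", ".vbs", ".js"}
# Extensions people expect to be harmless; used to spot "photo.jpg.scr" style double extensions.
DOCUMENT_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx", ".txt"}


def explorer_display_name(filename):
    """The name the user sees in Explorer with extensions hidden (the default)."""
    root, ext = os.path.splitext(filename)
    return root if ext.lower() in HIDDEN_BY_EXPLORER else filename


def classify(path):
    """Return the reasons one file on the stick deserves attention (empty list = none)."""
    name = os.path.basename(path)
    root, ext = os.path.splitext(name)
    ext = ext.lower()
    with open(path, "rb") as f:
        magic = f.read(2)
    reasons = []
    if magic == PE_MAGIC:
        reasons.append("PE executable content")
        shown = explorer_display_name(name)
        if shown != name:
            reasons.append(f"shown to the user as '{shown}'")
    if ext in HIDDEN_BY_EXPLORER and os.path.splitext(root)[1].lower() in DOCUMENT_EXTS:
        reasons.append("double extension")
    if name.lower() == "autorun.inf":
        reasons.append("autorun.inf present (ignored by current Windows, honoured by old hosts)")
    return reasons


def scan(directory):
    """Map of filename -> reasons for every flagged file directly under `directory`."""
    findings = {}
    for entry in sorted(os.listdir(directory)):
        full = os.path.join(directory, entry)
        if os.path.isfile(full):
            reasons = classify(full)
            if reasons:
                findings[entry] = reasons
    return findings


def build_sample_stick():
    """Constructed contents of a dropped stick: MZ bytes plus padding stand in for real executables."""
    d = tempfile.mkdtemp(prefix="usbdrop_")
    files = {
        "honeymoon pics.exe": PE_MAGIC + b"\x90\x00" * 16,   # the post's trick: looks like a folder
        "vacation.jpg.scr": PE_MAGIC + b"\x90\x00" * 16,     # double extension, shown as vacation.jpg
        "autorun.inf": b"[autorun]\r\nopen=honeymoon pics.exe\r\n",
        "readme.txt": b"just text\r\n",
        "IMG_0001.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,  # JPEG magic, genuinely an image
    }
    for name, data in files.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return d


if __name__ == "__main__":
    for name, reasons in scan(build_sample_stick()).items():
        print(f"{name!r}: {'; '.join(reasons)}")
```

The point of checking the first two bytes rather than the extension is that the extension and the icon are both under the attacker's control; the loader's expectations are not.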
 

I used to read so much about this guy when I was younger. He was my idol during those "i'm in 8th grade and a l33t hacker" times. After I got done reading about him from various books and reading various logs, I realized he was just another script kiddie who had connections to private exploits from other people. In one of the logs I read, after receiving an exploit from a friend of his, he was like "Where is the readme?"

I give him props for his insanely good use of social engineering though.
 
So is this why Windows has evolved from an "are you sure" query system to "are you sure? are you really sure? I'm not sure you should do it? Sorry I can't let you do it without administrative access"
 
Totally agree with this finding.

Although if you're a country other than America, then America could still be your biggest security threat (Stuxnet).
 
So is this why Windows has evolved from an "are you sure" query system to "are you sure? are you really sure? I'm not sure you should do it? Sorry I can't let you do it without administrative access"

you mean like every other OS?

I don't get why Windows gets shit for this. What is the defense you hear from Mac users? You have to be really stupid to get a virus or malware on a Mac, as you have to enter your password to do anything that requires admin rights. Same thing on Linux: you are told that you don't love in as root, so you have to enter the root password every time. So that means that UAC in Windows is no different from any other OS.
 
You don't "love" in as root? Freudian slip?

But true, MS does what other OSes have done for ages and, of course, people hate on MS.
 
A good start would be when companies stopped requiring 20+ logins that have to be changed every 30 days to something that has never been used before and contains nothing resembling a 3-letter dictionary word.

Without exaggerating in the slightest, 80-85% of the people in the company I work for use the same password. I'd wager the same applies to most companies.

E.g. Qualcomm1, Amazon1, Newegg1, Proctor1

Add a 2 instead of a 1 if it doesn't take the first time. CompanynameX...always.
 
A good start would be when companies stopped requiring 20+ logins that have to be changed every 30 days to something that has never been used before and contains nothing resembling a 3-letter dictionary word.

I run into this at the hospital I work at. I understand the security risks with patient data, med records, etc.

But I have very good passwords, yet still have to change them every 60 days. Not bad when you've only got 1 login, but between HEC, Horizon Clinicals chart viewer, rad path, etc. I have at least 11 logins I use on a semi-daily basis.
 
Well, here’s a real shocker. It is a proven fact that the weakest link in corporate security environments is the employees themselves.

Since when was this news? It's long been known by those in the defence sector.
 
The real issue with the 30-day, confusing-as-fuck passwords is, firstly, EVERYBODY writes them down OR forgets them every second day. Constant password resets go through security, and with volume comes less vigilance. Also, try making a hot-sounding crying chick fill out forms, get them signed off by their manager and authorizing agent, and wait up to 24 hours when "I do this all the time and I can't do my work and I think I'm gonna get fired soon."

No. There you go, new password over the phone. Does this mean you'll touch my penis?
 
you mean like every other OS?

I don't get why Windows gets shit for this. What is the defense you hear from Mac users? You have to be really stupid to get a virus or malware on a Mac, as you have to enter your password to do anything that requires admin rights. Same thing on Linux: you are told that you don't love in as root, so you have to enter the root password every time. So that means that UAC in Windows is no different from any other OS.

You mean every other OS automatically runs any piece of data it gets from anywhere? Like the above-mentioned USB sticks? Every other OS has hooks to automagically download "codecs" for your media? Every other OS was built around promiscuous execution? There is a reason to load anti-virus software on Windows and no other OS. It is to suddenly stop the idiot box and say "no, not that one" when the untrusted string of bytes it found and wants to run is a known piece of malware (that isn't from a trusted source such as Sony).

Anybody who thinks windows has any chance of being secure hasn't used any other OS and doesn't know how a computer works. Funny, MS made the XBox[xxx] reasonably secure: it doesn't have the above problem. Console software in general isn't promiscuous. It will make absolutely certain there is a money trail back to Redmond before executing the software. It is all a matter of priorities and supporting a legacy that ignored the internet until it was the talk of Good Morning America and ignored security until Vista.

Since when was this news? It's long been known by those in the defence sector.

Banking has known it forever as well. Any security you see is pretty much security theater. They are serious about watching their own accountants. Watching their own management/policy is another story.
 
A good start would be when companies stopped requiring 20+ logins that have to be changed every 30 days to something that has never been used before and contains nothing resembling a 3-letter dictionary word.

This 1000x.

I used to keep one password I used for work like: D!v1SmnH7@3

Pretty much unguessable.

Then they switched to this retarded policy of changing your password every 30 days. Result? My new password is Happy1 ... when that expires... Happy2, etc.
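An added example, not code from the thread: a password-change check that catches the Happy1 -> Happy2 rotation in the post above and the CompanyName1 pattern from the earlier post (Qualcomm1, Amazon1, ...). It assumes the change form supplies both the current and the new password in cleartext, which is the only moment that is true, and that older history exists only as salted hashes, where verbatim reuse is detectable but rotation is not. PBKDF2 here stands in for whatever the directory actually stores, and the company-name list is hypothetical.

```python
import hashlib
import os
import re

# Common character swaps, undone only after trailing counters are stripped
# (otherwise Happy1 -> happyi and the rotation goes unnoticed).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s", "!": "i"})
PBKDF2_ROUNDS = 10_000  # kept low for the example; a real store uses a slow KDF with a high cost


def core_of(password):
    """What remains once the parts people bump at each rotation are removed.
    Happy1 and Happy2 both reduce to 'happy'; Qualcomm1! reduces to 'qualcomm'."""
    s = password.lower()
    s = re.sub(r"[\d\W_]+$", "", s)   # trailing counters, years and required punctuation
    s = s.translate(LEET)             # h4ppy -> happy, p@ssw0rd -> password
    s = re.sub(r"[^a-z]", "", s)      # anything else that is not a letter
    return s


def hash_password(password, salt=None):
    """(salt, digest) entry for the history list; the salt is random per entry."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def matches_hash(password, entry):
    salt, digest = entry
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS) == digest


def check_new_password(new, current, history, company_names=(), min_len=12):
    """Problems with `new`, given the cleartext `current` password, hashed `history`
    entries from hash_password(), and names the password must not be built from."""
    problems = []
    if len(new) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if any(matches_hash(new, entry) for entry in history):
        problems.append("reused a previous password verbatim")
    if current and core_of(new) == core_of(current):
        problems.append("same core as the current password with a counter or symbol bumped")
    core = core_of(new)
    for name in company_names:
        if name.lower() in core:
            problems.append(f"built from the company name {name!r}")
    return problems


if __name__ == "__main__":
    # Constructed scenario from the thread: Happy1 expires, the user tries Happy2.
    history = [hash_password("Happy1")]
    print("Happy2:", check_new_password("Happy2", "Happy1", history, ("Qualcomm",)))
    print("Qualcomm2:", check_new_password("Qualcomm2", "Qualcomm1", [], ("Qualcomm",)))
    print("passphrase:", check_new_password("correct horse battery staple", "Happy1", history))
```

The rotation check is deliberately narrow: it compares only against the current password, because that is the only old password available in cleartext. A policy that expires passwords every 30 days and keeps a hashed history gives exactly the false comfort the thread describes, since Happy2 is "never been used before" as far as the hash store can tell.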
 
Yeah, frequent password changes sound good on paper, but then people are much less likely to use a bunch of random numbers, characters, and symbols, because it would be a bitch to remember when it's constantly changing.
 
Stop blaming us, Majordomo. We all know you're companies' real greatest security risk.
 