95% of Organizations Have Employees Seeking to Bypass Security Controls

Zarathustra[H]

Dark Reading has an article up regarding a Dtex Systems report indicating that 95% of all organizations have employees actively trying to bypass their corporate security measures at work. The report also shows that users are more frequently attempting to use private VPN services or TOR browsers to bypass organizational security and browsing restrictions.

Dtex uses this analysis to support the lesson that "Insiders are your biggest security threat", suggesting that organizations should take this as an indication that the employee is engaging in illegal activities, or attempting to illegally steal data, as if they couldn't just do this using a $5 32GB USB stick. I feel there is a different lesson to be learned here as well. Employees hate being patronized, and if corporate IT departments attempt to do so, they will see themselves as justified in circumventing their measures.

I should know. In the past I've been one of them, running a private VPN on port 443 (so that it blends in with HTTPS traffic) to my own home server (not a known VPN service). Not because I was trying to do anything malicious, mind you, but because during my lunchtime browse, I don't want anyone spying on what I'm looking at. That, and I've run into some over-reactive site blocks, like this one company which would block every site discussing firewall rules, categorizing them as "instructional pages for malicious hacking" or some nonsense like that.

There are certainly justified things for enterprises to block. Pr0n and online gambling come to mind, as do sites with known security exploits, but paint the blocking rules too broadly at your own risk. I once worked for a company that blocked Craigslist outright. Presumably this was because of the less savory sections on that site, but the end effect? I couldn't browse for deals on used speakers during my lunch break. It pissed me off, and I felt like I was being treated like a child. When I first started working in corporate settings 15 years ago, I always had full local machine admin access and a wide berth to do as I pleased as long as I got my work done. These days these freedoms have more and more been chipped away, to the point where, as an employee, in many places you feel like trash.

The lesson as always is, treat your employees with respect and dignity and like adults, and they will return the favor. Get overly petty with net-nanny techniques and they will get pissed off and try to circumvent them. This is not a right vs. wrong discussion, it's just one regarding how adult humans innately respond to being patronized.

For example, if a user threat assessment uncovers an employee using a TOR browser on the network, administrators should treat that as a red flag that the employee is engaging in prohibited or even potentially illegal behavior. Similarly, there’s a high chance that an employee who spends hours researching ways to get around security systems is trying to evade the controls within their own organizations.

“When an employee spends time researching how to bypass security controls, we often find that they are trying to exfiltrate data without being blocked by their DLP or without raising any flags on the network
 
I usually try to push the security boundaries to see where they are at, pushing harder a little bit at a time. Thankfully where I work now we are all treated as adults, so the security is focused on preventing actual maliciousness.
 
Although I do agree many companies take the nannying too far, especially with blocking blog or tech tip sites, here is my problem with this: when you join a company and you use their systems, you sign an agreement saying you will abide by their rules, specifying many things you cannot do. So basically, 95% of people are just providing easy ways for companies to fire them.
 
People doing anything other than their employer's business on their employer's computers are idiots, period.

In the days before home computers and high speed home internet were common, doing personal stuff on work computers on your personal time (such as lunch time) was more reasonable. But these days just about everyone has a phone or mobile device with its own Internet access - use them!
 
The state agency I last worked at implemented Websense to filter and monitor employee web usage to limit non-work activity and block porn and activist sites. All of the division directors approved the implementation because of stats showing a large amount of non-work web activity during work hours. The day we turned it on, we got an urgent call from one of the division directors. The emergency problem? He couldn't access the ebay item he was bidding on from his office computer during work hours.
 
People doing anything other than their employer's business on their employer's computers are idiots, period.

In the days before home computers and high speed home internet were common, doing personal stuff on work computers on your personal time (such as lunch time) was more reasonable. But these days just about everyone has a phone or mobile device with its own Internet access - use them!

Somebody has never used their phone to try and research a product they're buying. I'm sorry, but if I'm going to be buying something on my lunch break it's time I'm cutting out from my own time, and it is so much easier to have a few tabs open on a computer than a fucking phone.
 
I do my browsing in a VM tethered to my phone.
When the a*shole boss reviews the Internet usage logs, I'm always clean as a whistle :)
 
Somebody has never used their phone to try and research a product they're buying. I'm sorry, but if I'm going to be buying something on my lunch break it's time I'm cutting out from my own time, and it is so much easier to have a few tabs open on a computer than a fucking phone.

Except many companies specifically say you are not allowed to use company resources for personal reasons, regardless of whether it's on your own time. It is specifically worded that way. So while it may be easier for you to use the company equipment, that doesn't make it acceptable. Personally I do believe that is a bit over the line and perhaps silly, but I have seen many reasons why they have that in place and why it's a blanket statement for all employees. Dumb people ruin things for everyone, and we live in a very litigious world.
 
I just remembered a good one.

In about 2005 or so, I worked for a company that made custom tubing sets for hospitals. One day they rolled out their new web filtering program without any announcement.

Suddenly one day we lost contact with our Stopcock supplier.

These are stopcocks (attached image: EO-sterile-stopcock-3-way-three-way.jpg).
 
Except many companies specifically say you are not allowed to use company resources for personal reasons, regardless of whether it's on your own time. It is specifically worded that way. So while it may be easier for you to use the company equipment, that doesn't make it acceptable. Personally I do believe that is a bit over the line and perhaps silly, but I have seen many reasons why they have that in place and why it's a blanket statement for all employees. Dumb people ruin things for everyone, and we live in a very litigious world.


I've never seen this wording in any IT acceptable use policy.

Usually they specifically allow use for personal reasons, as long as it does not interfere with work, and does not violate any other provisions of the policy (pr0n, gambling, illegal activities, etc.)
 
Somebody has never used their phone to try and research a product they're buying. I'm sorry, but if I'm going to be buying something on my lunch break it's time I'm cutting out from my own time, and it is so much easier to have a few tabs open on a computer than a fucking phone.

Guess again - I do it all the time. After working for an organization that was in the middle of a lawsuit and seeing what was available in discovery (hint: EVERYTHING) I don't do personal shit at work on work equipment.

PERIOD

You can choose convenience over common sense if you like - just be honest about what you are doing and stop pulling out the pity card.
 
I've never seen this wording in any IT acceptable use policy.

Usually they specifically allow use for personal reasons, as long as it does not interfere with work, and does not violate any other provisions of the policy (pr0n, gambling, illegal activities, etc.)

I have seen this in almost every IT acceptable use policy. It usually depends on the industry you are in. If you read the full acceptable use policy, there are provisions for not using company resources for personal gain. Part of that could be not using Ebay, Amazon, Craigslist, etc. Part of that could potentially be training sites, university, etc. There is also usually language involving using company resources to purchase personal items. So that would rule out a lot more shopping sites and browsing. Unfortunately there are good reasons why companies are forced to put this in their policy.
 
Guess again - I do it all the time. After working for an organization that was in the middle of a lawsuit and seeing what was available in discovery (hint: EVERYTHING) I don't do personal shit at work on work equipment.

PERIOD

You can choose convenience over common sense if you like - just be honest about what you are doing and stop pulling out the pity card.

Really, just carry a laptop or tablet to work. Or like this scenario, I'm working from home today, slow day because of Easter. We use Citrix for remote work, totally separated from my personal device, while I'm on my personal device. Just keep your work stuff and personal stuff separate. It's not a big deal with current tech and it's just easier for everyone.
 
Really, just carry a laptop or tablet to work. Or like this scenario, I'm working from home today, slow day because of Easter. We use Citrix for remote work, totally separated from my personal device, while I'm on my personal device. Just keep your work stuff and personal stuff separate. It's not a big deal with current tech and it's just easier for everyone.

Yeah, I used to run a small lightweight VM with full disk encryption on my work laptop, that connected via OpenVPN to my home network on port 443. Anything personal I did at lunchtime would go in the VM.
 
Yeah, I used to run a small lightweight VM with full disk encryption on my work laptop, that connected via OpenVPN to my home network on port 443. Anything personal I did at lunchtime would go in the VM.

This technically is fine. In our environment, this would get you fired if detected. On personal workstations, no VMs, no remotely accessible services of ANY kind, no local storage of personal information (as in other peoples), etc. Very tightly controlled and it's annoying but perfectly understandable in the banking business.
 
Really, just carry a laptop or tablet to work. Or like this scenario, I'm working from home today, slow day because of Easter. We use Citrix for remote work, totally separated from my personal device, while I'm on my personal device. Just keep your work stuff and personal stuff separate. It's not a big deal with current tech and it's just easier for everyone.

EWE CITRIX! BURN IT WITH FIRE!
 
This technically is fine. In our environment, this would get you fired if detected. On personal workstations, no VMs, no remotely accessible services of ANY kind, no local storage of personal information (as in other peoples), etc. Very tightly controlled and it's annoying but perfectly understandable in the banking business.

You know I've never had a problem, but I've also been careful to not violate the letter of the policy. Nothing in the policy at that job mentioned VPNs or VMs. The one bit that was a grey area was the provision for "not installing software". For some odd reason Virtualbox was already on my machine, so I didn't install it (I wouldn't have been able to even if I wanted to, because I didn't have an admin account). Now the grey zone part was how you interpret installing software. I interpret it as anything requiring a Windows installer. I did put Linux software inside the VM, but that's not really installing it directly on the corporate Windows image.

Luckily I never had to defend that decision, but even if I did, it would probably have resulted only in a slap on the wrists. Companies generally don't want to fire people in my role unless we have done something REALLY bad. We are WAY too difficult to find and hire. Positions often take more than a year to fill.

I'm about to start a new job on Monday. We will have to see what their policy says. I'm hoping it's not too restrictive, or I may have to return to using my phone only at work, which would be a bummer.
 
My corporate IT policy is that I can use it for personal use as long as it is not excessive.

I really couldn't get work done and even told my boss I was doing it.

While I agree with other posts that it is an easy way for the company to fire over this, I would argue that if a company wants to fire you, they will find a way to fire you regardless of using a proxy, etc.
 
All is fine and good until you start having MITM SSL Decryption on all 443 traffic... It's happening...
 
All is fine and good until you start having MITM SSL Decryption on all 443 traffic... It's happening...

Yeah, since employers control the local machine, there is no reason why they can't use a man in the middle proxy with its own certificate, and install that certificate on every client machine.

It's more difficult for them to combat users who use VPN though.
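The detection that follows from this exchange, as an added example rather than anything posted in the thread: a decrypting proxy only ever sees traffic that actually speaks TLS, so the complementary check on the defender's side is whether the first bytes a client sends on TCP/443 parse as a TLS ClientHello at all. The sample flows below are constructed; the OpenVPN framing follows the protocol's documented TCP mode, and every name here is the example's own.

```python
import struct

# TLS record-layer constants (RFC 5246 section 6.2.1, RFC 8446 section 5.1)
TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}   # ChangeCipherSpec, Alert, Handshake, ApplicationData
TLS_CONTENT_HANDSHAKE = 0x16
TLS_HANDSHAKE_CLIENT_HELLO = 0x01
TLS_MAX_RECORD_LEN = 16384 + 2048               # plaintext limit plus allowed expansion


def classify_tcp443_first_bytes(data: bytes) -> str:
    """Classify the first bytes a client sends on a TCP/443 connection.

    Returns 'tls-client-hello' for a genuine TLS handshake opener,
    'tls-other' for a TLS record that is not a ClientHello, and 'non-tls'
    for anything else. Only the first two can be opened by a TLS-inspecting
    proxy; the third is some other protocol merely parked on port 443.
    """
    if len(data) < 6:
        return "non-tls"   # not even a 5-byte record header plus a handshake type
    content_type, ver_major, ver_minor, rec_len = struct.unpack("!BBBH", data[:5])
    # A TLS record starts with a known content type, version 3.x (SSL 3.0 through
    # TLS 1.3 all use major version 3 on the wire) and a plausible 16-bit length.
    if content_type not in TLS_CONTENT_TYPES or ver_major != 0x03 or ver_minor > 0x04:
        return "non-tls"
    if rec_len == 0 or rec_len > TLS_MAX_RECORD_LEN:
        return "non-tls"
    if content_type == TLS_CONTENT_HANDSHAKE and data[5] == TLS_HANDSHAKE_CLIENT_HELLO:
        return "tls-client-hello"
    return "tls-other"


def flag_non_tls_flows(first_bytes_by_flow: dict) -> list:
    """Return the (sorted) names of flows whose opening bytes are not TLS at all."""
    return sorted(name for name, data in first_bytes_by_flow.items()
                  if classify_tcp443_first_bytes(data) == "non-tls")


# Constructed sample flows (not captures from the thread): the first bytes
# each client sent on TCP/443.
SAMPLE_FLOWS = {
    # TLS 1.2-style record header (0x16, version 3.1, length 0xc5) carrying a
    # ClientHello (type 0x01); the body is zero-padded for brevity.
    "browser-https": bytes.fromhex("16 03 01 00 c5 01 00 00 c1 03 03") + bytes(32),
    # OpenVPN in TCP mode: 2-byte frame length, then the opcode byte
    # 0x38 = P_CONTROL_HARD_RESET_CLIENT_V2 (7) << 3 | key_id 0, then session id.
    "openvpn-on-443": bytes.fromhex("00 0e 38") + bytes(8) + bytes(5),
    # An SSH banner from a tunnel pointed at port 443.
    "ssh-on-443": b"SSH-2.0-OpenSSH_9.6\r\n",
    # A TLS alert record sent first: TLS framing, but not a ClientHello.
    "tls-alert-first": bytes.fromhex("15 03 03 00 02 02 28"),
}

if __name__ == "__main__":
    for name, data in SAMPLE_FLOWS.items():
        print(f"{name:16s} -> {classify_tcp443_first_bytes(data)}")
    print("non-TLS on 443:", flag_non_tls_flows(SAMPLE_FLOWS))
```

In a real deployment the same check would run on the first client payload of each flow the inspection proxy or flow collector sees, with the 'non-tls' bucket feeding an alert rather than the decryption path.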
 
I keep telling IT, if they'd just get rid of the damn USERS, there wouldn't be any more problems!
 
The tighter you try and control your network, the more people will resent you and try to get around it. I found years ago that reasonable restrictions and just telling people "Things are logged and tracked, and if you are found responsible for browsing shit you shouldn't or getting a virus there will be consequences" work so much better than trying to block and control everything. Trust me, you watch one or two people get canned for browsing porn at work and it sends a loud and clear message.
 
It depends on the organization that you're in. It also depends on how lazy IT is and how much risk IT is willing to take on. The less control (policy) they have the better in some cases.
In my old company, it was free and open for a while (small company that was growing). Then people started taking advantage of it so they put in a firewall. After some back and forth between IT blocking everything under the sun (yeah, just go ahead and subscribe to every block list out there, I'm sure it'll never backfire) we reached a decent compromise.

Then there are much bigger organizations that have a lot of control of the policy they write. Instead of thinking of ways to accommodate people, they view anything remotely out of their control as a risk and take steps to shut it down. Even when their employees have needs, they just don't give a rat's ass. If there's a slight possibility of them getting a call after hours and having to deal with something, they'd just rather not do it.
Case in point, they decided to switch from Blackberry phones to Windows phones. They didn't ask their business groups what devices they were using (some projects had already started experimenting with Android tablets and phones as mobile devices). Their reasoning? Windows Mobile OS gave them total control. That was their entire reason to switch to it. Thousands of phones later they abandoned it for iPhones. They probably spent millions switching over to it and then abandoning it. Of course they don't have to justify wasting money on those kinds of decisions.
 
This is a huge selling point for Linux. Not that it's honestly any easier to lock down, or any harder to do things you shouldn't. It does however make it far harder for the people doing such things after reading a few online instructions... which is a lot.

Mostly it just makes people think that their employer likely knows what they are doing and they are more likely to get caught.

Or perhaps they are all doing the same shit anyway... what do I know. (not that I have caught many people trying lol)

Still the people that make decisions about computer systems... often believe this is a big advantage to switching to Linux workstations. I honestly never use this one as a bullet in my sales pitches... I never have to, it comes up every single time I pitch. (It's more powerful to let them voice the issue, and then offer the solution to them... yes I can be a dirty salesman at times)
 
This is a huge selling point for Linux. Not that it's honestly any easier to lock down, or any harder to do things you shouldn't. It does however make it far harder for the people doing such things after reading a few online instructions... which is a lot.

If that would happen, the user base would increase, and people will adapt (sounds like the Borg, lol). The only reason Windows is "easy" is because a lot are using it.
 
The tighter you try and control your network, the more people will resent you and try to get around it. I found years ago that reasonable restrictions and just telling people "Things are logged and tracked, and if you are found responsible for browsing shit you shouldn't or getting a virus there will be consequences" work so much better than trying to block and control everything. Trust me, you watch one or two people get canned for browsing porn at work and it sends a loud and clear message.

 
If that would happen, the user base would increase, and people will adapt (sounds like the Borg, lol). The only reason Windows is "easy" is because a lot are using it.

Mostly true... of course when it comes to business setups there is still lots of variation, as well as 1001 ways to lock things down. Windows machines are almost always going to be running Windows Pro or Enterprise. The version of Linux companies are running varies a lot more... and the enterprise class Linux distros and their freebie versions like CentOS are pretty hard to dick with if they are locked down.

Still, ya, you're not wrong... the more people learn about Linux the more that information gets shared. :)
 
The tighter you try and control your network, the more people will resent you and try to get around it. I found years ago that reasonable restrictions and just telling people "Things are logged and tracked, and if you are found responsible for browsing shit you shouldn't or getting a virus there will be consequences" work so much better than trying to block and control everything. Trust me, you watch one or two people get canned for browsing porn at work and it sends a loud and clear message.

Years back I worked for a large company that was set up with lots of smaller branches. I managed one of these branches, and the tools we had to inspect traffic from the branches were pretty good. I had 4 or 5 people and myself, we sold B2B and I was out of the office a lot meeting clients etc. Anyway we had one salesman we knew was wasting a lot of time browsing crap... nothing porn like or anything, just wasting lots of time. So my boss told me he would fix it... he came in one morning early and sat all day in our office doing his own thing. Over a beer later he was laughing his ass off because every chance he had he would strike up a conversation with this employee about hobbies he had. Things like building RC cars and stuff, because we knew the forum sites and stuff he would spend his day on. He never gave him shit about it, just made sure he knew he knew. That guy was nervous for a few weeks... but hey, his sales numbers went up. lol
 
Years back I worked for a large company that was set up with lots of smaller branches. I managed one of these branches, and the tools we had to inspect traffic from the branches were pretty good. I had 4 or 5 people and myself, we sold B2B and I was out of the office a lot meeting clients etc. Anyway we had one salesman we knew was wasting a lot of time browsing crap... nothing porn like or anything, just wasting lots of time. So my boss told me he would fix it... he came in one morning early and sat all day in our office doing his own thing. Over a beer later he was laughing his ass off because every chance he had he would strike up a conversation with this employee about hobbies he had. Things like building RC cars and stuff, because we knew the forum sites and stuff he would spend his day on. He never gave him shit about it, just made sure he knew he knew. That guy was nervous for a few weeks... but hey, his sales numbers went up. lol
That seems an awfully inefficient and backhanded way to get a lazy employee off his ass.
 
That seems an awfully inefficient and backhanded way to get a lazy employee off his ass.

Honestly it was just bad timing. The company was having issues in a few markets and the CEO had decreed that none in the land should hire anyone new right now.

So we had the choice of firing him (I had warned him in writing a few times, so it would have been all legal like) and having no one for perhaps months, or kicking his ass a little. I never liked firing people; I likely would have had a sit down with him anyway. Our boss at the time though was a bit odd and I think he did a lot of things just to amuse himself.... I think that employee knew we didn't want to can him because we couldn't replace him, so he was perhaps milking things. The sitting in the branch all day sounds bad... but it's sort of how that company worked. The DM didn't have an office really, he would spend a few days in this branch, a few in that one. I liked having him around, he helped me close pain in the ass deals, but the newer sales guys for some reason were always nervous when the big boss would come in and set up at an empty desk all day.
 