[ISN] Accounting For Human Error

From: InfoSec News (alerts@private)
Date: Thu Aug 30 2007 - 23:28:29 PDT


http://www.forbes.com/technology/2007/08/30/behavior-employees-vulnerable-tech-cx_ag_0830secure.html

By Andy Greenberg
Forbes.com
08.30.07

When the Anna Kournikova virus was spreading wildly in 2001, it infected 
millions of computers and clogged e-mail servers by offering a racy 
picture of the teen tennis star to unsuspecting e-mailers. Or, in some 
cases, not so unsuspecting.

"A big proportion of the infections we saw were coming from people who 
had actually gone out searching for the virus because they wanted to see 
Anna Kournikova," says David Perry, global director of education for 
Trend Micro. "We didn't see this happening two times. We saw it 
thousands of times."

Today, some security professionals say, enterprise computer users 
haven't gotten much savvier. Perry says he still sees as many as one in 
five virus infections coming from users who purposefully infect 
themselves out of curiosity, just one of the many practices that 
undermine information technology security with varying combinations of 
naiveté and carelessness. And as cyber-criminals become more 
sophisticated and networks more intricately connected, that human 
element leaves companies vulnerable to data leaks and intrusion in spite 
of billions spent on electronic protections.

IT managers, for their part, are wising up to the importance of 
security. In fact, they plan to spend 20% more on preventing data theft 
and intrusion in the next year, according to research by the market 
analysis firm InsightExpress. At the same time, about 30% of non-IT 
corporate employees violate the terms of security agreements they sign, 
according to another study performed by the firm, which surveyed 
hundreds of professionals in seven countries around the world.

The second study, commissioned by Cisco Systems and the National Cyber 
Security Alliance, also shows that more 
than 60% of employees sometimes use mobile devices without encrypted or 
password-protected data to connect to their work's network, and more 
than a third sometimes work by piggybacking on strangers' wireless 
Internet connections.

"The human element is always the most insecure," says Jennifer Granick, 
executive director of Stanford's Center for Internet and Society. But 
she argues that the problem isn't employees who are stupid or even 
apathetic. She blames companies that make unrealistic demands without 
providing secure ways to meet those expectations. "There's this pressure 
to be on call outside of the office, either at your house or while 
you're on vacation," she says. "That creates an incentive to skimp on 
security."

When employees connect to an unsecured wireless network in a coffee shop 
or in their home, they expose all the data they're working on to the 
whims of whoever else controls the router. Since 2005, security 
researchers have warned of the threat of "evil twins," computers set up 
to appear as routers and intercept sensitive data.

A more common problem is workers who transfer corporate e-mail to 
third-party Webmail services like Gmail. Workers often prefer a Gmail or 
Yahoo! Mail account because of its universal accessibility and 
convenient interface. But using those services means confidential data 
is stored on someone else's servers, where it can be exposed to anyone 
who subpoenas it from Google or Yahoo!.

"If you're forwarding corporate secrets with Gmail, you should be aware 
you're sending them to Google," Granick says. "And when you put your 
data in someone else's hands, you can't be sure how they're going to 
treat it."

As mobile technology unties workers from their offices, they engage in 
significantly more risky behavior, according to a study released Tuesday 
by Trend Micro. By their count, U.S. and U.K. workers on corporate 
laptops are more than twice as likely, compared with desktop users, to 
send confidential info by instant message, and about a third more likely 
to send confidential data across Webmail. American laptop users are also 
doubly inclined to download music and movies to corporate machines, 
making them more likely to unwittingly install hidden malicious 
software.

But the real problem behind employees' insecure practices, says Trend 
Micro's Perry, doesn't stem from any single trend. He cites Future 
Shock, Alvin Toffler's 1970 book, which introduced the idea that humans 
simply aren't emotionally prepared for the pace of technological change. 
"Computer users aren't stupid," he says. "But there's a kind of 
cognitive dissonance. We have a hard time understanding that all our 
most sensitive materials are now ones and zeros."

In Pictures: Seven Habits Of Highly Insecure People 
http://www.forbes.com/2007/08/30/behavior-employees-vulnerable-tech-cx_ag_0830secure_slide_2.html?thisSpeed=25000



This archive was generated by hypermail 2.1.3 : Thu Aug 30 2007 - 23:48:11 PDT