It happened to us about 20 years ago. The guy that was responsible for maintaining our office areas by hiring contractors to paint, move walls, fix things etc. got the contractor to send in bills for the same work multiple times. The guy then just signed the invoices and sent them to AP. This went on for 3 years, getting worse every year, to the tune of about $750,000 until finally someone discovered it. The contractor claimed the guy told him nepotism rules prevented his wife from getting paid to work there and this was how the company approved paying her.
And then delegate the blame to them when all the outsourcers do a slop job, where nothing is communicated between departments... (a lot of articles also say "IT is dead" but those, at best, ignore how much of a disaster such upgrades have been...)
More supply-side hogwash - you'll find risks everywhere. Just swallow some prozac and live under a rock, since you might find the biggest risk to said organization the moment you see a mirror.
Sheeh.
Otherwise huge swathes of the TR audience will get ripped off by each other...
Information security is only a small part of the equation, the overall attitude to and implementation of "Protective Security" which encompasses physical, information and personnel security is the key.
But given trusted insiders are personnel consider this.
Most companies rely solely on the recruitment process, which only determines an employee's job suitability but does not determine suitability to access resources of a confidential or commercially sensitive nature. The recruitment process does facilitate appropriate levels of vetting to determine if there is anything in a person's character or background that could lead to them becoming the next "trusted insider". Companies rely on technology which can be bypassed, whereas the problem is a "Human Factor" problem.
A well designed and targeted vetting program that looks into an employee's history and lifestyle to determine if they are a security risk is critical. Another area that most companies overlook is "Security Awareness". Security Awareness training should be mandatory annually to remind employees of their obligation to protect company resources and to educate them about the threats the company faces, be it cyber or trusted insider. Teaching employees to notice when someone's behavior has significantly changed, which indicates the person is a potential threat, reporting it and the sensitive handling of the matter are all critical to mitigating the risk from the trusted insider. Until organisations implement these sorts of mitigation tactics the problem will only get worse.
The one who said Burgess, Maclean and Philby were good guys.
There is no such thing as "IP theft" as described in this article. It's talking about copyright and patent infringement, and industrial espionage. While there may be theft involved in an act of industrial espionage, the theft is not of "IP", but of materials that represent the copyrights or (probably pending) patents in question.
Criminy. People should know this stuff by now.
edit: By the way . . . how has TR/CBSi changed its comment formatting this time? I don't know the magical incantation that'll allow me to emphasize text any longer, and I can't be arsed to find documentation of this stuff on the badly-organized site every couple months.
yourself away on a public site at 18:50 on 15/02/2013 GMT.
No job at weinventedtheifstatementanditsourssonah.com for you matey...
doesn't always translate I suppose, sometime the pie in the face comes at an oblique angle.
Where you been anyway?
I had to stand in for you with some of those obscurity is security boys.
I've just kinda been doing some of my own things, trying to run a nascent standards and advocacy group (the Copyfree Initiative), writing code, maintaining four Ruby gems and a FreeBSD port, taking classes through Coursera for the joy of learning, wading through a flood of email, dealing with a flu, taking care of a cat with cancer, co-writing an RPG product for Raging Swan (interesting publisher name -- yeah?), spending some time in IRC, and handling a slew of other stuff. I haven't really been maintaining any specific online community presence very consistently other than the Copyfree Initiative, so TR's not special as regards my neglect.
Apotheon,
Within the context of the insider threat research conducted by the CERT insider threat team, IP theft includes the taking of drawings, code, etc. and using them contrary to IP law and to the detriment of the owning organization. Apparently a difference in semantics, but the underlying point is the same.
Tom.
"Semantics" refers to "meaning". The key here is that "theft" doesn't *mean* anything relevant to copyright or patent infringement. The fact CERT's personnel misuse the term doesn't suddenly make the term mean something different.
What if I took pictures of your living room through your open window? Would I have "stolen" your living room? Would I have "stolen" your privacy? Even if privacy laws prohibit me from taking pictures of the interior of your home through your living room window without your permission, I would not be "stealing" anything. The crime in question, then, would not be "theft", even if some legally challenged privacy advocacy group decided to refer to the practice as "privacy theft".
So . . . no, it isn't "still IP theft". It's copyright or patent infringement and/or industrial espionage.
Save me the trouble of writing it again? Assuming I was going somewhere that used the same language and infrastructure and had the exact same requirement?
The algorithms in our heads, the nifty trick that makes the job simpler is in our heads. More to the point the catalog of errors that end up in the production code due to technical debt is in our heads. Steal code, only an incompetent would bother.
You are one of those we should patent of our use of the if statement types aren't you?
I suppose the guy on the team who does more harm than good with his coding might want to copy code -- and as long as he's talking to an executive instead of a programmer, he might find someone who wants the code.
Then again, maybe they're talking about stuff like people leaking code to the Internet for the express purpose of showing the world what kind of ridiculous ****-ups exist in the company's closed source, as happened when Win2k sources were leaked years ago.
That was not an f-word that got asterisked out. It was the word for something you do with, say, a single-action revolver before firing. It's rather odd the obscenity filter stripped that out, considering all the potential uses of the term that are in no way impolite and do not refer to other things ending in "ck". In fact, the one "obscene" usage of it that comes to mind comes from a metaphorical reference to a rooster.
They think buying debts is a sound business proposition.
I was watching some piece on the idiot box yesterday.
(There was an attractive woman reading it out, he hastens to explain)
Some idiot was on there saying despite all the care they took with their IP, people could still leave and remember key parts of it.
What is the world coming to eh?
My current favourite is *** for tat...
That's what NDAs are for. If someone signs an NDA, you can go after 'em for disclosing. If someone does not sign an NDA, you should share stuff with that person that you don't want the person repeating.
A very large client with close to 100K desktops and 50K laptops in national offices and headquarters. All machines are keyed with a thumb drive for each employee. Their units will not start without one, but the advantage is that any employee with a key can use any other unit. Service people have their own diagnostic keys and the IT people have more extensive keys, and no software resides with the user. This was all thought out when a cleaning lady used a lab's desktop to download some videos and gamble. She was pretty sharp to have gotten past the site blocker and infested the machine with a rootkit that almost took over their lab network. Now, it is up to each individual to guard his key. This prevents any intrusion attempts from within. Blocking web sites only goes so far and site hijacks are pretty common. Internal attacks from outside can be difficult if you can't get past the firewall.
Great article Tom. In regards to IT with admin privileges: Segregation of Duties and the Principle of Least Privilege are fundamental ways of thinking that some businesses don't take seriously. The business, IT and information security leaders have to commit to a strategy to help their organization minimize the amount of damage that can be done by those with elevated rights.
Taking a scan of who has local administrator rights on all your servers (including nested groups!) is a good start. Take that list and get justification for every account and keep track of who the account holder is or if it's a service account - who owns it. If a user doesn't truly need full administrator rights to do their job, consider delegating specific rights using a tool like System Frontier. Having roles and responsibilities defined and enforced will help limit insider threats tremendously.
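The inventory step the comment above describes (who holds local Administrators on each server, with nested domain groups expanded, plus a column for owner and justification) can be scripted. The following is an added example written for this thread; it is not code from the commenter or from System Frontier. It assumes WinRM is reachable on each server, that the ActiveDirectory module is installed where it runs, and that the account running it may read local group membership; the hostnames in `$Servers` are constructed placeholders.

```powershell
# Added example: build an inventory of every account that holds local Administrators
# rights on a set of servers, expanding nested Active Directory groups recursively.
# Assumptions: WinRM enabled on targets, RSAT ActiveDirectory module present locally,
# and the running account can read local group membership on each server.

$Servers = @('srv-app-01', 'srv-db-01')   # constructed placeholder hostnames

Import-Module ActiveDirectory

function Expand-AdminMembership {
    param([string]$Computer)

    # Remote query: direct members of the local Administrators group.
    $members = Invoke-Command -ComputerName $Computer -ScriptBlock {
        Get-LocalGroupMember -Group 'Administrators' |
            Select-Object Name, ObjectClass, PrincipalSource
    }

    foreach ($m in $members) {
        if ($m.ObjectClass -eq 'Group' -and $m.PrincipalSource -eq 'ActiveDirectory') {
            # Nested domain group: Get-ADGroupMember -Recursive flattens any depth of
            # nesting so the real user accounts behind the group become visible.
            $groupName = ($m.Name -split '\\')[-1]
            Get-ADGroupMember -Identity $groupName -Recursive |
                Where-Object { $_.objectClass -eq 'user' } |
                ForEach-Object {
                    [pscustomobject]@{
                        Computer = $Computer
                        Account  = $_.SamAccountName
                        ViaGroup = $m.Name
                        Type     = 'user (nested)'
                    }
                }
        } else {
            # Direct member: a local or domain user, or a local group that cannot nest.
            [pscustomobject]@{
                Computer = $Computer
                Account  = $m.Name
                ViaGroup = '(direct)'
                Type     = $m.ObjectClass
            }
        }
    }
}

$inventory = foreach ($s in $Servers) { Expand-AdminMembership -Computer $s }

# Empty Owner and Justification columns are filled in during the review the comment
# describes; rows that stay blank are candidates for removal or delegated rights.
$inventory |
    Select-Object Computer, Account, ViaGroup, Type,
        @{ n = 'Owner';         e = { '' } },
        @{ n = 'Justification'; e = { '' } } |
    Export-Csv -Path .\local-admin-inventory.csv -NoTypeInformation
```

Re-running the script on a schedule and diffing the CSV against the last reviewed copy turns the one-off scan into a detection: any new row is an admin grant nobody has justified yet.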
certainly, but the true insider threat is the person you explicitly trusted and later found you shouldn't have.
So I'm going to have to say red herring.
While I agree to a point, I also believe that many administrators have access they shouldn't have. In most organizations where I've worked, privileged access was handed out carelessly to avoid actually designing a true role-based access control process.
Tom.
Not really. What actually happened is security got in the way of making money, so it got de-prioritised.
I did the job a long time, I know how it works and I know why it works. I also know that once the realisation sinks in that maybe Fred shouldn't have had access to every system in the business, it's too late.
After one particular episode I became a bit of a stickler for making sure access I shouldn't have was revoked. Good vetting question that, but if you answer it correctly you're as likely to not get the job as otherwise. So this person doesn't believe he should be trusted. Aha, next...
Same experiences here Tom. No matter what tool or technology you put in place, having RBAC in place with good processes to enforce it are vital.
due to commercial exigencies?
Give him access for now, we'll sort it later? Never happened? Really?
. . . basically every manager who has been working in a management job for a while would probably tell you that, even if the manager in question is engaged in making such a decision as you describe *right now*. I notice noxigen's profile doesn't say "manager", though.