Good employees gone bad -- how they affect the network

By Tink56
I am trying to implement strong network security policies and practices. Sometimes, however, the employees and even management don't understand why I want to be so strict about things.

"But we know our people. We trust them. We'd never have problems like that."

Well, that is going to change because over the next few years our little "family" will be growing beyond its 20-some employees and two locations.

I want to put together some "scenarios" that could happen. I'll give you two examples below and then ask if anyone else wants to add real instances they know of that I could incorporate into my case files.

#1 - This is true and happened to us several years ago.

We did not have a network in place. Each employee had a PC with a dial-up connection. "Bob" worked in the branch as assistant manager. Everyone liked Bob. He worked hard, did a good job at what he did, motivated employees, strived for customer service and had a wonderful sense of humor.

Then one day Bob was fired. Not sure why. Rumor has it he made one too many "suggestive" remarks about a customer's backside anatomy. Anyway, one of the women in the office was promoted to Bob's job. A couple of weeks later she called me. I had just transitioned from a job in marketing to the new IT department. "Could you look at Bob's computer next time you come here? It pops up with these pictures on the hour every hour and I find them annoying."

I visited the office a few days later and looked at the computer. It was chock full of porn. He had installed a program that popped up a lady of choice every half hour to remind you to visit the web site for more. Needless to say, I pulled the PC, took it back, reported it to the powers that be and then wiped the hard drive. I was then able to get approval on a "no porn" policy when web browsing.

#2 - This occurred at the company a friend of mine (Judy) works for.

A super-star employee, John, was caught embezzling funds from a client in order to meet some financial needs he was having from some day-trading he was doing during company time. Long story short, the client sued the company and the company was required to turn over email records associated with the client from all employees who worked the account. A lot of personal emails of one employee, Mary, were included in these records (intentionally or unintentionally, I'm not sure). These emails are to friends or family in which she talks about the "cute guys" the client employs but also shares her ongoing problems with drug addiction, her sexual misadventures with men she meets online (while at work) and detailed progress she is making with her therapist.

Okay, so what sorts of things have happened in your company that necessitate policies/procedures?


Strict computer usage policy

by zlitocook In reply to Good employees gone bad - ...

All companies, large or small, need to have one. Employees need to read it, ask questions and sign off on it. I have been a contractor for four years and worked full time for three. I have seen employees fired for sending off-color jokes (racial, sexual or company related), a boss being let go for child porn, a girl for taking work home and that exact work being used at another company.
One contractor I worked with sold company computers on Ebay; the sale made its way back to the company. A person who worked in the mail room brought in a great buy and wanted the IT department to check it out.
Set a policy and have everyone sign it; it will save the company a lot in the long run.
Let people know it is a company computer and everything done with it is the company's. And as such it is to be used only for the company business.
And boy are you going to get complaints:)

Interesting Post, Industry Info

by Matthew Yurksaitis In reply to Good employees gone bad - ...

Very interesting post, but perhaps some industry findings from this year's CSI/FBI computer crime survey would provide more help than personal experiences:

Some of the key findings of this year's report are:

Virus attacks continue as the source of the greatest financial losses. Unauthorized access, however, showed a dramatic cost increase and replaced denial of service as the second most significant contributor to computer crime losses during the past year.

The percentage of organizations reporting computer intrusions to law enforcement has continued its multi-year decline. The key reason cited for not reporting intrusions to law enforcement is the concern for negative publicity.

Unauthorized use of computer systems has increased slightly according to the respondents. However, the survey respondents reported that the total dollar amount of financial losses resulting from cybercrime is decreasing. Given that the total number of respondents to the survey has dramatically increased, the survey shows a dramatic decrease in average total losses per respondent. Two specific areas (unauthorized access to information and theft of proprietary information) did show significant increases in average loss per respondent.

Web site incidents have increased dramatically.

This in itself should help support and justify good, sound policies and practices. Reduce the risk of being the victim of a crime, and of what is sometimes a bit worse: the publicity which may result.

For the complete report you can download it from the Computer Security Institute's Web site at: http://www.gocsi.com/

Possible counter arguments

by jkameleon In reply to Good employees gone bad - ...

> "But we know our people. We trust them. We'd never have problems like that."

Statistics show that only 10-20% of attacks come from the outside. Everything else is an inside job.

Every bank auditor will tell you that you can trust no one, that popular, seemingly honest people often prove to be corrupt, and that it's sometimes hard to imagine what people are capable of. You can't fool around when the money is at stake.

You can't possibly be sure there will never be any problems. **** happens. And when it does, would you like to be responsible for it? If you have access to certain resources, and something, anything goes wrong there for whatever reason, you'll find yourself under scrutiny. You could even be blamed for something you haven't perpetrated. So, you wouldn't want access to resources you don't really need, would you?

Yes you still need to protect

by zlitocook In reply to Possible counter argument ...

Your company and yourself! A strong computer policy and a policy that protects the company is the best way to go.

A true experience

by foringmar In reply to Possible counter argument ...

This is a true story. Not from a company environment though.

1990-2003 I worked in a school environment as the person in charge of administering the students' computer network. We had several hundred users on a network with far fewer workstations. Basically a network with Windows 98 workstations and an NT4 server.

In order to get access to a workstation one had to log in to the server.

There were a few teachers who considered the fact that one had to log in to the server in order to get access to a workstation complete nonsense. They wanted everybody to get access to a workstation without such nonsense as a user name and password.

They also saw no wrong in lending their own user rights to students who had forgotten their passwords. We had quite an argument about it. I firmly refused to change the established practice. Everybody had to use a user name and a password to get access to a workstation.

And the teachers continued to lend their user rights to pupils. Any warnings had no effect whatsoever. As it happened, one teacher learned the lesson the hard way.

One day, when I logged on to a workstation for routine maintenance, it happened.

The workstation presented a fullscreen-size background image of a proudly erect male organ in all its glory on the desktop.

The first thing I did was to seek out from where on the local network this glorious picture loaded itself onto the workstation's desktop. I found out that the image in question was situated in a female teacher's home area on the server.

I turned the workstation off and went to the server. I checked when the picture was saved and when the female teacher had been logged on and from which workstation. All available evidence showed that the female teacher had been logged on from that specific workstation and had been logged on during the time the picture had been saved in the teacher's home area on the server.

There is a strong possibility that she has lent her user rights to someone, I thought. I also saw a chance to make an example.

I called the teacher and asked her to join me in front of the workstation with the male organ background. I started the computer and showed her the background. Then I told her that that image was situated in her home area on the server, and that meant that she had saved it there. And then I asked for an explanation.

What followed was a very interesting collection of face colors and expressions. She hadn't placed the image there, she said.

OK. I believe You, I said. But someone has placed the image there, and all available evidence shows that You were logged on, on this workstation, when it happened. Besides, only You and an administrator have access to this area on the server. And I KNOW that I have not placed that picture there. So?

She then remembered lending her user rights to a student at the time the image was saved in her home area.

The student (a male) in question was later confronted with the facts and confessed to being responsible for the pornographic desktop image.

And I never told the female teacher that the organ background showed on the desktop only when she or anyone with administrator rights logged on to that workstation.

I think the female teacher understood the importance of holding on to one's user name and password after that. There were however other teachers who did not see the light, not even after this incident.
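The correlation step in the story above (file save time against server logon records, restricted to the accounts that could write to the home area), as an added example that is not part of the original post. All session records, account names, workstation ids and timestamps below are constructed, and the tolerance window is an assumption for clock drift between server and workstations.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

@dataclass
class Session:
    """One logon session on the server (constructed audit record)."""
    user: str
    workstation: str
    logon: datetime
    logoff: Optional[datetime]  # None: still logged on when records were pulled

# Constructed session records; in the story these came from the NT4 server.
SESSIONS = [
    Session("teacher_a", "WS-LAB-03", datetime(2002, 3, 12, 8, 55), datetime(2002, 3, 12, 9, 40)),
    Session("teacher_a", "WS-LAB-07", datetime(2002, 3, 12, 10, 5), datetime(2002, 3, 12, 11, 30)),
    Session("student_x", "WS-LAB-07", datetime(2002, 3, 12, 11, 35), datetime(2002, 3, 12, 12, 10)),
    Session("admin", "WS-LAB-07", datetime(2002, 3, 12, 13, 0), None),
]

# Constructed file record: the image in teacher_a's home area and its save time.
FILE_OWNER = "teacher_a"
FILE_SAVED = datetime(2002, 3, 12, 10, 47)

def sessions_active_at(sessions: List[Session], when: datetime,
                       tolerance: timedelta = timedelta(minutes=2)) -> List[Session]:
    """Sessions whose logon..logoff window contains `when`, allowing some clock slack."""
    hits = []
    for s in sessions:
        if when < s.logon - tolerance:
            continue
        if s.logoff is not None and when > s.logoff + tolerance:
            continue
        hits.append(s)
    return hits

def who_could_have_saved(sessions: List[Session], owner: str, saved_at: datetime,
                         admins=("admin",)) -> List[Session]:
    """Only the home-area owner or an administrator can write there, so keep
    just those accounts' sessions that were active at save time."""
    return [s for s in sessions_active_at(sessions, saved_at)
            if s.user == owner or s.user in admins]

if __name__ == "__main__":
    for s in who_could_have_saved(SESSIONS, FILE_OWNER, FILE_SAVED):
        end = s.logoff.strftime("%H:%M") if s.logoff else "still logged on"
        print(f"{s.user} was logged on at {s.workstation} from {s.logon:%H:%M} until {end}")
```

If the owner's only matching session sits on a shared lab workstation, the next question is who was physically at that keyboard, which is exactly where lent credentials break the audit trail.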

I wish, I wish,

by noyoki In reply to Good employees gone bad - ...

I wish I could do this.

Unfortunately, I also work in a smallish firm (~30 people total, and we likely aren't going to get any bigger) with the same mind-set.

I'm the IT Manager, by title, but I may as well be called IT Staff. The partners of the firm have stated that I'm not allowed to even BLOCK known bad sites because we have night-typists that are "allowed" to do as they please while waiting for work. While the personal stuff while waiting is fine (I really don't care if people are doing their work, that's not my job, that's the Managing Partner's/HR's), I keep finding installs of (and HOW they are installed, I have no idea, no one runs on Admin accounts) download-helpers, spyware, "install this to buy from us" crap, etc.

We also don't have passwords on any computers except the Partners'. And even that was painful to implement. They don't even password protect their screensavers because they don't want to type it in when they come back 2 hours later! (And 98% of the firm doesn't bother to reboot, nevermind shut down.) "But what if someone needs to log into their machine?!" Then you call down here and you ask me. Or you log into the Novell server using your password, etc.

The funny thing about all these "policies" forced upon me (isn't it supposed to be the other way 'round?) is that this is a LAW firm. One would think that the appeals to "What if this happens" would faze them...

Good luck on this one, I hope you have better success than I have. But in my experience, if they don't want to give up "luxury", they just aren't going to.

Well you can stay if you like the job

by zlitocook In reply to I wish, I wish,

You should be compliant with any federal laws; you will be the first person they go after. What if a person decides to look for a date and they go to a site that is taken over by a botnet? The first thing is it will disable your antiviral software, then disable anything that will stop it from sending out its software to everyone on your email list.
You are the IT guy; if the company cannot accept your changes you should find another job.

IT Girl!

by noyoki In reply to Well you can stay if you ...

Lol.

I don't yet have the experience to just "find another job", however, it IS on paper that I have tried to institute changes and they have been rejected from above my head.

I have missed two jobs because

by zlitocook In reply to IT Girl!

When in the interview I said that if you want me to provide security I need full access and no one is above what I say. I told them that they could check what I do but no one is above me checking on them! Wow, you would think that the CIO, COO and other TLAs were going to be killed! So I said that if you need security you need to start at the top and work your way down.
Boy I am a party pooper

cover your A**E

by neil_essex In reply to I wish, I wish,

Your best bet would be to get the people at the top to put in writing what you can and can't do... that way if any legal prosecutions crop up you are covered. Oh, and find another job; what's the point in being there if they are not going to value or implement your security policies?
