When Security Problems Get Bad, IT Managers Blame Everyone Else

from the it's-your-JOB dept

Ok, let's start out by admitting that people do incredibly stupid things on their computers that often put those computers at risk. It happens. It sucks and they should know better -- but it happens and it's not going to stop happening any time soon. However, as an IT manager, part of your job is to do your absolute best to protect those computers anyway. That could involve better training for employees, or it could involve better technology that helps prevent bad things even when users are, in fact, clueless about security. None of that changes the simple fact that users are going to screw up. It doesn't mean, though, that IT managers get to shift all the blame to end users. Yes, users are doing stupid things -- but it's not necessarily their fault. They just don't know. Your job, as an IT manager, is to protect against attack no matter how clueless your end users are. Whining about end users just suggests that you're not doing your job very well.


Reader Comments



  • rightnumberone, 16 Sep 2005 @ 11:41am

    No Subject Given

    Okay, I'll take the bait: Many of today's security problems cannot be prevented by IT personnel, but CAN be prevented by users. For example: frequently, it will be discovered that there is a security vulnerability in, say, Internet Explorer. Miscreants can use that vulnerability to take over any computer, but only if the miscreant can get the user to visit their site through fairly obvious social engineering tricks that just about any 12-year-old can spot now. Corporate IT departments cannot prevent the stupid user from visiting the site (which, after all, is promising to end the misery of their daily lives if only they will click on over). Corporate IT departments cannot rewrite Internet Explorer. Only the user can prevent the security breach from occurring by not falling for the bait. And that is why security measures that rely on users not doing stupid things are a poor security system indeed. Yet, here we are. Such a breach is totally unpreventable by IT personnel, and is totally the fault of the dolt user. As an IT manager I could, I guess, send out trick emails containing a link to a given page to all users at my company and make that link look especially like a phishing, scamming or virus-infecting email. Then, I suppose, one could keep track of which employees fell for the ruse and opened the page. Then, management could easily identify the dolts within their ranks and fire them as security risks. If one did this for, say, 4 or 5 days in a row, I bet that the problem would magically disappear as word got round that an IQ test was ongoing. Alas, I cannot get management buy-in for this proposal. (And please, you Linux folks... don't tell me the answer is to use Firefox! All software is vulnerable.)


    • jdw242, 16 Sep 2005 @ 12:35pm

      Re: No Subject Given

      "...As an IT manager I could, I guess, send out trick emails containing a link to a given page to all users at my company and make that link look especially like a phishing, scamming or virus-infecting email. Then, I suppose, one could keep track of which employees fell for the ruse and opened the page..."

      Did that; sent out phishing bait with a link asking detailed questions to gather account numbers, etc.
      Problem was, nobody took the bait. They all called the helpdesk and asked if it was a real email.

      The failing here is those stupid chain letters. If someone sent one out and embedded a bad link in there any insufficiently protected network could be compromised.

      I'm confident in the steps we've taken as an IT department to protect the world from our users, as well as our users from the world, but, as you said, all software is vulnerable. Problem there is the manufacturer doesn't seem to care most of the time.


      • GS, 16 Sep 2005 @ 1:26pm

        Re: No Subject Given

        It's not the fault of IT or the end users. It's the fault of the OS (including browser & email) for including so much "flexibility" that every teenager with too much time on their hands can hack your system. The OS and apps belong in ROM. You don't have hackers taking over your refrigerator or toaster. That's because you can't redesign hardware remotely. Someday this will be a reality. Until then we live in the dark ages of computers.


        • PSC, 16 Sep 2005 @ 2:40pm

          Re: No Subject Given

          I disagree. It's no one's fault but the world's governments'. As long as governments continue to treat the people who create this stuff as less than full-fledged criminals, they'll continue on their merry way. Look, the lock on my front door isn't bulletproof; it can be picked, broken, etc. That doesn't mean that it's the lock maker's fault if my house gets broken into. But if criminals, when caught, aren't sent to jail, then it's sending a message that it's OK to break into my house.
          If Germany had sent that kid that wrote Sasser to jail for 20 years instead of a one-year suspended sentence, hackers might think twice about what they are doing. If, instead of paying MS when caught and then setting up shop elsewhere, spammers were sent to jail for a long time, my company wouldn't need to spend thousands of dollars on anti-spam & anti-virus software every year. Any modern system is too complicated to ever be 100% secure; we need to start looking at the problem differently.


          • jdw242, 16 Sep 2005 @ 4:14pm

            Re: No Subject Given

            Certainly punishment is a valid argument, but script kiddies as a group are tied to the challenge by adrenaline and a desire to subvert the rules.

            If they up the ante by saying you'll go to jail for 20 years, the challenge just got upped big time.

            Not slapping on a super-sized sentence can lead to other methods of silencing the inner adrenaline junkie these types have become...

            As usual, correct me if I am wrong.


            • PSC, 16 Sep 2005 @ 6:07pm

              Re: No Subject Given

              While I agree with you that there will always be a group that cannot be deterred no matter how stiff the penalty, "real" punishment I think would have two effects. First, it would deter the casual hacker. These aren't the diehards; these are the ones that download a toolkit, make a few mods, and wait for TV coverage. Secondly, you can't deter the diehards, but at least you'd get them off the net once you catch them. They can't code from a jail cell.

              All the finger pointing between users, admins, developers, browsers, OSs, etc really bothers me. The discussion we should be having is how do we get these criminals off the street.


              • GS, 19 Sep 2005 @ 7:23am

                Re: No Subject Given

                You guys are still missing the point. The problem here is a fundamentally bad engineering design. Allowing malicious (or accidental!) overwrites of your program data is just asking for trouble. Please observe that we aren't having these same discussions about teenagers hijacking refrigerators or television sets.


  • Michael Vilain, 16 Sep 2005 @ 1:28pm

    Just don't give them the keys...

    Anyone who wants admin (or root) privilege on their desktop box (so they can install stuff on it either intentionally or because it's "their" machine) should become part of the IT team and carry the on-call pager.

    You get the midnight-6am Sunday shift...


    • Chris, 16 Sep 2005 @ 1:33pm

      Re: Just don't give them the keys...

      So true. Or it could be like my company, where our Corporate IT heads specify that all of our domain users are local admins on every machine throughout the country. I wonder if our IT heads have ever heard of admin shares or remote registry access, amongst everything else. Out of 900+ PC users I cannot believe we haven't had an incident to date.

      I'm curious how many of our "learned" users have key loggers installed on other people's PCs and are checking their email... or reading their sensitive documents.

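The two comments above (don't hand out admin rights; a whole domain's users being local administrators on every PC) describe a configuration an IT manager can actually check for. The following is an added example, not code from Techdirt or from either commenter: a PowerShell audit of the local Administrators group on a Windows machine that flags membership granted through broad groups such as Domain Users. It assumes Windows 10 / Server 2016 or later, where the built-in Microsoft.PowerShell.LocalAccounts module provides Get-LocalGroupMember; the domain name CORP and the machine list are placeholders.

```powershell
# Added example (not from the Techdirt post or its commenters).
# Audit local Administrators membership and flag the "every domain user is a
# local admin" configuration. Assumes Get-LocalGroupMember is available
# (Windows 10 / Server 2016+). $domainName is a placeholder for your AD domain.

$domainName = 'CORP'   # placeholder: replace with your NetBIOS domain name

# Groups that, when placed in local Administrators, make every ordinary
# account an administrator on this machine.
$broadGroups = @(
    "$domainName\Domain Users",
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users'
)

function Get-LocalAdminAudit {
    $members = Get-LocalGroupMember -Group 'Administrators'
    foreach ($m in $members) {
        [pscustomobject]@{
            Computer    = $env:COMPUTERNAME
            Member      = $m.Name               # e.g. CORP\jsmith or CORP\Domain Users
            ObjectClass = $m.ObjectClass        # User or Group
            Source      = $m.PrincipalSource    # Local, ActiveDirectory, ...
            # -contains is case-insensitive in PowerShell, so CORP\domain users matches too
            OverlyBroad = ($broadGroups -contains $m.Name)
        }
    }
}

$report = Get-LocalAdminAudit
$report | Format-Table -AutoSize

# Anything flagged here is the weak setting; the corrected state is an
# Administrators group holding only the local Administrator account,
# Domain Admins, and a small, named workstation-support group.
$broad = $report | Where-Object OverlyBroad
if ($broad) {
    Write-Warning ("Local Administrators grants admin to broad groups: " +
        ($broad.Member -join ', '))
    # Remediation, run deliberately after confirming who actually needs rights:
    # Remove-LocalGroupMember -Group 'Administrators' -Member "$domainName\Domain Users"
}
```

To run the same audit across a fleet, wrap the function body in Invoke-Command against a list of computer names (placeholder list) and collect the returned objects into one table; the OverlyBroad column then gives the count of machines in the state the second commenter describes. A list of individual user accounts that are direct members of Administrators is the other thing worth reviewing from the report, since those are the "keys" the first commenter would rather not hand out.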

