Insider Security Attacks On The Rise, MS Says

from the the-human-factor dept

Microsoft is warning that "malicious insider" security attacks are on the rise as the economy churns out more and more disgruntled and/or desperate laid-off workers. Combine this with the high number of data breaches that are blamed on human error, and it's clear that the human factor remains a big problem in IT security. Technology often gets the blame for data breaches and leaks, but it's important to remember that in many cases, it's the implementation of the technology, or the policies behind it, that are to blame. For instance, in the massive TJX breach, a lot was made of the fact that the company's WiFi network was protected only by the easily cracked WEP security standard. But somewhere along the line, a human decision was made not to upgrade to something stronger, while another decision was made to transmit credit-card data without encryption. Whether it's simple incompetence or malicious activity, humans often surpass technology as the weakest link in the security chain.

Filed Under: insiders, security
Companies: microsoft


Reader Comments

  • SRS, 19 Feb 2009 @ 1:57am

    Oh really?

    Microsoft would definitely prefer this version of events, as it usefully distracts people from how vulnerable Microsoft software is to external remote attacks - much better to blame the actions of evil insiders instead.

    As you state: "it's important to remember that in many cases, it's the implementation of the technology, or the policies behind it, that are to blame". And who implements the technology? Microsoft.

    • Mike, 19 Feb 2009 @ 2:13am

      Re: Oh really?


      As you state: "it's important to remember that in many cases, it's the implementation of the technology, or the policies behind it, that are to blame". And who implements the technology? Microsoft.


      Yes. That would be Carlo's point.

    • eleete, 19 Feb 2009 @ 3:31am

      Re: Oh really?

      As you state: "it's important to remember that in many cases, it's the implementation of the technology, or the policies behind it, that are to blame". And who implements the technology? Microsoft.

      Microsoft rarely 'implements' the technology. They create the software. Network engineers and administrators 'implement' the technology. As far as I know, Microsoft doesn't produce many wireless products at all. The implementers have choices in software and hardware. What they choose and how they choose to configure it is very rarely a Microsoft decision.

  • Osno, 19 Feb 2009 @ 3:28am

    By that reasoning, any attack can be blamed on "human error". If a hacker exploits a vulnerability on a system, there is a human who programmed the system and coded the vulnerability. Humans as the weakest link refers to the fact that a human who has access to the data will give you the access or the data, either by mistake or maliciously. Implementing a WEP protocol may be dumb, but it's not a "human weakest link". It's an easily solved technological vulnerability. Technical error doesn't mean there's no human responsible. It means that a technical solution is needed. Human vulnerability is something that cannot be solved technologically, but with training.

    • nasch, 19 Feb 2009 @ 10:26am

      Re:

      There's another distinction to be made though. Choosing poor wireless security is a different kind of problem than having your OS fall prey to a buffer overrun error and get taken over remotely. One is a mistake (a technical mistake) by the sysadmin(s). The other is an OS vulnerability (also a technical mistake) outside the control of anyone at the place where the breach happened.

      This is the distinction being made in the original post. Was the problem inherent to the software and hardware being used, or was it caused by poor choices in how to use it?

  • NullOp, 19 Feb 2009 @ 3:51am

    IMHO

    It's been my experience management knows and cares nothing about the overall security of its systems and data. It only matters when an event occurs and then they must have "someone to blame" i.e. the Sacrificial Lamb syndrome. MS would, of course, follow the theory that "it couldn't be our product, it must have been improperly implemented" line of thinking. Also, often decisions are made to cater to the crybaby VP. He/She wants ease of use rather than security for the company.

  • R. Miles, 19 Feb 2009 @ 4:07am

    Figures Microsoft would say this just shy of a new Windows release.

    I know, it seems a bit of a "conspiracy theory", but it does make some wonder.

    What I find interesting is how Microsoft refuses to acknowledge its own software is what allows these threats to increase. It seems every day, there's a new vulnerability found within the Windows operating system, rarely patched in time before being exploited.

    It makes sense these attacks would increase during this economic state. Most IT departments are responsible for patching known vulnerabilities. Given how quickly businesses act, many are still open.

    I still can't believe anyone would do this, especially during these times, simply to get "revenge" for being let go and destroying any future chance at working in the industry again.

  • Tony, 19 Feb 2009 @ 5:04am

    Oooo another place to get and read comments that are anti-microsoft!

    This story is somewhat true. Humans are the weak link when it comes to the quality of solutions.

  • Anonymous Coward, 19 Feb 2009 @ 6:22am

    Looks like a Sales Pitch

    Article -> "Data loss prevention systems specialise in the detection of precisely these events."

    Is anyone trying to sell their "Data loss prevention systems" ?

    • chris, 19 Feb 2009 @ 7:39am

      Re: Looks like a Sales Pitch

      data loss prevention systems are snake oil.

      data loss prevention is pretty simple:

      1) centralize your data on a secure platform
      2) use encryption and access control when granting access to the secured storage
      3) if data cannot be centralized, then it must be encrypted with strong cryptographic tools.

  • chris, 19 Feb 2009 @ 7:35am

    the WEP decision

    not all devices are created equal. WPA2 is the favorite for maximum wireless security, but it is a relatively new invention, and not all wifi connected devices are new, nor are they laptops.

    WPA2 is great, but support for it was not built into windows xp, so you have to install the wpa2/wps ie update or move to service pack 3. this means testing, deployment, and even training.

    what about those other devices, like pdas, phones, or barcode readers, that may not include WPA2 support?

    the problem isn't with the decision to use wep. the problem is with not separating the wireless network from the corporate network when wep was proven to be insecure.

  • Anonymous Coward, 19 Feb 2009 @ 8:07am

    You can have perfect technology security and still have data breaches. Humans are the weakest link. Blame Microsoft if you want, but companies just don't spend the money they should to really secure themselves.

    Just like all the companies that blamed SAP and consultants when their huge implementation didn't do what was planned because the company didn't spend the money on the proper planning or the proper modules. Companies take shortcuts that cost them in the long run.

  • Bradley Stewart, 19 Feb 2009 @ 8:37am

    BEST PRACTICES PHOEY!

    OK so I am an old codger with only about five years computer experience. I did spend decades in business. I have worked with and for some great people. I have also worked with some really lazy, careless and thoughtless individuals who couldn't care less. Though I consider myself pretty much of a computer dope I have learned enough over the years about technology how to get the right answers to technology security potential problems. I know it's tough to keep up on as technology is in a constant state of flux however I believe companies should do everything within their power to avoid any possible compromise. If they do not they should be heavily fined and be forced to make restitution to any injured parties. I am sorry to say that I believe that this is the only way to get the attention of the people who some of whom couldn't figure out how to pour water out of a boot if you told them that the instructions were written on the heel and really don't care about anything but their pay checks.

  • Overcast, 23 Feb 2009 @ 8:50am

    and it's clear that the human factor remains a big problem in IT security

    Is the technology here to serve man, or are we here to serve the technology?

    Plus, it really doesn't matter what technology you put in place - an 'unhackable' system puts me in mind of an 'unsinkable' ship - and we all know where that ends up.
