Insider Security Attacks On The Rise, MS Says

from the the-human-factor dept

Thu, Feb 19th 2009 12:32am — Carlo Longino

Microsoft is warning that "malicious insider" security attacks are on the rise as the economy churns out more and more disgruntled and/or desperate laid-off workers. Combine this with the high number of data breaches that are blamed on human error, and it's clear that the human factor remains a big problem in IT security. Technology often gets the blame for data breaches and leaks, but it's important to remember that in many cases, it's the implementation of the technology, or the policies behind it, that are to blame. For instance, in the massive TJX breach, a lot was made of the fact that the company's WiFi network was protected only by the easily cracked WEP security standard. But somewhere along the line, a human decision was made not to upgrade to something stronger, while another decision was made to transmit credit-card data without encryption. Whether it's simple incompetence or malicious activity, humans often surpass technology as the weakest link in the security chain.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: insiders, security
Companies: microsoft

14 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

SRS, 19 Feb 2009 @ 1:57am

Oh really?
Microsoft would definitely prefer this version of events, as it usefully distracts people from how vulnerable Microsoft software is to external remote attacks - much better to blame the actions of evil insiders instead.

As you state: "it's important to remember that in many cases, it's the implementation of the technology, or the policies behind it, that are to blame". And who implements the technology? Microsoft.
[ link to this | view in chronology ]
- Mike (profile), 19 Feb 2009 @ 2:13am
  
  Re: Oh really?
  
  As you state: "it's important to remember that in many cases, it's the implementation of the technology, or the policies behind it, that are to blame". And who implements the technology? Microsoft.
  
  Yes. That would be Carlo's point.
  [ link to this | view in chronology ]
- eleete, 19 Feb 2009 @ 3:31am
  
  Re: Oh really?
  As you state: "it's important to remember that in many cases, it's the implementation of the technology, or the policies behind it, that are to blame". And who implements the technology? Microsoft.
  
  Microsoft rarely 'implements' the technology. They create the software. Network engineers and administrators 'implement' the technology. As far as I know, Microsoft doesn't produce many wireless products at all. The implementers have choices in software and hardware. What they choose and how they choose to configure it is very rarely a Microsoft decision.
  [ link to this | view in chronology ]
Osno, 19 Feb 2009 @ 3:28am

By that reasoning, any attack can be blamed on "human error". If a hacker exploits a vulnerability on a system, there is a human who programmed the system and coded the vulnerability. Humans as the weakest link refers to the fact that a human who has access to the data will give you the access or the data, either by mistake or maliciously. Implementing a WEP protocol may be dumb, but it's not a "human weakest link". It's an easily solved technological vulnerability. Technical error doesn't mean there's no human responsible. It means that a technical solution is needed. Human vulnerability is something that cannot be solved technologically, but with training.
[ link to this | view in chronology ]
- nasch, 19 Feb 2009 @ 10:26am
  
  Re:
  There's another distinction to be made though. Choosing poor wireless security is a different kind of problem than having your OS fall prey to a buffer overrun error and get taken over remotely. One is a mistake (a technical mistake) by the sysadmin(s). The other is an OS vulnerability (also a technical mistake) outside the control of anyone at the place where the breach happened.
  
  This is the distinction being made in the original post. Was the problem inherent to the software and hardware being used, or was it caused by poor choices in how to use it?
  [ link to this | view in chronology ]
NullOp, 19 Feb 2009 @ 3:51am

IMHO
Its been my experience management knows and cares nothing about the overall security of its systems and data. It only matters when an event occurs and then they must have "someone to blame" i.e. the Sacraficial Lamb syndrome. MS would, of course, follow the theory that "it couldn't be our product, it must have been improperly implemented" line of thinking. Also, often decisions are made to cater to the crybaby VP. He/She wants ease of use rather then security for the company.
[ link to this | view in chronology ]
R. Miles, 19 Feb 2009 @ 4:07am

Figures Microsoft would say this just shy of a new Windows release.
I know, it seems a bit of a "conspiracy theory", but it does make some wonder.

What I find interesting is how Microsoft refuses to acknowledge its own software is what allows these threats to increase. It seems every day, there's a new vulnerability found within the Windows operating system, rarely patched in time before being exploited.

It makes sense these attacks would increase during this economic state. Most IT departments are responsible for patching known vulnerabilities. Given how quickly businesses act, many are still open.

I still can't believe anyone would do this, especially during these times, simply to get "revenge" for being let go and destroying any future chance at working in the industry again.
[ link to this | view in chronology ]
Tony, 19 Feb 2009 @ 5:04am

Oooo another place to get and read comments that are anti-microsoft!

This story is somewhat true. Human's are the weak link when it comes to the quality of solutions.
[ link to this | view in chronology ]
Anonymous Coward, 19 Feb 2009 @ 6:22am

Looks like a Sales Pitch
Article -> "Data loss prevention systems specialise in the detection of precisely these events."

Is anyone trying to sell their "Data loss prevention systems" ?
[ link to this | view in chronology ]
- chris (profile), 19 Feb 2009 @ 7:39am
  
  Re: Looks like a Sales Pitch
  data loss prevention systems are snake oil.
  
  data loss prevention is pretty simple:
  
  1) centralize your data on a secure platform
  2) use encryption and access control when granting access to the secured storage
  3) if data cannot be centralized, then it must be encrypted with strong cryptographic tools.
  [ link to this | view in chronology ]
chris (profile), 19 Feb 2009 @ 7:35am

the WEP decision
not all devices are created equal. WPA2 is the favorite for maximum wireless security, but it is a relatively new invention, and not all wifi connected devices are new, nor are they laptops.

WPA2 is great, but support for it was not built into windows xp, so you have to install the wpa2/wps ie update or move to service pack 3. this means testing, deployment, and even training.

what about those other devices, like pdas, phones, or barcode readers, that may not include WPA2 support?

the problem isn't with the decision to use wep. the problem is with not separating the wireless network from the corporate network when wep was proven to be insecure.
[ link to this | view in chronology ]
Anonymous Coward, 19 Feb 2009 @ 8:07am

You can have perfect technology security and still have data breaches. Humans are the weakest link. Blame Microsoft if you want, but companies just don't spend the money it should to really secure itself.

Just like all the companies that blamed SAP and consultants when their huge implementation didn't do what was planned because the company didn't spend the money on the proper planning or the proper modules. Companies take shortcuts that cost them in the long run.
[ link to this | view in chronology ]
Bradley Stewart, 19 Feb 2009 @ 8:37am

BEST PRACTICES PHOEY!
OK so I am an old codger with only about five years computer experience. I did spend decades in business. I have worked with and for some great people. I have also worked with some really lazy,careless and thought less individuals who couldn't care less. Though I consider myself pretty much of a computer dope I have learned enough over the years about technology how to get the right answers to technology security potential problems. I know its tough to keep up on as technology is in a constant state of flux however I believe company's should do everything within their power to avoid any possible compromise. If they do not they should be heavyly fined and be forced to make restitution to any injured partys. I am sorry to say that I believe that this is the only way to get the attention of the people who some of whom couldn't figure out how to pour water out of a boot if you told them that the instructions were written on the heel and really don't care about anything but their pay checks.
[ link to this | view in chronology ]
Overcast, 23 Feb 2009 @ 8:50am

and it's clear that the human factor remains a big problem in IT security

Is the technology here to serve man, or are we here to serve the technology?

Plus, it really doesn't matter what technology you put in place - an 'unhackable' system puts me in mind of an 'unsinkable' ship - and we all know where that ends up.
[ link to this | view in chronology ]