Security Basics mailing list archives
Re: Security and the Under 30 User
From: "Yousef Syed" <yousef.syed () gmail com>
Date: Wed, 13 Feb 2008 10:46:20 +0100
If you want to stop it all, then use white-lists. Black-lists will never keep up.

ys

On 12/02/2008, George, Joe (OCFO) <Joe.George () dc gov> wrote:

Slightly unrelated to the subject, but still relevant: one thing I'm discovering a lot are sites which claim to allow you to view the blocked sites like FaceBook, etc. There are mirrors after mirrors and site after site that do this. Are there ways to stop it, or will savvy "under-30" types continue to be resourceful and circumvent? Here's an example:

http://ysurfnow.info/index.php?q=aHR0cDovL3d3dy5teXNwYWNlLmNvbS8%3D

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Jason Thompson
Sent: Tuesday, February 12, 2008 3:10 PM
To: net sec consule
Cc: security-basics () securityfocus com
Subject: Re: Security and the Under 30 User

I am 31, and have just left that Under 30 group :) My main line of work is information security: pen tests, assessments, incident response and investigations.

You are absolutely right about the ME ME ME attitude that many younger people have. They are the online generation, and if they aren't able to connect to people on the net 24x7 it's a huge issue. I'll admit if I am not near an Internet connection I feel a little out of sorts myself :)

I agree with Chris, they understand consequences. I've done some demonstrations that have changed a few minds. It usually starts with "oh, you think Facebook is secure? Watch this..." and 10 mins later they are deleting 2/3 of the data in their profile. Facebook is a fantastic social engineering tool; as a pen tester I love it. It has made my job a lot easier. And I've seen it used in several embezzlement cases. I mean, those apps people install are gathering information right out of the profile (you ALLOW it to do this when you add the app), so how hard would it be to add some 'special' features? It goes beyond that as well: I demonstrate how they can click a link and, without doing anything, their computer is under someone else's control, how just by chatting on MSN they can have their computer scoured for information.

From a corporate standpoint, policy has to be forced. 'You will learn to like it or there's the door' is the way companies need to approach security sometimes. This PC is a company asset, and no problem if you want to use your MSN and whatever (with content filtering and restrictions), and you can do your social networking on your lunch or whatever (you have to give them SOME slack), but you are being watched, and if you have too many red flags (social networking for 5 hrs a day), the hammer comes down. And they have zero recourse if it's a written policy. Policy requires technology to enforce it, because frankly policies are meaningless to users unless you apply an enforcement method, but policy is required to ensure the employee doesn't come back and say 'well, I didn't know'.

And to be honest, the people who raise a HUGE stink about this sort of thing are probably employees that are not adding any real value to the company (because they are social networking all the time), are thinking only of themselves, and should probably be working at a gas station anyway, so losing them isn't as big a loss as the company might think. And when they go looking for other jobs with no references and having been fired for lack of productivity, a gas station is where they will likely end up. Which is just fine. Consequences. You mentioned the company lost these 100K a year people... who were doing tons of social networking... to me that sounds like a good opportunity to gain some financial assets back :) I don't know what they did for the company, but it sounds like they didn't do much. People are either assets or liabilities, and these people sound like liabilities. That may seem cold, but it's business... it is what it is :)

This isn't restricted to under 30. I've met some folks who have 20 years exp in security, but 20 years exp in doing security very poorly, because security wasn't at the forefront when they were in their 20's.

One actually could argue that because of the lack of security awareness in the 80's and early 90's, the 40+ers are far more likely to practice poor security than the under-30 group. In fact, if I took a social sample, I would bet on it. They may be much less likely to have that need to be online, but when they are online, I'll bet their passwords are 'password123' or they will click anything sent to them. It would be an interesting social experiment...

I am more concerned about what's coming... To be blunt, the education system is forcing kids through the school system without failing them much more than it used to, regardless of how little work they do (I have a lot of teacher friends at the high school level), and with no discipline because that is frowned upon now, so there are more graduating who shouldn't be and entering the workforce with no real skills or disciplined work ethic. In that same line, we have been trying to hire more consultants, but it's impossible to find one that knows what they are doing rather than saying they know and knowing nothing, and with no time management skills, poor work ethics, and a general lack of respect for authority because they were never taught to respect authority in school. This of course leads to a lack of respect for security.

-J

On Feb 10, 2008 3:36 PM, net sec consule <netseccon () yahoo com> wrote:

Thanks to everyone for their replies. Please let me clarify a few things. I agree that almost everyone has a lot of resistance to security. However, I find that the old crowd tends to be more compliant and only grumble a little, but in general go along with policy. The under-30 crowd is where I constantly see the problem: they don't grumble and then comply, they loudly object and rebel. The old crowd generally appears to value their jobs, but I find the younger crowd often has the attitude "If I can't get my way around here, take this job and shove it!"

That is the biggest difference I see, outright defiance on the part of the younger worker. I see this in just about every one of my clients. Without question, my biggest concern about the under-30 crowd is their not caring about privacy. This really concerns me, as it does not bode well for the future of a democratic society. I am also concerned about the "screwing the big corporations doesn't impact me" attitude. After all, anything that makes it more expensive to do business increases everyone's cost of living.

About the client with the under-30s quitting because they had social networking taken away: each employee signs twice a year an agreement that includes that computers and communications equipment (telephones, company cell phones, etc.) are for official company business only and usage may be monitored without further notice. Computer login screens repeat the notice every time someone signs in. The company has an established history of docking paychecks for non-business cell phone use, suspending employees without pay for trying to bypass computer security or spending time on social network sites, and firing employees who visit porn and other inappropriate sites. The company has always prohibited cameras in the work place and has prohibited personal cell phones in the work place for several years. IM was blocked a few years back when it started becoming a malware source. Social networking sites have always been against policy, but it was not until they were blocked that outright rebellion occurred. The employees who quit knew they were violating company policy but chose to ignore it, and those that got caught and suspended usually quit the company. I should also point out that this was not some low-wage sweat shop. Most employees are college grads and make $75K to $100K per year or more in a market where the average family income is less than $40K per year.

Thanks to all for your feedback. I think I have a little better understanding of the attitude.

I wish I knew what to do about the selfish and antisocial attitudes, as this is obviously a problem that is not going away.
--
Yousef Syed, CISSP
http://www.linkedin.com/in/musashi
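The two technical points in this exchange are Joe's proxy-mirror example (its `q` parameter is the base64 encoding of `http://www.myspace.com/`, with the `=` padding percent-encoded as `%3D`) and Yousef's reply that only a white-list keeps up. The following Python is an added illustration, not code from the thread: it runs a host-only block-list, a block-list that also decodes an embedded base64 target, and an allow-list over a constructed set of requests. The mirror URL is the one quoted by Joe; every other URL, and both policy lists, are made up for the example.

```python
import base64
import binascii
from urllib.parse import urlparse, parse_qs

# Constructed sample of requests as a web proxy log might record them.
# The first URL is the one quoted in the thread; the rest are invented.
SAMPLE_REQUESTS = [
    "http://ysurfnow.info/index.php?q=aHR0cDovL3d3dy5teXNwYWNlLmNvbS8%3D",
    "http://www.myspace.com/",
    "http://intranet.example.com/timesheet",
    "http://www.facebook.com/home.php",
    "http://news.example.org/",
    "http://search.example.com/?q=hello",
]

# Hypothetical policy lists for the example.
BLOCKED_HOSTS = {"www.myspace.com", "www.facebook.com"}
ALLOWED_HOSTS = {"intranet.example.com", "news.example.org"}


def host_of(url):
    """Return the lower-cased host of a URL, or None if it has none."""
    host = urlparse(url).hostname
    return host.lower() if host else None


def decode_embedded_target(url, params=("q", "u", "url")):
    """If a query parameter carries a base64-encoded URL (the scheme the
    quoted mirror uses), return that URL; otherwise return None.
    parse_qs already turns the percent-encoded '%3D' padding back into '='.
    Parameter names other than 'q' are an assumption, not taken from the thread."""
    query = parse_qs(urlparse(url).query)
    for name in params:
        for value in query.get(name, []):
            try:
                decoded = base64.b64decode(value, validate=True).decode("ascii")
            except (binascii.Error, UnicodeDecodeError):
                continue  # not base64, or not text: treat as an ordinary parameter
            if decoded.startswith(("http://", "https://")):
                return decoded
    return None


def naive_blocklist_verdict(url, blocked=BLOCKED_HOSTS):
    """Host-only block-list: the mirror's host is not listed, so it passes."""
    return "deny" if host_of(url) in blocked else "allow"


def blocklist_verdict(url, blocked=BLOCKED_HOSTS):
    """Block-list that also inspects an embedded target. It catches this one
    proxy's encoding; a mirror using another encoding still slips through."""
    if host_of(url) in blocked:
        return "deny"
    target = decode_embedded_target(url)
    if target and host_of(target) in blocked:
        return "deny (embedded target)"
    return "allow"


def allowlist_verdict(url, allowed=ALLOWED_HOSTS):
    """Allow-list: anything not explicitly listed is denied, so a new mirror
    is blocked before anyone has heard of it."""
    return "allow" if host_of(url) in allowed else "deny"


if __name__ == "__main__":
    for url in SAMPLE_REQUESTS:
        print(url)
        print("  host-only block-list :", naive_blocklist_verdict(url))
        print("  block-list + decode  :", blocklist_verdict(url))
        print("  allow-list           :", allowlist_verdict(url))
```

Running it shows the asymmetry the thread is arguing about: the host-only block-list allows the `ysurfnow.info` request, decoding the `q` parameter turns that into a deny, but only for proxies that encode the target this particular way, whereas the allow-list denies the mirror without knowing anything about it. The price of the allow-list is the maintenance of `ALLOWED_HOSTS`, which is the operational trade-off behind the "you have to give them SOME slack" remark.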
Current thread:
- RE: Security and the Under 30 User, (continued)
- RE: Security and the Under 30 User Mngadi, Simphiwe (SS) (Feb 12)
- RE: Security and the Under 30 User G_Z_Gupta (Feb 12)
- RE: Security and the Under 30 User Mngadi, Simphiwe (SS) (Feb 12)
- Re: Re: Security and the Under 30 User grace . tom (Feb 11)
- RE: Security and the Under 30 User George, Joe (OCFO) (Feb 12)
- Re: Security and the Under 30 User Larry Offley (Feb 13)
- RE: Security and the Under 30 User Evert Breero (Feb 13)
- RE: Security and the Under 30 User Timmothy Lester (Feb 13)
- Re: Security and the Under 30 User infolookup (Feb 14)
- RE: Security and the Under 30 User Evert Breero (Feb 14)
- RE: Security and the Under 30 User Evert Breero (Feb 14)
- Re: Security and the Under 30 User Yousef Syed (Feb 13)