Re: Security and the Under 30 User

["Yousef Syed" <yousef.syed () gmail com>]

If you want to stop it all, then use White-lists.
Black-lists will never keep up.

ys

On 12/02/2008, George, Joe (OCFO) <Joe.George () dc gov> wrote:
> Slightly unrelated to the subject, but still relevant:
>
> One thing I'm discovering a lot are sites which claim to allow you to view
> the blocked sites like FaceBook, etc.  There are mirrors after mirrors and
> site after site that do this.  Are there ways to stop it or will savvy
> "under-30" types continue to be resourceful and circumvent?
>
> Here's an example:
>
> http://ysurfnow.info/index.php?q=aHR0cDovL3d3dy5teXNwYWNlLmNvbS8%3D
>
>
>
> -----Original Message-----
> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
> Behalf Of Jason Thompson
> Sent: Tuesday, February 12, 2008 3:10 PM
> To: net sec consule
> Cc: security-basics () securityfocus com
> Subject: Re: Security and the Under 30 User
>
> I am 31, and have just left that Under 30 group :) My main line of
> work is information security pen tests, assessments, incident response
> and investigations. You are absolutely right about the ME ME ME
> attitude that many younger people have. They are the online generation
> and if they aren't able to connect to people on the net 24x7 its a
> huge issue. I'll admit if I am not near an Internet connection I feel
> a little out of sorts myself :)
>
> I agree with Chris, they understand consequences. I've done some
> demonstrations that have changed a few minds. Usually starts with "oh
> you think Facebook is secure? Watch this..." and 10 mins later they
> are deleting 2/3's of the data in their profile. Facebook is a
> fantastic social engineering tool, as a pen tester I love it. Made my
> job a lot easier. And I've seen it used in several embezzlement cases.
> I mean those apps people install are gathering information right out
> of the profile (you ALLOW it to do this when you add the app), so how
> hard would it be to add some 'special' features? Goes beyond that as
> well, I demonstrate how they can click a link and without doing
> anything their computer is under someone else's control, how just by
> chatting on MSN they can have their computer scoured for information.
>
> From a corporate standpoint, policy has to be forced. 'You will learn
> to like it or there's the door' is the way companies need to approach
> security sometimes. This PC is a company asset, and no problem if you
> want to use your MSN and whatever (with content filtering and
> restructions) and you can do your social networking on your lunch or
> whatever (you have to give them SOME slack) but you are being watched
> and if you have too many red flags (social networking for 5 hrs a
> day), the hammer comes down. And they have zero recourse if its a
> written policy. Policy requires technology to enforce it because
> frankly policies are meaningless to users unless you apply an
> enforcement method, but policy is required to ensure the employee
> doesn't come back and say 'well I didn't know'. And to be honest the
> people who raise a HUGE stink about this sort of thing are probably
> employees that are not adding any real value to the company (because
> they are social networking all the time), are thinking only of
> themselves, and should probably be working at a gas station anyway, so
> losing them isn't as big a loss as the company might think. And when
> they go looking for other jobs with no references and having been
> fired for lack of productivity, a gas station is where they will
> likely end up. Which is just fine. Consequences. You mentioned the
> company lost these 100K a year people... who were doing tons of social
> networking... to me that sounds like a good opportunity to gain some
> financial assets back :) I don't know what they did for the company
> but it sounds like they didn't do much. People are either assets or
> liabilities, and these people sound like liabilities. That may seem
> cold but its business... it is what it is :)
>
> This isn't restricted to under 30. I've met some folks who have 20
> years exp in security, but 20 years exp in doing security very poorly
> because security wasn't a forefront when they were in their 20's. One
> actually could argue that because of the lack of security awareness in
> the 80's and early 90's, the 40+er's are far more likely to practice
> poor security than the under 30 group. In fact, if I took a social
> sample, I would bet on it. They may be much less likely to have that
> need to be online, but when they are online, I'll bet their passwords
> are 'password123' or will click anything sent to them. It would be an
> interesting social experiment...
>
> I am more concerned about what's coming... To be blunt, the education
> system is forcing kids through the school system without failing them
> much more than it used to regardless of how little work they do (I
> have a lot of teacher friends on the high school level) and with no
> discipline because that is frowned upon now, so there are more
> graduating who shouldn't be and entering the workforce with no real
> skills or disciplined work ethic. In that same line, we have been
> trying to hire more consultants but its impossible to find one that
> knows what they are doing rather than saying they know and knowing
> nothing, and with no time management skills, poor work ethics, and a
> general lack of respect for authority because they were never taught
> to respect authority in school. This of course leads to a lack of
> respect for security.
>
> -J
>
> On Feb 10, 2008 3:36 PM, net sec consule <netseccon () yahoo com> wrote:
> > Thanks to everyone for their replies.
> >
> > Please let me clarify a few things.
> >
> > I agree that almost everyone has a lot of resistance
> > to security. However, I find that the old crowd tends
> > to be  more compliant and only grumble a little, but
> > in general go along with policy. The under-30 crowd is
> > where I constantly see the problem: They don't grumble
> > and then comply, they loudly object and rebel. The old
> > crowd generally appears to value their jobs, but I
> > find the younger crowd often has the attitude "If I
> > can't get my way around here, take this job and shove
> > it!". That is the biggest difference I see, outright
> > defiance on the part of the younger worker. I see this
> > in just about every one of my clients.
> >
> > Without question, but biggest concern I have about the
> > under-30 crowd is their not caring about privacy. This
> > really concerns me as it does not bode well for the
> > future of a democratic society. I am also concerned
> > about the "screwing the big corporations doesn't
> > impact me" attitude. After all, anything that makes it
> > more expensive to do business increases everyone's
> > cost of living.
> >
> > About the client with the under-30s quiting because
> > they had social networking taken away. Each employee
> > signs twice a year an agreement that includes that
> > computers and communications equipment (telephones,
> > company cell phones, etc.) are for official company
> > business only and usage may be monitored without
> > further notice. Computer login screens repeat the
> > notice every time someone signs in. The company has an
> > established history of docking paychecks for non
> > business cell phone use, suspending employees without
> > pay for trying to bypass computer security, spending
> > time on social network sites, and firing employees who
> > visit porn and other inappropriate sites. The company
> > has always prohibited cameras in the work place and
> > has prohibited personal cell phones in the work place
> > for several years. IM was blocked a few years back
> > when it started becoming a malware source. Social
> > networking sites have always been against policy, but
> > it was not until they were blocked that outright
> > rebellion occurred. The employees who quit knew they
> > were violating company policy but chose to ignore it
> > and those that got caught and suspended usually quit
> > the company. I should also point out that this was not
> > some low wage sweat shop. Most employees are college
> > grads and make $75K to $100K per year or more in a
> > market where the average family income is less than
> > $40K per year.
> >
> > Thanks to all for your feedback. I think I have a
> > little better understanding of the attitude. I wish I
> > knew what to do about the selfish and antisocial
> > attitudes as this is obviously a problem that is not
> > going away.
> ____________________________________________________________________________
> ________
> > Never miss a thing.  Make Yahoo your home page.
> > http://www.yahoo.com/r/hs



-- 
Yousef Syed
CISSP

http://www.linkedin.com/in/musashi