Security Basics mailing list archives

RE: Security and the Under 30 User


From: "Evert Breero" <Evert.Breero () aapt com au>
Date: Thu, 14 Feb 2008 10:55:58 +1100

Hi All,

Here is the original email that I received when I signed up to a Yahoo
group that sends out the info on a daily basis.  There is a link in the
email where you can sign up to become a member of the Yahoo group.

Also, when I originally signed up, I signed up using a link on the actual
web proxy site; many Proxy Websites have links whereby you can sign up and
receive daily updates detailing which new Proxy sites are available and
haven't yet been detected by Web Filters.

Also, on the original subject, using our Web Filter, in accordance with
our Security Policy, staff are allowed to use the Web for personal use,
but not to abuse it.  So obviously the question comes down to what is
termed abuse.  So in light of this, we implemented our filtering
policies to limit usage of sites like Facebook, YouTube, games sites etc.
to 10MB per day.  This seemed to stem the tide of staff staying
connected to the web all day, which in fact had led to the staff using
Web Proxies.

Cheers 
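As an added example, not code from any poster in this thread, the script below runs the two controls discussed here on the defender's side over web-filter log lines: it decodes the base64 `q=` value of the ysurfnow.info-style proxy URL Joe quoted so the hidden destination can be logged and the host added to the blocked category, and it tracks the 10MB-per-day quota Evert describes for throttled categories. The log line format, the category names, the user names and the sample lines are assumptions constructed for the example.

```python
import base64
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Assumed (not from the thread): the log line format and category names below.
DAILY_QUOTA_BYTES = 10 * 1024 * 1024        # the 10MB/day limit Evert describes
THROTTLED = {"social", "video", "games"}    # hypothetical filter category names
URL_RE = re.compile(r"^https?://[\w.-]+", re.I)


def embedded_target(url):
    """URL hidden in a base64 query value (the ysurfnow ?q= pattern), else None."""
    for part in urlsplit(url).query.split("&"):
        value = unquote(part.partition("=")[2])   # unquote keeps '+' and '/' intact
        padded = value + "=" * (-len(value) % 4)  # tolerate stripped padding
        try:
            decoded = base64.b64decode(padded, validate=True).decode("ascii")
        except ValueError:      # bad alphabet, bad padding or non-ASCII result
            continue
        if URL_RE.match(decoded):
            return decoded
    return None


def analyse(lines):
    """Lines are 'YYYY-MM-DD user bytes category url'; returns (user, kind, detail)
    alerts: 'proxy' for evasion URLs, 'quota' once per user and day over the limit."""
    usage, over, alerts = defaultdict(int), set(), []
    for line in lines:
        day, user, nbytes, category, url = line.split(None, 4)
        target = embedded_target(url)
        if target:
            alerts.append((user, "proxy", f"{url} -> {target}"))
        if category in THROTTLED:
            key = (day, user)
            usage[key] += int(nbytes)
            if usage[key] > DAILY_QUOTA_BYTES and key not in over:
                over.add(key)
                alerts.append((user, "quota", f"{usage[key]} bytes on {day}"))
    return alerts


SAMPLE_LOG = [  # constructed sample lines, not real traffic
    "2008-02-13 jdoe 6291456 social http://www.facebook.com/",
    "2008-02-13 jdoe 5242880 video http://www.youtube.com/",
    "2008-02-13 asmith 1024 general http://ysurfnow.info/index.php?q=aHR0cDovL3d3dy5teXNwYWNlLmNvbS8%3D",
    "2008-02-13 asmith 2048 general http://example.com/search?q=proxy",
]
```

Calling `analyse(SAMPLE_LOG)` yields one proxy alert for asmith (the hidden target decodes to http://www.myspace.com/) and one quota alert for jdoe after the second throttled request pushes the day's total past 10MB; ordinary query strings such as `q=proxy` are not flagged.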

-----Original Message-----
From: infolookup () gmail com [mailto:infolookup () gmail com] 
Sent: Thursday, 14 February 2008 10:05 AM
To: Timmothy Lester; listbounce () securityfocus com; Evert Breero
Cc: security-basics () securityfocus com
Subject: Re: Security and the Under 30 User

SurfControl is a part of our web proxy also, and there is an option to
block remote proxies, but taking it a step further and blocking new
proxies is even better. What is this mailing list you speak of?
Sent from my Verizon Wireless BlackBerry

-----Original Message-----
From: "Timmothy Lester" <Timmothy.Lester () primeadvisors com>

Date: Wed, 13 Feb 2008 09:20:59 
To:"Evert Breero" <Evert.Breero () aapt com au>
Cc:<security-basics () securityfocus com>
Subject: RE: Security and the Under 30 User


Hello Breero,
What mailing list did you use?
thx
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Evert Breero
Sent: Tuesday, February 12, 2008 7:15 PM
To: George, Joe (OCFO); Jason Thompson; net sec consule
Cc: security-basics () securityfocus com
Subject: RE: Security and the Under 30 User

Hi Joe,

I had the same problem with our Web Filtering tool (SurfControl) and our
staff.  I found that they were using Web Proxies, and a large portion of
them.  What I did was block the category, and then I signed up to a free
mailing list, that on a daily basis sends out recommendations on what
proxies are new or undetected yet.
I then go to these sites, and if they are available, I then add them to
the blocked category.

Hope this helps.

Cheers 

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of George, Joe (OCFO)
Sent: Wednesday, 13 February 2008 8:27 AM
To: 'Jason Thompson'; net sec consule
Cc: security-basics () securityfocus com
Subject: RE: Security and the Under 30 User

Slightly unrelated to the subject, but still relevant:

One thing I'm discovering a lot are sites which claim to allow you to view
the blocked sites like FaceBook, etc.  There are mirrors after mirrors and
site after site that do this.  Are there ways to stop it or will savvy
"under-30" types continue to be resourceful and circumvent?

Here's an example:

http://ysurfnow.info/index.php?q=aHR0cDovL3d3dy5teXNwYWNlLmNvbS8%3D

 

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Jason Thompson
Sent: Tuesday, February 12, 2008 3:10 PM
To: net sec consule
Cc: security-basics () securityfocus com
Subject: Re: Security and the Under 30 User

I am 31, and have just left that Under 30 group :) My main line of
work is information security pen tests, assessments, incident response
and investigations. You are absolutely right about the ME ME ME
attitude that many younger people have. They are the online generation
and if they aren't able to connect to people on the net 24x7 it's a
huge issue. I'll admit if I am not near an Internet connection I feel
a little out of sorts myself :)

I agree with Chris, they understand consequences. I've done some
demonstrations that have changed a few minds. Usually starts with "oh
you think Facebook is secure? Watch this..." and 10 mins later they
are deleting 2/3 of the data in their profile. Facebook is a
fantastic social engineering tool, as a pen tester I love it. Made my
job a lot easier. And I've seen it used in several embezzlement cases.
I mean those apps people install are gathering information right out
of the profile (you ALLOW it to do this when you add the app), so how
hard would it be to add some 'special' features? Goes beyond that as
well, I demonstrate how they can click a link and without doing
anything their computer is under someone else's control, how just by
chatting on MSN they can have their computer scoured for information.

From a corporate standpoint, policy has to be forced. 'You will learn
to like it or there's the door' is the way companies need to approach
security sometimes. This PC is a company asset, and no problem if you
want to use your MSN and whatever (with content filtering and
restrictions) and you can do your social networking on your lunch or
whatever (you have to give them SOME slack) but you are being watched
and if you have too many red flags (social networking for 5 hrs a
day), the hammer comes down. And they have zero recourse if it's a
written policy. Policy requires technology to enforce it because
frankly policies are meaningless to users unless you apply an
enforcement method, but policy is required to ensure the employee
doesn't come back and say 'well I didn't know'. And to be honest the
people who raise a HUGE stink about this sort of thing are probably
employees that are not adding any real value to the company (because
they are social networking all the time), are thinking only of
themselves, and should probably be working at a gas station anyway, so
losing them isn't as big a loss as the company might think. And when
they go looking for other jobs with no references and having been
fired for lack of productivity, a gas station is where they will
likely end up. Which is just fine. Consequences. You mentioned the
company lost these 100K a year people... who were doing tons of social
networking... to me that sounds like a good opportunity to gain some
financial assets back :) I don't know what they did for the company
but it sounds like they didn't do much. People are either assets or
liabilities, and these people sound like liabilities. That may seem
cold but it's business... it is what it is :)

This isn't restricted to under 30. I've met some folks who have 20
years exp in security, but 20 years exp in doing security very poorly
because security wasn't a forefront when they were in their 20's. One
actually could argue that because of the lack of security awareness in
the 80's and early 90's, the 40+er's are far more likely to practice
poor security than the under 30 group. In fact, if I took a social
sample, I would bet on it. They may be much less likely to have that
need to be online, but when they are online, I'll bet their passwords
are 'password123' or will click anything sent to them. It would be an
interesting social experiment...

I am more concerned about what's coming... To be blunt, the education
system is forcing kids through the school system without failing them
much more than it used to regardless of how little work they do (I
have a lot of teacher friends on the high school level) and with no
discipline because that is frowned upon now, so there are more
graduating who shouldn't be and entering the workforce with no real
skills or disciplined work ethic. In that same line, we have been
trying to hire more consultants but it's impossible to find one that
knows what they are doing rather than saying they know and knowing
nothing, and with no time management skills, poor work ethics, and a
general lack of respect for authority because they were never taught
to respect authority in school. This of course leads to a lack of
respect for security.

-J

On Feb 10, 2008 3:36 PM, net sec consule <netseccon () yahoo com> wrote:
Thanks to everyone for their replies.

Please let me clarify a few things.

I agree that almost everyone has a lot of resistance
to security. However, I find that the old crowd tends
to be more compliant and only grumble a little, but
in general go along with policy. The under-30 crowd is
where I constantly see the problem: They don't grumble
and then comply, they loudly object and rebel. The old
crowd generally appears to value their jobs, but I
find the younger crowd often has the attitude "If I
can't get my way around here, take this job and shove
it!". That is the biggest difference I see, outright
defiance on the part of the younger worker. I see this
in just about every one of my clients.

Without question, my biggest concern I have about the
under-30 crowd is their not caring about privacy. This
really concerns me as it does not bode well for the
future of a democratic society. I am also concerned
about the "screwing the big corporations doesn't
impact me" attitude. After all, anything that makes it
more expensive to do business increases everyone's
cost of living.

About the client with the under-30s quitting because
they had social networking taken away. Each employee
signs twice a year an agreement that includes that
computers and communications equipment (telephones,
company cell phones, etc.) are for official company
business only and usage may be monitored without
further notice. Computer login screens repeat the
notice every time someone signs in. The company has an
established history of docking paychecks for non-business
cell phone use, suspending employees without
pay for trying to bypass computer security, spending
time on social network sites, and firing employees who
visit porn and other inappropriate sites. The company
has always prohibited cameras in the workplace and
has prohibited personal cell phones in the workplace
for several years. IM was blocked a few years back
when it started becoming a malware source. Social
networking sites have always been against policy, but
it was not until they were blocked that outright
rebellion occurred. The employees who quit knew they
were violating company policy but chose to ignore it
and those that got caught and suspended usually quit
the company. I should also point out that this was not
some low wage sweat shop. Most employees are college
grads and make $75K to $100K per year or more in a
market where the average family income is less than
$40K per year.

Thanks to all for your feedback. I think I have a
little better understanding of the attitude. I wish I
knew what to do about the selfish and antisocial
attitudes as this is obviously a problem that is not
going away.
This communication, including any attachments, is confidential. If you
are not the intended recipient, you should not read it - please contact
me immediately, destroy it, and do not copy or use any part of this
communication or disclose anything about it.
--- Begin Message ---
From: "ProxInbox Moderator" <ProxInbox-owner () yahoogroups com>
Date: Thu, 25 Oct 2007 16:45:06 +1100

Welcome to the ProxInbox group at Yahoo! Groups.

You're set to connect with your group, so drop by soon.
Be sure to check out all the simple (and free) ways to
communicate, share, and discover:

* You choose when and how to stay in touch
* Swap photos, files, polls, calendars, links, and more with members
* Quickly scan new postings and browse detailed message archives
* Plus enjoy many more ways to show and tell - 24/7

So get started. Visit ProxInbox now.
http://us.rd.yahoo.com/evt=42879/*http://groups.yahoo.com/group/ProxInbox


Regards,
Moderator
ProxInbox

 

Complete your Yahoo! Groups account:
----------------------------------------------------------------------
Your email address has been added to the email list of a Yahoo! Group.
To gain access to all of your group's web features (previous messages,
photos, files, calendar, etc.) and easier control of your message
delivery options, we highly recommend that you complete your account
by connecting your email address to Yahoo account. It is easy and free.
Please visit:
http://groups.yahoo.com/convacct?email=evert.breero%40aapt.com.au&list=ProxInbox

Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/ 
--- End Message ---