Enemy At The Water Cooler

Trent Lucier writes "On most networks diagrams I've seen, the internet looks like a cloud. Sometimes it's a fluffy white cloud. Other times it's a dark ominous cloud. Regardless of the artistic style, the depiction usually conveys the mystery and danger of putting your company's network on a global information grid next to a billion users, kind of like those old maps with dragons drawn at strategic places in the ocean. Not surprisingly, corporations spend much time and energy protecting themselves from The Outside World. In Enemy at the Water Cooler, Brian Contos argues that just as many resources should be spent on defending against insider threats. Will this book help you detect the enemies at your water cooler?" Read below for the rest of Trent's review.

Contos, a Chief Security Officer himself, has written a primer on insider threats and the counter-measures that can be deployed against them. The book is written for a wide audience, so don't expect low-level details about encryption algorithms and security protocols. However, if you have to deal with a large company's IT infrastructure, you may benefit from Contos' descriptions of enterprise security concepts and anecdotes.

According to the book's terminology, an insider is someone who has more privileges than the common person and uses those privileges to abuse the system. It's important to understand the full scope of the term "privileges". In addition to computer privileges, Contos is also talking about physical access to hardware, paperwork, and even other employees that can be exploited in social engineering attacks. Even if a piece of information is useless to the insider, it may be something that a competitor would be willing to buy for the right price.

The early chapters provide background on all the standard attacks that are in the news these days: phishing, denial of service, keylogging, etc... What makes these sections interesting are the statistics that are sprinkled throughout the text. In a survey conducted by CERT examining known attacks, 49% were committed by insiders that were married. This goes against the profile of the insider being someone who has less personal risk (such as a family) at stake. In fact, the prevailing image of the last 30 years depicting a computer criminal as a socially awkward young male has started to become less accurate as organized crime has turned into the biggest threat.

Enemy At The Water Cooler does a great job of putting statistics in context. The book is always careful to mention that the crime statistics represent only the known incidents. Contos often explains why certain numbers matter. Near a chart showing that 59% of discovered crimes were committed by former employees, the author explains that recently fired employees can be highly motivated to commit revenge and still have access to accounts and passwords, which is a dangerous combination.

How does the book propose that businesses deal with threats? At the end of Part I, Contos introduces a technology called Enterprise Security Management (ESM). This is a blanket term used to describe a collection of enterprise-level tools that can perform information analysis, display event feeds, manage policies, and do everything else in the world besides make toast. The remainder of the book constantly mentions this technology, so if you are not interested in learning about ESM, this book may not be for you.

At this point, it should be noted that Brian Contos is the Chief Security Officer of a company that sells ESM products. The book is neutral on which product you should use, although some screenshots show Contos' program for illustrative purposes. I did not feel that the book was biased or trying to sell me something. Regardless of who the author works for, he makes a compelling argument that ESM systems are necessary for big companies that need to manage their IT security.

Case studies comprise Part II of the book. This is the entertaining stuff, and probably the type of thing most people want to read when they pick up a book called Enemy At The Water Cooler. There are 8 main case studies, each running about 5 pages in length. Contos puts the "study" in "case study" as he illustrates how tools (ESM) and training could prevent many of the scenarios he describes. Those expecting light reading in the form of amusing anecdotes about IT security will be disappointed. However, if you're looking for a detailed analysis of insider crime, these chapters provide it.

Many times, greed and hubris are the ultimate undoing of the insider. In one example, a company discovered that their servers were hosting pirated software. Little did the company know that the employee that was asked to clean up the server was actually the one who put the software there to begin with. The insider would have gotten away with it if only he hadn't bragged to a co-worker about how dim-witted his company was.

In other situations, employees can be blackmailed into committing crimes. In the case of a Spanish company, an employee was forced into planting a wireless access point in one of the development labs. The employee had lied about his educational background on his resume, and criminals threatened to expose him if he didn't cooperate by planting the device.

The final portion of the book discusses further capabilities of ESM. The main point is that ESMs should be able to monitor everything. Contos explains a scenario where an employee pulls financial information from a proprietary system and then uploads it to a P2P network. Most companies do not have the technology to detect such an action. Not that Contos claims technology is the only answer. It is just a tool, and it is useless when not supported by trained employees and policies. At the end of the book, the reader gets information about "soft skill" topics like incident management, hiring processes, and some legal case history regarding insiders.

The book's viewpoint is very top-down with regards to the corporate hierarchy. Executives will no doubt love all the capabilities that Contos claims can be at their fingertips, but individual employees might feel it is slightly Orwellian. Can all this information that the ESM vacuums up be used for evil? The book's implicit answer seems to be "yes", since it is repeatedly made clear that no one can be trusted. But there is never any explicit information given on how the ESM itself can be protected from abuse.

Enemy at the Water Cooler provides a thorough introduction to insider threats and the countermeasures that can be used against them. If you are just interested in stories about insider security crimes, then you may want to pass. (The section on case studies is only about a third of the book's content). However, if you are interested in learning about technology that can help defend against these threats, then this book provides a comprehensive overview.

Trent Lucier is a software engineer. His latest experiment is localhost80.com"

---

You can purchase Enemy at the Water Cooler: True Stories of Insider Threats and Enterprise Security Management from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

YOU TOOK THE LAST GLASS OF WATER

[Anonymous Coward]

you have now made an enemy at the water cooler..

Re:

[3chuck3 (512455)]

Actually, I guess I am one of the types of people the book is describing. I see it as in my best interests, as a System/Network/Citrix Admin, to be able to have Unix Root, Windows Full Domain administration.

It is job security, having management know I have cart-blanch full access to the whole company system, with no big brother security monitoring of my system and internet activities.

Make it harder for any of the CEO/CFO to let me go because they drove the business into a downturn, I make to much salarie

Re:

[Anonymous Coward]

Actually, I guess I am one of the types of people the book is describing.

Yep, sounds like it. You're the reason the rest of us have to put up with the kinds of onerous security protocols and limitations the book describes. Some people are solution-providers; you're one of the problem-providers.

re:YOU TOOK THE LAST BIT OF DIGNITY

[PopeRatzo (965947)]

You're the reason the rest of us have to put up with the kinds of onerous security protocols and limitations the book describes.

No, the reason we have to put up with "the kinds of onerous security protocols..." is that corporations have lost all sense of loyalty to their employees.

My father, three of his brothers and their father all worked for the same company for all their working life. They were well taken care of and they returned that loyalty several times over in the course of their careers.

Today, companies are more concerned with cutting another 10,000 employees so their stock price will jump a few cents for a couple of weeks than creating a relationship of trust and security with their employees. Benefits are cut, unions are fought, jobs shipped overseas and life is generally made as miserable as possible for the people who sweat blood on the shop floor. Meanwhile, the differential between what the CEO makes compared to the average employee has gone from 20 to 1 to 20,000 to 1.

I'm not surprised that corporations find themselves loathed by their employees and having to exert effort and money trying to protect themselves from their own people. What surprises me is that we don't see more all-out sabotage by disgruntled employees.

It's not coincidental that the period of enormous growth and prosperity of the few decades after World War II happened to also be a period of improving conditions, organization and influence for the workers. A period when labor unions were considered a crucial part of the economic system. Those unions were the only reason the US had such a strong and deep middle class from 1950 until their demise began at the hands of that doddering tool of the Right-Wing Rich, Ronald Reagan, who, if God is just, is burning in Hell.

different goals

[misanthrope101 (253915)]

The goal used to be to make money. Now the goal is to make as much money as possible. Though those seem like similar goals, in reality they aren't. Before, as long as you were making money then you could, with a good conscience, treat your employees well. Now, no matter how much money you're making, you still can't treat your employees well and feel good about it, because every cent spent on human decency is a cent of profit squandered. Also, many companies of old felt that they had a responsibility to their workers, whereas now workers are viewed as an expense, like paper clips or toilet paper. This attitude makes for a hotter stock price, but a worse quality of life for everyone who works there.

Also, CEO pay has skyrocketed in comparison to worker pay, and no company that pays hundreds of millions of dollars to departing executives can also afford to be loyal and supportive to the workers. In the corporate culture of today, executives are seen as the movers and shakers, the visionaries who create the value, while the workers are seen as expenses.

Re:YOU TOOK THE LAST BIT OF DIGNITY

[teh_chrizzle (963897)]

I'm not surprised that corporations find themselves loathed by their employees and having to exert effort and money trying to protect themselves from their own people. What surprises me is that we don't see more all-out sabotage by disgruntled employees.

it happens all the time... but i'll bet it doesn't often make the papers.

the word sabotage comes from the french word "sabot" which is a kind of wooden shoe or clog. during the industrial revolution, angry workers would kick the machines they worked on or throw the shoes into them, resulting in a "clog" in the output.

in the intelligence community, disgruntled soldiers and public servants make some if the best moles or double agents. in government, many whistleblowers act not out of a sense of duty or responsability but as a means of exacting revenge.

Re:YOU TOOK THE LAST GLASS OF WATER

[eln (21727)]

Sure, I guess you could take down their entire system if they fired you. That is, if you're okay with never working in the industry again.

Your career is heavily dependent on your reputation. If you have a reputation as a rogue who will hold the system hostage in order to make yourself indispensable, you will not be hired elsewhere.

In any job, your goal should be to make yourself valuable, not indispensable. Indispensable people make management nervous. If you are truly indispensable, then management's primary goal becomes to make you dispensable as soon as possible, even if they like you. It's the old "What if Person X got hit by a bus tomorrow?" dilemma: nobody wants their entire business to be dependent on any one person.

Beyond that, being indispensable in your current position makes it impossible for you to move up in the company. No one will promote you, because your current position can't be backfilled, since you're the only one who can do it. This is bad for your career.

Re:

[StikyPad (445176)]

Yeah, but only if it's demonstrable. It's really hard to defend in a case like that, especially if the employee indicates some sort of animosity toward him, which they would be inclined to do if they were the sort of people to hurt you out of spite. Moreover, is it really worth your time and energy to prevent a rival company from hiring an employee you don't like? Like I said, most employers won't mess with it.

Re:

[0racle (667029)]

If you think you have a surprise coming to you if you think any of that gives you job security.

Re:

[0racle (667029)]

Damnit, don't work and post people

Should have said:
You have a surprise coming to you if you think any of that gives you job security.

No more

[IflyRC (956454)]

We removed our water cooler so that this scenario never happens.

Re:No more

[tverbeek (457094)]

Removing the water cooler isn't enough! You need to get rid of drinking fountains, coffee makers, vending machines, shared refrigerators, wet bars... any place where liquid refreshments might be dispensed. For added security, photocopiers, fax machines, and any other equipment which people might stand in line for or loiter nearby, should also be eliminated. In sensitive environments and military installations, elevators should be replaced by single-file escalators. And water cannons should be used on the smokers who assemble outside. (Not just for security, but for their own good.) It's a jungle in here, people!

Re:No more

[qwijibo (101731)]

Cube farms are a secondary location where many of these attacks can be perpetrated. The only solution is to make each person work in a separate office. For added security, it would be best if each person connected to the network from a different location, unknown to most of the other people. Mandatory full time telecommuting is the only viable solution to combat these security risks.

Re:

[ConceptJunkie (24823)]

Just send them a shipment of smallpox blankets.

Uh oh, I think that joke may have gotten me on a terrorist watch list.

WAIT!!!

[matr0x_x (919985)]

I'm confused here - is he talking about protecting my corporations network from myself?

Re:

[Golias (176380)]

That, or it's about the fact that you are stealing office supplies. I lost patience midway through paragraph 2.

Visio

[spacemky (236551)]

Does anyone have Visio stencils of those ominous dragons? I'd love to replace my Internet clouds with these.

Update on the link

[Anonymous Coward]

I have no idea why Slashdot linked to B & N here, when Amazon has it considerably cheaper [amazon.com] (see the "Used and new from..." listings).

Re:

[gavri (663286)]

http://slashdot.org/book.review.guidelines.shtml [slashdot.org]
Speaking of links, please do not include links in your reviews to online bookstores. Slashdot has an linking arrangement with Barnes & Noble; that's why when bn.com carries a particular book, you'll see a link to it at the bottom of the review.

Re:

[budcub (92165)]

I have no idea why Slashdot linked to B & N here, when Amazon has it considerably cheaper

Slashdot used to link to Amazon for books, but they took a lot of criticism for it because Amazon had patented the "one-click". Now they link to Barnes & Noble and people criticise them for not linking to Amazon any more. I guess if you're Slashdot you just can't win.

Problems.

[jellomizer (103300)]

While internal security is important but the priority should always be towards protecting your self from external attacks. Internal security problems can be minimized because there is a smaller group of suspects. As well as good hiring practices can reduce it a bit more. Next is the Cost/Benefit of putting the effort into internal security. First there is the cost of designing and implementing then there is the cost of maintaining it and keeping the employees useful. If Employee X needs to put in a request to access some data and it takes a couple of hours to do so that is a time of loss productivity.

Re:

[drooling-dog (189103)]

Not to mention the loss of morale, initiative, and motivation that happens when restrictions become too draconian and employees are routinely treated like potential criminals...

Re:Problems.

[Belial6 (794905)]

You are right. The reason we are all running PCs on our desktop instead of terminals hooked to the mainframe is because of this. People were finding that they could be far more productive with a crappy (in comparison to the mainframe) C64 or Apple II than they could with the million dollar mainframe. So, they just circumvented the corporate computers by dropping a PC on their desktop. Eventually corporations had to start supporting the PCs because when they were faced with the dramatic drop in productivity from removing the PC, or the cost of supporting PCs, the choice was obvious.

I would also caution against restricting the individuals PC desktop too much. This can very quickly lead to employees looking for ways to circumvent your security, and create threats that you don't know about. Sometimes this even means making sure the employees computers properly play CDs, and can access entertainments sites on the internet. The best and the brightest often look for the most enjoyable work environment. Being able to listen to their music while working, or taking a short break to see if there will be a new episode of BSG this week could mean the difference between getting someone that is adequate at their job, and getting someone that is great. It could also mean the difference between an employee that dreads coming to work, and someone that looks forward to it.

snitch networks?

[haluness (219661)]

So what next - snitch networks? Informants?

Pissed off people (and assholes) will always remain so.

Re:snitch networks?

[IflyRC (956454)]

otherwise known as "HR".

I was waiting for this to get mentioned

[TubeSteak (669689)]

Executives will no doubt love all the capabilities that Contos claims can be at their fingertips, but individual employees might feel it is slightly Orwellian. Can all this information that the ESM vacuums up be used for evil? The book's implicit answer seems to be "yes", since it is repeatedly made clear that no one can be trusted.

And that's a problem created by solving the infosec problem.

Employees like to feel trusted. The kinds of security measures that will really protect your information are the kinds of security measures that will create a semi-oppressive environment.

I guess that's something that has to be balanced: the effects of your security implementation on morale/productivity vs the cost of a possible breach

Insiders only 20% of threat

[Anonymous Coward]

Not quite. Only around 20% of registered, reported attacks come from an insider threat, and of those, only 10% are from IT. You can find this at a Jan 23rd posting on CERT about insider threats.

http://www.cert.org/ [cert.org]

  Therefore, implying that the insider threat looms as large as others is highly divisive and misleading. Further, you can take concrete steps to reduce the risk of an insider threat, while you cannot have that level of impact in threat reduction (vulnerability and asset risk reduction, yes, but not threat) for the rest of the world.

- musides

Re:

[SamShazaam (713403)]

The same report that you quote states (page 8) that 74% of those insider attacks are successful to one degree or another. This is highly significant considering most security is located at the network perimeter.

Re:

[Otter (3800)]

While trying to reconcile this 20% with the claim of 49% of attacks by married insiders (short answer: the AC is correct and the 49% is the percent of insiders that were married)...

...I fell over laughing while reading this [cert.org]. (Go to slide 31)

Wine

[len_p (782308)]

In France they have a different approach. At lunch everybody takes a glass of wine and it's considered normal. Should replace the watter with wine and it will drastically reduce security threats :) Len [www.len.ro]

Re:

[MightyMartian (840721)]

Oh yeah, a bunch of drunks tottering around the office, falling over computers and fondling receptionists will really keep things together!

Nice Review

[steveit_is (650459)]

I'm definitely going to be purchasing this book, as we've recently had an 'incident' and in the health care field these kinds of things could mean jail time for me as the person responsible for security thanks to HIPAA.

Who talks at the water cooler anyway?

[The Fanta Menace (607612)]

Can we end the "talking around the water cooler" cliche? Very few people stand around the water cooler. They walk up to it, fill their cup or bottle, and walk away.

If someone wanted to have a good chat with their workmates, they'd wander off to a nearby cafe, where their conversation isn't going to be seen or heard by their managers.

More spinoffs of the terrorist threat

[Excelcia (906188)]

It really sounds to me like this is just a continuing tune on the terrorist theme. Watch out, you aren't safe anywhere, you can't tell who might be out to get you, no one is excluded from suspicion.

My assertion is that looking behind you all the time and treating everyone as a potential threat causes more damage than the problems it supposedly avoids. If the patriot act is the cure, I'd rather have the disease, thank-you. The same goes in the office.

Re:

[ScentCone (795499)]

It really sounds to me like this is just a continuing tune on the terrorist theme.

If you've dealt with a company that had an inside bad guy ship out a dumped database containing all of that company's customer's credit card numbers and personal data, you'd probably feel a little differently. Just like you'd probably feel differently if a family member had been on one of those trains in Madrid, or in a nightclub in Bali, or in one of those embassies in Africa, or in the WTC, or taking a flight that ended i

About that cloud

[biglig2 (89374)]

Nothing sinsister about it, I'm afraid. The cloud is used because it does not matter how the internet works, only that you put packets in one place with the right address, and they come out at that address. How they got there, we neither know or care. Hence the cloud, not because there is mystery, but because maybe it's fiber, maybe copper, maybe SDSL, or Frame Relay, maybe it's satellite, maybe it goes via Hamburg, maybe via London, we don't care because it doeesn't matter.

Re:

[drinkypoo (153816)]

It does suggest some fun, though. If you could get a nice big map to use as the basis you could develop some borders that would make your network maps look like some ancient shit you'd see on some pirate ship. Draw the lightning bolt not to a cloud (I used to simply mark it CFNC, the Cisco Fluffy Network Cloud, but that's when I worked there - now I label it "Internet" like everyone else) but to the area of the map which is labeled with "HERE BE DRAGONS" and illustrated with assorted mythical beasties.

Re:

[biglig2 (89374)]

Oh, yeah, I am so doing that on my next set of network diagrams.

Man, I've got mod points but if I mod you up my original goes and it all get confusing. Will you take a rain check?

Go off the grid

[vga_init (589198)]

What if your company's network weren't connected to the internet at all? Naturally, a lot of companies "need" this, but I'm sure there are other companies that can operate fine without the internet at all. Not only does it save the company from worrying about "outside" threats, but I imagine it also helps to deter inside threats. For example, look at the employee that hosted pirated software on company machines. Without the 'net, how is he going to host it?

Self-Generating Problem

[G4from128k (686170)]

I wonder how many companies, in an attempt to defuse "the enemy at the water-cooler", have treated employees with such contempt that they have created even more and more aggressive internal enemies. The more companies treat their employees as adversaries, the more adversaries they create.

Yes, companies should take prudent steps to oversee the security of their networks and systems. But I suspect they need to do more to enlist the aid of the allies at the water-cooler and in creating a positive work environment than in draconian control measures.

Every Few Months

[99BottlesOfBeerInMyF (813746)]

Every few months someone writes and article or publishes something talking about how insider threats are the largest avenue for security breaches. Usually, they are trying to sell some new "spy on your employees" device. My company even makes a device that tracks employee internet usage and finds abnormalities. We have one deployed internally and anyone can look at it to see what other people have been doing. Sometimes we'll make fun of someone for being the most frequent visitor to Slashdot this month, or some-such. That said, we have deployed an incredibly effective system for stopping insider threats. Such a system used to be commonplace in many companies, but has since fallen into disuse due to modern business strategies and short-term money saving concerns. This fabulous system is called, "beer in the fridge."

By spending a small amount of money to keep the kitchen fridge stocked with free beer for all employees, the company has cheaply bought all our loyalty. Sure we could perform extensive audits and spend time spying on potential insider threats and implement physical security to stop people from bringing in portable drives they could use to steal our customer databases, but really the beer is a lot cheaper. It has added benefits too. If an employee is gets a job offer elsewhere they often ask about the free beer situation. I think it is worth about 20K of salary in most people's comparisons. If people are moving on, they stay in touch with people here and recommend us to work for and to buy products and services from. People give lots of notice and will stay on to finish a project or train someone else. People are a lot more likely to stay late or come in on the weekends to work on something because of the free beer.

Yes, the fabulous "beer in the fridge" system has many advantages.

Treat employees well, like people instead of mercenaries. Be their friend as well as their boss. If they can't come in some day because they have something come up, or an old friend comes into town, let them take a day off. Make sure people don't fear they will be fired because management needs better numbers for the year. Make sure they know they are valued as employees and people. Take them out to lunch now and again or order a pizza, or get free donuts. Well treated people almost never betray their employer and tend to treat their boss well in return. This isn't rocket science.

Re:

[99BottlesOfBeerInMyF (813746)]

We have a policy of paying for cabs, rather than risking someone driving home. Besides, people will maybe have a beer at lunch, or one after work, then grab some dinner and head home. Anyone likely to get drunk probably went to a bar after work anyway.

Why even think about technological solutions?

[Beryllium Sphere(tm) (193358)]

Banks have been aware of insider threats for centuries. They have a battle-tested set of policies and procedures such as separation of duties to control the threats. Banks have been able to stay in business for a long time before ESM became available.

Banks have also gone out of business due to the insider threat people seem afraid to discuss. There's an old saying, "The best way to rob a bank is to own one". Crooked senior management stole one Sagan (billions and billions) of dollars during the 1980s US savings and loan disaster. Sometimes the thefts are even considered legal, as when a CEO walks away from a ruined company with a hundred million in "performance bonuses". How is ESM going to protect against Ken Lay, who did more damage than any random thousand "disgruntled former employees"? (*)

Banking procedures, such as requiring people to take vacations, have the other advantage that they don't risk violating privacy laws. In some countries you may not be allowed to spy on your workers to the extent you can in others.

(*) Who disgruntled them, anyway?

My name is Milton Waddams

[Stanistani (808333)]

>Will this book help you detect the enemies at your water cooler?

No. I will have to find out myself who took my red stapler.

*walks off muttering*

Re:

[eneville (745111)]

Windows Vista Forum [vistahelpforum.com]

the above, runs on php. that doesn't say much for vista does it!! like doesnt it come with a webserver?

Re:jumping ship

[tverbeek (457094)]

It may surprise you to learn that PHP can be run on a Windows system using Microsoft's IIS as its web server.

Re:

[BecomingLumberg (949374)]

Hey nah- we don't approve of yer Micro-soft 'round he-uh!

Re:

[drinkypoo (153816)]

the above, runs on php. that doesn't say much for vista does it!! like doesnt it come with a webserver?

PHP is not a webserver, it is a scripting language. You can use PHP with IIS, I've done it, I don't recommend it but not because there are problems with such a combo, just because IIS sucks.

Re:

[Chyeld (713439)]

Dude, I'm in your water cooler, stealing your secrets!

Re:

[Fred_A (10934)]

Isn't that exactly what they'd want us to believe ?