Enemy At The Water Cooler

Trent Lucier writes "On most networks diagrams I've seen, the internet looks like a cloud. Sometimes it's a fluffy white cloud. Other times it's a dark ominous cloud. Regardless of the artistic style, the depiction usually conveys the mystery and danger of putting your company's network on a global information grid next to a billion users, kind of like those old maps with dragons drawn at strategic places in the ocean. Not surprisingly, corporations spend much time and energy protecting themselves from The Outside World. In Enemy at the Water Cooler, Brian Contos argues that just as many resources should be spent on defending against insider threats. Will this book help you detect the enemies at your water cooler?" Read below for the rest of Trent's review.

Enemy at the Water Cooler: True Stories of Insider Threats and Enterprise Security Management
author	Brian T. Contos
pages	302
publisher	Syngress Publishing
rating	8
reviewer	Trent Lucier
ISBN	1597491292
summary	A thorough introduction to insider threats and the countermeasures that can be used against them

Contos, a Chief Security Officer himself, has written a primer on insider threats and the counter-measures that can be deployed against them. The book is written for a wide audience, so don't expect low-level details about encryption algorithms and security protocols. However, if you have to deal with a large company's IT infrastructure, you may benefit from Contos' descriptions of enterprise security concepts and anecdotes.

According to the book's terminology, an insider is someone who has more privileges than the common person and uses those privileges to abuse the system. It's important to understand the full scope of the term "privileges". In addition to computer privileges, Contos is also talking about physical access to hardware, paperwork, and even other employees that can be exploited in social engineering attacks. Even if a piece of information is useless to the insider, it may be something that a competitor would be willing to buy for the right price.

The early chapters provide background on all the standard attacks that are in the news these days: phishing, denial of service, keylogging, etc... What makes these sections interesting are the statistics that are sprinkled throughout the text. In a survey conducted by CERT examining known attacks, 49% were committed by insiders that were married. This goes against the profile of the insider being someone who has less personal risk (such as a family) at stake. In fact, the prevailing image of the last 30 years depicting a computer criminal as a socially awkward young male has started to become less accurate as organized crime has turned into the biggest threat.

Enemy At The Water Cooler does a great job of putting statistics in context. The book is always careful to mention that the crime statistics represent only the known incidents. Contos often explains why certain numbers matter. Near a chart showing that 59% of discovered crimes were committed by former employees, the author explains that recently fired employees can be highly motivated to commit revenge and still have access to accounts and passwords, which is a dangerous combination.

How does the book propose that businesses deal with threats? At the end of Part I, Contos introduces a technology called Enterprise Security Management (ESM). This is a blanket term used to describe a collection of enterprise-level tools that can perform information analysis, display event feeds, manage policies, and do everything else in the world besides make toast. The remainder of the book constantly mentions this technology, so if you are not interested in learning about ESM, this book may not be for you.

At this point, it should be noted that Brian Contos is the Chief Security Officer of a company that sells ESM products. The book is neutral on which product you should use, although some screenshots show Contos' program for illustrative purposes. I did not feel that the book was biased or trying to sell me something. Regardless of who the author works for, he makes a compelling argument that ESM systems are necessary for big companies that need to manage their IT security.

Case studies comprise Part II of the book. This is the entertaining stuff, and probably the type of thing most people want to read when they pick up a book called Enemy At The Water Cooler. There are 8 main case studies, each running about 5 pages in length. Contos puts the "study" in "case study" as he illustrates how tools (ESM) and training could prevent many of the scenarios he describes. Those expecting light reading in the form of amusing anecdotes about IT security will be disappointed. However, if you're looking for a detailed analysis of insider crime, these chapters provide it.

Many times, greed and hubris are the ultimate undoing of the insider. In one example, a company discovered that their servers were hosting pirated software. Little did the company know that the employee that was asked to clean up the server was actually the one who put the software there to begin with. The insider would have gotten away with it if only he hadn't bragged to a co-worker about how dim-witted his company was.

In other situations, employees can be blackmailed into committing crimes. In the case of a Spanish company, an employee was forced into planting a wireless access point in one of the development labs. The employee had lied about his educational background on his resume, and criminals threatened to expose him if he didn't cooperate by planting the device.

The final portion of the book discusses further capabilities of ESM. The main point is that ESMs should be able to monitor everything. Contos explains a scenario where an employee pulls financial information from a proprietary system and then uploads it to a P2P network. Most companies do not have the technology to detect such an action. Not that Contos claims technology is the only answer. It is just a tool, and it is useless when not supported by trained employees and policies. At the end of the book, the reader gets information about "soft skill" topics like incident management, hiring processes, and some legal case history regarding insiders.

The book's viewpoint is very top-down with regards to the corporate hierarchy. Executives will no doubt love all the capabilities that Contos claims can be at their fingertips, but individual employees might feel it is slightly Orwellian. Can all this information that the ESM vacuums up be used for evil? The book's implicit answer seems to be "yes", since it is repeatedly made clear that no one can be trusted. But there is never any explicit information given on how the ESM itself can be protected from abuse.

Enemy at the Water Cooler provides a thorough introduction to insider threats and the countermeasures that can be used against them. If you are just interested in stories about insider security crimes, then you may want to pass. (The section on case studies is only about a third of the book's content). However, if you are interested in learning about technology that can help defend against these threats, then this book provides a comprehensive overview.

Trent Lucier is a software engineer. His latest experiment is localhost80.com"

---

You can purchase Enemy at the Water Cooler: True Stories of Insider Threats and Enterprise Security Management from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

YOU TOOK THE LAST GLASS OF WATER

[Anonymous Coward]

you have now made an enemy at the water cooler..

Re:

[3chuck3]

Actually, I guess I am one of the types of people the book is describing. I see it as in my best interests, as a System/Network/Citrix Admin, to be able to have Unix Root, Windows Full Domain administration.

It is job security, having management know I have cart-blanch full access to the whole company system, with no big brother security monitoring of my system and internet activities.

Make it harder for any of the CEO/CFO to let me go because they drove the business into a downturn, I make to much salarie

Re:

[Anonymous Coward]

Actually, I guess I am one of the types of people the book is describing.

Yep, sounds like it. You're the reason the rest of us have to put up with the kinds of onerous security protocols and limitations the book describes. Some people are solution-providers; you're one of the problem-providers.

re:YOU TOOK THE LAST BIT OF DIGNITY

[PopeRatzo]

You're the reason the rest of us have to put up with the kinds of onerous security protocols and limitations the book describes.

No, the reason we have to put up with "the kinds of onerous security protocols..." is that corporations have lost all sense of loyalty to their employees.

My father, three of his brothers and their father all worked for the same company for all their working life. They were well taken care of and they returned that loyalty several times over in the course of their careers.

Today, companies are more concerned with cutting another 10,000 employees so their stock price will jump a few cents for a couple of weeks than creating a relationship of trust and security with their employees. Benefits are cut, unions are fought, jobs shipped overseas and life is generally made as miserable as possible for the people who sweat blood on the shop floor. Meanwhile, the differential between what the CEO makes compared to the average employee has gone from 20 to 1 to 20,000 to 1.

I'm not surprised that corporations find themselves loathed by their employees and having to exert effort and money trying to protect themselves from their own people. What surprises me is that we don't see more all-out sabotage by disgruntled employees.

It's not coincidental that the period of enormous growth and prosperity of the few decades after World War II happened to also be a period of improving conditions, organization and influence for the workers. A period when labor unions were considered a crucial part of the economic system. Those unions were the only reason the US had such a strong and deep middle class from 1950 until their demise began at the hands of that doddering tool of the Right-Wing Rich, Ronald Reagan, who, if God is just, is burning in Hell.

different goals

[misanthrope101]

The goal used to be to make money. Now the goal is to make as much money as possible. Though those seem like similar goals, in reality they aren't. Before, as long as you were making money then you could, with a good conscience, treat your employees well. Now, no matter how much money you're making, you still can't treat your employees well and feel good about it, because every cent spent on human decency is a cent of profit squandered. Also, many companies of old felt that they had a responsibility to their workers, whereas now workers are viewed as an expense, like paper clips or toilet paper. This attitude makes for a hotter stock price, but a worse quality of life for everyone who works there.

Also, CEO pay has skyrocketed in comparison to worker pay, and no company that pays hundreds of millions of dollars to departing executives can also afford to be loyal and supportive to the workers. In the corporate culture of today, executives are seen as the movers and shakers, the visionaries who create the value, while the workers are seen as expenses.

Re:

[misanthrope101]

The high executive pay isn't the entire picture. In a culture that pays an exec $400 million in severance pay, there are also expense accounts, fine art in the lobby, jets, and all the other accoutrements of that degree of wealth. And despite your condescension, it is less than obvious that sky-high executive pay has nothing at all to do with the quality of life of the little guy. I don't necessarily think that legislation is the answer--if CEOs and boards of directors want to pay themselves tens of mill

Re:

[PopeRatzo]

but I will be intellectually honest and admit that even if you brought the CEO's pay down to a 20:1 ratio of the average employee and distributed the remainder amongst all the employees, the amount added to each employee's paycheck would be trivial and not enough to make them any more happy or less disgruntled.

Maybe it's about more than money.

I understand that's a concept around which some people have a hard time wrapping their heads.

And we'll tell you when you're being "intellectually honest".

Re:YOU TOOK THE LAST BIT OF DIGNITY

[teh_chrizzle]

I'm not surprised that corporations find themselves loathed by their employees and having to exert effort and money trying to protect themselves from their own people. What surprises me is that we don't see more all-out sabotage by disgruntled employees.

it happens all the time... but i'll bet it doesn't often make the papers.

the word sabotage comes from the french word "sabot" which is a kind of wooden shoe or clog. during the industrial revolution, angry workers would kick the machines they worked on or throw the shoes into them, resulting in a "clog" in the output.

in the intelligence community, disgruntled soldiers and public servants make some if the best moles or double agents. in government, many whistleblowers act not out of a sense of duty or responsability but as a means of exacting revenge.

Re:

[Bob Uhl]

No, the reason we have to put up with "the kinds of onerous security protocols..." is that corporations have lost all sense of loyalty to their employees.

Why should an employer have any more loyalty to his employees than a shopper does to the stores he shops at? You should owe your employer nothing more than your labour; your employer should owe you nothing more than your wages. If someone else can provide the same labour for fewer wages (or more labour for the same wages), your employer should contract

Re:YOU TOOK THE LAST GLASS OF WATER

[eln]

Sure, I guess you could take down their entire system if they fired you. That is, if you're okay with never working in the industry again.

Your career is heavily dependent on your reputation. If you have a reputation as a rogue who will hold the system hostage in order to make yourself indispensable, you will not be hired elsewhere.

In any job, your goal should be to make yourself valuable, not indispensable. Indispensable people make management nervous. If you are truly indispensable, then management's primary goal becomes to make you dispensable as soon as possible, even if they like you. It's the old "What if Person X got hit by a bus tomorrow?" dilemma: nobody wants their entire business to be dependent on any one person.

Beyond that, being indispensable in your current position makes it impossible for you to move up in the company. No one will promote you, because your current position can't be backfilled, since you're the only one who can do it. This is bad for your career.

Re:

[syousef]

Sure, I guess you could take down their entire system if they fired you. That is, if you're okay with never working in the industry again.

It's pretty hard to work in IT from prison. What you honestly think you'd just be fired?

Re:

[kaoshin]

Many careers are heavily dependent on credentials and only slightly dependent on reputation. Some careers aren't dependent on either, but are instead totally dependent on BS. If I am a middle manager, having indispensable workers gives me perceived power which means additional job security for everybody! Being indispensable can also be reversed by releasing your secret documentation or automating a task for your replacement, etc. so you could still be eligible for that promotion after all. I disagree th

Re:

[StikyPad]

Your career is heavily dependent on your reputation. If you have a reputation as a rogue who will hold the system hostage in order to make yourself indispensable, you will not be hired elsewhere.

Most employers won't volunteer information about a past employee's performance, as they can be held liable if future employment is refused due to their testimony -- especially if they can't prove their assertions.

Now by no means am I trying to imply carte blanche. There are plenty of moral, ethical, and legal reaso

Re:

[Frank T. Lofaro Jr.]

In the US, truth is an absolute defense to libel and slander.

Re:

[StikyPad]

Yeah, but only if it's demonstrable. It's really hard to defend in a case like that, especially if the employee indicates some sort of animosity toward him, which they would be inclined to do if they were the sort of people to hurt you out of spite. Moreover, is it really worth your time and energy to prevent a rival company from hiring an employee you don't like? Like I said, most employers won't mess with it.

Re:

[jimicus]

They don't need to.

"We cannot provide a reference for this person" speaks quite enough.

Re:

[StikyPad]

Not really. In most cases, you're going to expect some amount of animosity between him and his former employer, since people don't generally leave jobs that they like. You think Microsoft wrote glowing reccomendations for employees who defected to Google? It ain't happening.

Really you can't put much faith in what either the previous employer or the perspective employee are telling you; you just have to evaluate based on the merits of the employee -- education, experience, and the interview.

Re:

[Tanktalus]

That's interesting. I had one former employee ("downsized") who asked if he could use me as a reference. I said I had no problem with that, but I would only tell the truth about their performance from the perspective of his former lead. That includes both his positive attitude, and his negative productivity (he had medical issues that seemed to interfere with getting his work done, and was not on a medical leave when he was laid off - I don't know the legalities, but neither was I his actual manager who

Re:

[0racle]

If you think you have a surprise coming to you if you think any of that gives you job security.

Re:

[0racle]

Damnit, don't work and post people

Should have said:
You have a surprise coming to you if you think any of that gives you job security.

Oblig

[make dev]

Will this book help you detect the enemies at your water cooler?

All your base are belong to the water cooler!!

Re:

[Chyeld]

Dude, I'm in your water cooler, stealing your secrets!

NOT Oblig

[Anonymous Coward]

Why do people keep insisting that their old and over-used references are obligatory?

Slashdot posts do not watch you, we do not need to welcome our slashdot overlords, our base do not belong to anyone, there is plenty to see here, and so on.

Stop trying to justify your re-use of an old joke by saying it is obligatory. It isn't. Come up with something new, or just don't post.

Re:

[sanso999]

But the over-use is exactly why it's always funny when one of those comments pops up in the middle of a discussion! Oh well, maybe I'm easily amused. Carry on.

Re:

[Crunchie Frog]

I am an obligatory old joke you insensitive clod!

No more

[IflyRC]

We removed our water cooler so that this scenario never happens.

Re:No more

[tverbeek]

Removing the water cooler isn't enough! You need to get rid of drinking fountains, coffee makers, vending machines, shared refrigerators, wet bars... any place where liquid refreshments might be dispensed. For added security, photocopiers, fax machines, and any other equipment which people might stand in line for or loiter nearby, should also be eliminated. In sensitive environments and military installations, elevators should be replaced by single-file escalators. And water cannons should be used on the smokers who assemble outside. (Not just for security, but for their own good.) It's a jungle in here, people!

Re:

[StikyPad]

I'm the CIO of a major hospital. Does our blood bank count as liquid refreshment, and if so, do you think we should sell it to help recoup our costs, or...?

Re:

[martyros]

Does our blood bank count as liquid refreshment

Only if your employees are vampires.

Re:No more

[qwijibo]

Cube farms are a secondary location where many of these attacks can be perpetrated. The only solution is to make each person work in a separate office. For added security, it would be best if each person connected to the network from a different location, unknown to most of the other people. Mandatory full time telecommuting is the only viable solution to combat these security risks.

Re:

[dario]

I always wondered how much damage a competitor could do by sending someone with a cold onto the premises, and having them infect as many vectors as possible such as the handles on the watercooler, doorknobs, keypads, vending machines, etc. It would be enough to get a few people sick to spread the cold throughout the company, and force everyone to stay home for a day or two. If this happened around a deadline... oy.

Re:

[ConceptJunkie]

Just send them a shipment of smallpox blankets.

Uh oh, I think that joke may have gotten me on a terrorist watch list.

WAIT!!!

[matr0x_x]

I'm confused here - is he talking about protecting my corporations network from myself?

Re:

[Golias]

That, or it's about the fact that you are stealing office supplies. I lost patience midway through paragraph 2.

Visio

[spacemky]

Does anyone have Visio stencils of those ominous dragons? I'd love to replace my Internet clouds with these.

Update on the link

[Anonymous Coward]

I have no idea why Slashdot linked to B & N here, when Amazon has it considerably cheaper [amazon.com] (see the "Used and new from..." listings).

Re:

[gavri]

http://slashdot.org/book.review.guidelines.shtml [slashdot.org]
Speaking of links, please do not include links in your reviews to online bookstores. Slashdot has an linking arrangement with Barnes & Noble; that's why when bn.com carries a particular book, you'll see a link to it at the bottom of the review.

Re:

[budcub]

I have no idea why Slashdot linked to B & N here, when Amazon has it considerably cheaper

Slashdot used to link to Amazon for books, but they took a lot of criticism for it because Amazon had patented the "one-click". Now they link to Barnes & Noble and people criticise them for not linking to Amazon any more. I guess if you're Slashdot you just can't win.

Problems.

[jellomizer]

While internal security is important but the priority should always be towards protecting your self from external attacks. Internal security problems can be minimized because there is a smaller group of suspects. As well as good hiring practices can reduce it a bit more. Next is the Cost/Benefit of putting the effort into internal security. First there is the cost of designing and implementing then there is the cost of maintaining it and keeping the employees useful. If Employee X needs to put in a request to access some data and it takes a couple of hours to do so that is a time of loss productivity.

Re:

[drooling-dog]

Not to mention the loss of morale, initiative, and motivation that happens when restrictions become too draconian and employees are routinely treated like potential criminals...

Re:Problems.

[Belial6]

You are right. The reason we are all running PCs on our desktop instead of terminals hooked to the mainframe is because of this. People were finding that they could be far more productive with a crappy (in comparison to the mainframe) C64 or Apple II than they could with the million dollar mainframe. So, they just circumvented the corporate computers by dropping a PC on their desktop. Eventually corporations had to start supporting the PCs because when they were faced with the dramatic drop in productivity from removing the PC, or the cost of supporting PCs, the choice was obvious.

I would also caution against restricting the individuals PC desktop too much. This can very quickly lead to employees looking for ways to circumvent your security, and create threats that you don't know about. Sometimes this even means making sure the employees computers properly play CDs, and can access entertainments sites on the internet. The best and the brightest often look for the most enjoyable work environment. Being able to listen to their music while working, or taking a short break to see if there will be a new episode of BSG this week could mean the difference between getting someone that is adequate at their job, and getting someone that is great. It could also mean the difference between an employee that dreads coming to work, and someone that looks forward to it.

Re:

[twistedsymphony]

mod parent up^

This pretty much describes my workplace. Users had fairly high levels of control over their PCs and unrestricted internet access. Someone quit and decided to steal some files and the lockdown began. CD drives disabled, background applications that monitor USB storage transfers LIVE and alerts IT of any traffic and a ridiculously restrictive internet filter. at least 1 out of every 4 site that come up when I'm searching for code snippets or examples gets blocked because it's someones "person

Re:

[P3NIS_CLEAVER]

Internal attacks generate much more press than external ones because they are psychologically much more devastating. When you get screwed by someone you know you feel much more violated than by a stranger. Statistically external attacks outnumber internal ones by a large margin.

snitch networks?

[haluness]

So what next - snitch networks? Informants?

Pissed off people (and assholes) will always remain so.

Re:snitch networks?

[IflyRC]

otherwise known as "HR".

I was waiting for this to get mentioned

[TubeSteak]

Executives will no doubt love all the capabilities that Contos claims can be at their fingertips, but individual employees might feel it is slightly Orwellian. Can all this information that the ESM vacuums up be used for evil? The book's implicit answer seems to be "yes", since it is repeatedly made clear that no one can be trusted.

And that's a problem created by solving the infosec problem.

Employees like to feel trusted. The kinds of security measures that will really protect your information are the kinds of security measures that will create a semi-oppressive environment.

I guess that's something that has to be balanced: the effects of your security implementation on morale/productivity vs the cost of a possible breach

Re:I was waiting for THIS to get mentioned

[PopeRatzo]

Perhaps before the oppressive (no "semi" about it) environment gets created, you try to to create an environment of loyalty and trust by being decent to your employees? It's amazing what a little goodwill could do to bring down employee-driven damages. I remember hearing employees of a tech startup a few years ago talking about their company like it was their family. Even though their stock options and profit sharing was kind of measly, it was enough to give everyone a feeling of being invested in the co

Insiders only 20% of threat

[Anonymous Coward]

Not quite. Only around 20% of registered, reported attacks come from an insider threat, and of those, only 10% are from IT. You can find this at a Jan 23rd posting on CERT about insider threats.

http://www.cert.org/ [cert.org]

  Therefore, implying that the insider threat looms as large as others is highly divisive and misleading. Further, you can take concrete steps to reduce the risk of an insider threat, while you cannot have that level of impact in threat reduction (vulnerability and asset risk reduction, yes, but not threat) for the rest of the world.

- musides

Re:

[SamShazaam]

The same report that you quote states (page 8) that 74% of those insider attacks are successful to one degree or another. This is highly significant considering most security is located at the network perimeter.

Re:

[Otter]

While trying to reconcile this 20% with the claim of 49% of attacks by married insiders (short answer: the AC is correct and the 49% is the percent of insiders that were married)...

...I fell over laughing while reading this [cert.org]. (Go to slide 31)

Re:

[WinterSolstice]

Why, I'm 17-60, married, and from any ethnic background!! I'm practically good as gone :)

-WS

jumping ship

[Anonymous Coward]

Every employee thinks about striking out on their own and about taking some data or IP along with them.

Windows Vista Forum [vistahelpforum.com]

Re:

[eneville]

Windows Vista Forum [vistahelpforum.com]

the above, runs on php. that doesn't say much for vista does it!! like doesnt it come with a webserver?

Re:jumping ship

[tverbeek]

It may surprise you to learn that PHP can be run on a Windows system using Microsoft's IIS as its web server.

Re:

[BecomingLumberg]

Hey nah- we don't approve of yer Micro-soft 'round he-uh!

Re:

[drinkypoo]

the above, runs on php. that doesn't say much for vista does it!! like doesnt it come with a webserver?

PHP is not a webserver, it is a scripting language. You can use PHP with IIS, I've done it, I don't recommend it but not because there are problems with such a combo, just because IIS sucks.

Re:

[imemyself]

Vista is not a server OS. You would not run a web server on it. While it does come with IIS 7, I presume that it has a limited number of connections like IIS 5.1 does in XP.

Wine

[len_p]

In France they have a different approach. At lunch everybody takes a glass of wine and it's considered normal. Should replace the watter with wine and it will drastically reduce security threats :) Len [www.len.ro]

Re:

[MightyMartian]

Oh yeah, a bunch of drunks tottering around the office, falling over computers and fondling receptionists will really keep things together!

I've got some friends...

[freeze128]

I'll call Jesus. He'll get right on it.

Re:

[arethuza]

I thought France was supposed to have a very high GDP-per-capita-per-hour figure:

List of countries by GDP (PPP) per capita per hour [wikipedia.org]

Nice Review

[steveit_is]

I'm definitely going to be purchasing this book, as we've recently had an 'incident' and in the health care field these kinds of things could mean jail time for me as the person responsible for security thanks to HIPAA.

Who talks at the water cooler anyway?

[The Fanta Menace]

Can we end the "talking around the water cooler" cliche? Very few people stand around the water cooler. They walk up to it, fill their cup or bottle, and walk away.

If someone wanted to have a good chat with their workmates, they'd wander off to a nearby cafe, where their conversation isn't going to be seen or heard by their managers.

More spinoffs of the terrorist threat

[Excelcia]

It really sounds to me like this is just a continuing tune on the terrorist theme. Watch out, you aren't safe anywhere, you can't tell who might be out to get you, no one is excluded from suspicion.

My assertion is that looking behind you all the time and treating everyone as a potential threat causes more damage than the problems it supposedly avoids. If the patriot act is the cure, I'd rather have the disease, thank-you. The same goes in the office.

Re:

[ScentCone]

It really sounds to me like this is just a continuing tune on the terrorist theme.

If you've dealt with a company that had an inside bad guy ship out a dumped database containing all of that company's customer's credit card numbers and personal data, you'd probably feel a little differently. Just like you'd probably feel differently if a family member had been on one of those trains in Madrid, or in a nightclub in Bali, or in one of those embassies in Africa, or in the WTC, or taking a flight that ended i

Re:

[Excelcia]

DO you want to go through metal detectors to go to work? Do you want your coworkers talking to the corporate security department if you happen to browse to a web site for a packet sniffer program on your break? A certain amount of vulnerability is the price a free society pays for freedom.

It's truly ironic that here in Canada, where far fewer personal freedoms are directly enshrined in our constitution, I today enjoy more personal liberty and freedom from state interferance than those in the United Stat

Re:

[ScentCone]

And if you treat your employees like criminals they're more likely to act like criminals.

I'm always a little perplexed by this sentiment. In a large operation with sensitive data involved, everyone who works there should be acutely aware of how important it is to keep things bolted down. Everyone's jobs depend on that being done properly. In a suitably large organization, everyone involved is also going to be aware that not every person out of a given thousand is going to be personally stable, financiall

About that cloud

[biglig2]

Nothing sinsister about it, I'm afraid. The cloud is used because it does not matter how the internet works, only that you put packets in one place with the right address, and they come out at that address. How they got there, we neither know or care. Hence the cloud, not because there is mystery, but because maybe it's fiber, maybe copper, maybe SDSL, or Frame Relay, maybe it's satellite, maybe it goes via Hamburg, maybe via London, we don't care because it doeesn't matter.

Re:

[drinkypoo]

It does suggest some fun, though. If you could get a nice big map to use as the basis you could develop some borders that would make your network maps look like some ancient shit you'd see on some pirate ship. Draw the lightning bolt not to a cloud (I used to simply mark it CFNC, the Cisco Fluffy Network Cloud, but that's when I worked there - now I label it "Internet" like everyone else) but to the area of the map which is labeled with "HERE BE DRAGONS" and illustrated with assorted mythical beasties.

Re:

[biglig2]

Oh, yeah, I am so doing that on my next set of network diagrams.

Man, I've got mod points but if I mod you up my original goes and it all get confusing. Will you take a rain check?

Re:

[JeanBaptiste]

We have these clouds on the inside of our network too. Because we're ..... good.

Re:

[Anonymous Coward]

Thanks for explaining that. I always wondered why they didn't just diagram out the whole Internet instead. That would have been less confusing.

Re:

[emurphy42]

They did. [xkcd.com]

Go off the grid

[vga_init]

What if your company's network weren't connected to the internet at all? Naturally, a lot of companies "need" this, but I'm sure there are other companies that can operate fine without the internet at all. Not only does it save the company from worrying about "outside" threats, but I imagine it also helps to deter inside threats. For example, look at the employee that hosted pirated software on company machines. Without the 'net, how is he going to host it?

Re:

[Paulrothrock]

Yes, but without the Internet, what will management do all day? Internet connections are like playpens for management to keep them from meddling with the people who do actual work.

Self-Generating Problem

[G4from128k]

I wonder how many companies, in an attempt to defuse "the enemy at the water-cooler", have treated employees with such contempt that they have created even more and more aggressive internal enemies. The more companies treat their employees as adversaries, the more adversaries they create.

Yes, companies should take prudent steps to oversee the security of their networks and systems. But I suspect they need to do more to enlist the aid of the allies at the water-cooler and in creating a positive work environment than in draconian control measures.

Re:

[Fnord]

I don't know how often the oppressive rules "internal security" fanatics actually cause, but they do drive away employees. The job I had before this one treated every employee like a suspect. It was a small company, so the owner could get away with a level of paranoia that would be impractical in a larger organization.

Each of the dev rooms had web cams trained on all the engineers, which the owner would actually watch (no joke, he'd pull you in at the end of the day and tell you "I see around 3:20 you wer

Re:

[Ephemeriis]

The more companies treat their employees as adversaries, the more adversaries they create.

Very true. Sure, take reasonable security measures... But if you start snooping on everything your employees do, start filtering out Internet sites, start sifting through email...your employees start feeling oppressed and resentful. Get enough resentment going and they'll start looking for ways to get back at you. Usually it's something minor...bringing a pencil home from work to get back at the man or something s

big fluffy white clouds are nice, but . . .

[cashman73]

The big fluffy, white clouds representing the internet are nice and all, but wouldn't it be more accurate to represent the internet on diagrams with a mugshot of Al Gore, instead?

Danger! Danger Will Robinson!!

[eno2001]

(Arms flailing in the air wildly)

What is it with people today who act like working in an office in corporate America is filled with intrigue and tales of espionage? Read this now: CORPORATE AMERICAN OFFICES ARE DULL AS HELL. There are no real secrets because the monkeys who work in these glorified cages have no real power of any kind. They have no knowledge of any value. They are basically button pushers who want to feel important after watching fantasies like Fox television's 24 series. Trust me, I've

Re:

[Fred_A]

Isn't that exactly what they'd want us to believe ?

Every Few Months

[99BottlesOfBeerInMyF]

Every few months someone writes and article or publishes something talking about how insider threats are the largest avenue for security breaches. Usually, they are trying to sell some new "spy on your employees" device. My company even makes a device that tracks employee internet usage and finds abnormalities. We have one deployed internally and anyone can look at it to see what other people have been doing. Sometimes we'll make fun of someone for being the most frequent visitor to Slashdot this month, or some-such. That said, we have deployed an incredibly effective system for stopping insider threats. Such a system used to be commonplace in many companies, but has since fallen into disuse due to modern business strategies and short-term money saving concerns. This fabulous system is called, "beer in the fridge."

By spending a small amount of money to keep the kitchen fridge stocked with free beer for all employees, the company has cheaply bought all our loyalty. Sure we could perform extensive audits and spend time spying on potential insider threats and implement physical security to stop people from bringing in portable drives they could use to steal our customer databases, but really the beer is a lot cheaper. It has added benefits too. If an employee is gets a job offer elsewhere they often ask about the free beer situation. I think it is worth about 20K of salary in most people's comparisons. If people are moving on, they stay in touch with people here and recommend us to work for and to buy products and services from. People give lots of notice and will stay on to finish a project or train someone else. People are a lot more likely to stay late or come in on the weekends to work on something because of the free beer.

Yes, the fabulous "beer in the fridge" system has many advantages.

Treat employees well, like people instead of mercenaries. Be their friend as well as their boss. If they can't come in some day because they have something come up, or an old friend comes into town, let them take a day off. Make sure people don't fear they will be fired because management needs better numbers for the year. Make sure they know they are valued as employees and people. Take them out to lunch now and again or order a pizza, or get free donuts. Well treated people almost never betray their employer and tend to treat their boss well in return. This isn't rocket science.

Re:

[squallbsr]

I agree with the whole treat your employees as people is the best way to gain loyalty. It also helps to keep burocracy out of the picture, it seems when a company starts bringing in the "Experienced" managers, the free beer goes out the window and loyalty takes a huge nose dive. Mainly because it is no longer fun to work there anymore. When you become a slave to a paycheck, the company's risk of an inside job increases.

BTW, I have the pleasure of working for a beer in the fridge workplace...

Re:

[ubuwalker31]

Yes, the fabulous "beer in the fridge" system has many advantages. You mean, like having an employee drive home under the influence, and then getting sued under the State's dram shop law when that employee injures someone on the way home?

Re:

[99BottlesOfBeerInMyF]

We have a policy of paying for cabs, rather than risking someone driving home. Besides, people will maybe have a beer at lunch, or one after work, then grab some dinner and head home. Anyone likely to get drunk probably went to a bar after work anyway.

Re:

[susano_otter]

Treat employees well, like people instead of mercenaries.

I'm sorry, but this is all wrong.

First, mercenaries, like soylent green, are people. A certain kind of people: people whose loyalty can be bought with money. And like Machiavelli says, mercs will go to the highest bidder. Much better to use family, or loyal subjects... neither of which are really solid business models these days.

And honestly? I didn't join the company to make friends, thanks. I joined the company to do business. I treat my boss a

Re:

[99BottlesOfBeerInMyF]

First, mercenaries, like soylent green, are people. A certain kind of people: people whose loyalty can be bought with money.

True, but if you hire that type of people you need to be aware that more money (such as an offer from a competitor or which they can make by stealing the customer database and reselling it) is likely to change their loyalties. A good manager wants to avoid ever putting their workers into the mindset that it is all a cold business calculation because in reality, employees can make mo

Re:

[GaryPatterson]

And that post is exactly why I have you on my 'friends' list on Slashdot. Well written, solid thought-out points there.

The last sentence - "Money is not happiness" - relates to why tomorrow I'm giving notice at my current workplace. Happiness has been replaced by constant stress and I'm at the point of no longer caring what I do. I love the people I work with, but have stopped liking my work, or finding it interesting. I'm ready to trade stress and money for happiness and less money. Or at least a better ba

Re:

[susano_otter]

Ah, but my job doesn't get more difficult every day.

I get paid to do whatever work they feel like paying me for. If they want to pay me to jump through hoops, fine with me. I honestly couldn't care less what kinds of policies it takes to run a company these days.

Again, my life is not my job, and my job is not my life.

Seriously, the corporation is a big, impersonal machine. I don't take it personally when the machine acts impersonal towards me. I just don't need the grief that comes from being disgruntled.

Re:

[colinrichardday]

I can't stand beer, you insensitive clod!

Re:

[autophile]

That said, we have deployed an incredibly effective system for stopping insider threats... This fabulous system is called, "beer in the fridge."

Maybe "The Beer in the Fridge" should be the sequel to "The Enemy at the Watercooler"...

--Rob

I have 17 humidifiers running non stop

[bxbaser]

I have had the shower on for 2 weeks straight.
My internet cloud in my house is really fast now.

does anyone know how to stop all the water from dripping everywhere ?

An acquaintance of mine

[mapkinase]

An acquaintance of mine has a startup that is devoted entirely to insider security tracing what comes outwards from within the firewall. He says business is very good.

Why even think about technological solutions?

[Beryllium Sphere(tm)]

Banks have been aware of insider threats for centuries. They have a battle-tested set of policies and procedures such as separation of duties to control the threats. Banks have been able to stay in business for a long time before ESM became available.

Banks have also gone out of business due to the insider threat people seem afraid to discuss. There's an old saying, "The best way to rob a bank is to own one". Crooked senior management stole one Sagan (billions and billions) of dollars during the 1980s US savings and loan disaster. Sometimes the thefts are even considered legal, as when a CEO walks away from a ruined company with a hundred million in "performance bonuses". How is ESM going to protect against Ken Lay, who did more damage than any random thousand "disgruntled former employees"? (*)

Banking procedures, such as requiring people to take vacations, have the other advantage that they don't risk violating privacy laws. In some countries you may not be allowed to spy on your workers to the extent you can in others.

(*) Who disgruntled them, anyway?

My name is Milton Waddams

[Stanistani]

>Will this book help you detect the enemies at your water cooler?

No. I will have to find out myself who took my red stapler.

*walks off muttering*

THe only enemies at our watercooler are...

[JustNiz]

ridiculously paranoid and power-crazy sys admins who lock our pcs down so tight its almost impossible to do any software development work on them.

Re:

[dbIII]

ridiculously paranoid and power-crazy sys admins who lock our pcs down so tight its almost impossible to do any software development work on them.

How else could we get time to read slashdot?

Client firewalls wide open from the inside out

[gelfling]

I work for a large security oriented IT company and our managed client firewalls are effectively, wide open from the inside out. We assume that anything inside is fine. This does in fact get us into trouble but it's easier to do that than re architect all our applications to work in bi directionally secure world.

The cost/benefit of paranoia?

[Per Abrahamsen]

I suspect the cost in lost productivity of treating your employees as potential enemies far outweigh the benefit in reduced risk of sabotage and theft. It might not even reduce the risk, people in general have a strange tendency of behaving the way you expect them to, so if you expect them to betray you, they are more likely to do so.

what protects the ESM ..

[rs232]

"At this point, it should be noted that Brian Contos is the Chief Security Officer of a company that sells ESM products"

Ah, So ...

"In one example, a company discovered that their servers were hosting pirated software"

Does the book tell us the names of the companies and the individuals involved.

"In the case of a Spanish company, an employee was forced into planting a wireless access point in one of the development labs. The employee had lied about his educational background on his resume, and c