When geeks go bad

Usually, no one pays attention

There are perks to working IT, as in all jobs. Golf outings, dinners or little gifts from vendor reps. "Free" demo products; software on personal machines with serial numbers that, technically, are assigned to the company.

Between pulling cable, building apps to specs that change every time a unit manager says "Mmm, you know what..." and lusers who still don't know the difference between the computer and the monitor, it's not a gig lacking in frustration -- even before you get into interdepartmental budget talks that are more like domestic disturbances than business meetings.

So if a copy of Office finds its way home instead of staying on the shelf, that's understandable. It doesn't mean IT people are budget-robbing, advantage-taking manipulators out only for their own good.

Computerworld's Tam Harbert reports on a company surprised to find itself targeted by the Business Software Alliance for software piracy, which then discovered the cause was a sysadmin who not only pirated the software, but also ran a commercial porn site from a corporate server and pulled 400 customer credit cards from the company's e-commerce server.

If you ever find yourself tempted, that one is definitely over the ethical line.

So does locking up San Francisco's FibreWAN network by changing the passwords on all the switches and routers, or shutting down an employer's servers because you're mad at how you're treated.

Three quarters of data-loss and sabotage incidents come from insiders rather than outsiders, according to studies from CERT (at the Software Engineering Institute at Carnegie Mellon University). Most companies keep the crimes quiet to avoid embarrassment.

That's a big mistake, according to CSO security guru Bill Brenner, not only because it doesn't get all the bad apples out of the barrel, but also because it doesn't address the problem of spending most of your security budget keeping people out when the biggest problem is already on the inside.

It's possible to respond internally with extra training on where the ethical line is and how -- if you're a manager -- to spot those dancing on the wrong side of it.

Handled badly -- and it's a delicate balance -- a company ends up sounding like it's accusing all its employees of dishonesty and not affecting the dirty ones at all. Or turning the place into East Germany before the Wall came down. (Fans of The Office should imagine security by Dwight, rather than Jim.)

Simpler in concept but harder in execution is Data Loss Protection, which is designed to help identify what data needs protecting and do it, by keeping track of who should be allowed access to which resources, to what extent and when.

More effective user-access-privilege controls would have kept low-ranking Army intelligence analyst Bradley Manning from downloading thousands of secret U.S. State Dept. cables and walking out of an Afghan security area after burning them to a disk labeled as tunes from Lady Gaga.

Promising as it is, DLP isn't as effective as it should be, according to a CSO poll, which ranks it ninth among the most effective change control/configuration management systems available.

Much of that distaste is unfamiliarity with DLP; more is misuse. It can be far more effective than it typically is, though not nearly as effective as it should be.

Some of the problem is technical, some is behavioral. Almost 60 percent of companies think they're prepared to detect and respond to a security threat, but only 56 percent have a plan to report or respond to one, CSO said.

Only 43 percent of companies even audit their user accounts to look for security risks, let alone breaches.

That's a great policy, like paying for an alarm system you never turn on, or worrying about burglars but never checking to see if the doors are locked.

Most IT people -- like most people -- are mostly honest. A few are downright schmucks.

Every company knows this and has people in HR, management and IT management responsible for managing security risks from both IT and users. Every IT department also knows it has to cover the basics -- check the user accounts, please -- to have any hope of securing anything, no matter how bulletproof the firewall is.

Most continue not to do it.
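As an added example (not from the column, and not CSO's or CERT's code), here is the kind of basic user-account audit the column is asking for, run over a constructed account export; the field names, the 90-day dormancy threshold and the finding codes are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

@dataclass
class Account:
    user: str
    last_login: Optional[date]  # None means the account has never logged in
    privileged: bool            # admin rights on servers or the domain
    employed: bool              # still on the HR roster (assumed field)

def audit_accounts(accounts: List[Account], as_of: date,
                   dormant_days: int = 90) -> Dict[str, List[str]]:
    """Return {user: [finding codes]} for accounts that need a human look.

    SEPARATED: the person has left but the account is still enabled.
    DORMANT: an active employee's account has not logged in for a while.
    DORMANT_PRIVILEGED: a dormant account that still holds admin rights,
    the classic path for a former or disgruntled insider.
    """
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        codes = []
        if not acct.employed:
            codes.append("SEPARATED")
        never_used = acct.last_login is None
        dormant = never_used or (as_of - acct.last_login).days > dormant_days
        if dormant and acct.employed:
            codes.append("DORMANT")
        if dormant and acct.privileged:
            codes.append("DORMANT_PRIVILEGED")
        if codes:
            findings[acct.user] = codes
    return findings

# Constructed sample export; dates and names are made up for the example.
AS_OF = date(2011, 2, 1)
SAMPLE = [
    Account("jsmith", date(2011, 1, 28), False, True),          # healthy
    Account("oldadmin", date(2010, 6, 1), True, True),          # idle admin
    Account("left_contractor", date(2010, 12, 15), False, False),  # gone, still enabled
    Account("svc_backup", None, True, True),                    # never used, admin
]

if __name__ == "__main__":
    for user, codes in audit_accounts(SAMPLE, AS_OF).items():
        print(f"{user}: {', '.join(codes)}")
```

Running this against a real directory export is the "check the user accounts" step; the point is that the three flagged accounts above are exactly the ones a firewall will never notice.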

So one or two companies every year shouldn't be surprised if they walk into some darkened sysadmin lair and find a commercial porn site or a DVD with all the customer files since 1987.

For the benefit of the rest of us, though, please don't keep those cases quiet. Publicizing them might give some other company an example it can use to tighten its own security.

More important, it will give the rest of us something to laugh at.

When you spend days with your head stuck under someone else's gross desk or in a drop ceiling where you can see rat droppings and hear tiny footsteps behind your head, you need to find some humor somewhere.

Kevin Fogarty writes about enterprise IT for ITworld. Follow him on Twitter @KevinFogarty.
