Friday April 14, 2017

95% of Organizations Have Employees Seeking to Bypass Security Controls

Dark Reading has an article up on a Dtex Systems report indicating that 95% of all organizations have employees actively trying to bypass corporate security measures at work. The report also shows that users are increasingly attempting to use private VPN services or the Tor Browser to get around organizational security and browsing restrictions.

Dtex uses this analysis to support the lesson that "Insiders are your biggest security threat", suggesting that organizations should take this as an indication that the employee is engaging in illegal activities or attempting to steal data, as if they couldn't just do that with a $5 32GB USB stick. I feel there is a different lesson to be learned here as well: employees hate being patronized, and if corporate IT departments patronize them, they will see themselves as justified in circumventing those measures.

I should know. In the past I've been one of them, running a private VPN on port 443 (so that it blends in with HTTPS traffic) to my own home server (not a known VPN service). Not because I was trying to do anything malicious, mind you, but because during my lunchtime browse I don't want anyone spying on what I'm looking at. That, and I've run into some over-reactive site blocks, like one company that would block every site discussing firewall rules, categorizing them as "instructional pages for malicious hacking" or some nonsense like that.

There are certainly things enterprises are justified in blocking. Pr0n and online gambling come to mind, as do sites known to serve exploits, but paint the blocking rules too broadly at your own risk. I once worked for a company that blocked Craigslist outright. Presumably this was because of the less savory sections on that site, but the end effect? I couldn't browse for deals on used speakers during my lunch break. It pissed me off, and I felt like I was being treated like a child. When I first started working in corporate settings 15 years ago, I always had full local machine admin access and a wide berth to do as I pleased as long as I got my work done. These days those freedoms have been chipped away more and more, to the point where, as an employee, in many places you feel like trash.

The lesson, as always, is: treat your employees with respect and dignity and like adults, and they will return the favor. Get overly petty with net-nanny techniques and they will get pissed off and try to circumvent them. This is not a right-vs-wrong discussion; it's just about how adult humans innately respond to being patronized.
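On the detection side of the "VPN on port 443" trick described above: an admin who wants to flag that kind of bypass does not need a threat-assessment vendor, only a check that what is flowing to port 443 actually starts like a TLS handshake. The following is an added example (not code from the original post, from Dtex, or from Dark Reading) that applies that check to a handful of constructed sample flows; the hosts, ports and payload bytes are made up for illustration.

```python
"""
Heuristic: does the first client->server segment of a TCP flow to port 443
begin with a TLS ClientHello? Anything else on 443 (OpenVPN-over-TCP framing,
an SSH banner, raw custom tunnel traffic) is worth a closer look.

Added example; not code from the original post or from Dtex/Dark Reading.
All sample flows below are constructed, not captured from a real network.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    first_bytes: bytes  # first client->server payload bytes of the flow


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """True if payload starts with a TLS Handshake record (content type 0x16,
    legacy record version 0x03 0x00..0x03) whose first handshake message is a
    ClientHello (handshake type 0x01)."""
    if len(payload) < 6:
        return False
    content_type, major, minor = payload[0], payload[1], payload[2]
    if content_type != 0x16 or major != 0x03 or minor > 0x03:
        return False
    record_len = int.from_bytes(payload[3:5], "big")
    if record_len == 0:
        return False
    return payload[5] == 0x01  # HandshakeType.client_hello


def classify_flow(flow: Flow) -> str:
    """Label a flow: 'not-443', 'tls', or 'suspicious-non-tls-443'."""
    if flow.dport != 443:
        return "not-443"
    if looks_like_tls_client_hello(flow.first_bytes):
        return "tls"
    return "suspicious-non-tls-443"


def flag_suspicious(flows: List[Flow]) -> List[Tuple[str, str]]:
    """Return (src, dst) pairs for flows to 443 that are not TLS."""
    return [(f.src, f.dst) for f in flows
            if classify_flow(f) == "suspicious-non-tls-443"]


# Constructed sample flows (hypothetical hosts and payloads):
SAMPLE_FLOWS = [
    # Ordinary HTTPS: TLS record 0x16, version 3.1, ClientHello (0x01).
    Flow("10.0.0.2", "93.184.216.34", 443,
         b"\x16\x03\x01\x00\xf4\x01\x00\x00\xf0\x03\x03"),
    # OpenVPN over TCP to a home server on 443: 2-byte length prefix, then
    # opcode byte 0x38 = P_CONTROL_HARD_RESET_CLIENT_V2 (7) << 3 | key_id 0.
    Flow("10.0.0.5", "203.0.113.7", 443,
         b"\x00\x0e\x38" + b"\x11\x22\x33\x44\x55\x66\x77\x88" + b"\x00\x00\x00\x00\x00"),
    # Plain HTTP on port 80: out of scope for this check.
    Flow("10.0.0.3", "93.184.216.34", 80, b"GET / HTTP/1.1\r\n"),
    # SSH banner sent to port 443 (sslh-style multiplexing on the far end).
    Flow("10.0.0.9", "198.51.100.4", 443, b"SSH-2.0-OpenSSH_8.9\r\n"),
    # HTTPS with a TLS 1.2 record-layer version: still a ClientHello.
    Flow("10.0.0.4", "93.184.216.34", 443,
         b"\x16\x03\x03\x01\x2c\x01\x00\x01\x28\x03\x03"),
]


if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.src:>10} -> {f.dst:<15} :{f.dport}  {classify_flow(f)}")
    print("flagged:", flag_suspicious(SAMPLE_FLOWS))
```

Two caveats a practitioner should keep in mind. First, this only catches the crude version of the trick: a VPN wrapped in real TLS (OpenVPN behind stunnel, SSTP, or anything else that presents a genuine ClientHello) passes this check, and so does Tor, whose client-to-guard connections are TLS; catching those means looking at the handshake itself (JA3-style fingerprints, SNI, the server certificate) or at destination reputation. Second, the result is a lead, not a verdict: a non-TLS flow on 443 is exactly as consistent with an engineer testing firewall rules as with someone exfiltrating data.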

From the Dark Reading article:

For example, if a user threat assessment uncovers an employee using a TOR browser on the network, administrators should treat that as a red flag that the employee is engaging in prohibited or even potentially illegal behavior. Similarly, there’s a high chance that an employee who spends hours researching ways to get around security systems is trying to evade the controls within their own organizations.

"When an employee spends time researching how to bypass security controls, we often find that they are trying to exfiltrate data without being blocked by their DLP or without raising any flags on the network