Are You For Us or Against Us?
Mon, 2006-12-11 12:51
Lately, I’ve noticed a disturbing industry trend in policing network acceptable use policies. A lot of the people that we’re catching are the supposed “good guys,” the smart ones, the postgraduate trained, the ones who really know better. Some of our “best and brightest” are the worst offenders when it comes to violating acceptable use policies and behaving badly on internal networks. They set up various approaches to get around internet content (blocking) filters, download files, send inappropriate chat and e-mail, or execute the latest industry spoofing tricks. What really bothers me is not just that they go way out of their way to not get caught watching movies and worse. No, afterwards they deny the whole thing ever happened. In other words, it’s not just the initial violation, but how they continue to lie about it afterwards.
 
While (we’re pretty sure) they’re not hacking into systems or bringing down networks, these self-proclaimed experts regularly try to “out-fox” and go head to head with my “bat cave” cyber gurus. This is a major mistake – like picking a back alley fight with an NFL lineman. This type of behavior tends to “energize our security base” in political terms. That is, there is nothing that I know of that motivates a security professional more than misguided insiders who are trying to outsmart them. As we all have learned watching the endless number of newsworthy political and business scandals, it’s lying about events that often gets people into the most trouble.
 
Cyberspace is no exception. Employees, who have had plenty of time to consider their dire situation, usually deny wrongdoing in front of HR, thus proving that they really can’t be trusted. Later, they eat crow and must confess when faced with the forensic evidence – which they thought they had successfully removed.
 
Now maybe we’re just way better than we used to be at catching these people, or our CISSP training has worked, or our tools are more sophisticated, or they’re too lazy, or we’re just lucky – but I don’t believe any of those things get at the core issue. (Oops, maybe our team is better than before – sorry guys ...)
 
But before I tell you what I think is really going on, I want to fill you in on the results of some unscientific, nationwide research that I’ve performed around this trend. To begin with, we’re not talking about a group of old-timers waiting for retirement with too much time on their hands and nothing to do. These are often the achievers. The “go to” guys and gals. They are often young, but some are in their 30s or 40s.
 
I also wondered if this pattern was true just within government circles, so I asked around. Answer: nope. According to several colleagues in InfraGard, CISOs from other states, and security pros protecting our Nation’s critical infrastructure in the private sector, this is a very common problem out there. Want more details? What should we do about it? That’s coming …