The Wall Street Journal Teaches Users How To Break Policy
Check this out, 10 Things Your IT Department Won’t Tell You.
What an awful, terrible, no good, very bad article. Not only because the author, Vauhini Vara, has just made life miserable for those of us who have invested significant resources and effort into Security Awareness (though that’s pretty bad, too), but because Ms. Vara presumes to know what the “risk” of each of these actions is, and what the most probable loss event would be.
I anticipate Ms. Vara being vilified by mainstream InfoSec professionals for this article, and well she should be. Teaching users how to “Search For Work Documents At Home” or “How To Store Work Files Online” is a stupid thing to do, no doubt. But the IRM community should explain to Ms. Vara that she is not a professional risk analyst, that she does not have a clue as to what the most probable Threat Community Actions, Attack Vectors, or consequences of a Loss Event are, and that her “How To Stay Safe” suggestions are impotent; as such, she would do very well to shut her piehole.
To me, it feels like this article is more of the “we all don’t like or respect those guys in security, they’re anal about this sort of stuff - but shhhhhhhh - it’s ok! Take a hit - everybody else is!” nonsense that is better left to high school and has no place in business. And these days, especially with SOX, GLBA, PCI, and the rest of the alphabet soup - some of these actions have the potential to put people in a very, very bad spot.
In that context, this article is exactly like the WSJ asking a seedy accountant to write an article about how to “bend” GAAP to inflate profits. One would think that the Wall Street Journal would hesitate to commission such an article, but here it is.
You may feel free to tell Ms. Vara what you think of her article by emailing her: vauhini.vara@wsj.com
Chris Hayes Aug 1
Yep - completely irresponsible. In all candor, the article looks like it was written by an intern and that it received no review whatsoever. Besides the “risks” being completely worthless, the “how to stay safe” sections are equally worthless. I cannot send her email from my employer’s email but will try to fire something off.
rybolov Aug 1
I feel like I’ve been “outed” on some of my super-secret techniques.
I’m glad to know, however, that using sftp to put files on my personal webserver and then giving somebody the url is still my best-kept secret. =)
dutcher Aug 1
Sweet fancy Moses!
I like the fact that the ad for Ms. Vara’s podcast “about just how damaging security screwups can be” is nestled on the same page.
JCC Aug 1
“Shut her piehole”? Geez, lighten up…
#1: Don’t create policies you can’t or don’t enforce.
#2: Don’t expect everyone in the organization to make your risk management crusade their highest priority. Their highest priority is getting their job done. That’s why they figure out ways around braindead IT infrastructure and onerous controls. That’s also why most readers probably liked this article.
#3: You want security awareness? Then the next time someone breaks a policy or you have a *real* loss, try public shaming. It works. Silly posters or getting them to memorize tome-like policy manuals is a waste of time. People are also numb to all the scare-based hype coming from the news media and security technology vendors. We all know that most of it is hyperbolic crap.
shrdlu Aug 1
Don’t expect everyone in the organization to make your human resources/legal policies their highest priority. Their highest priority is getting their job done. That’s why they figure out ways around braindead anti-discrimination rules and onerous anti-fraud controls. That’s also why most readers probably liked this article.
It’s clear that JCC is part of the problem.
Alex Aug 1
@JCC:
My first inclination was to actually have a similar sentiment to yours. And, in fact, I agree with everything you wrote. Many policies are silly best practices designed to mitigate areas of very little risk, but sound good because we, the security community, are very good at creating Armageddon scenarios to justify beating one over the head with our InfoCop billyclub.
And then I thought of the new era of legislation, the battles CISOs face, the implications of folks breaking these policies (disciplinary action against the reader - if you work at a bank some of this stuff can get you fired), and exactly what this article was suggesting within the context of privacy legislation. What decent data we DO have suggests that the most significant amount of PII exposure is due to stupid crap exactly like she’s writing here, carelessness and ambivalence on the part of end users (see emergentchaos slides on loss events). It kind of got my dander up (this is not to mention that for each “risk” she identifies I can come up with much more probable frequencies of loss events that have more significant probable loss magnitudes).
At the end of the day, I stand by my statement. You wouldn’t see the WSJ letting an intern write an article condoning the blatant misrepresentation of expenses on the GL, you wouldn’t see the WSJ publishing articles that suggest it’s OK for firms to be “a little loose” with hazardous materials - so why should they publish an article that suggests that it’s OK if people ignore security policies designed to control the exposure of their business to Fines/Judgments?
But then again, you may have more risk tolerance for the loss of your PII than I do. And that’s OK.
shrdlu Aug 1
No, Alex, I have to disagree with your last statement here. Employees are NOT authorized to make risk decisions with the PI of their companies — or, worse yet, with the PII of the people they are serving. If some asshole creates a risk of identity theft for a million or so strangers because he felt entitled to ignore HIPAA and get his files from home, I would terminate him with extreme prejudice and throw what was left of him in jail.
People like JCC have probably never held a position of responsibility in their lives and wouldn’t know accountability if it bent them over a barrel.
Alex Aug 1
@shrdlu:
“I would terminate him with extreme prejudice and throw what was left of him in jail.”
I suppose that dovetails very nicely with JCC’s 3rd point. Ignoring the “lighten up” aspect of his comment, I only take issue with the following re: his comments (and JCC, please feel free to discuss further):
#1: Don’t create policies you can’t or don’t enforce.
“Don’t enforce”, yes. “Can’t enforce” I wish. Anyone who is in a position of InfoSec mgmt. knows that rules will be broken, and rules are made that cannot possibly be enforced with 100% effectiveness. However, policies in these days of heavy compliance are not just about enforcement. They are also about exhibiting due diligence.
#2: The more secure path is rarely (if ever) easier than the insecure path. However, the incentives to follow the most secure path must be in place to make the choice braindead. Incentives are designed to change the values of a culture. This (agreeing with JCC), more than knowing “rules”, should be the purpose of awareness.
#3: This assumes you’re around to do the shaming. The poor infosec folks at Ohio Univ. were never given the ability to influence culture or implement proper controls. When someone else lost PII, however, THEY were the ones that were shown the door - even after they had asked for compensating controls long before the incident took place. I have a feeling that this sort of situation is not uncommon.
RE: silly posters et al.… You know what people *do* like? They like getting caught doing something right. Positive reinforcement will get you a lot further than posters that say “It Can Happen To You!!!”
Last month I did an SE exercise where I got into a secure area but got caught by an administrative employee. Even after a week of being there, she was absolutely BEAMING with pride about catching me (the organization even gave her a reward). Chances are that she will now never fear (or hesitate) to challenge strangers without escort, even if they DO have vendor shirts, boxes, business cards and made-up work orders.
JCC Aug 1
I am not advocating that people ignore or break policies.
They do so at their own risk. And I certainly think it can increase the risk to their companies and customer data.
I just don’t think an article like this is going to materially increase that risk significantly in the large scheme of things. Lots of people already do these kinds of things.
I read the WSJ every day. Some of the stuff they print on the editorial page is a lot more irresponsible than this!
(and shrdlu1, spare me the ad hominem attacks.)
Osama Salah Aug 1
First of all, most of the “tricks” don’t work if you have a few simple, well-implemented controls.
2nd, I now know of three companies that I would hesitate to work with since they lent their reputation to a crappy article and in the process ruined their own reputation.
Saso Aug 2
*Sigh*
Well, I figured the best I can do is pass the link along to as many people at work as I can. I’ve asked our policy person to check the list and add links to all the relevant policy statements and standards that the article recommends people break.
Might also pass it along to HR; I am sure they will love to cross-reference it with the AUP.
Andre LePlume Aug 2
That’s going way overboard Saso. We all know that McAfee and PWC would never expose PII or be involved in activities which violated any regulations. I never heard of the 3rd outfit, but with strict european laws regarding disclosure of security breaches I am sure there’s nothing whatsoever to be concerned about.
LonerVamp Aug 2
You know, realistically, this article shouldn’t be an issue. It seems almost like full disclosure. Shhh, don’t tell people about it because then it’ll get leveraged. Wait…should solid security be able to withstand these disclosures?
Just adding to the discussion.
(Oh, and how many companies really do have “good security” good enough to not worry? Yeah, a little idealistic…)
Alex Aug 2
@LV-
Well, if I hadn’t been so stupid busy, I was going to link to your and Layer8’s articles on the article, as well. I happen to like your post on the subj.
That said, my issues still remain 2 fold:
1.) Her telling me what risk I (or my users) have is, at best, presumptuous.
2.) It’s just very bad journalism on the part of the WSJ in this day and age of privacy & regulation.
Jack Aug 3
Bad journalism? I guess that depends on one’s perspective. What’s good journalism, or “not bad” journalism for that matter? I can only assume that the people at WSJ who are responsible for deciding what gets printed (certainly not the author) believed the article met some objective AND met their criteria for “not bad” journalism. They probably felt due diligence (or the appearance of due diligence) was met by seeking input from security professionals. Assuming they weren’t trying to undermine our security policies, I’ll give them the benefit of the doubt for now and just consider them REALLY ignorant on the topic.
As for the argument of “full disclosure” or “this stuff is already out there and known so what’s the harm”…I have to disagree. Yes, a subset of employees already knows these tricks, so no harm done for that threat community. And yes, anyone who is serious about being malicious or abusive can find this information easily enough. Consider, though, that one of the threat capability factors is “Knowledge”. So, for that community of “maliciously or abusively inclined but (previously) ignorant employees who wouldn’t have gone to the trouble of figuring this stuff out but who are kinda jazzed about having it tossed in their lap”, the knowledge component of their capability just increased. Consequently, the job just got tougher for those of us who are tasked with managing the potential for bad things happening. The good news is that they also aren’t the ones who are likely to be adept at hiding their acts.
And yes, an effective security program should be able to deal with this change in the threat landscape — but there are a lot of imperfect security programs out there that don’t welcome this change. We appreciate (and sometimes count on) the fact that our threat communities aren’t always fully informed (did I just admit to having an imperfect security program??? Redact, redact, redact). At the very least it simply adds to our already too-full portfolio of things to deal with.
As for the security pros who contributed to the article…ouch. Based on my experience with the press, however, I’d guess that either these poor souls weren’t given a completely clear picture of what the article was going to turn out like, or (more likely) they had offered far more input than what got into print. Every time I’ve been interviewed for an article, what gets printed is both much shorter than I imagined it would be (but then I CAN be a bit verbose), and the content of what I offered was altered. Every time.
So, yeah. I would have strongly preferred the article hadn’t been printed, and yeah, I’m glad I wasn’t one of the infosec contributors.