Today, it has been reported that an employee of the US Geological Survey (USGS) viewing adult content at work has led to a government network being compromised by malware. Investigators have since found that the culprit had viewed over 9,000 sites at work.
IT security experts commented below.
Richard Walters, CTO at CensorNet:
“This story is a fable in how the bad actions of one employee can throw an entire network into jeopardy. And before we get on our high horse and start to think that it could never happen in the UK, remember that official data found 160 adult content requests a day from devices connected to the Houses of Parliament. In fact, in a survey we ran of 1000 UK adults, 10% of respondents openly admitted to visiting adult websites on a work device or while connected to a company network. And that’s just scratching the surface of what the average employee is up to. A further 13% admitted to downloading or viewing pirated content. Putting aside the inappropriateness of these activities, adult and pirate websites are often cesspools of malware and viruses.
“The lesson is that all organisations, government or not, cannot just assume their employees are operating appropriately online – they need to deploy solutions that monitor and control what employees are accessing on their work devices to reduce the risk of malware getting onto the corporate system. There is no way that this employee’s consumption of adult content should have only been identified retrospectively – if the USGS had taken the right measures they could have stopped this activity long before malware made it onto the network.”
Fraser Kyne, EMEA CTO at Bromium:
“Not only has this employee earned a stinging HR rebuke, they also laid high value assets bare and put the organisation at risk. Luckily for them, The Earth Resources Observation and Science (EROS) Centre doesn’t operate any classified networks, meaning a major breach of national security was avoided. But hackers still had access to the US Geological Survey network, giving a clear indication of how fundamentally flawed the traditional approach to security is. Investigators have recommended blacklisting unauthorized websites and monitoring web usage, but this doesn’t provide the protection needed. Of course, blocking porn sites at work is a given, but how do you identify them all? Also, locking down uncategorized websites can often lead to denying access to web resources that employees actually need to use for their job. This creates friction, and users will inevitably find ways around restrictions and create black holes for security teams.
“Ultimately, this highlights that users are still the weakest link and can sometimes make stupid decisions. Threats can come anywhere, from dodgy websites to unknown email attachments and downloads. At the moment hackers need to only get it right once, because there will always be someone that will visit the wrong site or click on the wrong link. No amount of blacklisting (or HR chats) will change this, and it’s time to stop putting the burden of security on employees, because it is not their job to be the last line of defence. To do this, federal agencies should adopt layered cybersecurity defences that incorporate virtualisation-based application isolation, which allows users to open web pages, emails and documents in isolation from the host PC and network. This leaves hackers with nowhere to go and nothing to steal, allowing employees to get on with their job.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.