Stop Firing the Victims

A /r/cybersecurity Reddit thread yesterday caught my attention - Worst BYOD Story From Work. I'm a sucker for stories so I dove in, and one comment stood out:

[Screenshot of the comment: an employee was fired after plugging a phone into a work system.]

Fired for plugging in a device? That seems harsh to me.

Let me preface this by saying we don't know the full story. Maybe they were a repeat offender who had been warned many times. Maybe they had caused issues in the past. Maybe evidence of other wrongdoing was uncovered.

But I submit that firing anyone for plugging in a USB device, or more generally for causing a cybersecurity event, is going to have negative effects on the organization's security.

Let's take this situation: an employee receives a phish, clicks on it, and gives their credentials to the attacker. The organization does not detect it.

In an organization where it is known that you could be fired for clicking on a phish (because it violates policy), it's less likely the user will report what happened. The attacker gets in, data is exfiltrated, and additional damage occurs.

However, in an organization where employees know they won't be punished, the victim is more likely to report the event. Passwords get reset, an investigation starts, and the attack is stopped before much damage is done.

I argue that in the phone example above, the organization is partially at fault. If users aren't allowed to plug in USB devices, why isn't that technically enforced? Why didn't they disable (or cement) the USB ports? Why didn't their EDR automatically scan the device for malware instead of an analyst having to do it manually?
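As an added example (not from the original post), this is what one form of that technical control looks like on a Windows endpoint: the registry value behind the Group Policy setting "All Removable Storage classes: Deny all access", plus disabling the USB mass-storage driver so it never loads. The function names are my own, and the script assumes Windows 10/11 and an elevated PowerShell session; in a managed fleet you would push the policy value through GPO or Intune rather than set it by hand on each machine.

```powershell
# Added example, not code from the original post. Assumes Windows 10/11, run as admin.
# Two independent controls:
#  1) Deny_All under the RemovableStorageDevices policy key is the registry side of the
#     GPO "All Removable Storage classes: Deny all access". It covers every removable
#     storage class, including a phone attached in MTP/WPD mode.
#  2) USBSTOR Start=4 (SERVICE_DISABLED) stops the USB mass-storage driver from loading
#     at all. On its own it does NOT cover MTP phones, which is why both are applied.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$UsbStor   = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Set-RemovableStorageDeny {
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyKey -Name 'Deny_All' -PropertyType DWord -Value 1 -Force | Out-Null
    Set-ItemProperty -Path $UsbStor -Name 'Start' -Value 4
}

# Returns an object an auditor can check; both fields should be $true on a compliant host.
function Test-RemovableStorageDeny {
    $deny  = (Get-ItemProperty -Path $PolicyKey -Name 'Deny_All' -ErrorAction SilentlyContinue).Deny_All
    $start = (Get-ItemProperty -Path $UsbStor   -Name 'Start').Start
    [pscustomobject]@{
        DenyAllPolicy   = ($deny -eq 1)
        UsbStorDisabled = ($start -eq 4)
    }
}

Set-RemovableStorageDeny
Test-RemovableStorageDeny
```

The point of the second function is the one the post is making: if the policy says "no USB devices", a control like this should already be in place and verifiable across the fleet before anyone's employment depends on it. A host where `Test-RemovableStorageDeny` reports `$false` is the organization's finding, not the user's.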

I'm not saying punishment is never warranted - it definitely is in some cases, such as theft or a malicious insider. But for other cases, such as plugging a phone into a system when they shouldn't, make sure you (as the organization) are taking the right steps to ensure that 1) you are protecting the organization properly, 2) users have been well educated, and 3) users are given warnings that allow them to correct their future behavior.

My point here is that organizations should be clear about what they do and how they react to incidents, and should give users chances.


And because I couldn't resist, here is a familiar exchange, slightly modified, with help from AI.

You can't handle the truth!

Cruise: Colonel Jessop, let’s cut to it. Do you or do you not allow USB devices to be plugged into systems at your command?

Jessop: (smirking) Lieutenant, we run a tight ship. My Marines don’t so much as look at a USB drive without authorization.

Cruise: So you’re saying there’s zero chance an unapproved device ever gets plugged in?

Jessop: That’s right.

Cruise: Then how did a rogue USB full of malware end up in your operations center?

Jessop: (leans forward) You’re asking the wrong questions.

Cruise: I think I’m asking the exact question: Who plugged in the USB?

Jessop: You want answers?

Cruise: I think I’m entitled to them.

Jessop: You want the truth about USB devices?

Cruise: I want the truth!

Jessop: You can’t handle the truth! Son, we live in a digital world that has firewalls and intrusion detection systems. Those systems are guarded by admins with policies so tight they squeak. Who’s gonna enforce those policies? You? I have a greater responsibility than you could possibly fathom. Yes, a USB was plugged in. Yes, it caused an incident. And my existence, while grotesque and incomprehensible to you, keeps this network secure.

You want to blame someone? You want to slap cuffs on the poor rookie who fell for the “USB in the parking lot” trick? I’d prefer you just said “thank you” and moved on.

Cruise: So you admit it—someone plugged in an unauthorized USB.

Jessop: (grumbling) You’re damn right they did.


I've said for a while that if we want to fire employees for making a poor security decision, then we should be comfortable firing *all* the employees who made poor security decisions which allow a single compromised endpoint to result in a breach. Oh, not so bloodthirsty now, eh? :-)


Long ago I worked as a security-interested IT fix-it tech at Chrysler. The engineers had local admin on their laptops. I’m sure this has changed. If an engineer got malware, first time they had their laptop wiped. Second time, same thing. Third time, their laptop would be reassigned to someone hired to replace the now-fired engineer. This was written in policy. No one paid attention. I requested that I get all of these people. I had a monitor I could turn so they could read it. I’d bring up the policy, and while I fixed their laptop I would direct them to read the policy to me, out loud. No saying “I read it.” Usually they would say “am I fired?” I’d say “no, that’s not my role. But if you’re fired you won’t see me.” I had a return rate from these folks of zero percent. First time offenders were last time offenders. People can follow policy.

Hot unpopular take. I work in a place where thou shalt not plug in BYOD USB devices into the org network, and while this isn’t true everywhere in this organization, I’m not even allowed to bring my mobile device in proximity of my specific work site. Yes, they do provide approved lockers for us to store our mobile devices. I do agree with Ira Winkler that if the network can get tipped over by someone plugging in a rogue device that there is something wrong with the architecture. So that far, I agree with you. At the same time there are expectations that users can follow rules. 1) thou shalt not view pornography on work computers, with a special emphasis on not viewing child porn. 2) thou shalt not engage in risky behaviors on the network, which means thou shalt follow the org acceptable use policy. 3) thou shall have no expectation of privacy on the network. It is for the benefit of the org and not the end user. 4) thou shalt not be a whiny bitch if we get hacked and your credit card number was compromised because you chose to order Amazon products at work that you should have done on your own time at home. More in next post.

Didn't think I'd wake up and see "A Few Good Men" being used as a security tête-à-tête in an incident tirade :)

Tyler Hudak - respect history. The owners of the Triangle Shirtwaist Factory fired the workers who reported to work dead after they were fired literally.
