[Infowarrior] - Lifestyle Hackers

Richard Forno rforno at infowarrior.org
Thu Nov 5 10:50:22 UTC 2009


Lifestyle Hackers

Jim Routh and Gary McGraw examine why twenty-somethings skateboard  
right past security controls, and what it means for employers (i.e.  
you!)

Jim Routh and Gary McGraw, CSO
November 02, 2009
http://www.csoonline.com/article/print/506309

The insider threat, the bane of computer security and a topic of  
worried conversation among CSOs, is undergoing significant change.  
Over the years, the majority of insider threats have carried out  
attacks in order to line their pockets, punish their colleagues, spy  
for the enemy or wreak havoc from within. Today's insider threats may  
have something much less insidious in mind—multitasking and social  
networking to get their jobs done.

There's a growing risk within most organizations today that is clearly  
an insider threat but is also clearly not caused by a disgruntled or  
disillusioned employee. In fact, the new insider threat is more likely  
to manifest itself as a gung-ho new employee or contractor. And more  
often than not, the new insider threat is a recently hired  
twenty-something. We've coined the term "lifestyle hacker" to refer to this  
new cadre of insider threats. The lifestyle hacker does not have  
malicious intent. Nevertheless, the lifestyle hacker is highly  
successful at skirting various corporate controls put in place to  
protect security-related websites and critical endpoints. The most  
interesting and ironic aspect of the lifestyle hacker is that he is  
motivated by the pursuit of productivity, often the very same  
motivation driving the implementation of various corporate controls  
(including but not limited to Web proxies, DLP solutions, firewalls,  
etc.).

Tightly managed organizations (especially huge financial corporations)  
often block access to Web 2.0 capabilities in order to "promote  
productivity of staff." However, this very same staff often desires to  
utilize Web 2.0 capabilities (including social networking, external  
IM, Skype, Twitter, etc.) in the name of enhancing personal  
productivity. And never the twain shall meet!

This conundrum exists as the inherent conflict between those who make  
the rules and those who break the rules, both of whom are driven by  
the exact same motivation—being more productive in the work  
environment. There are two fascinating and problematic aspects of this  
situation worth mentioning:

1. The population of lifestyle hackers is growing in size and  
diversity as demographics of new hires shift toward those people who  
grew up on the Internet.

2. Neither the corporate decision makers who make the rules nor the  
lifestyle hackers understand the security ramifications of emerging  
and evolving Web 2.0 capabilities (see McGraw's article "Twitter  
Security" at www.informit.com/articles/article.aspx?p=1350268).

To get a handle on the growth of the lifestyle hacking problem,  
consider this: One Wall Street firm we're both very familiar with  
estimated that 45 percent of all security incidents in the past two  
years were lifestyle hacks. A quick look at demographics reveals  
what's going on. The root of the problem is that newly minted staff  
members being hired today were generally born in the late '80s; their  
managers and rule-imposers are of the Baby Boom generation (born  
between 1947 and 1961). Baby Boomers were brought up with television  
as the dominant household technology, while the Net Generation (as Don  
Tapscott calls them in Growing Up Digital: The Rise of the Net  
Generation) was exposed to the Internet as early as they can remember  
(and some even earlier than that). Television is a mostly passive  
broadcast medium. By contrast, the Internet promotes widespread  
collaboration. This difference engenders significant divergence in  
behavior for the two generations. Baby Boomers focus on a single task  
when under pressure, while the Net Generation prefers multitasking.

Baby Boomers don't even like listening to music while they work. Net  
Gen'ers listen to music (sometimes even watching music videos) while  
browsing a website or six, instant-messaging with whoever is around,  
sending text messages and pecking at a Microsoft Office file. The  
University of Oregon Library published a study that showed that the  
average Net Gen'er, by the age of 21, has been exposed to:

	• 10,000 hours of video games
	• 200,000 e-mails
	• 20,000 hours of TV
	• 10,000 hours of cell phone conversation
	• Less than 5,000 hours reading books

Some demographers bifurcate the Net Generation into Generation X and  
Y, but for the purposes of understanding the lifestyle hacker, Net Gen  
says it all. As Internet-facing technology became ubiquitous and  
leaped from the home to the mobile device, the Net Generation adapted  
by incorporating new technology into its very social fabric. The Net  
Generation prefers SMS texting and using instant messaging in many  
social situations. (Organizing a particular time and place to meet is  
rather silly if the people doing the meeting all have cell phones and  
a vague plan.)

Utilizing a texting system as an essential productivity tool in a  
professional environment is a natural extension of normal Net Gen  
social behavior. The same can be said for social networks such as  
Facebook, which offer excellent tools for collaborating on complex  
problem solving and building effective relationships.

Unfortunately, many Baby Boomers have never used Web 2.0 tools at  
work. Such tools simply did not exist when they entered the work  
force. As a result, they often view such tools as distractions from  
doing "real" work.

One high-tech firm did a study on the primary reason for undergraduate  
offer rejections by prospective new hires and discovered that the  
number-one reason for rejection was that access to Facebook was  
blocked. The firm now offers access to Facebook. Along the same lines,  
but without a solution to the problem, FS-ISAC survey results from  
April 2009 indicated that over 90 percent of financial service firms  
block access to social networking sites. The number-one reason for  
blocking access is a concern over productivity, not security.  
Ninety-five percent of the firms responding to the survey have no plans to  
change policies to allow access to social networking sites. You can  
see the storm clouds gathering.

To restate the conundrum, leaders believe that social networking,  
instant messaging and using SMS constantly in the work environment  
will lead to lower overall productivity, so they block access. Net  
Gen'ers believe that Web 2.0 technologies are essential for  
collaboration and relationship management and that they improve  
productivity. Impasse.

Enter the lifestyle hacker. To sidestep the impasse, a growing number  
of Net Gen'ers are using their technical savvy to find creative ways  
of bypassing controls so they can leverage Web 2.0 capabilities.  
Perhaps an example can make this clear.

Dylan (not his real name) was an intern working in the technology  
department doing server administration for two years while he  
completed graduate school. He then applied for and was hired as an  
analyst working in the operational risk department. Dylan established  
himself as an effective contributor to the department over a period of  
six months.

One day, the corporate security staff noticed a spike in network  
traffic coming from Dylan's workstation. The large volume of data  
transfer indicated the possibility of a security breach in which  
company information was being shoveled off to an outside party. The  
security staff initiated an investigation. They eventually approached  
Dylan and completed a forensic analysis of his computer. What they  
uncovered was that Dylan had constructed a secure tunnel by exploiting  
a vulnerability in the company's Web proxy, and he was connecting his  
workstation to his ISP at home. This allowed Dylan to watch pirated  
movies running on his home PC while he was streaming music from sites  
no longer filtered by the proxy.

As it turns out, Dylan was also modifying a sensitive risk report at  
the same time. When Dylan's boss was told what was going on, Dylan was  
asked to leave the firm. His boss was disappointed, since Dylan was  
one of her most productive employees.

Note that Dylan was not malicious and in fact did not intend to break  
established policies and federal laws. His actions were motivated  
purely by his desire to multitask, unfettered by the standard controls  
that all other employees had to live with.

The question is, how many "Dylans" work in your organization? And what  
are you to do if you're the CSO trying to safeguard your firm while  
also enabling business growth? As usual for computer security, there  
are no easy answers here, just as there are no simple Web 2.0  
technology controls ready for prime-time implementation.

Upon reflection, we believe the most important thing to do is to  
educate staff about the security and brand risks associated with  
unfettered use of Web 2.0 capabilities while exploring ways to offer  
tools with collaborative capabilities with a level of control that the  
organization can manage effectively.

This solution is likely to necessitate updating your security policies  
as well as communications and marketing policies governing publication  
of the firm's information. In addition, the firm's IT strategy should  
clearly define a road map for Web 2.0 implementation over time that  
provides for increased collaboration outside the firm. The right  
approach for each organization must, of course, be driven by its  
respective business model, since business and security risks always  
differ. The good news is that the problem of the lifestyle hacker  
provides a clear opportunity for innovative leadership by the CIO and  
the CSO.

What is clear is that the technology frontier has moved well beyond  
the workstation to an increasing constellation of mobile devices and  
distributed software (some of it already in the cloud). As more  
processing capability emerges in PDAs, there will be no avoiding them  
or their distributed software as a work platform. Collaborative  
technology is here to stay.

Solving the Net Gen productivity problem in order to avoid lifestyle  
hacking is thus a critical aspect of the CSO's job. Finding the right  
balance for your organization will require innovation, education and,  
most importantly, courage. We certainly can't hold back Web 2.0 in the  
name of security! At least not for long.


Gary McGraw is chief technology officer at Cigital. Jim Routh is CISO  
of KPMG.
© CXO Media Inc.