If a flash drive infects a network, who's to blame?
Summary: With a London borough's council facing a £500,000 bill because a user crippled the network with an infected flash drive, I ask who is to blame: the user or the IT staff?
Ealing Council, the local authority for a number of London boroughs, was infected by a virus which crippled the vast majority of the council's network.
The damage knocked out the housing department, the library service, telephone network and others, according to the BBC, as a result of plugging in an infected flash drive on a networked computer. But this raises a question about those who are not yet fully IT literate.
If you plug in a flash memory drive and it infects a network, who is to blame - the user who doesn't know any better, or the IT staff responsible for the network?
Bruce Hughes from CNET seems to think it is those responsible for the network and the company. I'm inclined to agree.
In British (and I suspect in American) law, ignorance is not a defence. You cannot get away with ploughing someone in your car, reversing and going over them again because, "you didn't realise murder was a crime". If the judge said, "you'd forget your head if it wasn't screwed on, you little scamp. Go on, go free!", I would seriously wonder about the state of the justice system.
But in cases such as these, a legal aspect could easily be thrown into the equation. A bill reaching over £500,000 ($817k) needs to be pinned somewhere, and whether or not legal action could be taken is yet to be decided. At the end of the day, it will be the taxpayer who pays the brunt of the cost.
Even though the Conficker virus never "really" activated or caused damage per se, the proof of how powerful a virus can be in this day and age still exists. It spread as far and wide as the French Navy, the German Bundeswehr, the UK Ministry of Defence, the UK Houses of Parliament and more universities than you could shake a stick at.
It is my professional opinion and belief that standard university network security is greater than the average security of businesses and corporate networks. As public machines on campus are all or often in buildings where the doors are opened with your university smart card, access is still limited to those within the establishment.
Not only that, in comparison to a local council or district governance, universities are themselves councils and governors of the campus. Students live and breathe on the campuses and the work that goes on within the network keeps the world ticking over - literally. Because they are all inter-connected in one way or another, in the UK at least, they have to be secure to limit the spread of malware.
But ultimately it comes down to education, education and education: the do's and don'ts of computing security. You may not get booted out of university for accidentally offloading a payload of electronic sewage, but you can bet your arse in the real world - you could easily get fired.
So, if a user's flash drive infects a network, who is to blame?
Talkback
I think the answer could be both are to blame...
Let's try using some analogies...
blame?
If a cigarette burns down a gas station, who's to blame?
If a space heater burns down an office building, who's to blame?
Ultimately it's the person directly responsible for the one action that caused the incident. Granted, others may have contributed to an "unsafe" environment by not posting signs, setting policies, educating the ignorant, etc. But it all boils down to the one offender. Ignorance is not a valid excuse for anything.
Flawed Analogies
At the same time, an IT admin is charged with keeping the network safe. The real question here should be: Did the IT admin do his or her job to the best of their ability as expected of an IT admin of a government network? If yes, then the only person to blame is the writer of the virus, learn from the experience, and move on. If not, then the IT admin is to blame for not taking the proper precautions to secure the network.
Like with the officer at the security checkpoint, if everything was done proper and as well as could have been expected, but the live grenade still found its way in, then I wouldn't put fault on the officer.
Your analogy is flawed.
Secondly, regardless, the IT group has to put into place 2ndary checkpoints to detect and remove viruses before they affect a network and additionally education of their users so they practice safe data transfer.
Congratulation!
More info please
I don't even put my name on my computer - it's that big of a joke.
Let's assume you're completely wrong..
The point is that the user is ultimately responsible for picking up the virus. If it hadn't been somewhere unprotected or dodgy it wouldn't have happened.
I'm not saying they should be sacked, yet, but clearly they are at fault for bringing a virus in from somewhere. Why should a USB stick be used across systems unless by a support person; and then again they should know better.
What if the building was made of flammable material?
responsible here because they've made such an uniquely vulnerable and
fragile platform.
Yours is a weaker analogy.
fragile platform.
Sorry, but that is incorrect.
If you have a prison with holes in the wall, you can still keep it secure. Takes more resources, but you CAN still keep it secure.
Likewise, an OS is only as secure as the people using/administering it.
Who is to blame? Both. The IT should take more precaution, and the user should have as well. Ultimately, IT can not always foresee, and prevent users from doing stupid things, but the best practice is to never underestimate the power of users to mess things up.
In the end, you hope for the best, and prepare for the worst.
wrong premise & deeply flawed logic
Networks should always, in principle, be designed to safeguard the end-users from themselves - to the highest degree practicable. The central idea behind sound network security conceptualization and planning is really quite simple: if a user can (inadvertently or not) ruin a network, they will. With that in mind, "secure-by-default" network design practice *must* be adhered to.
Services that 'can' reasonably be seen as possible avenues for exploitation of a network have to be considered on a case by case basis: yes, that is how seriously systems security has to be.
"Ignorance is not a valid excuse for anything."
But it is exactly the reason *why* locking down / disabling highly vulnerable services on a network is a major part of security planning in regards network design. This should *never* be a task that is left 'to chance' - and certainly not at the 'whims' of end-users.
Frankly, you've just made some things abundantly clear. You have a sheer lack of understanding of secure network planning or design. I would never want someone like you on my network administration team - your thinking is flawed, misguided and idealistic: all tell-tale traits of a bad network admin'.
Sinceremente
wrong premise & deeply flawed logic
This is not a 'logical' argument, but a policy statement, that boils down to a philosophical position:
Are individuals responsible for their acts and lack thereof?
Should a big brother entity decide in lieu and place of individuals what is good for them?
thx-1138 said:
"Services that 'can' reasonably be seen as possible avenues for exploitation of a network have to be considered on a case by case basis: yes, that is how seriously systems security has to be."
If you are serious about security, the first thing you do is not use Windows. "yes, that is how seriously systems security has to be."
thx-1138 said:
'"Ignorance is not a valid excuse for anything."
But it is exactly the reason...'
Talking about flawed logic, _that_ is a nice non sequitur.
wrong premise & deeply flawed logic
What if...
If they really wanted it secured they would have used Solaris with Secure Extensions enabled, that way the USB device would have been ignored or sent to nul if it didn't match a pre-approved device. There is a reason that in secure environments, Windows requires an air gap if it resides on a secure network.
Your statement is flawed because none of us have the details of what the infected machine was used for.
wrong premise & deeply flawed logic
Would you all agree that the network is a business asset? I think it's a reasonable statement.
A network administrator then, is responsible for maintaining and protecting that asset.
Some people on here...
They made the choice to work for the company, and as such, have the right to leave if the network security bothers them that much.
I feel that in doing so, they will run out of options for employment soon. No one in their right mind will allow users to run freely on their network. It's just plain stupid.
Very Simply
then one has total control.
Thinking (if any) is flawed
Analogy - Electrical circuits are fused to prevent fires from faulty equipment, preventing catastrophic damage. Unfortunately malicious viruses are more difficult to protect against but all reasonable effort is the responsibility of the owner/administrator not the ignorant user.
As already stated, ignorance is no defence in law.
It might prove a very interesting case if it came to court.
Similarly if action is taken against Ealing council....
By the way has the USB employee fled the country?
disappointing and unnecessary ending
Person Responsible?
And the winner is:
The original creators of the malware, without them none of this would have happened at all!
The original question is flawed as it assumes either the IT department or the user is to blame and neither are to blame as neither created the original malware in the first place!
Even under the law this would be true, and neither the IT department nor the user could be held responsible for this, as they had no hand in creating the original offending malware! All good lawyers would eventually figure this out and trace true blame back to the original malware creators, and this is why malware creators are going to jail today, and it's very sad that we can't catch more of them!