Porn-Surfing Execs Infecting Corporate Networks With Malware

wiredmikey writes "According to a recent survey of malware analysts at U.S. enterprises, 40% of the time a device used by a member the senior leadership team became infected with malware was due to executives visiting a pornographic website. The study, from ThreatTrack Security, also found that nearly six in 10 of the malware analysts have investigated or addressed a data breach that was never disclosed by their company. When asked to identify the most difficult aspects of defending their companies' networks from advanced malware, 67% said the complexity of malware is a chief factor; 67% said the volume of malware attacks; and 58% cited the ineffectiveness of anti-malware solutions."

malware and porn

[Anonymous Coward]

last time i saw an article about that on /. it was stating how most porn sites have very little malware and most malware comes from stupid wholesome crape like smileys and bars and other retarded crap the mouth breathers think they need to install

It's good to be the king.

[themushroom]

-- Mel Brooks, "History of the World pt 1"

So, in other words, they violate basic IT policy

[generic_screenname]

The top threats listed in TFA are all common-sense things to avoid with work machines. (Visiting porn sites, letting family members use equipment, installing malicious mobile apps, and falling for phishing emails.) There is a reason us IT folks tell people not to do these things at work.

Re:So, in other words, they violate basic IT polic

[idontgno]

And there's a reason why the executive suite doesn't listen:

"You're not the boss of me!"

(Supported by "If anything does happen, it's your fault anyway.")

Do different rules apply to senior managers?

[grahamsaa]

I've never understood why people do stuff like this. Years ago I recovered data from a CFO's laptop, only to find the thing filled with porn. Senior managers generally make enough money to have personal devices to look at porn on -- why do they risk the embarrassment of being discovered misusing company resources? I guess now that I think of it, the CFO in question wasn't fired (or even really disciplined) for this, as far as I can tell, so maybe senior managers just think that they're important enough that rules and common sense don't matter. If the laptop had belonged to a lower-level employee, he or she probably would have been disciplined.

Re: Occam's Razor

[Opportunist]

They don't get fired for it.

Re:Solution

[Opportunist]

Does Antivirus software get everything? Hell no. Is it useless because of it? No, far from it.

The world is not black and white and neither is security. I mean, by the same logic you could say that anti-drug laws didn't work, so let's abolish them. Police didn't arrest every murderer out there, away with it. And since doctors fail at saving every patient, shut down those hospitals.

Would that be stupid? Of course it would be. No, anti malware programs do not catch everything. But even the worst of them (interestingly named after its currently quite mobile founder) finds about 95% of the threats. Yes, that means that one out of 20 attacks could bet past it. But the other 19 do not!

Not to mention that the best security system is powerless against user stupidity. I think I pull that link every time we're discussing this, but it just was true, is true and probably will be true forever until I find a way to kill clickmonkeys via internet: Given a choice between dancing pigs and security, users will pick dancing pigs every time [wikipedia.org]. There is exactly NO way how you can secure a system against a clickmonkey that has admin privs. And those idiotic execs do! Not that they need them or know how to wield them, but they want that "in control" feeling. Needed or not.

The very LAST thing I want is any kind of privileges beyond the bare minimum to do my job. Simple reason: Credible deniability. What I could not do, I most certainly did not do. Your database is missing? Could not have been me, I can only enter data but I can't delete or edit anything. Go look elsewhere for your culprit.

But back on topic. Statistic is a multi-layer system. Relying on only one part of security is simply dumb. There is no such thing as 100% security. It's a myth. Like 100% uptime. You can lower the chance for a security breach, with technology (firewalls, antivirus), with policies (least privileges, secure processes) and a few other things. And yes, hence the solution to security is more security. Well, within reason and at sensible points, of course, but the solution can't be "can't stop it, so why bother trying?"

get a linux box

[cyfer2000]

For the pron, get a linux box please!

Re:malware and porn

[Anonymous Coward]

Most CEOs don't even have all the keys to the factories and plants, and when they need access for whatever reason, they go in with someone who knows what they are doing- just in case they screw something up - press the wrong button etc.

But when it comes to IT - they just love logging in with an account with full domain admin privileges (you could create a different account for them to use if they ever need it - which could be rarely, but no, it has to be their main account).

Re: Safe Surfing

[Anonymous Coward]

You jest but the threat is real. We have a slew of android users who had their phone done over.

It used to be that we would tell users "don't click that link. " where now web sites like yieldmanager throw apk files at them.. which download automatically .. they install... and we have to clean their phone and explain that their phone is a small pc. Sigh. The 90's all over again.
Those who do not learn from the past.