Your PORN DOES NOT IMPRESS US!!

Oftentimes, as information technology (IT) security professionals (a.k.a. Security Pros), we meet others who are interested in what we do for a living. The transfer of knowledge serves as a good way to promote IT security and often kick-starts an impromptu IT security awareness discussion. However, this brings more than its average share of questions. Of course, answering these questions can be fun, but there’s one particular question that can cause heartburn for Security Pros, and it is, “DO YOU EVER SEE ANY PORN?” Unfortunately, the answer is YES! When an employee has been viewing porn on a company computer, an array of questions soon follows (making the conversation rather awkward… LET’S BE REAL). The lack of regard users show by viewing PORN on their company-issued device is alarming. This brings me to the conclusion that “YOUR PORN DOES NOT IMPRESS US!!!”

Inherently, users will perform unauthorized actions on the network that violate organization policies regardless of how much IT security is enforced. At one point in time you too have probably violated policies and directives when it comes to IT systems, unintentionally, of course. Deliberate violations by users are constantly growing in the areas of viewing and downloading pornographic materials on the organization’s computers and/or devices. As a result, the organization could be exposed to data breaches, loss of revenue, and loss of customers, just to name a few negative effects. While it’s the Security Pro’s job to protect the organization and its assets through the implementation of risk assessment, remediation, oversight and record-keeping of such violations, it’s the user’s job to practice integrity, self-monitor and, most importantly, exercise self-control (seriously, you are at work!!!). As Security Pros, we should inform the users how their actions on the network impact the organization and its day-to-day operations. The organizational leaders also need to reinforce this information with their employees by having detailed discussions and trainings on IT security risk and its cost implications.

Here is what the typical offender fails to understand:

Many times these porn sites contain malicious ads, mobile code, software installs required to play videos, and “free subscriptions” that hide the attacker’s intent. These programs exploit any computer that allows them access and seek to run as background processes without the user’s knowledge. As a result, the user will notice:

  1. Decrease in system performance
  2. Inappropriate pop-ups
  3. Ransom-ware (when someone charges you to decrypt or remove malware after they installed it)
  4. Extracting of organization data
  5. Installation of backdoors (when point of access into system without user permission)
  6. Command & control (this allows an attacker to do whatever he or she choose on the device)
  7. Stolen user login credentials (to the devices, bank accounts or any other username/password used on that device)
  8. Spreading of viruses to other critical systems
  9. Trojans
  10. Key logging program (i.e. recording every key pressed on the user’s keyboard)
  11. Rootkits (stealthy type of software designed to hide the existence of certain processes or programs from normal methods of detection and enable privileged access to a computer or device)

In addition, an attacker can pivot from the organization’s network to its third-party vendor networks, which provide additional gateways. This broadens the attack surface for the attacker to steal more data. Oh yeah, this can happen just by visiting any website, but it is more common with PORN websites.

These are only a few of the nasty things these sites do. If your organization maintains and/or stores sensitive data, the impact to the organization’s network is detrimental, all by way of the one infected system/device. Furthermore, legal ramifications can be brought against the organization if it cannot prove that it did its “due diligence” to protect the customer’s data. Some sites, such as those that contain PORN, are set up to harvest user credentials and other information for profit (i.e. SSN, credit card numbers, etc.). The attacker can also spread whatever malicious code, tools, etc. he or she needs to achieve “TOTAL PWNAGE” (i.e. OWN) of the system and/or network. The long and short is that your device will no longer be controlled by YOU.

Sounds like something from a movie, right? Unfortunately, it’s not. This is why organizations are serious about their IT security program and seek to develop contingency, incident response and configuration management plans. An organization should employ Security Pros, including an Incident Handler, who help to continuously monitor the organization’s IT assets. The incident handling team works closely with all departments within the organization to effectively research, investigate and collect evidence that protects the organization from attacks that breach the network via explicit sites. Hence, the security banners you always see when you log on that say, “DON’T USE YOUR WORK DEVICES TO GO TO PORN SITES!”

Seriously, just don’t go to them, period. Their request is solely based on the notion that “YOU CAN NOT UN-SEE WHAT YOU HAVE ALREADY SEEN”. Security Pros absolutely HATE when images of MINORS are discovered during an investigation. This requires immediately contacting Law Enforcement in accordance with the organization’s directives. This part of the investigation is disturbing and frustrating, especially if you have kids, but someone needs to catch the bad guys, right? So please remember, the organization’s computers or devices are NOT your personal devices. In addition, think about the people who clean up after YOU! This job is stressful and frustrating already; don’t add to it. Lastly, no one should be subjected to going through someone else’s trash. So PLEASE STOP, because your PORN DOES NOT IMPRESS US…

CyberGuider