That's all good and nice but in most cases, this is a matter of policy. If someone actively tries to circumvent the policy or the process, odds are that most software shops would fall victim to the same thing. Especially in the case of internal software. Even if you have a system that attempts to enforce the process, odds are that the system isn't without flaw and is not too hard to circumvent.
Most businesses whose primary money maker is not defense or security related... are not running their operation with a focus on defending themselves from themselves.
> If someone actively tries to circumvent the policy or the process, odds are that most software shops would fall victim to the same thing.
Too often the focus is entirely on outside attacks, with little consideration given to insider attacks. Previous job was at a cyber security firm. We'd routinely come under attack from criminal and, we believed, occasional nation state attacks as our researchers attributed a few "Axis-of-Evil" nation-state operations.
Then you'd come back from lunch and find the mantrap doors propped open, or someone left a workstation unlocked with root access to something important, or random guests just wandering around. It's a miracle we never were compromised by a disgruntled employee (of which there were many).
New job, new industry, same behavior. Folks leaving "secure" doors open, workstations unlocked with root access, and all that jazz. They're happy to cite a vague SEC regulation that may have applied at their last job, but doesn't apply to ours and even then, it's not like an attacker would ever give a flying fuck about what the SEC thinks.
I'm starting to wonder if this isn't all a comically bad dream.
> Then you'd come back from lunch and find the mantrap doors propped open, or someone left a workstation unlocked with root access to something important, or random guests just wandering around. It's a miracle we never were compromised by a disgruntled employee (of which there were many).
Maybe not the most technical solution to this, but one of my previous employers had a workplace culture of setting the desktop background to a rainbow with unicorns if someone left their computer unlocked. Sometimes even teams of two would work together to pwn some of the more alert members, by temporarily keeping them distracted while the other "attacker" did the business.
3 or more fails and the background bumped up to something pretty gross that nobody wanted, simply as a practical matter.
I actually thought gamifying it made it pretty fun, and at least for workstation locking, we were elite. Even today I'm sharp about it. Maybe it could be extended to physical access to areas as well.
Yup, we had two approaches. You could send out an "I love purple flowers" email to everyone, or the victim would be "Hoffed." That meant setting the desktop background to that picture of David Hasselhoff, nude with strategically-placed pups.
I worked at a place that did something similar. If you walked away from your unlocked computer, when you came back you might find you'd sent an email to everyone in the office saying that you're buying lunch today.
Yeah, this is funny, but a bad idea. You getting on somebody else's workstation, under their login - what happens if they are doing bad shit to the company? Now you have to explain why you were seen on their workstation.
We used to do this at LAN parties in the 90s... of course goatse was the preferred background. People quickly learned never to leave their seats for more than 30 seconds. Most people would just do a 5-10 minute power-nap in their chairs.
Doesn't even need to use unicorns or something gross; the simple fact that the person was perceived as a "he got caught" is enough. Yes, shaming has its uses...
Not sure if you've tried lately, but when you pay cash for a burner phone, most retail outlets require a driver's license to scan your information into their system. When you activate it, you need quite a bit of personal information.
It used to be really easy, but law enforcement is cracking down on the ability to buy and activate these anonymously for obvious reasons.
Are there ways around these? Sure, but it's not nearly as easy as you're proposing.