
5 Critical Ways to Protect Yourself From Your Employees
PUBLISHED: Mar 31 2010
Introduction

High-profile cases of insider abuse appear in the press almost weekly. Jérôme Kerviel at Société Générale in France used his knowledge of back-office operations to get around the controls on his trading, concealing unauthorized positions that cost the bank roughly $7 billion when they came to light, just when the world's financial system was least resilient to bad news.

Analysis

The insider threat is posed by employees, contractors and visitors who are granted too much trust, and in some cases that trust is granted almost naively. Anyone inside an organization could have the motivation, the access and the tools to steal information or even destroy critical resources. While it is often overlooked, the insider threat regularly outweighs the cyber criminals, hackers and random malware that most organizations concentrate on. It is the insider who knows where the keys to the kingdom are hidden.

In my travels I talk to a lot of people on airplanes. When I mention to a small business owner that I work in security, I often get the same response: "You know, I think I have a problem with my IT guy." Since most small businesses rely on one key person for most of their computer and network support, it is not surprising that that one person poses a risk. What if he or she gets angry and leaves? Will they help with the transition, or will they take the customer list and the passwords for critical servers, or even destroy data and resources out of spite? The City of San Francisco found out when Terry Childs, a 43-year-old network administrator, changed the passwords on the Cisco routers of the city's WAN and refused to give them up even after he was jailed.

Large organizations have the ability to create divisions of labor and deploy lots of technology to counter such risks. But what is a smaller organization to do?  Here are five steps to take.

  1. Publish your acceptable use and confidentiality policy and have every employee acknowledge it in writing. It sounds basic, but it is the first step. Don't let anyone argue that they did not know it was wrong to take the customer list or to log in to your servers after they had left your employ.
  2. Deploy URL content filtering. It is available at modest cost from any UTM vendor (SonicWALL, Fortinet, Cyberoam, WatchGuard). Block access to non-business sites and create a custom block page that tells employees that browsing to that site violates company policy. This creates the awareness that "big brother is watching."
  3. Fix your password policy. Full Identity and Access Management suites are expensive, but there is a lot you can do with Windows Active Directory (AD) alone. Remove departed employees from AD the day they leave (disable the account first rather than deleting it outright, so that its history and group memberships are still available if you ever need to investigate), and do the same in any application that keeps its own user list outside AD.
  4. As part of your new policy, require that all passwords for servers and routers (privileged accounts) be changed at least monthly, and immediately whenever someone who knew them leaves, and that copies be available to the business owners, even if that means printing them out and putting them in a safe.
  5. Network monitoring. Use free network sniffing tools (Wireshark, or NetWitness) to watch for unusual behaviour. I am not suggesting a huge investment here, just enough to let even the people who run your IT systems know that you are watching and able to enforce the acceptable use policy.
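Steps 3 and 4 can be checked mechanically rather than trusted to memory. The script below is an added example and not code from the article: it assumes the user list has been exported from Active Directory into CSV with the columns shown (the export step itself is not shown, and real AD timestamps would need converting to dates first), and every account name, date and group name in it is made up. It flags leavers whose accounts are still enabled, accounts nobody has used in three months, and privileged accounts whose password is older than the monthly rotation the policy demands.

```python
"""Audit an exported user list against the HR leaver list and the
privileged-password rotation rule.

Added example, not code from the article. Assumes a CSV export of AD
users with the columns below; all names, dates and groups are made up.
"""
import csv
import io
from datetime import date, datetime

# Constructed sample: what an export of a small domain might look like.
SAMPLE_EXPORT = """\
sAMAccountName,enabled,lastLogon,pwdLastSet,memberOf
jsmith,TRUE,2010-03-29,2010-03-01,Domain Users
tchilds,TRUE,2010-03-30,2009-07-01,Domain Users;Domain Admins
mjones,TRUE,2009-11-15,2009-10-20,Domain Users
svc_backup,TRUE,2010-03-30,2008-01-15,Domain Users;Backup Operators
pkerr,FALSE,2010-02-28,2010-01-10,Domain Users
"""

# Constructed sample: account names of people HR says have left.
LEAVERS = {"mjones", "pkerr"}

# Groups whose members count as privileged for the rotation check.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins",
                     "Backup Operators", "Account Operators"}


def parse_export(text):
    """Turn the CSV export into dicts with booleans, dates and group sets."""
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        accounts.append({
            "name": row["sAMAccountName"],
            "enabled": row["enabled"].strip().upper() == "TRUE",
            "last_logon": datetime.strptime(row["lastLogon"], "%Y-%m-%d").date(),
            "pwd_last_set": datetime.strptime(row["pwdLastSet"], "%Y-%m-%d").date(),
            "groups": {g for g in row["memberOf"].split(";") if g},
        })
    return accounts


def audit(accounts, leavers, today, dormant_days=90, max_privileged_pwd_age=30):
    """Flag leavers still enabled, dormant accounts, and privileged
    accounts whose password is older than the rotation period."""
    findings = {"leaver_still_enabled": [], "dormant": [],
                "stale_privileged_password": []}
    for acct in accounts:
        if not acct["enabled"]:
            continue  # a disabled account has already been dealt with
        if acct["name"] in leavers:
            findings["leaver_still_enabled"].append(acct["name"])
        if (today - acct["last_logon"]).days > dormant_days:
            findings["dormant"].append(acct["name"])
        if (acct["groups"] & PRIVILEGED_GROUPS
                and (today - acct["pwd_last_set"]).days > max_privileged_pwd_age):
            findings["stale_privileged_password"].append(acct["name"])
    return findings


def run(today=date(2010, 3, 31)):
    """Run the audit over the constructed sample as of a fixed date."""
    return audit(parse_export(SAMPLE_EXPORT), LEAVERS, today)


if __name__ == "__main__":
    for category, names in run().items():
        print(f"{category}: {', '.join(names) or 'none'}")
```

The leaver list is the one to act on the same day; the dormant list usually turns up forgotten contractor and service accounts; the stale-password list is the monthly reminder that the router and server credentials in the safe are due for a change. Disabling rather than deleting a leaver's account keeps its group memberships and logon history available if you later need to work out what they did.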

The first time you fire up a network monitor you may be surprised at what is running on your network: LimeWire clients sharing documents or copyrighted material, web servers nobody approved, spam bots and so on. It can be an eye opener.
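The three surprises just named each leave a recognisable pattern in the connection records a sniffer collects. The script below is an added example, not code from the article or from either tool it mentions: it assumes the records have already been exported from the sniffer as CSV with the columns src,dst,proto,dport (the column layout, the addresses, the approved-server lists and the thresholds are all made up), and it flags a workstation talking on the Gnutella default ports LimeWire uses, a workstation accepting web connections that is not an approved web server, and a workstation sending mail directly to many outside mail servers instead of through the office mail server.

```python
"""Triage connection records for the kinds of surprises the article lists.

Added example, not code from the article. Assumes CSV records with the
columns src,dst,proto,dport; addresses, server lists and thresholds are
made up.
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample: a few minutes of connections on a small office LAN.
SAMPLE_RECORDS = "src,dst,proto,dport\n" + "\n".join([
    "192.168.1.10,192.168.1.5,tcp,25",       # normal mail via the office server
    "192.168.1.10,192.168.1.8,tcp,80",       # approved intranet server
    "192.168.1.10,93.184.216.34,tcp,80",     # ordinary outbound browsing
    "192.168.1.31,198.51.100.11,tcp,6346",   # Gnutella default port (LimeWire)
    "192.168.1.31,198.51.100.12,tcp,6346",
    "192.168.1.31,198.51.100.13,udp,6346",
    "198.51.100.77,192.168.1.42,tcp,80",     # outside hosts hitting a workstation
    "198.51.100.78,192.168.1.42,tcp,80",
] + [f"192.168.1.20,203.0.113.{n},tcp,25" for n in range(1, 13)])  # 12 outside MTAs

INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")   # assumed office LAN
MAIL_SERVERS = {"192.168.1.5"}                           # the only host allowed to send mail out
WEB_SERVERS = {"192.168.1.8"}                            # hosts allowed to serve web pages
GNUTELLA_PORTS = {6346, 6347}                            # LimeWire/Gnutella defaults only
WEB_PORTS = {80, 443, 8080}


def parse_records(text):
    """Parse the CSV export into (src, dst, proto, dport) tuples."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        records.append((row["src"], row["dst"], row["proto"].lower(), int(row["dport"])))
    return records


def is_internal(addr):
    return ipaddress.ip_address(addr) in INTERNAL_NET


def triage(records, smtp_fanout=10):
    """Return the hosts flagged in each category as sorted lists."""
    p2p = set()
    rogue_web = set()
    smtp_targets = defaultdict(set)  # internal sender -> distinct outside MTAs
    for src, dst, proto, dport in records:
        # An internal host using the Gnutella default ports is almost
        # certainly running a file-sharing client (other ports are missed).
        if is_internal(src) and dport in GNUTELLA_PORTS:
            p2p.add(src)
        # Anything internal answering on a web port that is not on the
        # approved list is an unapproved web server.
        if is_internal(dst) and dport in WEB_PORTS and dst not in WEB_SERVERS:
            rogue_web.add(dst)
        # Mail should leave via the office mail server; a workstation that
        # opens SMTP to many outside servers itself looks like a spam bot.
        if is_internal(src) and proto == "tcp" and dport == 25 and dst not in MAIL_SERVERS:
            smtp_targets[src].add(dst)
    spam_bots = {h for h, targets in smtp_targets.items() if len(targets) >= smtp_fanout}
    return {"p2p": sorted(p2p),
            "rogue_web_server": sorted(rogue_web),
            "spam_bot": sorted(spam_bots)}


def run():
    """Triage the constructed sample."""
    return triage(parse_records(SAMPLE_RECORDS))


if __name__ == "__main__":
    for category, hosts in run().items():
        print(f"{category}: {', '.join(hosts) or 'none'}")
```

The checks are deliberately crude: they look only at who talks to whom on which port, which is exactly what a conversation list gives you, and they rely on you knowing which hosts are supposed to be servers. That is the point of step 5: the rules do not have to be clever to catch a LimeWire client or a workstation spraying mail, and the hosts they turn up are the ones to walk over and look at.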

 

Conclusion

The most important security measure any organization can take is to reduce exposure to the insider threat.  Use these five steps to guide you.

Disclosures and References

See the tutorial at InternetEvolution.com for a video of the author on insider threats.


2 Comments


Posted on April 1, 2010
Smithwill

Protecting oneself from employees? It's almost as if, by design, a company sets up an adversarial relationship: prisoner vs. inmate. I believe this premise is wrong-minded and at the heart of many persistent problems. First, I believe management bears a large part of the responsibility for errant employee behavior. Lack of communication, training and supervision all lay the foundation for an untrustworthy relationship. And based on the number of divorces, likely some of the managers are bringing their own personal bad behaviors to work with them and, by extension, causing disharmony, strife and irreconcilable differences among their co-workers.

Though the 5 suggestions have some merit on a process basis, I think they mostly address symptoms. Posting a freaking policy assumes a lot: that people read it, understand it and that it will be actively monitored and enforced.

URL content filtering is a huge freaking band-aid and poor substitute for lazy, unthinking management. Why spend all the cash on Internet if you're not going to specify a legitimate business purpose? Making it available for news, idle surfing or whatever, given the amount of media available, is akin to putting an AM/FM radio and TV on everybody's desks. It's a huge productivity killer not to mention gateway for compromise. Before buying a filter management should first start by defining HOW the Internet will put money on their bottom line.

Passwords, no argument. In fact, there should be complete transparency among all the network operations information. No management silos! I've seen way too many instances where one internal group rides roughshod over others due to separation of duties. Security can't get a port from the networking guys...because they don't want anyone to see what they're doing etc. It's insanity that in many cases is sanctioned by upper management.

Wireshark or Netwitless? Have you used these tools? I agree that monitoring and reporting is paramount, but consigning someone to use the aforementioned tools is laughable. There's no management intelligence aspect to either. They're geek-tools. If the business resources are truly to be treated and managed as such, there should be a monitor/report system that accommodates all the stakeholders. We have been advocating these principles since our company was founded in 03. Free tools DO come with a cost. Our philosophy is offering extremely high value, ease-of-use and extensibility in a "super-affordable" software package.

Educate. Communicate. Monitor. Enforce. Change control. This simple formula fosters a greater good without all the inter-company acrimony.

Scott W Smith
Congruity Technologies
www.congruitytech.com

Posted on April 4, 2010

Blimey, I find myself aligning quite a lot with Scott though with slightly less "freaking" about it.

I find the urge to control every action an employee takes counterproductive, and I find it hard to believe that every small business doesn't trust its IT guy either.

An acceptable use policy is a good idea, mainly because it protects the employer from unnecessary litigation. Much of the "harassment" legislation out there in Europe requires that you let people know that certain behaviours can't be tolerated (such as browsing for pornography or race hate material - though don't forget in some European nations it is actually a right to view pornographic material in the workplace) and a policy covering these areas is a good idea.

Content filtering is a lousy idea, both URL and mail content, you often find it blocks access to legitimate sites and/or excessively filters content and treats users like children too. Are you really saying that you object to employees accessing Facebook and Hotmail (for example) 100% of the time, even in their breaks and lunch hours?

Windows Active Directory is fine for password management, but don't forget that there are still plenty of applications which don't use active directory and you need to continue to monitor these too.

Holding admin passwords centrally makes sense but significantly increases the risks of inappropriate usage.

Network monitoring? I'm still in two minds about that and Scott seems to have some sensible issues regarding the software you recommend.

This is another series of ideas with some good points that still manages to glorify an adversarial relationship between employer and employee. It really doesn't need to be like that, when treated with respect and trust most people will give you far more than when you watch, monitor and derogate.

PROFILE BRIEF:

Currently founder and Chief Research Analyst, IT-Harvest. I research and report on the IT security industry.
CMO, Fortinet, Inc. Helped establish brand recognition in EMEA, AsiaPac, and Americas through speaking tours and press management.

VP Threat Research, Webroot Software, Inc.
VP Research, Gartner
Manager Technical Risk Management, PricewaterhouseCoopers
Director of BD Netrex, Inc.

FUNCTIONAL EXPERTISE:
Information Technology, IT Security, Technology