Tuesday, February 27, 2007

Dynamic Security helps fight the insider problem

Insiders: The Improvised Explosive Devices of Corporate Networks

Ben Rothke   

 February 26, 2007 (Computerworld) -- Reading about improvised explosive devices (IED) in Military & Aerospace Electronics got me thinking about information security. According to Annie Turner’s article, although the U.S. is spending hundreds of billions of dollars on the Iraq war, it is losing soldiers left and right to IEDs that cost a few bucks.

IEDs are typically detonated by simple electronic devices like cell phones or garage door openers. They can be jammed, but locating those low-power signals among a lot of noise is difficult — and they usually aren’t found before it’s too late.

How do IEDs relate to information security? Companies spend billions of dollars on secure hardware and software to protect their networks from sophisticated hackers who try to break in with state-of-the-art tools. But those efforts have no effect on the IED of the corporate world: the trusted insider. If your network is breached by a typical hacker, the effects will likely be a basic port-scanning exercise or a denial-of-service attack.

But insiders have no need to bypass the physical and digital perimeter controls you have in place, and they have enough knowledge of the corporate and network topology to gain quick access to terabytes of corporate data.

What can you do to mitigate the risks of insider threats? The following five steps are a start. They must be executed within the framework of a formal program to deal with risk and the insider threat.

Get real about the danger. Most managers deride the very idea that their insiders would do malicious things on their networks. Of course, those same managers padlock supply closets to protect precious stocks of pencils, paper and printer toner. So why don’t they lock the digital closets as well?

A great place to get a realistic understanding of the scope of the threat posed by insiders is at the CERT Insider Threat Research page (www.cert.org/insider_threat), which offers a lot of valuable information on the subject.

Naturally, you can’t forget that insiders are the people who keep your organization going. The vast majority of insiders are loyal and trustworthy. Unfortunately, all it takes is one bad apple to do a lot of damage. Controlling those bad apples is what this is all about.

Know your network. Far too many organizations have no idea what their networks look like or even what assets are on them. In such a climate, insiders can carry out attacks using network paths that management knows nothing about.

If you don’t know where your network starts or stops, then you can’t protect it.

Perform periodic enterprisewide risk assessments. They’ll ensure that you are worrying about the right things.

Monitor. Do you know what your users are doing on the network? Do you know which users have had what kinds of disciplinary problems? Talk to HR.

Control. All operating systems have significant levels of access control capabilities. But if those controls are not activated, then users will walk all over the network. You paid for the software, and it is imperative to use these and other controls to restrict access and accounts.

Insider abuse of digital assets is a reality. Denying it is like denying gravity. Organizations must understand the threats and have a plan to deal with them. If they don’t, their corporate data will be pilfered by insiders.

Ben Rothke, CISSP, is a senior security consultant at International Network Services and the author of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill, 2006). You can contact him at ben.rothke@ins.com.

 
