General Information
March 7, 2008
Vol. 30, Issue 10, page 10 in print issue

Inside Invasion
How To Fight Back Against The Rising Tide Of Threats From Inside Your Enterprise
Legendary military strategist Sun Tzu once advised to keep your friends close but your enemies closer. Increasingly in small and midsized enterprises, enemies are indeed close; in fact, they might be right down the hall, in the office next door, or even in the same cubicle. Companies continue to pour plenty of resources into security that protects their business from outside threats, but unfortunately, many security risks today originate from the inside. Internal threats, whether they stem from well-meaning employees or from disgruntled or thieving employees, can be difficult to track, particularly if an SME has placed most of its efforts on shoring up its external security. For example, such employees can exploit trusted networks—or even other employees—using sophisticated phishing routines, WAP (wireless access point)-based attacks, spyware, Trojan horses, and other methods. Employees who accidentally share sensitive data also put company data at serious risk. These actions are widespread, says Taher Elgamal, CTO of Tumbleweed Communications (www.tumbleweed.com) and widely known as the inventor of SSL. These enterprises also face threats from employees going beyond secure company email or managed file transfer to use consumer technologies to send sensitive business files. Some examples of these risky technologies are Web mail, Web-hosted file sharing services, and IM, Elgamal says.
Check The Locks

According to Elgamal, the process of discovering internal vulnerabilities starts with the basics. First, he recommends that companies establish a security office in the IT organization; for small companies, this can easily be a part-time effort. He adds that companies must also have a good understanding of the data that the business manages so that administrators can create effective processes for employees and others to follow to protect that data. Security threats originating from the outside are numerous, but internal threats are equally abundant. And like external risks, those on the inside generally aren't discovered until an infiltration actually occurs. "Once numerous risks are uncovered, it is important to choose your battles and prioritize in order to bring the biggest reward," Elgamal says. Focus first on the most important aspects of managing important business data to improve its security. That process of properly securing data can not only expose holes to IT personnel, but it can also allow them to remedy the problem to prevent future data theft.

Jeff Pryslak, senior database evangelist for Sybase (www.sybase.com), says that administrators need to cover plenty of bases when rooting out internal threats. These include network access (ensure only required access is occurring), server protection (use trusted configurations and remove all unwanted traffic, ports, and even DNS lookups), application security (use two-factor authentication with policies for password strength, expiration, etc.), and packet transportation security (use IPSec configurations for tunneling). Also crucial is how enterprises secure their data at rest. "Encrypting the data that needs to be secured is very important," Pryslak says. "However, never encrypt the whole disk. ... Encryption is great, but it has its purpose, and within the context of a business, performance matters. I have seen too many instances of hardware encrypting a disk, an OS encrypting its files, and an application encrypting its data. In the security world, this is the same thing as a rabbit attack—denial of service of a system due to overuse of the CPU or other resources."
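Two of the bases Pryslak lists, "ensure only required access is occurring" and password expiration and two-factor policies, are the kind of thing an administrator can check against the directory on a schedule rather than only once. The script below is an added example written for this article, not code from Sybase or from any vendor quoted here; the 90-day password age, the 60-day dormancy threshold, and the sample accounts are constructed assumptions, and the records are stand-ins for whatever a real directory export would provide.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Policy thresholds: assumptions for this example, not figures from the article.
MAX_PASSWORD_AGE_DAYS = 90   # the "expiration" policy in Pryslak's application-security bullet
DORMANT_AFTER_DAYS = 60      # "ensure only required access is occurring"


@dataclass
class Account:
    name: str
    privileged: bool            # holds administrative rights
    mfa_enrolled: bool          # second factor set up
    password_set: date          # date the current password was chosen
    last_login: Optional[date]  # None = never logged in


Finding = Tuple[str, str, str]  # (account, issue, detail)


def review_accounts(accounts: List[Account], today: date) -> List[Finding]:
    """Return one finding per policy violation; an empty list means every account passes."""
    findings: List[Finding] = []
    for acct in accounts:
        pw_age = (today - acct.password_set).days
        if pw_age > MAX_PASSWORD_AGE_DAYS:
            findings.append((acct.name, "password-expired", f"{pw_age} days old"))
        # Administrative rights without a second factor is the gap two-factor policy is meant to close.
        if acct.privileged and not acct.mfa_enrolled:
            findings.append((acct.name, "privileged-without-mfa", "admin rights but no second factor"))
        # Accounts nobody uses are access that is not required and should be reviewed or disabled.
        if acct.last_login is None:
            findings.append((acct.name, "dormant", "never logged in"))
        elif (today - acct.last_login).days > DORMANT_AFTER_DAYS:
            findings.append((acct.name, "dormant", f"last login {(today - acct.last_login).days} days ago"))
    return findings


# Constructed sample directory, dated to the article's publication day.
TODAY = date(2008, 3, 7)
SAMPLE_ACCOUNTS = [
    Account("alice", True, True, TODAY - timedelta(days=30), TODAY - timedelta(days=1)),
    Account("bob", True, False, TODAY - timedelta(days=120), TODAY - timedelta(days=3)),
    Account("svc_backup", False, False, TODAY - timedelta(days=400), None),
    Account("carol", False, True, TODAY - timedelta(days=10), TODAY - timedelta(days=75)),
]

if __name__ == "__main__":
    for name, issue, detail in review_accounts(SAMPLE_ACCOUNTS, TODAY):
        print(f"{name:12} {issue:24} {detail}")
```

Run against the constructed sample, the review flags bob twice (expired password, administrative rights without a second factor), the never-used svc_backup account, and carol's dormant login, and says nothing about alice. The point is that the findings come out as data a reviewer can act on, account by account, rather than as a one-off judgement.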
Online Under Scope

Perhaps more than anything else, the proliferation of sloppy online usage habits ultimately leads to malicious code finding its way into the enterprise. Tsion Gonen, vice president of the Aladdin eSafe Business Unit at Aladdin Knowledge Systems (www.aladdin.com), explains that businesses should take a close look at their current policies. "Proper Web usage policies should be examined to make sure they answer both productivity and security needs. Organizations should examine their existing Web content security policy and products and see if they are able to properly handle the growing threats," Gonen says. An effective content security product, he says, shouldn't just deliver a "black-and-white" approach of blocking malicious Web sites or viruses by signature but instead inspect all Web content, including dynamic Web 2.0 content. Further, Gonen recommends that managers prevent and monitor the use of anonymizers to discover which employees are attempting to work around policies. They should inspect both encrypted (HTTPS) and unencrypted Web site content. For more information on this, please see the Internet Security Vulnerabilities article on page 1. Also, while many employees are tempted to use Internet tools that they often use at home, experts recommend curtailing their use to avoid potential security problems. For example, Gonen warns that applications such as Skype (www.skype.com) could allow the uncontrolled transfer of confidential information through technologies such as P2P. Although these and other steps can help reduce internal threats, Pryslak recommends that companies be vigilant in their approach and generate a user-required policy that has legal and personal ramifications. "If a user has to make a bid on an auction or a trade in a fantasy football league, they can walk down to the local coffee shop and use their free wireless access," Pryslak says.
Elgamal notes that preventing or mitigating data breaches is simply standard operating procedure among certain business processes. Finding and catching ill-intended individuals should be looked at as the last resort in terms of security management, he says. The current levels of security breaches and associated losses are primarily the result of incidental problems by regular users rather than intentional misuse.

by Christian Perry
Top Tips

Don't get lax with logging. Rohyt Belani, managing partner of Intrepidus Group (www.intrepidusgroup.com), says that companies should ensure logging of administrative activities to a centralized location. "It is especially critical to ensure that all activity audit logs are stored at a location that is not in [IT administrators'] control. This separation of duties between the entities managing systems and those reviewing the administrative activity will ensure that insider attacks don't go unnoticed, unless there is collusion between the two," he says.

Watch the virtual side. Managers might tend to disregard security around virtual machines, but Tsion Gonen, president of the Aladdin eSafe Business Unit at Aladdin Knowledge Systems (www.aladdin.com), warns that these machines carry the same threats as actual systems and can provide access to corporate resources.

Establish employee termination procedures. Belani says enterprises face major risks from former employees with administrative access—especially if they're disgruntled. As such, it's imperative to create well-defined procedures that cleanly revoke such access.

Monitor the mobiles. Internal infiltrations don't always actually occur within company walls. Mobile employees use devices to access corporate data, and Gonen says that both laptop and corporate cellular users should have the same protection envelope when they're at the office and on the road.
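Belani's two tips fit together: centralized administrative logs are only useful if someone outside the administrators' control actually reviews them, and a termination procedure is only verified when that review confirms the revoked account stayed quiet. The script below is an added example written for this article, not code from Intrepidus Group or any product named on the page. The log layout ("timestamp host user action detail"), the log lines, the HR termination feed, and the list of privileged actions are all constructed assumptions standing in for whatever a real central log server and HR system would supply.

```python
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample audit log, already forwarded to a central store the administrators
# cannot edit. The "timestamp host user action detail" layout is an assumption for this
# example, not any product's real log format.
SAMPLE_LOG = """\
2008-03-05T09:12:01 fileserver01 dave login src=10.0.0.12
2008-03-05T17:40:22 fileserver01 dave useradd newuser=backupsvc
2008-03-06T08:05:10 dc01 erin login src=10.0.0.40
2008-03-06T22:14:55 fileserver01 dave login src=203.0.113.9
2008-03-06T22:16:03 fileserver01 dave auditlog clear
2008-03-07T07:30:00 dc01 erin passwd target=frank
"""

# Constructed HR feed: administrators whose access should have been revoked, and when.
TERMINATED: Dict[str, datetime] = {"dave": datetime(2008, 3, 6, 12, 0, 0)}

# Actions the reviewing entity always wants to see, whoever performed them (assumed set).
PRIVILEGED_ACTIONS = {"useradd", "passwd", "auditlog"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<user>\S+) (?P<action>\S+)(?: (?P<detail>.*))?$"
)


def parse_log(text: str) -> List[dict]:
    """Turn the raw log text into event dicts with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skipped here, but worth counting in a real review
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["detail"] = ev["detail"] or ""
        events.append(ev)
    return events


Finding = Tuple[str, str, str, str]  # (timestamp, user, issue, what happened)


def review_admin_log(events: List[dict], terminated: Dict[str, datetime]) -> List[Finding]:
    """Flag activity by revoked accounts and list every privileged action for the reviewer."""
    findings: List[Finding] = []
    for ev in events:
        what = f"{ev['action']} {ev['detail']}".strip()
        cutoff = terminated.get(ev["user"])
        # Any event after the termination cutoff means the revocation procedure failed.
        if cutoff is not None and ev["ts"] > cutoff:
            findings.append((ev["ts"].isoformat(), ev["user"], "activity-after-termination", what))
        # Privileged actions are reported regardless of who did them; the reviewer decides.
        if ev["action"] in PRIVILEGED_ACTIONS:
            findings.append((ev["ts"].isoformat(), ev["user"], "privileged-action", what))
    return findings


def privileged_actions_by_user(events: List[dict]) -> Dict[str, int]:
    """Per-administrator count of privileged actions, a quick summary for the reviewer."""
    return dict(Counter(ev["user"] for ev in events if ev["action"] in PRIVILEGED_ACTIONS))


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ts, user, issue, what in review_admin_log(evs, TERMINATED):
        print(f"{ts}  {user:6} {issue:28} {what}")
    print(privileged_actions_by_user(evs))
```

On the constructed sample the review surfaces two events from dave after his noon cutoff, including an attempt to clear the audit log on the file server; because the log was already forwarded to a store he does not control, the clearing action itself is what gets recorded. The privileged-action list and the per-user counts give the reviewing entity a starting point without relying on the administrators' own account of what they did.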