When it comes to internal security threats there are two types
of employees -- those who mean to do it, and those who haven't a
clue. Both are equally dangerous.
While delivering his keynote address at the IT Compliance
Institute's conference on Monday, cybersecurity author Dan Verton
said that, whether insiders are malicious or not, an IT organisation
faces an uphill battle when it comes to protecting its assets.
Old-fashioned IT perimeter defenses have been rendered useless.
"Your security programs, policies and procedures are failing
miserably and you don't know it," Verton told his audience. "You
might be spending millions on perimeter defense, and you have no
perimeter."
Verton, who authored The Insider: A True Story, said
companies need to use technology to enforce security procedures
that thwart malicious insiders and protect against threats from
loyal employees who take a lax approach to policies.
When ignorance is not bliss
The criminal insiders' motivations are obvious, Verton said:
They want to steal data.
Then there are the loyal, but unaware, employees who work around
security policies and procedures in an attempt to be more efficient
or download pornography, exposing the system to malicious code that
could lead to a data breach.
According to Verton, malicious insiders often come from within a
company's IT organisation -- something no CIO wants to hear but can
no longer afford to ignore.
"There's a psychological aspect to these employees that you have
to pay attention to," Verton said. "They are people who say, 'This
company doesn't know what it's doing.' They feel they own your
network. These are individuals who are ripe for when you go through
downsizing or layoffs -- if they are on your list you have to put
that into consideration when you're planning."
Verton said data must be protected even if it's behind a
perimeter, such as a firewall. He said companies cannot rely on
strict data access controls. Experts say a hardened perimeter
security strategy is impossible to sustain.
"You have average users who are loyal, but they're handling data
in such a way that it is distributed all over the enterprise
unprotected." For instance, they may use Web-based email to send
customers information about their accounts for expediency, even
though the company may have a policy of sending such information
through encrypted email. A virus or worm that penetrates an
organisation's perimeter security can then harvest that data.
"It comes down to creating a culture of security," Verton
said.
Verton said organisations need effective policies for security.
This means identifying key data assets and authorised network
systems and devices. They must document and publish their policies
and procedures that govern access and acceptable use of data.
He said organisations must also routinely scan for rogue
wireless access points or unauthorised software. They must restrict
or actively monitor the use of Web email, FTP and instant messaging
and automate antivirus updates, vulnerability scanning and patch
deployment. He added companies should also identify and deactivate
all unnecessary processes and automate detection of changes to
security settings.
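Two of the controls listed above, detecting changes to security settings and flagging unauthorised software, lend themselves to a simple automated audit. The following is an added illustration and not code from the article or from Verton; the approved-settings baseline, the software allowlist and the sample host data are all constructed for the example, and the key names are hypothetical rather than taken from any real product.

```python
import hashlib
import json
from dataclasses import dataclass, field

# Constructed baseline: security-relevant settings captured from an approved build.
APPROVED_SETTINGS = {
    "firewall.enabled": "true",
    "antivirus.auto_update": "true",
    "ssh.PasswordAuthentication": "no",
    "wireless.allowed_ssids": "corp-wifi",
}

# Constructed allowlist of software packages the organisation has authorised.
AUTHORIZED_SOFTWARE = {"office-suite", "vpn-client", "endpoint-agent"}

# Constructed snapshot of one workstation as reported by an inventory agent.
SAMPLE_SETTINGS = {
    "antivirus.auto_update": "true",
    "ssh.PasswordAuthentication": "yes",   # weakened from the baseline
    "wireless.allowed_ssids": "corp-wifi",
    "proxy.bypass": "true",                # setting not present in the baseline
}                                          # firewall.enabled is missing entirely
SAMPLE_SOFTWARE = ["office-suite", "endpoint-agent", "p2p-client"]


def fingerprint(settings):
    """SHA-256 over the canonical JSON form, so a quick equality check can
    tell whether a fuller diff is needed at all."""
    canonical = json.dumps(settings, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


@dataclass
class Drift:
    added: dict = field(default_factory=dict)    # key -> current value
    removed: dict = field(default_factory=dict)  # key -> baseline value
    changed: dict = field(default_factory=dict)  # key -> (baseline, current)

    def is_clean(self):
        return not (self.added or self.removed or self.changed)


def detect_setting_changes(baseline, current):
    """Compare a host's current settings against the approved baseline."""
    drift = Drift()
    for key, value in current.items():
        if key not in baseline:
            drift.added[key] = value
        elif baseline[key] != value:
            drift.changed[key] = (baseline[key], value)
    for key, value in baseline.items():
        if key not in current:
            drift.removed[key] = value
    return drift


def find_unauthorized_software(installed, allowlist):
    """Anything installed that is not on the allowlist is a finding."""
    return sorted(set(installed) - set(allowlist))


def audit_host(host, current_settings, installed_software):
    """Run both checks and return human-readable findings for one host."""
    findings = []
    if fingerprint(current_settings) != fingerprint(APPROVED_SETTINGS):
        drift = detect_setting_changes(APPROVED_SETTINGS, current_settings)
        for key, (old, new) in sorted(drift.changed.items()):
            findings.append(f"{host}: setting {key} changed from {old!r} to {new!r}")
        for key, value in sorted(drift.added.items()):
            findings.append(f"{host}: unexpected setting {key}={value!r}")
        for key, value in sorted(drift.removed.items()):
            findings.append(f"{host}: baseline setting {key}={value!r} is missing")
    for pkg in find_unauthorized_software(installed_software, AUTHORIZED_SOFTWARE):
        findings.append(f"{host}: unauthorized software {pkg}")
    return findings


if __name__ == "__main__":
    for line in audit_host("ws-042", SAMPLE_SETTINGS, SAMPLE_SOFTWARE):
        print(line)
```

In practice the baseline would be captured once from a hardened reference image and stored out of reach of the hosts being audited, and the snapshot would come from an inventory or endpoint agent on a schedule; the findings list is what would feed a ticket or an alert.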
An IT executive for the security department of a major U.S.
retailer, who asked not to be identified, said the loyal insider as
a security threat is a growing problem. He said such people have
become just as common as insiders with malicious intent.
"The fact that technology has become so ingrained into business
and people use the technology as part of their everyday work
habits, they don't think about what they are doing … such as
sending an email to a vendor with sensitive information in it," the
executive said.
The analyst said awareness is the key to cutting down on
nonmalicious threats. "The only way to do that from an IT
standpoint is to set out clearly what is right and wrong. This is
what our company considers public and private, and here are some
best practices to adhere to."
Let us know what you think about the story; email:
Shamus McGillicuddy,
News Writer