Few enterprises could bear a $7.2bn loss caused by a "computer
genius" avoiding company policies and controls. But for
international bank Société Générale, January 21 this year must have
been a day of escalating horror, as the extent of
Jerome Kerviel's fraudulent trading became apparent.
"An internal audit alleged that the user was not controlled
enough, and was asked to bypass the security systems for
performance reasons," explains Eric Domage, IDC research manager
for security products and services.
"We need to educate the user. It is stage one of security, but
it is not enough," says Domage.
"The new stage of security, to fight against internal threats,
is end point solutions (EPS)." At Société Générale, "the user
behaved badly, for sure. He bypassed every control, but he was
asked to do that. End point solutions could have helped manage that
situation. The user is the main threat now, and the insider is the
biggest threat."
EPS, sometimes called end point security, even end point
protection, combines features of many security technologies -
usually anti-virus, anti-spyware, firewalls, intrusion detection,
perhaps cache cleaning and even policy enforcement - in a
distributed agent downloaded to the client. Desktop protection is
always current, in a known state and the user is prevented from
meddling.
Powerful users dislike controls on the way they operate. "Which
is why the end point solution should be silent and very, very
invisible," says Domage. He cites a USSS/CERT insider threat
survey, which suggested that fully 87% of internal incidents are
initiated by privileged users such as system administrators,
database administrators, and information owners and custodians.
Users are given administrative privileges to keep poor software
from failing and to allow downloading of useful utilities needed to
do their jobs, explains Miles Clement, senior research consultant,
Information Security Forum (ISF). "The big issue is availability. If it's
not available, it's no good. If you think about it, we've known for
years that user name and password is not particularly secure, so
why do we still use it? We use it because it works."
Unconstrained employees
It's a concern in all companies, one which Clement thinks has
escalated recently as "Generation Y" wrestles with limitations on
the way it works. "They don't think
that their computers should be locked down in any way. They believe
they should be able to talk to their mates, they should be able to
chat away to each other. They are used to communicating much more
than non-generation Y people," he explains.
Tough, you might say, but increasingly companies find it
difficult to recruit unless they offer new starters this kind of
freedom. As a consequence, Clement adds, "A lot of corporates now
think Facebook is an acceptable application."
Many companies fear putting more than basic security in place in
case workplace flexibility is damaged. Directing which applications
are permitted, and which are not, is a control too far.
Controlling access
Group policy controlling access to applications has been
generally available since Windows 2000 and the first version of
Active Directory, says Clement. "One, people don't understand
how to do it, and two, they don't like the management overhead, and
three, availability is king." They would rather put up with a few
broken laptops and rebuild them if there's a problem, he says.
Yet for other enterprises, such an abuse-then-rebuild policy is
impossible. Regulation and compliance, particularly around
financial data and customer information, require tight controls.
"If you open up new facilities and you allow them to take place on
your equipment, ultimately, you are responsible, even if you don't
know how it's being used," says Andy Kellet, senior analyst at
Butler Group.
"The first stage is understanding what's going on. Before you
can actually control what people can do, you have to have a sound
basis for making the decisions about what is and what is not
allowed," he adds.
Darrell Jordan, software asset manager at power group RWE,
understands this advice. Once a week his Centennial Discovery tool
audits more than 2,000 desktops and servers, reporting back on all
software installed and running on the machines.
His primary concern is the installation of unlicensed software
and the breach of licence agreements already in force. "Software
asset management is coming to the forefront now, I think because of
large fines being handed out to organisations," he says.
"We have internal policies which are published to end users,
which give guidance as to what is acceptable software and what
isn't. It is not acceptable to download software off the internet.
Centennial will report back on anybody abusing their administrator
rights."
Jordan says his role is still seen as a "black art" by some who
fail to understand how their downloading habits are discovered, but
his specific task is to control what is placed on the desktops. "We
are worried about viruses, but also, when you download a piece of
software, the end-user licence is mostly specific for a home user
and cannot be used in a commercial environment."
Yet it's not just compliance with licences that companies should
worry about. Mark O'Dell, operations director at IT outsourcing
provider Connect, has seen client networks crippled by downloaded
movies and MP3 files. "It's potentially dangerous because you don't
know what is inside those files. We have problems from users where
they don't have great kit for blocking these things, and they are
sharing 50,000 music files."
O'Dell deals with all sizes of enterprise and is cautious about
recommending expensive technical solutions for everybody. "For
smaller companies you have to start with education. They've got to
understand they can't do it [download] and if they do, they have to
understand they will be disciplined. Very quickly, once someone's
had a disciplinary hearing for sharing MP3s about the place, it
doesn't happen anymore.
"You've got to couple that with IT solutions, though." For
clients that want it, O'Dell offers other measures including
internet filtering for controlling content. "The device we use is a
Barracuda web blocker. All internet traffic goes via it and it logs, blocks
and records everything that happens. Websense does it and there are
lots of companies that provide this."
Yet this does not prevent compromised devices connecting to a
network, which requires a further shield known as NAC, or Network
Access Control. Sharing many of the same aims as EPS - indeed,
Symantec offers both in a twin-licence product - NAC controls
network access with pre-admission endpoint security checks and
post-admission controls over network navigation and abilities.
Devices can be quarantined, constrained, or refused connections,
depending on their configuration and status.
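An added illustration of the two-stage NAC model described above (not code from the article or from any vendor it names): a pre-admission posture check that yields one of the article's four outcomes, followed by a post-admission zone check. The posture fields, zone names and thresholds are assumptions chosen for the example.

```python
from dataclasses import dataclass

# Constructed posture report, modelled on the pre-admission checks the
# article describes (hypothetical field names, not a vendor's schema).
@dataclass
class DevicePosture:
    hostname: str
    is_corporate_managed: bool   # known, company-built machine?
    agent_present: bool          # EPS/NAC agent answered the posture query
    av_signatures_age_days: int
    missing_critical_patches: int

# Network zones a session may reach after admission (post-admission control).
ZONES = {
    "admit": {"internet", "intranet", "finance-db"},
    "constrain": {"internet"},            # guest-style: internet only
    "quarantine": {"remediation"},        # patch/AV update servers only
    "refuse": set(),
}

def pre_admission_decision(p: DevicePosture, max_sig_age_days: int = 3) -> str:
    """Return one of admit / constrain / quarantine / refuse."""
    if not p.agent_present:
        # Nothing to verify: an unknown unmanaged device is refused outright,
        # a managed one whose agent is missing goes to remediation.
        return "quarantine" if p.is_corporate_managed else "refuse"
    out_of_policy = (p.av_signatures_age_days > max_sig_age_days
                     or p.missing_critical_patches > 0)
    if out_of_policy:
        return "quarantine"
    return "admit" if p.is_corporate_managed else "constrain"

def may_reach(decision: str, zone: str) -> bool:
    """Post-admission check: is this zone permitted for the session?"""
    return zone in ZONES[decision]

def evaluate(p: DevicePosture) -> dict:
    d = pre_admission_decision(p)
    return {"host": p.hostname, "decision": d, "zones": sorted(ZONES[d])}

if __name__ == "__main__":
    fleet = [  # constructed sample fleet
        DevicePosture("corp-laptop-01", True, True, 1, 0),
        DevicePosture("corp-laptop-02", True, True, 9, 2),  # stale AV, unpatched
        DevicePosture("visitor-phone", False, True, 0, 0),
        DevicePosture("unknown-box", False, False, 0, 0),
    ]
    for dev in fleet:
        print(evaluate(dev))
```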
For supporters, there is a subtle difference in emphasis between
NAC and EPS, explains Domage. "EPS is growing in the market now.
NAC is a reactive tool based on the network. Its main function is
as the watch tower for incoming users. EPS is dedicated to the
user, NAC is the gateway. NAC is a conversation to have but it's a
bit behind."
Trust no one
The days of the fully trusted device are disappearing, says
ISF's Clement. "If you take that view, you say, 'We consider all
machines out there to be malicious and we demand certain controls
before we allow them to connect.' That's where the NAC guys are
sitting."
Yet for all the rather complex IT solutions to desktop security,
companies are still fighting a battle to prevent data leaking from
their organisations through e-mail attachments, USB ports and other
communications software.
The answer is, unfortunately, further complexity, and the next
big move, say both Kellet and Domage, is in a field known as DLP,
Data Leakage Prevention.
"Let's confirm what the user is doing with all this information
that doesn't belong to him," says Domage. "It's not embedded yet, we
see some strong reluctance to it, but it will come one day."
DLP requires tagging of all data and then comprehensive policies
to determine what users may or may not do with that data. "DLP is a
project. You need a data discovery program that goes all over the
network looking for information, then asks you to tag it. Look at
the nightmare," Domage adds.
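An added example (not from the article or any product it mentions) of the two DLP steps Domage describes: a discovery pass that tags content, then a policy that decides what a user may do with tagged data on a given channel. The documents, tag names and channel policy are constructed for the example; the card-number tagging uses a Luhn check so that arbitrary digit runs are not tagged.

```python
import re

# Constructed documents standing in for files a discovery sweep would find.
DOCS = {
    "customer_list.csv": "Jane Doe, card 4111 1111 1111 1111, jane@example.com",
    "treasury_notes.txt": "Settle via IBAN GB29NWBK60161331926819 on Friday",
    "lunch_menu.txt": "Monday: soup. Tuesday: salad.",
}

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: only tag a digit run that is a plausible card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def discover_tags(text: str) -> set:
    """Discovery step: tag a document by the sensitive data it contains."""
    tags = set()
    if any(luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD_RE.finditer(text)):
        tags.add("PCI")
    if IBAN_RE.search(text):
        tags.add("FINANCIAL")
    return tags

# Policy step: tags that are blocked on each outbound channel (assumed policy).
BLOCKED = {
    "email_external": {"PCI", "FINANCIAL"},
    "usb": {"PCI", "FINANCIAL"},
    "email_internal": {"PCI"},   # card data must stay in the payment system
    "print": set(),
}

def check_action(filename: str, channel: str, docs=DOCS) -> dict:
    """Decide whether moving this file over this channel is allowed."""
    tags = discover_tags(docs[filename])
    violated = tags & BLOCKED[channel]
    return {"file": filename, "channel": channel, "tags": sorted(tags),
            "decision": "block" if violated else "allow",
            "reason": sorted(violated)}

if __name__ == "__main__":
    for name in DOCS:
        for channel in ("usb", "email_internal"):
            print(check_action(name, channel))
```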
"Most of the major providers have moved aggressively into that
space. But with some solutions the technology is not as mature as
we need it to be," says Butler's Kellet, explaining that tools are
always trying to keep up with the reality of data use, rather than
the other way round.
Consequently a "computer genius" will always find a way to
circumvent the rules, whether maliciously or in the name of
efficiency, as Société Générale found to their cost.
All you can do is manage the risk and close the doors once you
find them open. To achieve this, education, policy and monitoring
are essential strategies.
The risks of not licensing
The Business Software Alliance (BSA) is the "foremost organisation
dedicated to promoting a safe and legal digital world and is the
voice of the world's commercial software industry and its hardware
partners".
This includes actively enforcing software licences for its
members. Last year an international multi-media firm agreed to a
record global settlement of €2.5m after being found to have
significant shortfalls in its software licences.
The UK also saw its highest ever settlement when a construction
firm paid the BSA £250,000.
In June 2008 BSA agreed an out-of-court settlement with
networking security enterprise e92plus. The Surrey-based firm was
found to be running unlicensed copies of Microsoft software on
many of its PCs and servers.
"It's easy to get tied up with financial regulations and HR
directives, but companies also have a responsibility to carefully
manage their software and nurture such a culture within their
company. This has become particularly important with the rise of
the internet and mobile working, making it even easier for
unlicensed software to appear on a company's network," explains
Julie Strawson, chair, BSA UK member committee.