Few enterprises could bear a $7.2bn loss caused by a "computer genius" avoiding company policies and controls. But for international bank Société Générale, January 21 this year must have been a day of escalating horror, as the extent of Jerome Kerviel's fraudulent trading became apparent.
"An internal audit alleged that the user was not controlled enough, and was asked to bypass the security systems for performance reasons," explains Eric Domage, IDC research manager for security products and services.
"We need to educate the user. It is stage one of security, but it is not enough," says Domage.
"The new stage of security, to fight against internal threats, is end point solutions (EPS)." At Société Générale, "the user behaved badly, for sure. He bypassed every control, but he was asked to do that. End point solutions could have helped manage that situation. The user is the main threat now, and the insider is the biggest threat"
EPS, sometimes called end point security, even end point protection, combines features of many security technologies - usually anti-virus, anti-spyware, firewalls, intrusion detection, perhaps cache cleaning and even policy enforcement - in a distributed agent downloaded to the client. Desktop protection is always current, in a known state and the user is prevented from meddling.
Powerful users dislike controls on the way they operate, "Which is why the end point solution should be silent and very, very invisible," says Domage. He cites a USSS/CERT insider threat survey, that suggested fully 87% of internal incidents are initiated by privileged users such as system administrators, database administrators and information owners and custodians.
Users are given administrative privileges to keep poor software from failing and to allow downloading of useful utilities needed to do their jobs, explains Miles Clement, senior research consultant, Information Security Forum (ISF). "The big issue is availability. If it's not available, it's no good. If you think about it, we've known for years that user name and password is not particularly secure, so why do we still use it? We use it because it works."
It's a concern in all companies, one which Clement thinks has escalated recently as "Generation Y" wrestles limitations on the way it works. "They don't think that their computers should be locked down in any way. They believe they should be able to talk to their mates, they should be able to chat away to each other. They are used to communicating much more than non-generation Y people," he explains.
Tough, you might say, but increasingly companies find it difficult to recruit unless they offer new starters this kind of freedom. As a consequence, Clement adds, "A lot of corporates now think Facebook is an acceptable application."
Many companies fear putting more than basic security in place in case workplace flexibility is damaged. Directing which applications are permitted, and which are not, is a control too far.
Group policy controlling access to applications has been generally available since Windows 2000 and the first version of Active Directory, says Clement. "One, people don't understand how to do it, and two, they don't like the management overhead, and three, availability is king." They would rather put up with a few broken laptops and rebuild them if there's a problem, he says.
Yet for other enterprises, such an abuse-then-re-build policy is impossible. Regulation and compliance, particularly around financial data and customer information, require tight controls, "If you open up new facilities and you allow them to take place on your equipment, ultimately, you are responsible, even if you don't know how it's being used," says Andy Kellet, senior analyst at Butler Group.
"The first stage is understanding what's going on. Before you can actually control what people can do, you have to have a sound basis for making the decisions about what is and what is not allowed," he adds.
Darrell Jordan, software asset manager at power group RWE, understands this advice. Once a week his Centennial Discovery tool audits more than 2,000 desktops and servers reporting back on all software installed and running on the machines.
His primary concern is the installation of unlicensed software and the breach of licence agreements already in force. "Software asset management is coming to the forefront now, I think because of large fines being handed out to organisations," he says.
"We have internal policies which are published to end users, which gives guidance as to what is acceptable software and what isn't. It is not acceptable to download software off the internet. Centennial will report back on anybody abusing their administrator rights."
Jordan says his role is still seen as a "black art" by some who fail to understand how their downloading habits are discovered, but his specific task is to control what is placed on the desktops. "We are worried about viruses, but also, when you download a piece of software, the end-user licence is mostly specific for a home user and cannot be used in a commercial environment."
Yet it's not just compliance to licences that companies should worry about. Mark O'Dell, operations director at IT outsourcing provider Connect, has seen client networks crippled by downloaded movies and MP3 files. "It's potentially dangerous because you don't know what is inside those files. We have problems from users where they don't have great kit for blocking these things, and they are sharing 50,000 music files."
O'Dell deals with all sizes of enterprise and is cautious about recommending expensive technical solutions for everybody. "For smaller companies you have to start with education. They've got to understand they can't do it [download] and if they do, they have to understand they will be disciplined. Very quickly, once someone's had a disciplinary hearing for sharing MP3s about the place, it doesn't happen anymore.
"You've got to couple that with IT solutions, though." For clients that want it, O'Dell offers other measures including internet filtering for controlling content. "The device we use is a Barracuda web blocker. All internet traffic goes via it and it logs, blocks and records everything that happens. Websense does it and there are lots of companies that provide this."
Yet this does not prevent compromised devices connecting to a network, which requires a further shield known as NAC or Network Access Control. Sharing many similar aims to EPS - indeed, Symantec offers both in a twin-licence product - NAC controls network access with pre-admission endpoint security checks and post-admission controls over network navigation and abilities. Devices can be quarantined, constrained, or refused connections, depending on their configuration and status.
For supporters, there is a subtle difference in emphasis between NAC and EPS, explains Domage. "EPS is growing in the market now. NAC is a reactive tool based on the network. Its main function is as the watch tower for incoming users. EPS is dedicated to the user, NAC is the gateway. NAC is a conversation to have but it's a bit behind."
Trust no one
The days of the fully trusted device are disappearing, says ISF's Clement. "If you take that view, you say, 'We consider all machines out there to be malicious and we demand certain controls before we allow them to connect.' That's where the NAC guys are sitting."
Yet for all the rather complex IT solutions to desktop security, companies are still fighting a battle to prevent data leaking from their organisations through e-mail attachments, USB ports and other communications software.
The answer is, unfortunately, further complexity, and the next big move, say both Kellet and Domage, is in a field known as DLP, Data Leakage Prevention.
"Let's confirm what the user is doing with all this information that doesn't belong to him, says Domage. "It's not embedded yet, we see some strong reluctance to it, but it will come one day. "
DLP requires tagging of all data and then comprehensive policies to determine what users may or may not do with that data. "DLP is a project. You need a data discovery program that goes all over the network looking for information, then asks you to tag it. Look at the nightmare," Domage adds.
"Most of the major providers have moved aggressively into that space. But with some solutions the technology is not as mature as we need it to be," says Butler's Kellet, explaining that tools are always trying to keep up with the reality of data use, rather than the other way round.
Consequently a "computer genius" will always find a way to circumvent the rules, whether maliciously or in the name of efficiency, as Société Générale found to their cost.
All you can do is manage the risk and close the doors once you find them open. To achieve this, education, policy and monitoring are essential strategies.
The risks of not licensing
The Business Software Alliance (BSA) is the "foremost organisation dedicated to promoting a safe and legal digital world and is the voice of the world's commercial software industry and its hardware partners".
This includes actively enforcing software licences for its members. Last year an international multi-media firm agreed to a record global settlement of €2.5m after being found to have significant shortfalls in its software licenses.
The UK also saw its highest ever settlement when a construction firm paid the BSA £250,000.
In June 2008 BSA agreed an out-of-court settlement with networking security enterprise e92plus . The Surrey-based firm was found to be running unlicensed copies of Microsoft software on many of its PCs and servers.
"It's easy to get tied up with financial regulations and HR directives, but companies also have a responsibility to carefully manage their software and nurture such a culture within their company. This has become particularly important with the rise of the internet and mobile working, making it even easier for unlicensed software to appear on a company's network," explains Julie Strawson, chair, BSA UK member committee. l