The enemy within

They may have no malicious intent, but end-users still represent a serious flaw in your security

They may have no malicious intent, but end-users still represent a serious flaw in your security

The conventional wisdom is that 80% of security breaches originate inside an enterprise - but does this mean that four out of every five of your staff are potential cyber-terrorists?

We have all heard horror stories about sacked workers deleting the company archives. But how often does it happen and how many staff do you sack per week anyway? The bulk of that 80% has to be explained another way.

In the battle for network security, idle hands really do the devil's work. It is amazing how much time goes on private Internet access during working hours. Vast quantities of untrusted data and software are downloaded every day onto the corporate network by people who have no clue what they are doing, making complete nonsense of your firewall.

MP3 files, movie clips, porn images and even device driver updates can hide nasty "malware" like Sub7, Chernobyl and 911. Spam e-mails flood in, offering screen savers, pictures of naked tennis players or promises of the Timothy McVeigh execution movie. But do they carry a destructive payload? What about those active scripts buried in "must-view" Web pages?

This is true "social engineering" - fooling people into attacking themselves by tempting them into clicking on a link or attachment they subconsciously know they should not. And it is an escalating threat.

Your staff are constantly compromising your network. But get one thing straight: there is no malice in this. They are just thinking of themselves, not the company. And they probably don't know that there is a hazard anyway. Did anyone actually explain PrettyPark, Sircam or Anna Kournikova to them, or did they just get another "Thou shalt not" e-mail from IT support? Did they even get that?

It is a human problem, not a technological one. Mopping up the symptoms with technical fixes can reduce the hazard, but not eliminate it. Even up-to-date anti-virus tools can only address reported malware, which means if an attack is covered, someone has fallen victim already. And it might be you.

So how can you stem this tide of illicit and dangerous files? For a start, be clear about who actually needs what facilities for their job function. Applying minimum privileges does wonders in reducing risk. But, ultimately, it is about educating people.

Make sure your technical support team understand the threats and can explain them clearly. Involve all users. Brief them and listen to their feedback. Provide incentives for them to pay attention. A bottle of wine and some public recognition is the least you could do for someone who reports a serious threat.

Be cautious with ferocious penalties - they can backfire, but if you do use them, make them stick, even if the culprit is the managing director.

Get your workers on your side. Make sure they know it is their problem as much as yours. An attentive, security-conscious workforce is a powerful cohort in your army. Then, with the bulk of the risk under control, you will just be left with the small core of crazies. Provided you are paying attention you can use the resources you have freed up from constant firefighting to identify these before they strike.

Mike Barwise is an independent security advisor

Are your users putting you at risk with their wolfish behaviour?
End-users can put their company in danger through ignorance, curiosity and stupidity. The following examples demonstrate the extent of the problem.

1. Someone opens a Web page that infects a PC with Nimda. The user wasn't to know because Nimda contaminates the pages held on a server it has taken over. What do you do?

  • Staff in the IT support department need to be aware of the latest threats and how they work. They should be scanning news and anti-virus sites and taking preventative measures.

  • Identify the more able members of the support team and give them training and time so that they are capable of intelligence gathering and can become competent in security.

2. A user opens up a Kournikova or Naked wife e-mail attachment having been previously warned - either he has forgotten or hasn't taken the threat seriously. He is a victim of his own curiosity. What do you do?

  • Many users don't read or take seriously e-mail alerts about a security threat. When a new threat is identified, you could send people to the different departments within your company to carry out 10-minute briefings - this is a far more memorable way of getting across the seriousness of the situation.

3. A user working in the music industry discovered the Sub 7 Trojan on his PC, and he and his colleagues all began to attack each other with the malware as a joke (this really happened). The obvious risk is that it will be spread company-wide. What to do?

  • If you are going to deliver a harsh punishment, you must be consistent and do so for all perpetrators. Notification of the potential outcomes must be written into contracts and highlighted at induction. And you must comply with increasingly tricky rights legislation.

  • There are alternatives. One firm made people attend a really boring workshop on computer viruses every time someone broke the rules. This makes people think twice and may not cause as much consternation as a hard-line punishment.

Read more on Antivirus, firewall and IDS products