Insider threat seen as biggest data security issue

Sean Curry is all too aware of the chaos someone could unleash if they got past the physical security barriers in one of Calpine Corp.'s 92 buildings or hacked into its computer network from cyberspace.

A major power company operating in 21 U.S. states and three Canadian provinces, Calpine follows a strict schedule set by the grid operators when it sends energy. If someone tampered with that schedule by a hair, Calpine might send power to a grid at the same time as another company and spark an overload and blackout possibly as bad as the August 2003 affair that crippled large parts of the American Midwest and Northeast along with parts of Ontario, Canada. Companies that miss their schedule also risk major fines and a damaged reputation.

THE MERGING PHYSICAL-CYBER THREAT Hurricane Katrina and the 9-11 terrorist attacks demonstrated how physical catastrophe can kill companies. Security experts have long warned that an Internet-based disaster could have similar consequences.   As buildings and business processes become more computerized and companies grow more dependent on e-commerce, those tasked with enterprise security are having a harder time separating threats in the physical world from those in cyberspace.   In this three-day series, security officers describe how their operations are evolving to confront the combined threat; where they see the most damage potential and where they're finding the best survival tools.

Calpine has been lucky so far. It's had a couple of situations where someone walked into a corporate office dressed as a janitor and stole laptops, said Curry, infrastructure engineering manager for the San Jose, Calif.-based company with 3,500 employees. But nobody has penetrated the network core that controls those critical schedules and other operations. Nobody has breached security at the main plant, and Curry has centralized network monitoring and logging so he can spot strange activity and stop it before something bad can happen. Employees are also trained to keep a sharp eye out for people who don't belong.

But for many security managers, it's tougher when someone looks like they do belong. It could be the intruder disguised as a vendor. Or it could be an employee with authorized network access. This is their nightmare scenario -- that a physical or cyber disaster will start with a malicious insider who accesses the network, flies below the radar and knocks out vital computer functions.

"Internal threats are real," Curry said. "It presents a major threat that the common perimeter security defense model isn't well adapted to deal with. We're certainly looking for internally sourced malicious activity, as we see that as a more likely source of attack."

The same can be said at Happy State Bank. "Internal threats are what keep me up at night," said Jason James, VP of IT for the expanding financial chain of 205 employees and 13 offices in Texas and Arizona. "We haven't seen anything yet, but the bigger you get, the less knowledge you have of the people you work with. My worry is that you get a smart college student working in a remote office that can do damage."

The insider 'thing'
Gil Nolte can relate to what Curry and James are talking about. He helps keep track of users in one of the world's most widespread networks as director of the U.S. Department of Defense's (DOD) PKI Program Management Office. As the man in charge of the DOD's public key infrastructure, he must decide how and where credentials are rolled out and used.

"As anyone living in the security world knows, it's getting harder to separate physical security from cyber and other issues," he said. "I worry about physical security in the sense of who can access what, but the big thing with PKI is having an authentic, digital representation of an identity." As more business is done online, that digital representation is critical, he said.

He added that the insider threat isn't just about the physical and online users. It's also about the insidious devices someone might leave behind, like malware on the network that can keep doing damage long after it's been planted. He calls it the insider thing. "That can do a lot more damage than the insider person," he said. "Knowing all the devices and software included on the network as well as all the people on the network takes identity proofing to a whole new level."

Nolte believes the DOD's PKI program is well on its way to reaching that next level. And one of the vendors helping the program take shape is seeing increased interest in the private sector for tools mostly used by the military establishment in recent years.

An infrastructure that stands up to disaster
By the end of next year, Nolte said the DOD's PKI infrastructure will be comprised of six nodes, each supporting 650,000 clients who can be validated at once. His department is using several vendors to build it, including Falls Church, Va.-based General Dynamics, Redwood City, Calif.-based Tumbleweed Communications Corp. and Cambridge, Mass.-based CoreStreet, Ltd.

For Nolte, PKI technology isn't just about preventing disaster. It's about minimizing the pain if catastrophe does occur. He wasn't working for the Pentagon on 9-11, but he knows how PKI systems would help in a similar event.

"In a physical disaster like 9-11, there are devices today where you can put a smart card into a wireless device and be validated," he said. "In a 9-11-style mass panic in New York -- where you don't know who's coming in to help and you want to clear casualties out of the way -- that's when you really need to know who you're letting in. Checking cards and validating credentials over a wireless network using PKI can really speed up the process of emergency action."

PKI would work the same way after a major cyberattack, he said. "In a cyber event, someone must be able to throw a switch and say only certain people can be on the network," he said. "PKI will get us there."

Page 2: Will today's threats push PKI into the mainstream?