Just in case you thought that deploying a firewall and an anti-virus should render you secure, the bad news is that times have changed and the "coconut" security model is starting to show its limitations. Protecting solely the perimeter just makes your network hard on the outside and juicy on the inside.
According to Forrester Research, the majority of security breaches involve internal employees, with some estimates as high as 85 percent.
In "The Top 5 Internal Security Threats", itsecurity.com presents the most common security vulnerabilities and threats which involve the internal staff:
- Spear phishing
- Laptop theft / loss
- Unintentional Access and Disgruntled Ex-Employees
- Missing Security Patches
- Lack of AUP (Acceptable Use Policy)
I would toss in a few more threats / vulnerabilities which most commonly lead to internal security risks:
- Improper network segregation and failure to handle rogue mobile computers
- Improper segregation of duties and authorization among the corporate business and IT processes.
- Lack of audit trails – who did what and when?
- Improper handling of removable media devices such as thumb drives, memory cards, etc., which facilitate information leakage
I know that it's a thin line between the "Big Brother is watching you!" corporate culture and a secure information environment, but one thing is clear: neglecting the internal threats can have disastrous consequences.
Information Security can be achieved if we go back and look into its 3 basic components: People, Technology and Processes. If you want to deploy proactive security actions you must address each of these 3 components.
Some of the countermeasures against internal threats are:
Spear phishing
Phishing-fighting strategies include implementing anti-phishing toolbars that display a website's real domain name, as well as maintaining a roster of well-known phishing sites for employee reference. But companies should forget about training IT personnel and staging corporate awareness campaigns, says Alan Paller, director of research at The SANS Institute. Rather, he suggests running "benign spear phishing exercises against your own employees…. There's no other way to solve it."
Laptop theft / loss
Companies should require employees to protect their laptops with a startup password so that if they are stolen, at least the data is unusable. Make a practice of deleting old e-mails, text messages, call logs and unwanted files from all portable devices. And it's always a good idea for employees to take advantage of a device's built-in encryption capabilities and password protection features. Kingston's DataTraveler Elite Privacy Edition, for example, is a USB Flash drive that secures 100% of data on-the-fly via 128-bit hardware-based AES encryption, and locks out potential users after 25 consecutive failed password attempts.
Unintentional Access and Disgruntled Ex-Employees
There’s no shortage of vendors promising to simplify the user provisioning process. Entrust, for example, offers solutions that automate policy enforcement and delegate administration for user provisioning which helps maintain security levels while managing large numbers of users. Another example is Courion. Courion’s AccountCourier is an automated user provisioning solution that instantly grants, revokes or modifies access to any operating system, application, Web portal or other IT assets without manual intervention.
Missing Security Patches
Patch management software and services can greatly ease the burden on today’s administrators. Ecora’s Patch Manager automates system discovery, patch assessment and patch installation on workstations and servers. Ideal for heterogeneous IT environments, Novell ZENworks Patch Management notifies administrators of exactly what patches and security holes reside on each server, desktop and laptop. And then there’s SecureCentral PatchQuest, automated patch management software for distributing and managing security patches, hotfixes and updates across networks comprising Windows, Red Hat and Debian Linux systems.
Lack of AUP
Strict usage policies can prohibit employees from sending sensitive information via insecure e-mail. E-mail content scanning technology can also help. IBM Express Managed Security Services, for example, scans and monitors e-mail before it ever reaches a network, ensuring that it's free from harmful or damaging content. And MessageLabs' Boundary Encryption service lets businesses set up a secure private email network between themselves and their partners to ensure the end-to-end delivery of encrypted communications.
I invite you to comment on how you handle these internal threats, and from which perspective: the employer's position or the "always finding a way out" employee perspective?
This entry was posted on Thursday, April 19th, 2007.