Locating the real threats to corporate security
Published: 27 Jul 2007 17:06 BST
...concerned about web threats such as cross-site scripting attacks, as more applications vendors move services online.
Many companies have invested in the technology necessary to secure systems and in educating employees in good security practice. But new methods such as Wi-Fi hacks are emerging all the time, so any security policy has to evolve to keep pace.
Hackers who stole 45 million customer records from TJX, the parent company of TK Maxx, did so by breaking into the retail company's wireless LAN. TJX had secured its wireless network using Wired Equivalent Privacy (WEP), one of the weakest forms of security for wireless LANs. Hackers broke in and stole the records, which included millions of credit-card numbers, in the second half of 2005 and throughout 2006.
Infiltrating businesses
The involvement of organised gangs in cybercrime has also led to a blurring of the line between internal and external threats.
Speaking at the Infosecurity 2006 conference in London, Tony Neate, e-crime liaison for SOCA, said insider "plants" are causing significant damage to companies.
"[Organised crime] has changed. You still have traditional organised crime, but now they have learned to compromise employees and contractors. [They are] new age, maybe have computer degrees and are enterprising themselves. They have a wide circle of associates and new structures," he added.
SOCA paints a bleak picture of the threat to business from organised crime, especially criminals corrupting the susceptible. As well as the criminal justice system being exposed to corruption, some local and central government employees are not above the odd back-hander, says SOCA, while accountants and bankers may be seduced by the lure of ill-gotten gains.
"The use of corruption by serious organised criminals is not restricted to those employed within the criminal justice system, or only for essentially defensive purposes," said SOCA's most recent report, the 2006 United Kingdom Threat Assessment of Serious Organised Crime.
"There are examples of corrupt relationships with central and local government employees, accountants, and others in the financial field, plus a range of other professionals, all aimed at facilitating money-making criminal activity," said the report. "Similarly, serious organised criminals involved in high-value robberies or lorry thefts may look to corrupt someone with inside information about security measures at sites where valuable items are stored, or about shipment details of such items."
When asked by ZDNet.co.uk, neither SOCA nor the Home Office could provide statistics showing just how much of a threat organised crime is to businesses in terms of infiltration rates, or the relative percentages of IT security breaches caused by insiders and outsiders.
Spotting the mole
Behaviour is the key to determining whether an insider is a threat to your organisation, according to Stephen Bonner. While the CERT team reported on negative behaviour, Bonner said that positive behaviour could also be displayed by criminals who had managed to infiltrate organisations.
"Some of the main indicators are a willingness to work late, taking an interest in other people's work, and trying to extend responsibility. Unfortunately, these are also the signs of a good employee," says Bonner.
However, there are still some obvious ways to spot potential moles in your business, according to Bonner. Approximately half of the people who turned out to be employed by organised criminal gangs already had criminal records, indicating that organisations concerned about infiltration should employ rigorous screening of job applicants. As the goal of an outsider is to become an internal administrator, reducing the number of accounts with administrator privileges controls both internal and external threats, he claims.
There are other ways to protect information from employees who may be acting suspiciously. Richard LeVine, senior manager at Accenture, who will be hosting a talk on the risks posed by insiders at the RSA Conference Europe in London later this year, claims there are technologies available to limit the damage employees can do, even if documents are held on an employee's home computer: "With the application of Information Leak Prevention and DRM technologies we can begin to lock down leaks and make it possible to revoke all document access when an employee leaves a firm, even if there are documents on the employee's home computer. We don't have to delete them or even ask to see his home computer; we just revoke the key and they cannot be opened. This even serves to revoke documents on read-only media such as CD-R disks," he says.
IT managers obviously have a difficult balancing act when it comes to protecting systems from both within and without. If recent predictions that more attacks now come from external sources are correct, IT managers should not blindly rely on technology to mitigate security threats, according to analyst Jon Collins of Freeform Dynamics.
"I hear of organisations that have bought security technologies, and they're not necessarily delivering what they promised to deliver," says Collins. "You have to start from the beginning with security, do an audit to understand the overall security architecture you need. Once you've done that, be sure you put a clear policy in place."
Collins said that awareness training for external computer threats could be particularly effective for employees, especially in smaller companies. "It's about assessing the risk. If infrastructure detection statistics were all true we would all have been hacked by now. You can't believe everything you read in press releases," he adds.
When assessing internal threats, IT managers should bear in mind that unusual user behaviour, both positive and negative, can be the key to determining whether an insider is a threat to your organisation.
Rigorous screening of job applicants can mitigate the threat of criminal infiltration, but the main way to keep employees motivated and on the straight and narrow is to treat them well, according to Bonner.
A well-motivated workforce, trained and educated about potential security threats, will go a long way to improve the robustness of a company's network defences.
However, dissecting threats to IT systems into internal and external threats may be counterproductive. A good IT security strategy should involve an audit of all the potential threats to an organisation, regardless of their source, and develop suitable responses.












