The Threat Within:
Is Your Company Safe from Itself?

Did you know the greatest information security threat facing your organization may be sitting in your office right now? This threat has the ability to bypass the physical and logical controls you've put in place to protect the perimeter of your network and has already obtained credentials to access a significant portion of your infrastructure.

What is this dangerous -- and often underestimated -- threat?

It's your insider threat -- the trusted employees, ex-employees or business partners with authorized access to your corporate network resources and proprietary data.

These inside attacks are often the most dangerous because attackers are already familiar with your organization's computers, applications and security measures and know which actions might cause the most damage. And too often, companies don't discover these security breaches until it's too late.

Indeed, it may not be a matter of if your company will experience insider security breaches --but when.

In fact, the National Threat Assessment Center of the U.S. Secret Service recently completed an Insider Threat Study in conjunction with the renowned Software Engineering Institute Carnegie Mellon University. Consider a few of the sobering facts this study uncovered:

• Most insider events were triggered by a negative event in the workplace.
• Most perpetrators had prior disciplinary issues.
• Most insider events were planned in advance.
• Only 17% of the insider events studied involved individuals with administrator access.
• 87% of the attacks used very simple user commands that didn't require any advanced knowledge.
• 30% of the incidents took place at the home of the insider using remote access to the organization's network.

Worse yet, insider attacks are extremely costly. A recent report from Ernst & Young reported that insider attacks against large companies cause an average of $2.7 million in damages, whereas the average outside attack costs only $57,000.

Just who, exactly, are the insiders most likely to pose a threat to your businesses? Let's examine a few of the most common culprits.

Disgruntled Workers

The first time William got passed over for a lucrative promotion to IT director, he got frustrated. The second time it happened, this seven-year employee decided to retaliate.

He used his IT knowledge to plant a "logic bomb" in the corporate network. This malicious code -- a Trojan horse -- lay dormant in the computing system until two months after William resigned. When the target date was reached, the program automatically triggered its destructive code, which made malicious copies of itself, deleted and corrupted critical data and kept "exploding" until the entire system was locked.

With the economy fluctuating and layoffs mounting, a large segment of companies' employee population is in a disgruntled state. At the same time, as companies cut back on full-time employees, the use of temporary workers is increasing. From a security perspective, this environment represents a dangerous mix.

If you have current or former employees who hold a grudge against your company, they may decide to take revenge into their own hands. These individuals likely know the inner workings of your organization and may retain system access due to weak security policies. This concern has escalated in recent years because of increased outsourcing and organizational downsizing in both public and private sectors -- both of which can leave individuals bitter and hostile.

In fact, earlier this year, the Department of Homeland Security fired an IT administrator who misused his access privileges to read his superior's confidential e-mail.

Keep in mind, not all insider threats come from current employees. They could also be consultants, contractors, temporary employees and close-knit business partners who have detailed knowledge of your company's information technology systems. They may also know how to hit your organization where it hurts -- by stealing, deleting or altering sensitive information or otherwise sabotaging your systems.

Fortunately, we can recommend intrusion prevention technology that virtually stops disgruntled employees in their tracks. These solutions -- typically combinations of host-based software and/or network-based hardware -- continually scan for behavioral anomalies on your network and automatically mitigate each threat before any damage is done.

Corporate Spies

Alan is a temporary data entry clerk in a medial office who has been waiting for his opportunity to score a quick financial gain. Once given authorized access to the office's network, he installed a common key-logger software program and hacked his way into the storehouse of sensitive patient health records. Once this was complete, Alan was poised for his ultimate feat: stealing the confidential information and selling it to the highest bidder.

Today's criminals now realize there is money to be made on the web, and more and more are plugging into the financial resources of organized crime rings. These gangs team up with trained phishers, con artists, spammers and virus writers to create programs that exploit personal data and net some quick cash.

While potential spies represent a very small minority of employees, they have the power to maliciously hack into IT areas that are off-limits or infect the network purposely from within, usually for financial gain.

Unfortunately, these malicious insiders typically pose the biggest security threats and yet are often the hardest to catch. These folks spend most of their day doing things they shouldn't and often abuse their internet privileges to install "underground" applications and, even worse, send confidential company data to outside parties.

Fortunately, intrusion prevention technology helps combat even the most sophisticated criminal minds. We can recommend intrusion prevention solutions that combat common key-logging strategies. Or, we may suggest some of the latest innovations, such as whole-disc encryption solutions, PC keys, and proximity sensors that automatically log off network users when they leave their computers to dissuade opportunistic spies who had been waiting for an easy target.

Nonmalicious Employees

When Sally's friend suggested she use a new software program to generate more sales leads, she was thrilled. She didn't know, however, that downloading this unauthorized software program from the internet onto her company laptop could do a lot more harm than good. Unfortunately, Sally not only downloaded the software, but also some hidden malware and phishing ploys that were quickly transmitted to the company network.

Hackers and crackers aren't the only ones who can harm your organization. Ignorant or inexperienced users, data entry clerks, system operators and programmers frequently make accidental errors that contribute to security problems, both directly and indirectly. Sometimes the threat is the error itself -- such as a data entry error or a programming error that crashes your system. In other cases, errors (such as improper configuration of web-based protocols) create security vulnerabilities that can leave your network open to harm.

Unfortunately, those who use your company IT resources in ways they shouldn't (i.e., by storing content or playing games) comprise the vast majority of your employees.

Chances are, there are many people in your company today who take small liberties with your company network. They may check their personal e-mail, play games and do some online shopping while on the clock. While they can pose a significant security threat, it is rarely intentional.

As a general rule, these employees have a very limited knowledge of security practices and can put your company at risk simply through some bad habits or improper training. Others may come to work armed with a variety of devices and gadgets, all of which get plugged into their PC.

As harmless as their intentions may be, they still represent a security threat that needs to be harnessed.

Thankfully, we can recommend technology solutions that prevent uninformed employees from causing harm to the network. We may propose intrusion prevention solutions that monitor the entire network, recognize external devices that could pose a security threat, and automatically disables employees from saving network data on external storage devices (e.g., flash drives). Or, we may recommend sophisticated content filtering solutions that prevent naïve employees from visiting web sites that are not only unproductive and illegal, but possibly dangerous to the company security, as well.

Disgruntled employees. Corporate spies. Inexperienced employees. Your company may have a few within its walls right now.

The good news is that you don't have to live in fear of insider threats. We can help you bolster your security and minimize your risk of insider threats. Call us today to find out how.

Tips on Protecting Yourself

• Conduct a thorough background check on all new users. Coordinating with your HR department to conduct more than a first-level background check -- including reference checks and other pre-employment screening -- can go a long way toward ensuring that you don't hire the wrong people. By examining individuals' employment histories, prior residences and travel destinations, companies may spot red flags and ultimately discourage corporate spies from entering through the front door.
• Monitor employee behavior. Work with your HR department to ensure that procedures are in place to refer troubled employees to appropriate counseling resources and to take additional corrective action when necessary.
• Restrict accounts that access resources remotely. The majority of insider attacks use some type of remote access mechanism. If you offer VPN or dial-up access to your employees, consider limiting remote access accounts to those with a legitimate business need.
• Restrict the scope of the remote access. Don't automatically grant remote access users the same level of privilege that they would have in the office. You'll not only be protecting yourself against the insider threat, but also against the increased risk of malware propagation through a remote access link.
• Enforce the principle of "least privilege" throughout your organization. Every security professional knows the least-privilege mantra. Each user should have the minimum necessary set of permissions required to fulfill his job responsibilities.
• Perform regular security patch remediation. Believe it or not, many security vulnerabilities already have existing patches. By using them, you'll greatly reduce the likelihood of security threats -- from insiders as well as outsiders.
• Create effective security policies. After you set up the business rules that guide both human behavior and system settings, gain buy-in (and signatures) from all employees, and strictly enforce those policies.
• Stress employee awareness and education. Educate your employees on what constitutes dangerous and/or unacceptable behavior, and reinforce these guidelines through regular security awareness campaigns. These efforts may include posters, seminars, and e-mail reminders of existing security dangers and how to avoid them.
• Examine and strengthen your existing network security. Conduct regular security assessments to identify areas of vulnerability for your customers. This should be done every six months, though more frequently for such critical industries as financial institutions, and utility companies.

---

---