The Threat Inside
Imagine an employee takes out his disgruntled revenge on the organization that employs or once employed him. It’s not a new idea. Information technology, by its ubiquitous nature, is chock-full of risks for the organization. Outside hackers abound, determined for whatever reason to cause as much mayhem as is humanly possible. Yet the threats inside an organization are more frequent and potentially more dangerous than those outside the firewall. For instance, there are those well-intentioned, friendly dopes who inadvertently cost the company thousands by erasing something vital, or cause system-wide corruption via an intense and uncontrollable curiosity about a mysterious e-mail attachment. With just as many threats to the enterprise inside as out, how do IT pros handle the security risks that come from within their own ranks?
Think Like a Thief
People who cause problems through unintentional error can cost a company money, but insider threats are a security person’s nightmare because their activities are hard to detect and frequently go completely unnoticed, said Johnny Long, researcher, Computer Sciences Corp. and owner of Web site Johnny.ihackstuff.com. “You have to keep in mind that there are a couple of different perspectives that you might see an insider threat from. You have system log files. Obviously system log files are going to keep transactions. You’re going to have records of things that go on individual systems and applications. You have a network perspective where it’s actual network traffic crossing the wire. Then you have the workstation itself, if you want to call it the attack machine. All those different sorts of traces look very different from each other. But obviously the insider threat is one of the most dangerous of any of the security threats, because this person has prior knowledge. They have information about how the systems are connected. They have information about how the applications work, and they have prior access. The threat is real, and statistics say that the majority of intrusions, even today, are coming from the inside.”
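As an added illustration of Long's point that host-log and network-side traces of one insider action look very different and have to be joined up (example code, not from the article or any of the people quoted; the log format, hostnames, accounts, business-hours baseline and egress threshold are all constructed assumptions):

```python
import re
from datetime import datetime, timedelta

# Constructed host-side records (syslog-like): one "perspective" on the event.
HOST_LOGS = [
    "2024-05-03T09:02:11 fileserver01 sshd: Accepted publickey for asmith from 10.0.5.41",
    "2024-05-03T22:14:07 fileserver01 sshd: Accepted publickey for jdoe from 10.0.5.23",
]
# Constructed network-side flow records: (timestamp, src_ip, dst_ip, dst_port, bytes_out).
FLOWS = [
    ("2024-05-03T09:03:00", "10.0.5.41", "10.0.9.10", 445, 120_000),
    ("2024-05-03T22:16:02", "10.0.5.23", "10.0.9.10", 445, 812_345_678),
]
BUSINESS_HOURS = range(8, 19)          # 08:00-18:59, assumed baseline
EGRESS_THRESHOLD = 100 * 1024 * 1024   # 100 MiB in one flow, assumed threshold
WINDOW = timedelta(minutes=10)         # how long after login a flow still "belongs" to it

LOGIN_RE = re.compile(r"^(\S+) (\S+) sshd: Accepted \S+ for (\S+) from (\S+)$")

def parse_logins(lines):
    """Extract (time, host, user, src_ip) from accepted-login lines; skip the rest."""
    out = []
    for line in lines:
        m = LOGIN_RE.match(line)
        if m:
            ts, host, user, ip = m.groups()
            out.append((datetime.fromisoformat(ts), host, user, ip))
    return out

def correlate(host_logs, flows):
    """Join each login to flows from the same source IP inside WINDOW, then flag
    sessions that are off-hours or move unusually much data. Neither trace alone
    says 'insider'; the valid login is what makes the big transfer suspicious."""
    findings = []
    for when, host, user, ip in parse_logins(host_logs):
        reasons = []
        if when.hour not in BUSINESS_HOURS:
            reasons.append("off-hours login")
        for fts, src, dst, port, nbytes in flows:
            ft = datetime.fromisoformat(fts)
            if src == ip and when <= ft <= when + WINDOW and nbytes > EGRESS_THRESHOLD:
                reasons.append(f"{nbytes} bytes to {dst}:{port}")
        if reasons:
            findings.append({"user": user, "host": host, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in correlate(HOST_LOGS, FLOWS):
        print(finding)
```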
To combat deliberate hacking and prevent the leaking of privileged information, IT pros have to think like the enemy, so that they can preempt a crisis and plan for damage control if one occurs. So, think like a criminal. “The bad guys won’t stop at anything,” Long said. “To a certain extent, IT pros need to walk a mile in the bad guy’s shoes. It helps to think in terms of, ‘If I was hired to break into my own company, what are some of the things that I would do if I didn’t have to worry about rules?’ Take the gloves off and think of it in terms of, ‘I have nothing to lose. What am I going to do to break into my own company?’ Thinking like a bad guy is key, and that’s what a lot of our technicians do when they’re in the field.”
Increase Training and Security Awareness
After you’ve put yourself in the bad man’s shoes, the next step in combating social engineering and other security slip-ups is education. Not only must employees be made aware that threats exist; they also must believe in the importance of security and thoroughly understand all of the organization’s existing security policies. Sometimes people are unintentionally careless with vital company information because their security focus has been on the home: shredding important documents to prevent identity theft, monitoring what the kids say when they answer the phone, that sort of thing. It doesn’t occur to them to be as vigilant on the job. It’s the IT professional’s job to increase awareness. For instance, point out that wearing a name badge in public could lead to a security breach if someone were to re-create that badge and use it to gain access to your workplace. “Ultimately, the end users need to be aware that they play a critical role in protecting against this threat,” Long said.
“Insiders can be a threat on several fronts,” said James Michael Stewart, writer/trainer, Impact Online. “One is because of their ignorance or lack of understanding. Insiders make mistakes or oversights that can open up security holes or cause damage or problems just because they don’t know any better. One of the most common forms of attack these days, which may be called spamming or phishing, is where somebody sends an unwitting person an e-mail attachment and they open it. If an attacker can get an entry point into your network, then they can do a wide variety of things. Another way insiders can cause problems is by not being trained on how to use the security provided by a company. If an insider doesn’t fully understand what security is, why it’s important and how to do their job within the confines of the security established by the organization, they can inadvertently cause problems, find ways around the security or simply not use things correctly and leave holes. A third area is through actual direct malicious intent. It’s possible for an insider to specifically disconnect security or open up holes because they’re disgruntled in some way. There are lots of things that they can get a hold of on the Internet or that they can download directly inside the company or bring from home on floppies, CDs or even USB drives now.”
Stewart said that outside intrusions and hacking get a lot of media coverage but account for only maybe 20 percent of all security breaches that occur. The majority of violations are caused by internal employees. To combat the threat effectively, Stewart said, you can’t rely solely on legitimate solutions. “When an intruder or malicious intent person tries to violate your security, they’re not always going to use the tools that can be purchased from commercial sources,” Stewart said. “They’re going to be using underground, customized tools from the wild. It’s important for a security professional to be familiar not only with all the legitimate tools, but with all the illegitimate ones that can be found on underground Web sites, hacker sites—places that aren’t necessarily safe, and that require you to seek them out, understand them and watch them. If you know your enemy, you’re going to be able to better prepare to protect against him. In most cases, you’re going to have to get management approval for these types of activities because they do involve some risk and they may expose the organization to risk.”
Additionally, IT pros must increase workers’ awareness of the ways their natural work habits can be used against them. Social engineering, in which an attacker uses charm to gather information or uses soft skills to trick the unsuspecting into giving up privileged information, is very common. “It could be something as simple as calling someone at the help desk and pretending to be someone else,” said Clement Dupuis, president and chief learning officer, CCCure.org. “There’s lots of ways, because when you do this, you do it the same as if you would do a technical attack. You select your target and usually you find a person who is forthcoming, and this is not hard to find today because we work for service companies in a lot of cases, and that’s the way we have been educated: to be friendly, forthcoming and serve the client. Most people will not see anything wrong if you call for help and ask them questions. Sometimes by asking a little series of questions you’re able to get a little bit of information to build a bigger picture. In some cases, you might even be able to trick somebody into giving you access, IP addresses, passwords. I’ve done this on penetration tests in the past, and it does work very, very well.”
And those are just the soft targets, said Dupuis. “Lots of people still see security today as a black box,” he explained. “We have a firewall, we have a content-scrubbing engine, we have anti-virus, but this does not help you if your users are not educated, or if the people working in the company don’t k