When insiders go outside the lines: for all the money companies have spent to secure their networks' outside perimeters against hackers and viruses, the problems posed by employees and other insiders may not be getting enough attention.
"Enemy" may be too strong a word, since few employees anywhere are actively working to subvert corporate networks or introduce malicious code or viruses--or worse, using corporate access to commit fraud. Yet any number of seemingly innocent activities, such as opening email attachments or recreational surfing of Web sites while at work, are creating significant security threats and impairing network performance, say IT infrastructure and security experts. The dangers are compounded when customers, branch offices or suppliers are given wide-ranging access to the corporate network.
The resulting problems include unknowingly importing viruses or worms that can infect and possibly even disable networks or Web sites; unwittingly downloading "spyware" that hurts network performance; transmitting sensitive customer data or intellectual property in unsecured emails; and creating sham vendors to be paid by company funds.
These "inside" issues are largely separate from the perimeter defenses most organizations have built to keep hackers and unauthorized users from invading their networks and wreaking havoc. "We've spent lots of money on building the moat around the castle," says Pascal Luck, managing director of Core Capital Partners, a private equity firm in Washington, D.C., specializing in early-stage technology ventures.
One way to view this inside/outside threat environment is as a complex "ecosystem" in which there are a variety of different dangers, as well as considerable cooperation and collusion among the parties creating the threats, says Christian Christiansen, vice president of Security Products and Infrastructure Software Overview Research for International Data Corp. (IDC), the high-tech research and publishing firm in Framingham, Mass.
To Christiansen, well-intentioned firewall frameworks have frequently given way to the "perforated perimeter." It's often difficult, he says, to know who is inside and outside the company network, since customers, branch offices and remote users are commonly given the same privileges as employees--and sometimes even more.
"We're seeing a significant amount of access by third parties," says Harry Segal, president of Networks Unlimited, a security consulting firm in Hudson, Mass. "Companies have often treated them as if they are trusted users," when perhaps they should not be. All told, it's widely reported that half of all "hacking" episodes are carried out from inside a company network, though not necessarily by employees.
Worms and viruses are still imported primarily through infected email attachments, and IT departments are kept busy issuing warnings about the latest worm and dealing with the damage done by those that do infect office PCs. A lesser but growing problem, however, involves employees doing recreational surfing of Web sites and downloading files. That's not incidental: A recent Harris Interactive Study concludes that the average employee with Web access spends 8.3 hours of each workweek visiting non-work-related sites.
Christiansen says lots of "loser-users" continually frustrate corporate IT security by poking into various crannies of the Web and committing "mischievous acts," such as going to illicit Web sites and downloading "executables" that may be infected with viruses.
"Surfing activity is causing a variety of problems, much of it when employees inadvertently download spyware," says Segal. "Some are going to legitimate sites and having cookies (pieces of identifying information generated by a Web server and stored in the user's computer, ready for future access) placed on their machines." He mentions a couple of popular sites, like the screensaver provider Webshots and Web account manager Gator, which he says have become popular conduits for spyware.
"We went into 20 different organizations that were not using an employee Internet management system to prevent users from doing these things," Segal notes. "In one organization we looked at, in 30 days, users had gone to 300 gambling or pornographic sites; practically every machine they had was infected with spyware."
While spyware, which reports a user's browsing data and cookies to advertisers for potential pitches, might seem relatively harmless, Segal says that more than 10 percent of overall network traffic at this company consisted of spyware transmitting Web data back to third parties, which significantly hurt network efficiency. At two of the companies analyzed, ranging from 400 to 1,000 employees, troubles triggered by this work-hours surfing were costing them an estimated $1.5 million to $1.8 million a year, Segal adds.
Of course, there is the occasional bad actor inside the company who tries to exploit security for personal gain. Segal says his firm recently worked with a company that discovered one of its computers had a "hacking" tool installed, and that an employee was using it to scan for vulnerable machines where he could obtain confidential information.
In general, such blocking tools are widely viewed as a good thing, and one of the key layers in a strong security system. One popular tool blocks access to named gambling or pornography sites, or might provide "soft blocks" (reminding users that this isn't a recommended site for company business) for shopping or catalog-related sites, Segal says. Such blocking tools tend to be charged on a per-seat basis, he says, and are quite reasonable, with licensing fees running perhaps $10-$20 a year per employee.
Another tool commonly used from inside the perimeter is email content filtering, where the software looks for activity that violates prescribed policies by searching outgoing messages for keywords and patterns. This is of particular concern if there is a threat that intellectual property or sensitive customer information could be emailed out.
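The following is an added example (not code from the article or from any product it mentions) of the kind of outbound content check such a filter performs. It matches a constructed list of sensitive keywords, a Social Security number pattern, and a card-number pattern that is confirmed with a Luhn check so that ordinary order or invoice numbers do not trip the filter; the keyword list, patterns, sample messages and the block/quarantine/allow policy are all assumptions made for the example.

```python
import re
from typing import List, Tuple

# Keywords that mark a message as containing intellectual property (constructed).
SENSITIVE_KEYWORDS = ("confidential", "internal use only", "trade secret", "do not distribute")

# U.S. SSN: rejects area 000, 666 and 9xx, group 00 and serial 0000 (assumed pattern).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# 13-16 digits with optional spaces or hyphens; deliberately loose, tightened by luhn_ok().
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_message(body: str) -> List[Tuple[str, str]]:
    """Return (kind, matched_text) findings for one outgoing message body."""
    findings: List[Tuple[str, str]] = []
    lowered = body.lower()
    for kw in SENSITIVE_KEYWORDS:
        if kw in lowered:
            findings.append(("keyword", kw))
    for m in SSN_RE.finditer(body):
        findings.append(("ssn", m.group()))
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):     # drop numbers that merely look like cards
            findings.append(("card", digits))
    return findings


def policy_action(findings: List[Tuple[str, str]]) -> str:
    """Map findings to a gateway decision (policy chosen for this example)."""
    kinds = {kind for kind, _ in findings}
    if "ssn" in kinds or "card" in kinds:
        return "block"          # customer data: never leaves the network
    if "keyword" in kinds:
        return "quarantine"     # possible IP: hold for review
    return "allow"


# Constructed sample messages, not real mail.
SAMPLE_MESSAGES = {
    "clean": "Hi Bob, the Q3 order 1234567890123 shipped today. Thanks, Alice",
    "keyword": "Attached is the CONFIDENTIAL roadmap deck, do not distribute.",
    "customer_data": "Customer Jane Doe, SSN 123-45-6789, card 4111 1111 1111 1111, requests a refund.",
}

if __name__ == "__main__":
    for name, body in SAMPLE_MESSAGES.items():
        found = scan_message(body)
        print(f"{name:14s} -> {policy_action(found):10s} {found}")
```

The order number in the "clean" message is 13 digits long and is matched by the loose card pattern, but it fails the Luhn check and is allowed through; this is the kind of false positive a keyword-only filter cannot avoid. A filter of this sort sees only plain message bodies, so attachments and encrypted content need separate handling.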
A related and ever-increasing danger is posed by mobile devices like personal digital assistants (PDAs), smartphones and other hand-held devices that mobile workers routinely use to download data from the network. Very shortly, says Gartner Inc., 60 percent of Fortune 2000 employees will have mobile devices, and 40 percent of all corporate data will have been downloaded to them.
"There's no stopping someone from downloading files via a PC as an authenticated user--he could download an entire CRM (customer relationship management) system onto his PDA," says Nick Magliato, CEO of Trust Digital, a McLean, Va., firm providing security solutions around mobile technology. "Larger enterprises recognize this as a security hole." PDAs could also pick up viruses and transmit them to the network.
Trust Digital creates a "policy-based security management system that watches the interaction of mobile devices with the network," Magliato adds, and it offers IT security officers a set of up to 100 parameters in terms of allowing or denying access to data. Magliato says the company has 50 very active customers, including financial services and health care firms, as well as government clients.
Luck of Core Capital says that "we now have a very diffuse perimeter in [which you have] Wi-Fi and wireless synch and mobile devices--these create a class of problems the IT guys never expected." An employee whose PDA is synched to the network both at work and at home might not have his or her virus defenses updated at home, he notes--and inadvertently transmit a virus from the home computer. "People have taken down networks that way," he says.
"Since PDAs were never an IT purchase--they were an individual purchase--they represent a Trojan horse for the IT shop," Luck adds. "They've been trying to react to it. But the fact is, the IT guys will not be able to take those PDAs away."
A few software providers have sprung up to monitor large enterprise systems for the access "rights" assigned to individuals, to make sure they are authorized to carry out the functions they perform and that no one person holds a conflicting combination of them. Approva, one of those companies, has been selling its BizRights application chiefly to $1 billion-plus corporations.
"Our angle is making sure a company can do an effective job of assigning the right roles to people inside the organization," says Neil Selvin, Approva's chief marketing officer. "A lot of people want to focus on who has access to what kinds of transactions, and who actually did them. We want to make sure that people can't create a vendor and then pay that vendor."
BizRights, which can be set up for all different levels of authorizations, can also do "what-if" scenarios that might, for instance, assess the result of giving a lower-level purchasing manager more authority. It also compiles reports on who executed various transactions, allowing managers to consider appropriateness and make adjustments.
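The rights checks described for BizRights above amount to a segregation-of-duties analysis. The following added example (not Approva's code or data) shows the three parts in miniature: a conflict audit over role assignments, a "what-if" that reports the new conflicts a proposed extra role would introduce, and a pass over a transaction log that flags a user who actually executed both sides of a conflicting pair on the same object. The role catalogue, conflict rules, user assignments and log entries are all constructed for the example.

```python
from typing import Dict, List, Set, Tuple

# Role catalogue: role -> transactions it permits (constructed).
ROLES: Dict[str, Set[str]] = {
    "ap_clerk":         {"enter_invoice", "view_vendor"},
    "vendor_admin":     {"create_vendor", "edit_vendor", "view_vendor"},
    "payment_approver": {"approve_payment", "view_vendor"},
    "purchasing_mgr":   {"create_po"},
    "po_approver":      {"approve_po_under_10k"},
    "auditor":          {"view_vendor", "view_payments"},
}

# Segregation-of-duties rules: pairs no single person should hold (constructed).
SOD_CONFLICTS: List[Tuple[str, str]] = [
    ("create_vendor", "approve_payment"),   # create a sham vendor, then pay it
    ("create_vendor", "enter_invoice"),     # create a sham vendor, then bill it
    ("create_po", "approve_po_under_10k"),  # raise and approve one's own order
]


def permissions_for(roles: Set[str]) -> Set[str]:
    """Union of the transactions granted by a set of roles."""
    perms: Set[str] = set()
    for r in roles:
        perms |= ROLES[r]
    return perms


def conflicts_for(roles: Set[str]) -> List[Tuple[str, str]]:
    """SoD pairs fully covered by the given roles."""
    perms = permissions_for(roles)
    return [c for c in SOD_CONFLICTS if c[0] in perms and c[1] in perms]


def audit(assignments: Dict[str, Set[str]]) -> Dict[str, List[Tuple[str, str]]]:
    """Users whose current roles give them a toxic combination."""
    return {u: conflicts_for(rs) for u, rs in assignments.items() if conflicts_for(rs)}


def what_if(assignments: Dict[str, Set[str]], user: str, new_role: str) -> List[Tuple[str, str]]:
    """Conflicts that would be introduced by adding new_role to user."""
    before = set(conflicts_for(assignments[user]))
    after = set(conflicts_for(assignments[user] | {new_role}))
    return sorted(after - before)


def executed_conflicts(log: List[Tuple[str, str, str]]) -> List[Tuple[str, str, Tuple[str, str]]]:
    """(user, object, pair) where one user executed both sides of a pair on one object."""
    by_user: Dict[str, Dict[str, Set[str]]] = {}
    for user, txn, obj in log:
        by_user.setdefault(user, {}).setdefault(obj, set()).add(txn)
    hits = []
    for user, objs in by_user.items():
        for obj, txns in objs.items():
            for pair in SOD_CONFLICTS:
                if pair[0] in txns and pair[1] in txns:
                    hits.append((user, obj, pair))
    return hits


# Constructed assignments and transaction log.
ASSIGNMENTS: Dict[str, Set[str]] = {
    "alice": {"vendor_admin", "payment_approver"},  # toxic: creates vendors and pays them
    "bob":   {"ap_clerk"},
    "carol": {"purchasing_mgr"},
    "dave":  {"auditor"},
}
TRANSACTION_LOG: List[Tuple[str, str, str]] = [
    ("alice", "create_vendor", "V-1042"),
    ("bob", "enter_invoice", "V-1042"),
    ("alice", "approve_payment", "V-1042"),   # both sides of a pair, same vendor
    ("bob", "enter_invoice", "V-0007"),
    ("alice", "approve_payment", "V-0007"),
]

if __name__ == "__main__":
    print("current conflicts:", audit(ASSIGNMENTS))
    print("what-if carol += po_approver:", what_if(ASSIGNMENTS, "carol", "po_approver"))
    print("executed conflicts:", executed_conflicts(TRANSACTION_LOG))
```

Note the two views answer different questions: the audit and what-if say who could carry out a fraud, while the log pass says who did exercise both halves of a pair; a control program needs both, since a user can hold a toxic combination for years without using it, and a conflict that was exercised is a case for review regardless of what the role model says today.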
Yet another twist on inside security has been created by Intrusic, a Waltham, Mass.-based firm whose software tool, Zephon--named for an archangel in Milton's Paradise Lost--tracks the way network components react to a breach and analyzes just which systems have been affected.
"One of the leaps of faith we're introducing is that you can't trust the user," says Intrusic's president, Jonathan Bingham. "Access controls are the customary method of control, but based on our research with large companies and government organizations, you can't trust them." Many malicious attacks, he notes, are launched by hackers who appear to be authorized because they've gained access to the network by scanning for and locating users on virtual private networks (VPNs) that companies set up for authorized employee users working outside the office walls.
Zephon analyzes all incoming and outgoing traffic and reports automatically on any compromise. What it finds in the way of information interception, covert data channels and so-called "reverse tunnels" that allow information to be sucked out through the firewall represents "the black hole of network security," Bingham says. "CIOs have no visibility into it."
Common Sense Rules
However effective, blocking and monitoring tools still need to be considered as complements to a set of well-defined rules and policies. Industry experts describe that as the first and foremost layer of network security.
"One rule is to only allow what is required for access--if all a person needs is one application, like online order entry, lock it down so that only that function can be used," says Segal. "That's common sense, but so many organizations are not taking that approach." In one instance he came across, the company had set up a blocking tool for certain Web sites, but employees found they were able to bypass it by logging on at a customer's Web site.
Vericept, a content monitoring software provider in Englewood, Colo., argues that "while organizations have increased their use of acceptable use policies (AUPs), rarely are they enforced. AUPs should be updated on a regular basis to include the latest in communication tools available, such as Web-based email, chat rooms, instant messaging, bulletin board postings and peer-to-peer file sharing."
Proactive strategies are critical. These involve a combination of technologies and frequent updates, but they don't have to be complicated: In one surprisingly simple move, some companies have lowered their vulnerability by forcing users to switch their browsers from Microsoft's Internet Explorer to something more low-profile. Since the near-ubiquitous Explorer has been the target of choice for most virus spreaders, the theory goes, taking it out of play could take a big "X" off a company's back.
RELATED ARTICLE: Strategies for Shoring Up Internal IT Defenses
1 Establish firm policies on access and authorization
2 Use blocking tools that bar access to certain Web sites
3 Use email filtering tools to search outgoing messages for sensitive data or intellectual property
4 Deploy monitoring tools to scan for illicit entry or breaches
5 Limit functionality available to non-critical users
6 Consider mandating use of less-popular Web browsers