When insiders go outside the lines: for all the money companies have spent to secure their networks' outside perimeters against hackers and viruses, the problems posed by employees and other insiders may not be getting enough attention.

"Beware of strangers" is time-honored advice. But for companies everywhere, when it comes to information technology (IT) security, there's another key maxim to heed these days: beware the enemy within.

[ILLUSTRATION OMITTED]

"Enemy" may be too strong a word, since few employees anywhere are actively working to subvert corporate networks or introduce malicious code or viruses--or worse, using corporate access to commit fraud. Yet any number of seemingly innocent activities, such as opening email attachments or recreational surfing of Web sites while at work, are creating significant security threats and impairing network performance, say IT infrastructure and security experts. The dangers are compounded when customers, branch offices or suppliers are given wide-ranging access to the corporate network. The resulting problems include unknowingly importing viruses or worms that can infect and possibly even disable networks or Web sites; unwittingly downloading "spyware" that hurts network performance; transmitting sensitive customer data or intellectual property in unsecured emails; and creating sham vendors to be paid with company funds. These "inside" issues are largely separate from the perimeter defenses most organizations have built to keep hackers and unauthorized users from invading their networks and wreaking havoc.
"We've spent lots of money on building the moat around the castle," says Pascal Luck, managing director of Core Capital Partners, a private equity firm in Washington, D.C., specializing in early-stage technology ventures.

One way to view this inside/outside threat environment is as a complex "ecosystem" in which there are a variety of different dangers, as well as considerable cooperation and collusion among the parties creating the threats, says Christian Christiansen, vice president of Security Products and Infrastructure Software Research for International Data Corp. (IDC), the high-tech research and publishing firm in Framingham, Mass. To Christiansen, well-intentioned firewall frameworks have frequently given way to the "perforated perimeter." It's often difficult, he says, to know who is inside and outside the company network, since customers, branch offices and remote users are commonly given the same privileges as employees--and sometimes even more.

"We're seeing a significant amount of access by third parties," says Harry Segal, president of Networks Unlimited, a security consulting firm in Hudson, Mass.
"Companies have often treated them as if they are trusted users," when perhaps they should not be.

All told, it's widely reported that half of all "hacking" episodes are carried out from inside a company network, though not necessarily by employees. Worms and viruses are still imported primarily through infected email attachments, and IT departments are kept busy issuing warnings about the latest worm and dealing with the damage done by those that do infect office PCs. A lesser but growing problem, however, involves employees doing recreational surfing of Web sites and downloading files. That's not incidental: a recent Harris Interactive study concludes that the average employee with Web access spends 8.3 hours of each workweek visiting non-work-related sites.

Christiansen says lots of "loser-users" continually frustrate corporate IT security by poking into various crannies of the Web and committing "mischievous acts," such as going to illicit Web sites and downloading "executables" that may be infected with viruses.

"Surfing activity is causing a variety of problems, much of it when employees inadvertently download spyware," says Segal. "Some are going to legitimate sites and having cookies (pieces of identifying information generated by a Web server and stored in the user's computer, ready for future access) placed on their machines." He mentions a couple of popular sites, like the screensaver provider Webshots and Web account manager Gator, which he says have become popular conduits for spyware.
"We went into 20 different organizations that were not using an employee Internet management system to prevent users from doing these things," Segal notes. "In one organization we looked at, in 30 days, users had gone to 300 gambling or pornographic sites; practically every machine they had was infected with spyware." While spyware, which sends a user's cookies to advertisers for potential pitches, might seem relatively harmless, Segal says that more than 10 percent of overall network traffic at this company was represented by spyware transmitting Web data back to third parties, which significantly hurt network efficiency. At two of the companies analyzed, ranging from 400 to 1,000 employees, troubles triggered by this work-hours surfing were costing them an estimated $1.5 million to $1.8 million a year, Segal adds.

Of course, there is the occasional bad actor inside the company who tries to exploit security for personal gain. Segal says his firm recently worked with a company that discovered one of its computers had a "hacking" tool installed, and that an employee was using it to scan for vulnerable machines where he could obtain confidential information.

In general, blocking tools are widely viewed as a good thing, and one of the key layers in a strong security system. One popular tool blocks access to named gambling or pornography sites, or might provide "soft blocks" (reminding users that this isn't a recommended site for company business) for shopping or catalog-related sites, Segal says.
Such blocking tools tend to be charged on a per-seat basis, he says, and are quite reasonable, with licensing fees running perhaps $10-$20 a year per employee.

Another tool commonly used from inside the perimeter is email content filtering, where the software looks for activity that violates prescribed policies by searching for keywords. This is of particular concern if there's a threat that intellectual property or sensitive customer information could be emailed out.

A related and ever-increasing danger is posed by mobile devices like personal digital assistants (PDAs), smartphones and other hand-held devices that mobile workers routinely use to download data from the network. Very shortly, says Gartner Inc., 60 percent of Fortune 2000 employees will have mobile devices, and 40 percent of all corporate data will have been downloaded to them.

"There's no stopping someone from downloading files via a PC as an authenticated user--he could download an entire CRM (customer relationship management) system onto his PDA," says Nick Magliato, CEO of Trust Digital, a McLean, Va., firm providing security solutions around mobile technology.
"Larger enterprises recognize this as a security hole." PDAs could also pick up viruses and transmit them to the network. Trust Digital creates a "policy-based security management system that watches the interaction of mobile devices with the network," Magliato adds, and it offers IT security officers a set of up to 100 parameters in terms of allowing or denying access to data. Magliato says the company has 50 very active customers, including financial services and health care firms, as well as government clients.

Luck of Core Capital says that "we now have a very diffuse perimeter in [which you have] Wi-Fi and wireless synch and mobile devices--these create a class of problems the IT guys never expected." An employee whose PDA is synched to the network both at work and at home might not have his or her virus defenses updated at home, he notes--and inadvertently transmit a virus from the home computer. "People have taken down networks that way," he says. "Since PDAs were never an IT purchase--they were an individual purchase--they represent a Trojan horse for the IT shop," Luck adds. "They've been trying to react to it. But the fact is, the IT guys will not be able to take those PDAs away."

A few software providers have sprung up to monitor large networks for the "rights" assigned to certain individuals, to make sure they are authorized to carry out certain functions. Approva, one of those companies, has been selling its BizRights application chiefly to $1 billion-plus corporations.
"Our angle is making sure a company can do an effective job of assigning the right roles to people inside the organization," says Neil Selvin, Approva's chief marketing officer. "A lot of people want to focus on who has access to what kinds of transactions, and who actually did them. We want to make sure that people can't create a vendor and then pay that vendor."

BizRights, which can be set up for all different levels of authorizations, can also do "what-if" scenarios that might, for instance, assess the result of giving a lower-level purchasing manager more authority. It also compiles reports on who executed various transactions, allowing managers to consider appropriateness and make adjustments.

Yet another twist on inside security has been created by Intrusic, a Waltham, Mass.-based firm whose software tool, Zephon--named for an archangel in Milton's Paradise Lost--tracks the way network components react to a breach and analyzes just which systems have been affected. "One of the leaps of faith we're introducing is that you can't trust the user," says Intrusic's president, Jonathan Bingham. "Access controls are the customary method of control, but based on our research with large companies and government organizations, you can't trust them." Many malicious attacks, he notes, are launched by hackers who appear to be authorized because they've gained access to the network by scanning for and locating users on virtual private networks (VPNs) that companies set up for authorized employee users working outside the office walls.
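The role-conflict check, "what-if" scenario and executed-transaction report described for BizRights above, written out as an added example (not Approva's code): it flags anyone whose roles let them both create a vendor and pay it, tests a proposed role grant before it is made, and checks a transaction log for people who actually did both halves. All role, permission, user and log values are constructed for the example.

```python
"""Segregation-of-duties (SoD) checks over role assignments and a transaction log.
Added illustration, not Approva's BizRights code; every role, permission, user
and log record below is constructed for this example.
"""

# Constructed role -> permission mapping (not from any real ERP product).
ROLE_PERMS = {
    "ap_clerk": {"create_vendor", "enter_invoice"},
    "ap_manager": {"approve_payment", "enter_invoice"},
    "purchasing_mgr": {"create_po", "approve_po"},
    "purchasing_admin": {"create_vendor", "create_po", "approve_po", "approve_payment"},
}

# Permission pairs one person must not hold together: together they let a
# single employee create a sham vendor and pay it, or raise and approve a PO.
SOD_CONFLICTS = [
    ("create_vendor", "approve_payment"),
    ("create_po", "approve_po"),
]

def effective_perms(roles, role_perms=ROLE_PERMS):
    """Union of the permissions granted by all of a user's roles."""
    return set().union(*(role_perms.get(r, set()) for r in roles))

def sod_violations(roles, role_perms=ROLE_PERMS, conflicts=SOD_CONFLICTS):
    """Conflicting pairs that a user holding these roles could exercise."""
    perms = effective_perms(roles, role_perms)
    return [p for p in conflicts if p[0] in perms and p[1] in perms]

def audit(assignments, role_perms=ROLE_PERMS, conflicts=SOD_CONFLICTS):
    """Map each user who has at least one SoD conflict to the conflicts found."""
    return {u: found for u, roles in assignments.items()
            if (found := sod_violations(roles, role_perms, conflicts))}

def what_if(current_roles, new_role, role_perms=ROLE_PERMS, conflicts=SOD_CONFLICTS):
    """New conflicts that granting `new_role` would introduce (existing ones excluded)."""
    before = set(sod_violations(current_roles, role_perms, conflicts))
    after = set(sod_violations(list(current_roles) + [new_role], role_perms, conflicts))
    return sorted(after - before)

def executed_conflicts(log, conflicts=SOD_CONFLICTS):
    """Users who actually performed both halves of a conflicting pair, per the
    (user, action) transaction log, rather than merely holding the rights."""
    done = {}
    for user, action in log:
        done.setdefault(user, set()).add(action)
    return {u: [p for p in conflicts if p[0] in a and p[1] in a]
            for u, a in done.items() if any(p[0] in a and p[1] in a for p in conflicts)}
```

Run `audit` over the full role table to find existing conflicts, and `what_if` before approving a role request so the grant is refused or split when it would create one.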
Zephon analyzes all incoming and outgoing traffic and reports automatically on any compromise. What it finds in the way of information interception, covert data channels and so-called "reverse tunnels" that allow information to be sucked out through the firewall represents "the black hole of network security," Bingham says. "CIOs have no visibility into it."

Common Sense Rules

However effective, blocking and monitoring tools still need to be considered as complements to a set of well-defined rules and policies. Industry experts describe that as the first and foremost layer of network security. "One rule is to only allow what is required for access--if all a person needs is one application, like online order entry, lock it down so that only that function can be used," says Segal. "That's common sense, but so many organizations are not taking that approach." In one instance he came across, the company had set up a blocking tool for certain Web sites, but employees found they were able to bypass it by logging on at a customer's Web site.

Vericept, a content monitoring software provider in Englewood, Colo., argues that "while organizations have increased their use of acceptable use policies (AUPs), rarely are they enforced. AUPs should be updated on a regular basis to include the latest in communication tools available, such as Web-based email, chat rooms, instant messaging, bulletin board postings and peer-to-peer file sharing."

Proactive strategies are critical. These involve a combination of technologies and frequent updates, but they don't have to be complicated: in one surpassingly simple move, some companies have lowered their vulnerability by forcing users to switch their browsers from Microsoft's Internet Explorer to something more low-profile. Since the near-ubiquitous Explorer has been the target of choice for most virus spreaders, the theory goes, taking it out of play could take a big "X" off a company's back.

RELATED ARTICLE: Strategies for Shoring Up Internal IT Defenses

1 Establish firm policies on access and authorization
2 Use blocking tools that bar access to certain Web sites
3 Use email filtering tools to search outgoing messages for sensitive data or intellectual property
4 Deploy monitoring tools to scan for illicit entry or breaches
5 Limit functionality available to non-critical users
6 Consider mandating use of less-popular Web browsers