Companies find it convenient to single out employees as the main threat to internal network security so they can put a face on the problem. But unwanted intruders, not employees, pose the greatest risk to organizations. An intruder can be a malicious hacker, former employee or one of the thousands of third-party connections organizations have opened to help further business goals.
Solutions exist to protect against employee abuse. The most common is access control - locking down file servers, desktops and applications. Recently, vendors have tried to protect content on the networks. This approach only fortifies against the casual employee who is bored or looking to get a head start with the sales list before heading to the next job. These solutions cannot protect against sophisticated intruders who employ state-of-the-art tools and technologies to cause damage to companies.
Today, hackers circumvent network security by disguising themselves as legitimate users. With one legitimate access account, the intruders can infiltrate systems - not breaking down gates, but accessing each system with legitimate credentials they gather along the way. They steal these credentials in a variety of ways: compromising a home user's computer, tricking employees into divulging passwords or user names, or sniffing an ISP.
Scarier still, most companies don't have a way to detect these compromises. Compromises are usually discovered while operating or rebuilding a server or, more likely, when a CEO wakes up to find his proprietary data publicly available.
Criminals use an arsenal of techniques to access valuable data: reverse HTTP tunnels, Internet Control Messaging Protocol backdoors, sniffers, Trojans, even steganography - embedding data in images. And with the proliferation of sources to download these tools on the Web, users need less sophistication than they did even six months ago. That's why companies should worry about sophisticated hackers and not employees who blindly access networks.
A new technology - compromise detection - exists to combat the risk malicious hackers pose. Unlike both access controls and content filters, compromise detection was built specifically to defend against the stealthy and sophisticated attacks that intruders will use now and in the future.
Compromise detection exposes hackers as they enter and move through the network. This approach independently audits and tracks internal traffic, looking for specific telltale signs pointing to the footprints intruders leave behind. To identify these covert actions on internal networks, a product must have a deep understanding of how internal networks fundamentally behave.
The fact is, companies assume risk for a compromise anytime they grant access to their networks. Employees happen to be the easiest risk factor to guard against. It is imperative for organizations to realize employees are not the main problem. Thinking so leaves networks consistently and dangerously exposed.
Bingham is president and co-founder of Intrusic, a security software vendor. He can be reached at firstname.lastname@example.org.