The enemy within
Teen crackers get the ink, but the real threat to your network could be sitting in the next cubicle.
All the hype and media flash about denial-of-service attacks, destructive break-ins and teenage computer geniuses are distracting network executives from the real threat to their computer networks - their own employees.
Industry analysts estimate that in-house security breaches account for 70% to 90% of the attacks on corporate computer networks. And the percentage is probably even higher than that because most insider attacks go undetected. In fact, Dennis Szerszen, director of security strategies at The Hurwitz Group in Framingham, Mass., says for every in-house attack reported, there could be as many as 50 that go unreported or undetected.
That means most companies are blind to the majority of attacks on their systems. It also means the financial losses associated with these attacks are going uncalculated.
"People are ignoring their biggest threat," says John O'Leary, director of education for the Computer Security Institute in San Francisco. "The attention given to hackers by the press is what gets the attention of upper management, and that's what they base their security purchases on. . . . People need to be worried about the insiders because they know how to hurt the organization specifically, drastically and quickly."
That often invisible inside threat comes in many forms. It could be a disgruntled employee who has been put on probation or received a bad work review and wants to lash out at the company by deleting files or changing information. It could be someone who is struggling financially and has been offered thousands of dollars to e-mail or print out classified information. Or it could be a worker breaking into files to change payroll numbers.
And these are the last people you would suspect. They're the people the network administrator chats with over coffee in the lunchroom; the people having their questions answered by the help desk. These are the people -- more than any outside hacker -- who know the system, know the company and know what to do and where to go to make an attack really hurt.
"The vast majority [of employees] are scrupulous and honest and want . . . their company to succeed," O'Leary says. But even someone who is generally satisfied is going to be somewhat disgruntled when they hear about booming salaries or stock options at other places. They hear about the 23-year-old millionaire loaded down with options, and suddenly they're not satisfied.
"It might be a matter of vandalizing or selling information to competitors. Sometimes it's getting information for themselves, say about a coming merger, and buying stock beforehand," O'Leary says. "It all comes down to the fact that we now have highly interconnected systems. With the speed and the power of our own network tools, the ability of one or a couple of disgruntled employees to cause a significant amount of damage has multiplied."
Misspending security budgets
If network executives have their eyes trained in the wrong places, they're most likely not spending their security budgets where it will help them most. Firewalls became the hot security commodity about three years ago, and now virtual private networks (VPN) are taking up their own share of the market. Both technologies are generally focused on securing the perimeter, making sure only the right people get in and keeping everyone else out.
"When you look at buying trends, it's mostly geared for maintaining a secure perimeter," Hurwitz's Szerszen says. "Almost everybody has antivirus software, firewalls and VPNs. But people would do well by their money if they thought about policy access management software and tracking and monitoring devices . . . They've got to think about a different kind of security."
And that market is starting to get some attention. According to The Yankee Group in Boston, the adaptive network security management market is growing at an annual compound rate of 49%. That is expected to push the market from $45 million in 1997 to $747 million in 2003.
Tools of the trade
The latest products in this arena are coming from security vendors such as Internet Security Systems, Axent Technologies, ODS Networks and Netegrity.
For example, companies have long been able to give each employee specific rights and privileges on a network. A person working in human resources shouldn't be able to access the company's sales plans, while the top salesperson shouldn't be able to access employees' personnel records. Analysts and vendors agree that many companies are beginning to put a new focus on these privileges, setting up specific access and rights policies, and giving administrators the teeth they need to enforce them.
What's going to be hot, according to industry observers, is software that will track employees' footprints on the network, mapping out their normal usage patterns. Then if a worker suddenly logs on at 2 a.m. or tries to access a file or a server they normally don't, the software could shut down access and alert an administrator.
And that is only the beginning. Analysts say companies also should be looking to set up internal firewalls, encrypt key databases and audit for internal security holes.
Robert Forbes, technology manager for First Tennessee, one of the 25 largest holding companies in the U.S., says those are all necessary tools to shore up a network. He says getting the tools in place is less about the technology and more about convincing those in charge that purchasing the tools is needed.
IS has to educate the CEOs
"Internal security is a worry," Forbes says. "It's something that we have to go to [the bank executives] with. They don't come to us concerned about this one. They come to us worried about hackers and denial of service. We have to get them to worry about someone being paid $5,000 for stealing internal information. That information could be walking right out our door."
A matter of trust
But no matter how many safeguards the bank has in place, Forbes says there has to be some level of trust involved.
"If my goal is to disable First Tennessee's network, there's not a whole lot they can do to prevent that," he says. "If I'm silently stewing and if I decide to open up the whole network or to shut down the whole network, I could do that. They have to trust me."
That leads to what is often the company's greatest leap of faith - the security or network administrator. This is the person who often has access to every part of the network. As one corporate user who asked to remain anonymous says, "That's the guy with the key to the kingdom. You've got to trust somebody, don't you?"
Analysts generally recommend that if possible, no single person should have access to everything. Split up responsibilities and rights so no single administrator can touch every part of the network.
Ultimately, however, it all comes back to trust. If security administrators tie employees' hands enough so they can't steal or sabotage anything, their productivity might also suffer.
"Electronic security should not be a substitute for having employees who are trustworthy and responsible and good stewards of the information they have at hand," says Len Laughridge, network and systems administrator for AtheroGenics, a biomedical research company in Alpharetta, Ga.
Of course, Laughridge is no fool. He backs up that trust with authentication, passwords, privileges and policies. He also locks down some of his desktops with Ensure Technologies' wireless XyLoc product, which secures PCs, workstations and laptops when the authorized user is not in the vicinity.
Sam Alaw, a network engineer for the U.S. Environmental Protection Agency in Dallas, which has 16,000 employees throughout all 50 states, asserts that most network abuses are merely pranks, if not simple mistakes.
"I don't think there's a sense of destruction or of purposefully causing trouble," says Alaw, who adds system-monitoring software to the basic round of network protections. "If someone does cause destruction on the network, we'll find that out . . . But mostly if you can get a user not to write his password on his monitor, that's a big step."
"There has to be a leap of faith with your employees at some point," says the IT director for a laboratory software and robotics firm, who did not want to be identified. "You try to eliminate the variables where you can but you'll never be 100%. At some point you become so bureaucratic that people can't do their jobs and you're looking at diminishing returns."
But he backs up that trust with policies and user privileges, passwords and monitoring tools from ODS Networks, along with tools he's evaluating from Internet Security Systems.
Those ODS monitoring tools caught one employee who was linking corporate computers to a string of external computers in an attempt to break Data Encryption Standard algorithms. The employee wasn't doing anything malicious, but he opened up the internal computers to outside eyes and depleted the company's own computing power.
However, Matthew Kovar, a senior analyst at The Yankee Group, says that's the kind of faith that gets many companies in trouble.
"They think they know everyone. They think they have trusted employees," Kovar says. "That philosophy breaks down sometimes, some would say quite often. . . . The reality is that most people aren't deploying technologies to alert themselves [to inside breaches]. They don't even know it's happening."
The inside story
Here are some steps network security administrators should be taking to protect their systems from inside security problems:
Computer crime survey
The Computer Security Institute worked with the FBI's Computer Intrusion Squad on the fifth annual Computer Crime and Security Survey. Here are some of the results:
Contact Features Writer Sharon Gaudin

Long after most people have called it a day, a network administrator sits at his desk, studying a monthly report detailing activity at the company's firewall. He searches for holes that crackers could use to infiltrate the network to steal or sabotage critical information.