The case of the tampered USBs

I was just at a conference and heard that despite all the press and focus on hacking and viruses, there is a 72 percent likelihood that the next successful attack will come from an insider (according to statistics from ICSA Labs). Why isn't this number going down?

For years, organizations have focused on the evil outsiders that were behind attacks on their networks. Firewall, IDS and IPS technologies have come to the rescue and have resulted in impregnable walls protecting organization networks. Now, with strong walls, the challenge is ensuring the trusted insiders don't walk out with the king's crown.

Recently, I heard a story of a black-hat firm trying to gain access to a pharmaceutical company's secrets. They put 4GB USB sticks (properly marked and in manufacturers' packaging) all over the parking lot. Employees picked up the sticks, and some went straight to their computers and inserted them to see if they worked. Unknown to the employees, the USB sticks carried a boot program that installed a piece of software. The software made a copy of all outgoing mail. The duplicated e-mail was then sent to the black-hat servers, right through the firewall the company had.

Another example is a client where I went to review the findings of a risk assessment we had done. We had left our appliances deployed for one week, then went back and created a report for presentation. The report contained incidents of data leakage. At the executive presentation we highlighted a highly secret spreadsheet that had been sent to a number of consultants who should not have seen it. In the meeting the CIO challenged the findings and stated that it was impossible for someone to have sent that spreadsheet, and he wanted the details of who sent it. We went to our appliance and found that it was sent by the CIO, except it was a tab in a larger spreadsheet. Organizations face data leakage not only from malicious activities but also from accidental disclosure.

So how does a company keep up? Can anyone know all the ways in which data can leave a company? Can they know who should see what? The challenge now is to use an organization's own traffic to determine what is normal, to investigate unusual activities, and to validate the rules already in place. This, surprisingly, is the future of information security: using an organization's own historical traffic to learn what to protect.

Having worked with many CSOs/CISOs, I can say that two things are clear. First, in the mountain of data an organization has, there is information that is the crown jewels of the company. Second, most organizations don't know what that information is or who has legitimate access to it. Data loss prevention solutions are a good first step when the organization knows what information needs to be protected, and from whom. If your organization doesn't know which information to protect, then either start by interviewing all stakeholders or deploy a learning data loss prevention system.
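The "learn what is normal from historical traffic" idea above, as an added illustration that is not part of the column: a small baseline detector that records which recipient domains each sender has historically mailed, then flags a sensitive attachment going to a domain that sender has never used (the way the CIO's spreadsheet tab went to outside consultants). The log lines, addresses and sensitivity labels are all constructed for the example.

```python
"""Added example: learn per-sender recipient domains from historical mail
logs, then flag sensitive attachments sent to a domain that sender has no
history with. All records below are constructed, not real traffic."""
from collections import defaultdict

# Constructed history: (sender, recipient, attachment sensitivity label)
HISTORY = [
    ("cio@corp.example", "cfo@corp.example", "internal"),
    ("cio@corp.example", "board@corp.example", "confidential"),
    ("cio@corp.example", "alice@lawfirm.example", "public"),
    ("sales@corp.example", "buyer@customer.example", "public"),
]

# Constructed new traffic to evaluate against the learned baseline
NEW_MAIL = [
    ("cio@corp.example", "bob@consultants.example", "confidential"),
    ("cio@corp.example", "cfo@corp.example", "confidential"),
    ("sales@corp.example", "buyer@customer.example", "public"),
    ("sales@corp.example", "buyer@customer.example", "confidential"),
]

SENSITIVE = {"confidential", "secret"}


def domain(addr: str) -> str:
    """Lower-cased domain part of an e-mail address."""
    return addr.rsplit("@", 1)[-1].lower()


def learn_baseline(history):
    """Map each sender to the set of recipient domains seen in history."""
    baseline = defaultdict(set)
    for sender, recipient, _label in history:
        baseline[sender.lower()].add(domain(recipient))
    return baseline


def flag_unusual(baseline, mail):
    """Return records that are sensitive AND leave the company to a domain
    the sender has never mailed before; internal traffic is never flagged."""
    flagged = []
    for sender, recipient, label in mail:
        s, d = sender.lower(), domain(recipient)
        if label not in SENSITIVE or d == domain(s):
            continue
        if d not in baseline.get(s, set()):
            flagged.append((sender, recipient, label))
    return flagged


if __name__ == "__main__":
    for hit in flag_unusual(learn_baseline(HISTORY), NEW_MAIL):
        print("REVIEW:", hit)
```

A real appliance would key on content fingerprints rather than a label column, but the baseline-then-deviation logic is the same.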


Copyright © 2008 IDG Communications, Inc.