
The enemy within

Teen crackers get the ink, but the real threat to your network could be sitting in the next cubicle.


Long after most people have called it a day, a network administrator sits at his desk, studying a monthly report detailing activity at the company's firewall. He searches for holes that crackers could use to infiltrate the network to steal or sabotage critical information.

Down the hall in the marketing department, a woman calls up a payroll file to measure her co-workers' salaries against her own. And a software engineer two floors down prints out a copy of newly tested code he expects will bring him thousands of dollars from the company's biggest competitor.




All the hype and media flash about denial-of-service attacks, destructive break-ins and teenage computer geniuses are distracting network executives from the real threat to their computer networks - their own employees.

Industry analysts estimate that in-house security breaches account for 70% to 90% of the attacks on corporate computer networks. And the percentage is probably even higher than that because most insider attacks go undetected. In fact, Dennis Szerszen, director of security strategies at The Hurwitz Group in Framingham, Mass., says for every in-house attack reported, there could be as many as 50 that go unreported or undetected.

That means most companies are blind to the majority of attacks on their systems. It also means the financial losses associated with these attacks are going uncalculated.

"People are ignoring their biggest threat," says John O'Leary, director of education for the Computer Security Institute in San Francisco. "The attention given to hackers by the press is what gets the attention of upper management, and that's what they base their security purchases on. . . . People need to be worried about the insiders because they know how to hurt the organization specifically, drastically and quickly."

That often invisible inside threat comes in many forms. It could be a disgruntled employee who has been put on probation or received a bad work review and wants to lash out at the company by deleting files or changing information. It could be someone who is struggling financially and has been offered thousands of dollars to e-mail or print out classified information. Or it could be a worker breaking into files to change payroll numbers.

And these are the last people you would suspect. They're the people the network administrator chats with over coffee in the lunchroom; the people having their questions answered by the help desk. These are the people -- more than any outside hacker -- who know the system, know the company and know what to do and where to go to make an attack really hurt.

"The vast majority [of employees] are scrupulous and honest and want . . . their company to succeed," O'Leary says. But even someone who is generally satisfied is going to be somewhat disgruntled when they hear about booming salaries or stock options at other places. They hear about the 23-year-old millionaire loaded down with options, and suddenly they're not satisfied.

"It might be a matter of vandalizing or selling information to competitors. Sometimes it's getting information for themselves, say about a coming merger, and buying stock beforehand," O'Leary says. "It all comes down to the fact that we now have highly interconnected systems. With the speed and the power of our own network tools, the ability of one or a couple of disgruntled employees to cause a significant amount of damage has multiplied."

Misspending security budgets

If network executives have their eyes trained in the wrong places, they're most likely not spending their security budgets where it will help them most. Firewalls became the hot security commodity about three years ago, and now virtual private networks (VPN) are taking up their own share of the market. Both technologies are generally focused on securing the perimeter, making sure only the right people get in and keeping everyone else out.

"When you look at buying trends, it's mostly geared for maintaining a secure perimeter," Hurwitz's Szerszen says. "Almost everybody has antivirus software, firewalls and VPNs. But people would do well by their money if they thought about policy access management software and tracking and monitoring devices . . . They've got to think about a different kind of security."

And that market is starting to get some attention. According to The Yankee Group in Boston, the adaptive network security management market is growing at an annual compound rate of 49%. That is expected to push the market from $45 million in 1997 to $747 million in 2003.

Tools of the trade

The latest products in this arena are coming from security vendors such as Internet Security Systems, Axent Technologies, ODS Networks and Netegrity.

For example, companies have long been able to give each employee specific rights and privileges on a network. A person working in human resources shouldn't be able to access the company's sales plans, while the top salesperson shouldn't be able to access employees' personnel records. Analysts and vendors agree that many companies are beginning to put a new focus on these privileges, setting up specific access and rights policies, and giving administrators the teeth they need to enforce them.

What's going to be hot, according to industry observers, is software that will track employees' footprints on the network, mapping out their normal usage patterns. Then if a worker suddenly logs on at 2 a.m. or tries to access a file or a server they normally don't, the software could shut down access and alert an administrator.
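A minimal sketch of that baseline-and-deviation idea, added here as an illustration and not taken from the article or from any vendor's product. The record format, user names and resource names are constructed assumptions, and the code only raises alerts; it does not shut down access.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records: (timestamp, user, resource, outcome).
HISTORY = [
    ("2000-05-01T09:05:00", "hr_clerk", "hr/personnel", "granted"),
    ("2000-05-02T13:40:00", "hr_clerk", "hr/personnel", "granted"),
    ("2000-05-03T16:55:00", "hr_clerk", "hr/benefits", "granted"),
    ("2000-05-01T08:30:00", "sales_lead", "sales/plans", "granted"),
    ("2000-05-02T18:10:00", "sales_lead", "sales/plans", "granted"),
]
NEW_EVENTS = [
    ("2000-05-04T10:15:00", "sales_lead", "sales/plans", "granted"),
    ("2000-05-04T02:03:00", "hr_clerk", "sales/plans", "refused"),
    ("2000-05-04T11:20:00", "hr_clerk", "finance/payroll", "granted"),
    ("2000-05-04T14:00:00", "contractor", "hr/personnel", "granted"),
]

def build_baseline(history):
    """Per user: hours of day seen and resources successfully accessed."""
    baseline = defaultdict(lambda: {"hours": set(), "resources": set()})
    for ts, user, resource, outcome in history:
        if outcome == "granted":  # refusals must not become "normal"
            baseline[user]["hours"].add(datetime.fromisoformat(ts).hour)
            baseline[user]["resources"].add(resource)
    return dict(baseline)

def reasons_for(event, baseline, slack=1):
    """Return the list of deviations for one event (empty means normal)."""
    ts, user, resource, outcome = event
    reasons = []
    profile = baseline.get(user)
    if profile is None:
        reasons.append("no_baseline")
    else:
        hour = datetime.fromisoformat(ts).hour
        # Simplification: usual hours form one daytime window (no night shifts).
        if not min(profile["hours"]) - slack <= hour <= max(profile["hours"]) + slack:
            reasons.append("off_hours")
        if resource not in profile["resources"]:
            reasons.append("new_resource")
    if outcome == "refused":
        reasons.append("refused")
    return reasons

def detect(history, events):
    """Return (user, timestamp, reasons) for every event that deviates."""
    baseline = build_baseline(history)
    alerts = [(e[1], e[0], reasons_for(e, baseline)) for e in events]
    return [a for a in alerts if a[2]]

if __name__ == "__main__":
    for user, ts, reasons in detect(HISTORY, NEW_EVENTS):
        print(f"ALERT {ts} {user}: {', '.join(reasons)}")
```

Only granted accesses feed the baseline, so repeated refused attempts never turn into "normal" behaviour for that user.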

And that is only the beginning. Analysts say companies also should be looking to set up internal firewalls, encrypt key databases and audit for internal security holes.

Robert Forbes, technology manager for First Tennessee, one of the 25 largest holding companies in the U.S., says those are all necessary tools to shore up a network. He says getting the tools in place is less about the technology and more about convincing those in charge that purchasing the tools is needed.

IS has to educate the CEOs

"Internal security is a worry," Forbes says. "It's something that we have to go to [the bank executives] with. They don't come to us concerned about this one. They come to us worried about hackers and denial of service. We have to get them to worry about someone being paid $5,000 for stealing internal information. That information could be walking right out our door."

That means getting executives to look past the media hype and focus on more mundane security problems. "Quite a bit of it is about education," Forbes says. "I tell them they have to worry about the guy whose wife left him, the dog bit him, he's in a bad mood and now there's trouble."

To take care of that disgruntled employee or anyone else with a devious motive, Forbes says he's set up a myriad of policies and software, including computer usage policies that spell out which desktops, files and servers each employee can access. He also has clearly spelled out punishments that range from a reprimand to termination. He has set up user privileges, passwords and identification numbers, along with software to track usage patterns, and monitoring software to detect and set off alarms for deviations in those patterns.

On top of that, First Tennessee reserves the right to monitor employees' in-house bank accounts. Forbes says if he suddenly deposits $10,000, the bank probably will come asking questions about where he got the money.

A matter of trust

But no matter how many safeguards the bank has in place, Forbes says there has to be some level of trust involved.

"If my goal is to disable First Tennessee's network, there's not a whole lot they can do to prevent that," he says. "If I'm silently stewing and if I decide to open up the whole network or to shut down the whole network, I could do that. They have to trust me."

That leads to what is often the company's greatest leap of faith - the security or network administrator. This is the person who often has access to every part of the network. As one corporate user who asked to remain anonymous says, "That's the guy with the key to the kingdom. You've got to trust somebody, don't you?"

Analysts generally recommend that if possible, no single person should have access to everything. Split up responsibilities and rights so no single administrator can touch every part of the network.

Ultimately, however, it all comes back to trust. If security administrators tie employees' hands enough so they can't steal or sabotage anything, their productivity might also suffer.

"Electronic security should not be a substitute for having employees who are trustworthy and responsible and good stewards of the information they have at hand," says Len Laughridge, network and systems administrator for AtheroGenics, a biomedical research company in Alpharetta, Ga.

Of course, Laughridge is no fool. He backs up that trust with authentication, passwords, privileges and policies. He also locks down some of his desktops with Ensure Technologies' wireless XyLoc product, which secures PCs, workstations and laptops when the authorized user is not in the vicinity.

Sam Alaw, a network engineer for the U.S. Environmental Protection Agency in Dallas, which has 16,000 employees throughout all 50 states, asserts that most network abuses are merely pranks, if not simple mistakes.

"I don't think there's a sense of destruction or of purposefully causing trouble," says Alaw, who adds system-monitoring software to the basic round of network protections. "If someone does cause destruction on the network, we'll find that out . . . But mostly if you can get a user not to write his password on his monitor, that's a big step."

"There has to be a leap of faith with your employees at some point," says the IT director for a laboratory software and robotics firm, who did not want to be identified. "You try to eliminate the variables where you can but you'll never be 100%. At some point you become so bureaucratic that people can't do their jobs and you're looking at diminishing returns." But he backs up that trust with policies and user privileges, passwords and monitoring tools from ODS Networks, along with tools he's evaluating from Internet Security Systems. Those ODS monitoring tools caught one employee who was linking corporate computers to a string of external computers in an attempt to break Data Encryption Standard algorithms. The employee wasn't doing anything malicious, but he opened up the internal computers to outside eyes and depleted the company's own computing power.

However, Matthew Kovar, a senior analyst at The Yankee Group, says that's the kind of faith that gets many companies in trouble.

"They think they know everyone. They think they have trusted employees," Kovar says. "That philosophy breaks down sometimes, some would say quite often. . . . The reality is that most people aren't deploying technologies to alert themselves [to inside breaches]. They don't even know it's happening."

The inside story
Here are some steps network security administrators should be taking to protect their systems from inside security problems:
  1. Employ strong authentication tools.
  2. Use intrusion-detection tools, and pay attention to the results on a daily basis so you can identify threats as they occur.
  3. Encrypt key databases.
  4. Audit and close security holes.
  5. Don't let one administrator have access to the whole network.
  6. Conduct background checks before hiring employees.
  7. Have strong antivirus software in place since most viruses are spread from the inside.
  8. Develop a strong policy that addresses ownership of corporate data.
  9. Make sure your employees are aware of the policies and the consequences of breaking them.
  10. Ensure that all sensitive business data is logged for access attempts and refusals.



Computer crime survey
The Computer Security Institute worked with the FBI's Computer Intrusion Squad on the fifth annual Computer Crime and Security Survey. Here are some of the results:
  • 90% of respondents (primarily large corporations and government agencies) detected computer security breaches within the past year.
  • 71% of respondents detected unauthorized access by insiders.
  • 25% of respondents detected system penetration from the outside.
  • 79% detected employee abuse of Internet access privileges.
  • 74% acknowledged financial losses through theft of proprietary information and financial fraud.
  • For the third consecutive year, more respondents (59%) cited their Internet connections as a frequent point of attack than their internal systems (38%).




Contact Features Writer Sharon Gaudin

Copyright, 1994-2006 Network World, Inc. All rights reserved.