The Enemy Within
The length of a border grows only in proportion to the size of a figure, but the area grows with the square of the size; in the same way, it's tempting to focus on problems at the edge of the network because they're much easier to identify and address than those that can arise from any point inside the perimeter.
"People are spending a lot of money on firewall and intrusion [detection] technology," said Dan Jude, president of software vendor Security Software Systems Inc., in Sugar Grove, Ill. "But 70 percent of breaches are internal. It's not just financial information; it's intellectual property, it's things being sent internally that create liability."
If "insecure computing" is broadly defined as abuse of IT systems creating serious costs to the enterprise, Jude said, then enterprise IT must concern itself with activities such as the sending of sexually harassing e-mail as well as with attacks on IT infrastructure or sensitive data.
SSSI's Policy Central product directly confronts the issue of enterprise surveillance of employee IT activity. Court decisions to date tend to support the idea that activities on enterprise networks are the property, and are subject to the scrutiny, of the company and its appointed IT or other security staff; appropriate, documented notification to users is the crucial ingredient, and SSSI fills that gap.
"Before users are allowed to access any application or Web site, they must agree to the company's customized policy on acceptable use," Jude explained. "Their acceptance is logged in a database." With that acceptance formally recorded, SSSI's technology is then free to scan not just e-mail messages but also document files such as spreadsheets as well as Internet access activity, with immediate results, said Jude, once people realize that their individual activity is now a matter of record.
Like it or not, the precedents have been set and lack only the enabling technology to make this common practice.
Once the tools become pervasive, failure to use them could risk civil findings of employer negligence, even without corresponding legislation.
"Users seem to be more tolerant toward blocking and scanning tools than in the past," said FN Manufacturing's Benincasa. "Publicity of events seems to have sensitized users more to the issues and risks. They don't like it, but they understand the need." (Benincasa may have had a head start on this process, given his company's involvement in the stringently documented arms business.)
Users and business unit managers are still a law unto themselves, though, when a technology becomes an affordable off-the-shelf convenience. "I worry a lot about wireless networks. How easy it would be for a rogue employee to place a dongle into the USB port of one of their PCs and compromise our network," said Schwedhelm.
Conventional wired connections can also escape the protection of enterprise security architects in the pursuit of short-term convenience. "People complain about firewalls all the time," said Taher Elgamal, chief technology officer at Securify Inc., in Mountain View, Calif. "People set up Internet access themselves. They buy a router and install it with no firewall. That's not a technical problem; that's a problem of management. There's too much focus on technical vulnerabilities." (Read the review of Securify's SecureVantage packet sniffer.)
As author of the patent on the SSL protocol, the heart of most Web retail transactions, Elgamal speaks with authority on the limits of technology: "There are way too many technology companies in security these days, when the real solution is to run things like a business: The business owns the data, the business owns the computer, the business has to come down on these things and say, 'This is how they should be used.'"
Said Schwedhelm, "Our board of directors is pretty good about understanding security issues when they are presented with information, and I was very happy that our bank regulators showed a great interest in security during a recent examination. It emphasized to our board of directors how important network security really is."
Like FN Manufacturing's Benincasa, however, Schwedhelm is in a business accustomed to a high degree of regulatory scrutiny and may be ahead of the curve in acclimating managers and users to these necessities. IT departments in other domains may get more initial resistance.
However, studies from groups such as the FBI's Computer Intrusion Squad, in San Francisco, suggest that internal attackers represent at least a third of the problem, or more, if the problem is broadly defined in terms of damage to systems or cost to the enterprise, without regard to motive.