Behind the Firewall - The Insider Threat, Part 1

Guest Column: Kathy Coe of Symantec's Education Services weighs the human threat within the corporate firewall.

Your security program is only as strong as its weakest link, and that is where the human element comes into play. Even if you have very comprehensive IT security technology in place, all it takes is one careless, uninformed, or disgruntled person with access to your physical office space or enterprise network to open your company up to unnecessary risk. While you spend a great deal of time and money fortifying your enterprise networks against outsider threats, don't neglect the threat from within. The fact is that some of the most devastating threats to computer security have come from individuals who were deemed trusted insiders.

Costly consequences

Protecting intellectual property should be a security priority for all enterprises because the alternatives can be very costly - not to mention very damaging to your corporate image. According to the 2002 CSI/FBI Computer Crime and Security Survey, the most serious financial losses occurred through theft of proprietary information (41 respondents reported a total of $170,827,000).

One infamous insider

The case of former FBI agent Robert Phillip Hanssen, who was convicted for spying for Russia, is an extreme but prime example of how insiders can take advantage of their access and authorizations. Over a span of more than 15 years, Hanssen provided his Russian contacts with highly classified documents and details about U.S. intelligence sources and electronic surveillance taken directly from his employer, the FBI. Because Hanssen was an authorized user, his activities didn't raise any suspicion. While Hanssen used a variety of technology devices as a means of stealing data - encrypted floppy disks, removable storage devices, and even his own Palm handheld device - he also repeatedly walked out of his FBI office carrying classified paper documents in his briefcase, which he would then hand over to his Russian contacts. Since Hanssen's arrest two years ago, the FBI has put a special panel in place to review all internal processes and systems and to study the issue of insider abuse. Hanssen manually and electronically stole information from the FBI for his own financial gain, and he did it for more than 15 years without trouble because he was a trusted insider.

Who are your insiders?

While your full-time employees may be the most obvious insiders, those employees make up a fraction of the individuals you should be concerned about. Anyone who has physical or electronic access to your enterprise poses a potential security risk. In addition to your employees, think about all of the people who can get past your security guard (if there is one) and into your office - contract workers, temporary workers, visitors, interns, and service, support and maintenance people. Once they are inside your office walls, they have access to unlocked workstations, paper files, and any passwords or other sensitive data that could be left out in the open.

Key holders

Some insiders who pose a threat don't necessarily have physical access to your office. Often it is the "key holders" - those who have access to your internal systems through contract or partnership arrangements with your enterprise - who can cause the most harm. So that you can conduct business with them, these key holders have access to your network and have been given authorization to be there. It is important that your IT staff be aware of who these individuals are, and give them only the access necessary to perform their function while keeping a close eye on their activities.

Four main reasons insiders cause security breaches

The value of the security software and policies you have in place will decrease if insiders don't understand their role in maintaining a secure enterprise. With that in mind, here are the main reasons behind internal security breaches:

  • Ignorance - Insiders do not know about, or do not understand, the security policies that are in place. Lack of understanding of general safe computing practices and information system use is also a common problem.
  • Carelessness - While insiders may be aware of security policies and procedures, all too often they do not stop to consider how their actions would breach the rules. Their motivation is not to exploit, attack or otherwise adversely affect your enterprise system - but it could end up badly regardless of motive.
  • Disregard for security policies - Sometimes insiders will act in ways that they know go against the security policy. Often this is an effort by insiders to make their day-to-day tasks easier. For instance, when insiders keep passwords on a sticky note attached to their monitors, they are not directly trying to cause harm, but they also know that they are going against policy and their actions could lead to compromise of corporate information.
  • Maliciousness - This can be a disgruntled insider, or any insider who deliberately intends to inflict damage, destroy, or compromise your enterprise's intellectual property - for financial gain, or merely personal satisfaction.

Important checklist

Here is a checklist of important things you should do to help preserve your enterprise security from the inside out:

  • Immediately after temporary or contract workers are done working for you, disable their user accounts on your computer systems. Of course, the same thing applies to employees who leave the company.
  • Do not allow multiple employees to share a single logon account.
  • Make it clear to all insiders with access to your enterprise network that their usage is subject to monitoring - this should be a part of your corporate security policy.
  • Keep laptops locked down - this should be a part of an overall mobile computing policy.
  • Utilize password-protected screen savers so computers are always locked when not in use.
  • Instruct employees to log off their computers before they leave each day.
  • Dole out access to the network on an individual basis, and give each person access to only the computers and files they will need to do their jobs.
  • Emphasize the importance of protecting passwords - they should not be left on sticky notes on the computer, emailed or shared with other employees.
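
As an added example (not part of the original column), the first two checklist items and the "only the access they need" rule for key holders can be checked mechanically by comparing an account export with a staff and contract roster. The record layout, person IDs, resource names and dates below are all constructed for illustration.

```python
from datetime import date

# Constructed roster: who each person is, when their engagement ended
# (None = still active), and which resources their job actually requires.
ROSTER = {
    "emp-1001": {"end": None, "needs": {"finance"}},
    "emp-1002": {"end": None, "needs": {"calendar"}},
    "emp-1003": {"end": None, "needs": {"calendar"}},
    "ctr-2001": {"end": date(2003, 1, 31), "needs": {"build"}},   # contract over
    "ptr-3001": {"end": None, "needs": {"orders"}},               # partner "key holder"
    "int-4001": {"end": date(2002, 8, 30), "needs": {"wiki"}},
}

# Constructed account export: login, state, the people who use it, its access.
ACCOUNTS = [
    {"login": "jdoe", "enabled": True, "owners": ["emp-1001"], "access": {"finance"}},
    {"login": "temp7", "enabled": True, "owners": ["ctr-2001"], "access": {"build"}},
    {"login": "frontdesk", "enabled": True,
     "owners": ["emp-1002", "emp-1003"], "access": {"calendar"}},
    {"login": "partner-vpn", "enabled": True,
     "owners": ["ptr-3001"], "access": {"orders", "source"}},
    {"login": "oldintern", "enabled": False, "owners": ["int-4001"], "access": {"wiki"}},
]

TODAY = date(2003, 3, 1)  # constructed audit date


def audit(accounts, roster, today):
    """Return (login, finding) pairs for enabled accounts that break the checklist."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled, nothing to flag
        if len(acct["owners"]) > 1:
            findings.append((acct["login"], "shared-logon"))
        needed = set()
        for owner in acct["owners"]:
            person = roster.get(owner)
            if person is None:
                findings.append((acct["login"], "owner-not-on-roster"))
                continue
            if person["end"] is not None and person["end"] < today:
                findings.append((acct["login"], "owner-departed"))
            needed |= person["needs"]
        for extra in sorted(acct["access"] - needed):
            findings.append((acct["login"], "excess-access:" + extra))
    return findings


if __name__ == "__main__":
    for login, finding in audit(ACCOUNTS, ROSTER, TODAY):
        print(login, finding)
```
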

The worst thing you can do is to have a false sense of security just because you have taken steps to secure your IT systems with technology. Most likely, quite a few insiders know what your most valuable information assets are, where they're stored and how to access them. Take charge of the situation by gaining a tighter grip over usage and educating users on how their actions can threaten your enterprise security.

Coming in Part Two

Network defenses will certainly be enhanced when employees are motivated (but not scared) to adopt a common-sense approach to security and are trained to recognize possible security problems. This can be accomplished through an awareness and education program. We will discuss ways to educate your employees on general threats, social engineering tactics, and ways to create a culture of awareness in your enterprise.

Kathy Coe is Director of Education Services for Symantec. She has more than 20 years of experience designing, implementing, and managing customer-focused training solutions for organizations. Over the last six years her business education experience has been focused on the information security industry.
