Watching Your Back

The biggest threats to security may already be inside your network.

Most football fans think of the Super Bowl as the end of the professional football season. While it may be the official finale, there's still an unofficial ritual that takes place throughout the National Football League after the final whistle blows: the firing of coaches by teams that didn't achieve enough regular- or post-season glory.

Even the storied Green Bay Packers—with 12 world championships under their belt over the last 82 seasons—are not immune. The team has had more head coaches (13) than championships. And more assistants than you could shake a frozen block of cheese at.

That kind of turnover creates problems for the Packers' IT director, Wayne Wichlacz, who's responsible for the security of the organization's intranet. It's tough enough to keep external hackers from breaking in and picking off everything from financial information to scouting reports and playbooks. It can be even harder protecting that information from coaches and players who today may be on your team and tomorrow may be singing another fight song.

To ensure that no one within his firewalls is accessing unauthorized files or applications, Wichlacz has built a championship defense strategy using a combination of policies, procedures and security tools, including authentication software, firewalls and a VPN (virtual private network).

"Being in the football arena, we have a lot of people going from team to team, and it's in our best interest to make sure accounts are shut down and things are secure internally," said Wichlacz, in Green Bay, Wis.

Hacker exploits and denial-of-service attacks may be snatching the headlines, but the biggest threats to security may already be inside your company's network. They're the employees who, either out of carelessness or malice, leave digital assets open to exploitation.

So, savvy organizations such as the Packers, Massachusetts Institute of Technology and Edmunds.com Inc. are taking action to limit their exposure. They're implementing strategies that include developing and enforcing strict policies that, for example, ensure former employees are shut out of the network once they leave the organization. They also involve taking advantage of security technologies such as internal auditing systems, Internet filtering tools, password protection software and VPNs to find and stop internal security breaches. And, perhaps most important, they're enforcing procedures such as hardening hardware and immediately pulling compromised machines off the network.

Getting Even

So just how common are security attacks from employees and other internal sources? Surprisingly, given the number of layoffs in recent months, the 2001 Computer Security Institute/FBI Computer Crime and Security Survey found security breaches from internal sources are down—although they haven't gone away by any means. The number of respondents to the survey who reported incidents of unauthorized access by insiders dropped from 71 percent in 2000 to 49 percent last year.

Still, experts warn, this does not mean threats from the inside should be any less of a concern. In fact, in a survey last year by Camelot IT Ltd. and eWEEK, of those enterprises that reported a security breach within the last year, the largest group—57 percent—said the breaches were caused by inside users accessing unauthorized resources. Twenty-one percent of respondents said their companies had been the victims of an attempted or successful break-in by an angry employee. Still, many IT managers remain unaware of or unmoved by the risk. According to the Camelot-eWEEK survey, 22 percent of respondents said they were not concerned about unauthorized insiders having access to sensitive data.

Whether security breaches from inside are becoming more or less frequent, one thing's for sure: Internal security breaches are expensive. The study by the CSI and the FBI shows that theft of proprietary information continues to represent one of the largest financial losses to organizations.

That's because employees and contractors have both the technical skill and insider know-how to disrupt or corrupt vital services as well as to gain access to confidential information, said Victor Wheatman, an analyst at Gartner Inc., in San Jose, Calif. Often, Wheatman said, because of weak internal network monitoring and administration, internal employees—or those posing as employees—can do great damage before they are discovered.

"When it comes down to it, all outsider attackers are working to become insiders," said Wheatman. "The statistics seem to be balancing out over time, but it is naive to think that internal security should take a back seat to external security."

Avoiding the Nightmare

Like the Packers' Wichlacz, some IT managers are taking steps to avoid the nightmare of an internal security breach before it happens.

"Really, the worst thing would be for an employee to start moving files around and hiding them," said Steve Farr, CIO at Salerno/Livingston Architects, in San Diego. "If someone gets mad, they could really do some damage that would cost us time and money to clean up."

Farr should know. His company learned its lesson a few years ago when an employee stole architectural drawings after being fired. Since then, Farr has implemented a series of strict policies. First of all, the IT organization is notified hours before the human resources department conducts an exit interview with an employee on the way out. During the meeting, IT immediately disables access to e-mail, all files on the network and the VPN.

Second, on an ongoing basis, IT managers review logs from the company's NetScreen 1000 Internet system box from NetScreen Technologies Inc., in Sunnyvale, Calif., to ensure unauthorized files or applications aren't being opened. All files are also analyzed to see who last modified them and when.

Farr isn't the only one who takes a hard stance when it comes to departing employees. At automotive Web site Edmunds.com, in Santa Monica, Calif., IT is notified a day before an employee is terminated, and all access is immediately restricted and monitored. In anticipation of layoffs last year, IT developed policies under which a computer system is physically disconnected from the network and has its power supply shut off as an employee is being pink-slipped.

"Obviously, layoffs are never easy, so we disconnect everything to make sure the user can't come back and do anything malicious," said Jack Cate, director of systems administration at Edmunds.com.
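The two controls described above, notifying IT before a termination so accounts can be disabled, and reviewing access logs for activity by people who should be gone, can be checked mechanically. The script below is an added example, not code from the article or from any of the companies it names; the HR roster, directory export and access-log formats are constructed for illustration. It reports accounts that are still enabled after their termination time and any logged activity by those accounts after that time.

```python
"""Offboarding audit: flag departed users still enabled, and any access
they performed after their termination time.

Added example; the three input formats below are constructed.
"""
from datetime import datetime

# Constructed HR roster: user, termination timestamp (ISO 8601).
HR_ROSTER = """\
jdoe,2002-01-15T14:00:00
asmith,2002-01-20T09:30:00
"""

# Constructed directory export: user, account status.
DIRECTORY = """\
jdoe,disabled
asmith,enabled
bjones,enabled
"""

# Constructed access log: timestamp user action resource.
ACCESS_LOG = """\
2002-01-15T13:55:00 jdoe READ /share/finance/q4.xls
2002-01-15T14:10:00 jdoe READ /share/scouting/draft.doc
2002-01-20T10:05:00 asmith VPN login
2002-01-21T08:00:00 bjones READ /share/finance/q4.xls
"""


def parse_roster(text):
    """Return {user: termination datetime}."""
    roster = {}
    for line in text.splitlines():
        if line.strip():
            user, ts = line.split(",")
            roster[user] = datetime.fromisoformat(ts)
    return roster


def parse_directory(text):
    """Return {user: status}."""
    return dict(line.split(",") for line in text.splitlines() if line.strip())


def parse_log(text):
    """Return a list of (datetime, user, action, resource) tuples."""
    entries = []
    for line in text.splitlines():
        if line.strip():
            ts, user, action, resource = line.split(" ", 3)
            entries.append((datetime.fromisoformat(ts), user, action, resource))
    return entries


def accounts_left_enabled(roster, directory):
    """Departed users whose directory account is still enabled."""
    return sorted(u for u in roster if directory.get(u) == "enabled")


def post_termination_activity(roster, log):
    """Log entries by a departed user that occurred after their termination time."""
    hits = []
    for ts, user, action, resource in log:
        cutoff = roster.get(user)
        if cutoff is not None and ts > cutoff:
            hits.append((user, ts.isoformat(), action, resource))
    return hits


def run_audit():
    roster = parse_roster(HR_ROSTER)
    directory = parse_directory(DIRECTORY)
    log = parse_log(ACCESS_LOG)
    return accounts_left_enabled(roster, directory), post_termination_activity(roster, log)


if __name__ == "__main__":
    enabled, activity = run_audit()
    print("Still enabled after departure:", enabled)
    for hit in activity:
        print("Post-termination activity:", hit)
```

On the constructed data the audit reports that asmith's account was never disabled and that both jdoe and asmith touched resources after their termination times, while jdoe's read five minutes before the cutoff is ignored. In practice the roster would come from the HR system and the log from the firewall or file server, but the comparison is the same.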

Just as important as having employee policies in place is implementing the right security procedures. At Cambridge-based MIT, Bob Mahoney, team leader for network security, has published guidelines that focus on hardening the university's systems against internal threats.

MIT's rules specify that the 40,000 computers on its networks will be scanned continuously. In search of both intentional and unintended internal threats, IT officials look for missing virus patches as well as suspicious behavior. Once a machine is identified as vulnerable, the machine's owner is notified and given a deadline by which he or she must download and install a security patch. Failure to meet the deadline means the computer is pulled off the network. In the event that a machine is being used by someone to conduct attacks on other machines or to open unauthorized files, its network port is immediately shut off, and the computer is physically disconnected from the network.
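The scan, notify, deadline, disconnect sequence above is a small state machine per host, and writing it down that way makes the rules auditable. The following is an added example, not MIT's tooling; the scan findings are constructed, the seven-day grace period is an assumption (the article gives no figure), and the notification and port-shutdown functions are stand-ins for whatever ticketing and switch-management calls an organization actually uses.

```python
"""Patch-compliance enforcement as a per-host state machine:
clean -> notified (deadline set) -> disconnected if the deadline passes,
with an immediate jump to disconnected for a host seen attacking others.

Added example; scan data is constructed and the actions are stubs.
"""
from datetime import datetime, timedelta

GRACE_PERIOD = timedelta(days=7)  # assumed; the article states no grace period


def notify_owner(owner, host, patch, deadline):
    # Stand-in for an e-mail or ticket to the machine's owner.
    return f"{owner}: {host} is missing {patch}; install by {deadline.date()}"


def disable_port(host):
    # Stand-in for a switch or NAC call that shuts the host's network port.
    return f"port for {host} disabled"


def process_scan(tracker, findings, now):
    """Apply one scan pass to `tracker` (host -> record) and return actions taken.

    Each finding: {"host", "owner", "missing_patch" (None if clean), "attacking"}.
    """
    actions = []
    for f in findings:
        host = f["host"]
        rec = tracker.setdefault(
            host, {"state": "clean", "owner": f["owner"], "missing_patch": None, "deadline": None}
        )
        if rec["state"] == "disconnected":
            continue  # stays off the network until an administrator reinstates it
        if f.get("attacking"):
            rec["state"] = "disconnected"
            actions.append(disable_port(host))
            continue
        patch = f["missing_patch"]
        if patch is None:
            rec.update(state="clean", missing_patch=None, deadline=None)
            continue
        if rec["state"] == "clean":
            rec.update(state="notified", missing_patch=patch, deadline=now + GRACE_PERIOD)
            actions.append(notify_owner(rec["owner"], host, patch, rec["deadline"]))
        elif now > rec["deadline"]:
            rec["state"] = "disconnected"
            actions.append(disable_port(host))
    return actions


# Constructed scan results; "example-patch-1" is a placeholder patch name.
DAY0 = datetime(2002, 2, 4)
SCAN_DAY0 = [
    {"host": "lab-01", "owner": "alice", "missing_patch": "example-patch-1", "attacking": False},
    {"host": "lab-02", "owner": "bob", "missing_patch": None, "attacking": False},
    {"host": "lab-03", "owner": "carol", "missing_patch": None, "attacking": True},
]
SCAN_DAY8 = [
    {"host": "lab-01", "owner": "alice", "missing_patch": "example-patch-1", "attacking": False},
    {"host": "lab-02", "owner": "bob", "missing_patch": "example-patch-1", "attacking": False},
    {"host": "lab-03", "owner": "carol", "missing_patch": None, "attacking": False},
]


def run_demo():
    """Two scan passes eight days apart; returns (tracker, day-0 actions, day-8 actions)."""
    tracker = {}
    day0_actions = process_scan(tracker, SCAN_DAY0, DAY0)
    day8_actions = process_scan(tracker, SCAN_DAY8, DAY0 + timedelta(days=8))
    return tracker, day0_actions, day8_actions


if __name__ == "__main__":
    tracker, a0, a8 = run_demo()
    print("Day 0:", a0)
    print("Day 8:", a8)
    for host, rec in sorted(tracker.items()):
        print(host, rec["state"])
```

On day 0, lab-01 is notified and given a deadline, and lab-03 is cut off at once because it was seen attacking. On day 8, lab-01 has missed its deadline and is cut off, lab-02 has newly fallen behind and is notified, and lab-03 stays disconnected even though the later scan finds it clean, since reinstatement is a deliberate administrative step rather than an automatic one.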

Mahoney, who has seen few problems from student hackers, said that while there are users with malicious intent, most incidents are caused by users who don't know any better.

Like MIT, Edmunds.com uses scanning tools to keep an eye on internal users. The company also enforces a policy of frequently changing passwords. At present, Edmunds.com's Cate, and Oscar Mejia, manager of network computing, run monthly security audits using Nessus, a free remote security scanner. Nessus, which can be downloaded at no cost, handles port scanning and network-level auditing and alerts IT of any suspicious activity on company servers.

Passwords are changed every year and managed by John the Ripper, a free, downloadable password-checking tool that ensures that all passwords are secure and have not been compromised.

Partly as a response to layoffs, Edmunds.com recently intensified its focus on internal security, monitoring employee movements on the Internet. Concerned about productivity and to make sure employees weren't using free e-mail accounts to send out confidential company data, Cate is now using Ntop, a Unix-based Internet protocol auditing tool that shows network usage.

"We are really starting to pay attention to local activity," Cate said. "We've always logged activity, but now we're really starting to do analysis on the logs to make sure everything is secure."

Many IT managers said they also use Internet auditing tools to ensure that end users are who they say they are. At the Packers, Wichlacz uses firewall and VPN products from Check Point Software Technologies Ltd., of Redwood City, Calif., to ensure that coaching staff members are the only ones going through playbooks and that financial officers are the only ones looking at spending reports. Wichlacz also uses Safeword authentication software from Secure Computing Corp., in San Jose.

Later this year, Wichlacz will begin an Exchange 2000 migration that will enable him to take advantage of the password management capabilities in Microsoft Corp.'s Active Directory. Once AD is implemented, Wichlacz will be able to more easily block access to e-mail and other enterprise applications.

In the long run, experts say, a successful internal security program requires a combination of policies, procedures and technology. The first step, IT managers say, is to be constantly on the lookout for potential attacks, whether from the inside or the outside. That vigilance is another play Wichlacz can use to defend against attackers coming from inside or outside the organization.

"In the end, it doesn't really matter where they're coming from," Wichlacz said. "What matters is what they're looking for."