Soft on the Inside

By Allen Bernard

(Back to article)

As the arrest of an AOL employee today for allegedly pilfering screen names of AOL customers for resale to a spammer attests, internal IT security at most companies is still a greater threat than being hacked from unknown, outside assailants with malicious intent.

"There's a saying in security: 'Crunchy on the outside, soft on the inside'," says Barry Kaufman, CTO of the Intense School, an IT training center in Ft. Lauderdale, Fla., that provides accelerated certification boot camps for computer professionals. "And the general mentality out there is perimeter security as opposed to comprehensive and internal security. While you can technically do great things like patch systems and whole bunch of other stuff, it's hard to patch human beings."

While worms, viruses, Trojans, external hacking and other outside threats are ever increasing, 80% of hacks still originate from internal sources, as do 80% of computer crimes, said Kaufman. Some of this is intentional and malicious. Yet many security issues are simply caused by carelessness on the part of system administrators unaware of the pervasive security holes in their systems.

"If they turn just a basic passive scan on internally, they'll see everybody's system is completely wide open unless they've gotten involved in node security," says Kaufman.

With so much attention paid to security issues over the past few years this seems paradoxical, but it is understandable once you realize the average security mentality stems from a medieval mindset: build high walls with strong gates to keep the barbarians out and you'll be safe. The problem is, once the barbarians breech the walls (or bypass them via a tunnel or Trojan Horse), most companies' systems are wide open for attack.

Overcoming this mindset and building a better security mousetrap is really about three things, says Gerry Wilson, CIO of Bedford, Mass.-based security firm RSA Security: People, process and policy -- and then technology, in that order.

And, while technology solutions proliferate, most are defensive in nature. Wilson prefers to promote a 'good offense is the best defense' strategy that heads off attacks through ongoing employee training and security policies and procedures that are strictly enforced.

"The easiest things for a CIO to do is to go buy a technology solution," says Wilson, "but the harder component is to surround that with processes and people and the administrative policies that help that technology do its job and do what it's intended to do."Single sign-on, for example, is great for employees tired of multiple passwords and the post-it notes they rely on to remember them, but it can lead to a wide open back-end once the initial password is breached. That is why node security is becoming more popular, but this is really just a smaller, more pervasive version of building walls. Intrusion prevention is the latest thinking in security and the reason RSA's business is booming, says Wilson.

The first level of defense, however, is still strong authentication. Wilson promotes a two-factor authentication schema that involves something you have, like an ATM card and something you know, like a PIN number. RSA sells a system where the user has a token of some kind -- the 'have' -- that syncs up to a system password generator that changes passwords every 60 seconds, and a static PIN number the employee remembers.

Using this system, the password changes every 60 seconds, providing a good layer of initial security, i.e. authentication. From there policies and procedures take over as well as node security and a system of checks and balances to ensure someone in marketing isn't accessing financial data and vice-versa.

Another reason the medieval mindset is no longer effective is the porous nature of most corporate networks, says Matt Kovar, an analyst with the Yankee Group in Boston.

"Companies and their applications are accessible through so many different network connections or application connections that there is almost no real defined perimeter any longer," says Kovar.

This why security vendors like Check Point Software Technologies are focusing more attention on 'rules-of-engagement' at the application layer. This is different from node security, which is basically a server-, or OS-, level perimeter defense, says Kovar. Application-layer security focuses on point-to-point connections within the network to see who is accessing what and if that access should be considered valid.

"That's the area where organizations are trying to identify. What are the patterns of communication that should be operating on their network and trying to identify what falls out of the norm," he says. "The application is where the new attacks are going. Are they outside? Are they inside? Many times the outside attack needs an inside accomplice, if you will, either witting or unwitting."

And once you connect to partners, vendors, suppliers and customers, the internal threats increase exponentially. Even though these groups are technically external to your company, access to the network brings them inside and makes them an internal threat.

So, while worms and viruses are problematic, and hackers are endemic to the Internet, these threats are really quite minor compared to the potentially more damaging insider threat. Rarely, according to experts, do hackers actually do much harm or steal. More than likely, planting their 'flag' to claim bragging rights is the justification for their efforts. Like it or not, employees, and lax or non-existent policies and procedures, can cause the most damage if left unchecked.

"What you need to do is think like a criminal," says RSA's Wilson, "and say 'If I were someone trying to do this, how would I do it?' And try to put in some policies, procedures, education, training, awareness, checks and balances, etc. to mitigate the risk."