TORONTO — Attendees at the IT Security and Governance conference Thursday heard from the RCMP that the biggest network threats come from inside the organization — and from a security consultant that the best fixes may come an unorthodox source on the outside.
Luc Filion, one of the several
civilians the RCMP employs to manage its Technical Security Branch in Ottawa, said that more than 60 per cent of network abuse is the result of staff tampering. It could be due to malicious intent, he said, or it could be purely accidental or due to apathy and neglect.
Filion described one case that originated in the U.S. – a bank employee cost his company US$691 million over several years. At first it was by accident, but the employee discovered he could filter money outside of the organization with impunity, since appropriate network security measures were lacking.
It’s ultimately a people problem, said Filion. A lot of companies hire security staff that aren’t fully qualified to meet their obligations. In other cases, security duties might be delegated to an existing employee that isn’t qualified to handle them. In one instance, he said, a secretary was given the key to a closet that contained a vital server just because she happened to sit near it.
Some of the most serious security breaches come through simple neglect, he said. A failure to effectively manage patches and updates can leave holes through which a network can be compromised. Unauthorized PDAs or thumb drives can easily be brought into a company’s physical space and used to capture information. Even a boot disk can easily be used to circumvent password-protected PCs.
This problems are best addressed by acting on the simplest security procedures, he said. But perhaps the best way to manage security is to properly train the day-to-day staff that use IT. The RCMP runs its own training program for public sector employees. One section of Filion’s division is devoted to this purpose, he said.
“Once you scare the bejesus out them, they usually take security more seriously,” he said.
It’s IT users that pose the biggest threat just because they aren’t effectively trained in a lot of cases, he said. It’s up to security professionals to promulgate this information to their staff, he said, noting that he was preaching to the choir by imparting security practices at a security conference. “All the people we see at these conferences are the people we don’t need to see.”
Curtis Wiseman, director of security for Cyberplex in Toronto, spoke after Filion and agreed that sometimes the biggest security breaches occur because people aren’t aware that they’re misusing their own IT. The head of accounting can become a hacker unbeknownst to them by saving a file in a wrong location, for example.
To guard against the most egregious examples of network attacks, Wiseman suggested that companies may want to consider hiring ethical or “white hat” hackers. These are IT professionals who solve security issues because they are passionate about problem-solving, he said. They possess knowledge that can’t easily be imparted and have skills that are not easily transferable, he said.
Hackers will often look for network flaws in places that most security professionals wouldn’t consider to be at risk. By locating an ftp site, for example, a hacker could locate a system administrator’s password and break into the network that way.
White hat hackers will consider security practices in ways that aren’t written up in manuals, said Wiseman. That way they can provide solutions to problems that no one else has even thought of and thereby insure an extra layer of protection.
Hackers are a different breed, though, and companies would be wise to consider that before hiring them, said Wiseman. They may become obsessed with security problems and deliver elegant, clever solutions which are ultimately overkill. They get results, he said, but may be in front of their computers till 4 a.m. and not show up for work until the following afternoon.