Hackers, crackers, viruses and worms: the Internet can be a tough place to open up shop. Threats seem to be everywhere; it’s almost enough to make you close the doors and retreat to the cozy security of your internal corporate network. The problem is things aren’t any safer on the inside. In fact, they just might be worse. “The problem of security is much bigger on the inside,” says Nick Galletto, a partner with Deloitte & Touche security services in Toronto.
“On the inside, companies tend to take their employees for granted,” Galletto says. “It’s not just the dishonest or disgruntled employee who can be a problem. IT professionals can misconfigure firewalls or access control devices, and employees can create problems through carelessness.”
Even if black-hat hackers get all the press, however, company executives are aware of problems closer to home. In its 2003 Global Security Survey, Ernst & Young found that its respondents ranked employee misconduct as the second most serious security threat facing their operations.
“The internal threat is always there,” says Tom Wong, senior manager of Ernst & Young’s technology and security risk services in Vancouver. “More money is spent on the external threat, but you see some companies, especially financial institutions, that are looking carefully at the inside.”
Wong says every company should look very carefully, since internal threats make up a rather lengthy list. But, says Wong, “it’s the little things that count in IT security.”
* Bad password hygiene: Passwords are the core of any security system, but network users can be notoriously careless with them. Wong points out that a lengthy password taped to the bottom of a keyboard, or saved on a Post-It note, is easy prey for prying eyes. Equally troubling, says Robert Richardson, editorial director of the Computer Security Institute, is the practice of using the same passwords for business and personal use. “A lot of password-protected Web sites have very weak security,” he says. “If someone can hack into a site and get your personal password, that means he has the keys to your business account.”
* Shared secrets: A related problem is sharing accounts and passwords. Sometimes it’s just easier to use a colleague’s account or computer, but that circumvents authentication, Wong says. “The whole point of an authentication password is to keep track of who’s accessing what.”
* “Above the rules” attitude: “All sorts of problems happen when executive management overrides policies ‘because you can trust me,’” Wong says. “That might or might not be true, but policies have to be consistent if they’re going to work at all. And what kind of message does that send to everyone else?”
* Leaving the hardware door open: A big problem, according to Wong, is employees who leave their computers on and unprotected when they get up from their desks. “We also see a lot of laptop theft due to carelessness,” says Galletto. “When you leave your laptop on a coffee shop table, or in the back seat of your car, you’re really leaving access to your company wide open.”
* E-mailing sensitive information: Whether it’s malicious or not, the moment a sensitive document leaves the enterprise network, it’s not protected by perimeter security. “People do this all the time,” Wong says. “They e-mail work home to themselves through Hotmail, so they can work on the weekend. But Hotmail isn’t protected by your enterprise security.” Moreover, Galletto says, your home computer isn’t your business computer, and home users — your spouse or your kids — should not have access to your business files.
* Messages from outside: A related problem is the kind of threat that can come back into the enterprise when an employee uses his personal Web mail or instant messaging account at work. “Organizations that allow users to access Web mail from work are asking for trouble,” Galletto says. “It’s amazing how many viruses can come through that way, even if you have virus scanning at the gateway.”
* Unauthorized surfing: When employees spend company time surfing for entertainment or thrills, they’re not just wasting company time and money. They’re also inviting spyware and adware onto the company system.
* Unauthorized downloads: Off-site downloads can contain viruses and malicious code. But, Wong warns, “sometimes you need to download a utility or a little program from the Net, so it might not always be appropriate to lock down the desktop.”
* Infected e-mail attachments: “How many times have we told users that, if you don’t know where an attachment came from, don’t open it?” Galletto asks. The problem, however, is that, like the boy who cried wolf, many users just don’t see or hear the warnings anymore. “They get so many these days that they ignore them, or delete them without reading,” says Wong.
* Malicious or dishonest employees: The malicious employee is a rare animal, but he does exist and, Richardson says, he can cause a whole lot more trouble than a careless worker. What is more common, according to Galletto, is the employee who uses company resources for private purposes. “We’ve seen employees who set up shops or, in extreme cases, porn sites,” he says. “A lot of this activity goes undetected because companies aren’t doing a lot of logging, monitoring and reporting.”
Keeping — and watching — an audit trail is the key to maintaining internal security. Antivirus systems are essential, and logging software can keep track of exceptions and unauthorized access and use of critical systems, but technology can’t help if there is no policy defining appropriate use and the logs aren’t reviewed. “It’s a bit of everything,” Galletto says. “You need the technology, certainly, but you have to have the policies and procedures in place to use the technology.”
However, not just any policy will do — you can’t buy a security process off the rack. “Companies are always looking for books of policy that they can slap the company logo on, but it doesn’t work that way,” Richardson says. “Every company is going to be different, with different risks, and you have to decide what they are.”
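As an added illustration of the kind of log review the audit-trail point calls for (this is example code, not anything from the article or the firms quoted in it), the script below runs over a constructed login log and flags two of the problems named above: an account with sessions open from two workstations at once, which is a common sign of a shared account, and logins to a system outside business hours. The log format and all names and timestamps are assumptions made up for the example.

```python
# Added example, not from the article: a small audit-log review that flags
# shared-account use and off-hours logins. Log format is an assumption:
# "<ISO timestamp> <user> <host> <login|logout>", one event per line.
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log (fictional users, hosts and times).
SAMPLE_LOG = """\
2003-05-12T09:01:00 jsmith WS-101 login
2003-05-12T09:04:00 jsmith WS-207 login
2003-05-12T12:30:00 jsmith WS-101 logout
2003-05-12T17:45:00 jsmith WS-207 logout
2003-05-12T23:15:00 mlee WS-042 login
2003-05-13T00:40:00 mlee WS-042 logout
2003-05-13T08:30:00 akhan WS-015 login
2003-05-13T16:00:00 akhan WS-015 logout
"""

def parse_log(text):
    """Parse log lines into (timestamp, user, host, event) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, host, event = line.split()
        events.append((datetime.fromisoformat(ts), user, host, event))
    return events

def concurrent_sessions(events):
    """Users seen logged in from more than one host at the same time.

    Overlapping sessions from different workstations are a simple indicator
    that an account and its password are being shared between people.
    """
    active = defaultdict(set)   # user -> hosts with an open session
    flagged = set()
    for ts, user, host, event in sorted(events):
        if event == "login":
            active[user].add(host)
            if len(active[user]) > 1:
                flagged.add(user)
        elif event == "logout":
            active[user].discard(host)
    return sorted(flagged)

def off_hours_logins(events, start=8, end=18):
    """(user, timestamp) for logins outside the start..end hour window."""
    return [(user, ts.isoformat()) for ts, user, host, event in events
            if event == "login" and not (start <= ts.hour < end)]
```

Findings from a script like this only matter if someone actually reads them; it pairs with the acceptable-use policy the text describes, not in place of it.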
Indeed, a successful internal security policy is a tradeoff, Richardson says. However, companies have to be aware of what they’re trading off. A good policy is one that reflects a sensible balance between security and business objectives. An airtight policy with sixteen-character alphanumeric passwords that have to be renewed twice a week might look good on paper, but its rigour could be enough of an impediment for employees to consider taking shortcuts just to do their jobs. Users put passwords on Post-It notes when they’re hard to remember.
How you respond to an internal security problem depends on what kind of problem it is and, more importantly, the motivation of the person responsible. The employee who inadvertently compromises security through carelessness or negligence can be educated, Richardson says. After all, he probably just wants to do his job.