With 2006 hot on its heels, it's clear that we have yet to get a handle on threats to business integrity. The overall success of criminal activity clearly shows that threat mitigation requires ongoing evolution -- in our approach to infrastructure security, our implementation of security solutions, and the way we think about threats entering the organization.
Vulnerability Begins at Home
Not so surprisingly, though many vendors employ the skills of top-level threat research facilities, none have detected the newest and most insidious threat of all -- the internal resource. It's a common misconception that if the perimeter is protected, the organization must be secure. This line of thinking is directly challenged in worldwide headlines, information theft, misappropriation of access and information assets, and data embezzlement. One of the biggest threats to an organization actually lies within its boundaries.
In its 2005 survey, The Global State of Information Security, PricewaterhouseCoopers found that 33 percent of information security attacks originated from internal employees, while 28 percent came from ex-employees and partners. Further bolstering these findings, law enforcement experts estimate that more than 50 percent of all security breach cases are the result of employees misusing access privileges.
It's an epidemic that goes all the way to the top. In early 2006, the Department of Homeland Security fired an IT administrator who misused his access privileges to read his superiors' confidential email. Malicious insiders notwithstanding, unintentional threats, introduced by otherwise well-meaning employees, also make up a staggering percentage of the security problems IT will handle daily.
It's Anybody's Game
At RSA 2006, IDC presented their Insider Threat Ecosystem, which breaks the corporate stratosphere into four main parts. At the top are the citizens -- employees who rarely, if ever, do anything to violate the company acceptable use policies and are not a security issue.
Second are the delinquents -- which make up the general employee population -- people who take small liberties, check their personal mail, play games, and do some online shopping. While they can pose a significant security threat, it is rarely intentional.
Then there are renegades -- folks that spend most of the day doing things they should not and often abuse their Internet privileges to install P2P or underground IM applications, and even worse, send confidential company data to outside interested parties. They pose a huge security threat.
Lastly, you have the rogues -- malicious insiders who routinely endanger confidential corporate information assets, usually for financial gain. They pose the biggest security threat yet are often the hardest to catch.
Though experts widely agree that insiders are among the most insidious threats to the enterprise security infrastructure, companies have been slow to accept this realization. In a recent IDC survey regarding corporate security challenges, respondents unfailingly listed malware as the top threat to their organization, with spyware coming in a close second. Internal threats barely broke into the list at number five. Although respondents see insider threat as a "bottom of the stack" concern, analysts such as IDC's Brian Burke rank it much higher on the corporate threat mitigation task list.
However, one must look at the context of such surveys. Most respondents were IT or security managers, people tasked with the protection of the network whose primary focus is on the network perimeter. While inappropriate access is a security breach, it would more likely be HR or Legal that would be concerned with employees viewing confidential wage information. IT would be more concerned about keyloggers and malware. Yet securing the enterprise must be done from the inside out: defining and, more importantly, enforcing access and use policies, and agreeing that security is cross-organizational, not a departmentally segmented exercise.
Add to the challenge of internal security the leaps and gains being made by the outside-in attack crew and you've got a somewhat overwhelming security scenario. With virus templates, rootkits and made-to-order spyware so easy to obtain, all it takes is an Internet connection and some modicum of aptitude to launch an attack. The prevalence of ready-made criminal tools has given rise to a new breed of attackers -- the previously mediocre are now armed with highly capable code.
"The external criminals' level of sophistication has gone up and at the same time so has their access to criminal tools. In the past, computer crime was kind of like the high school science project and now it's an organized effort. The underground community has made it easy to share those types of tools," says Devin Redmond, Sr. Manager for Security Products and Strategy at Websense. "With more of these tools becoming available, and more collaboration between criminals, the sophistication level of the attack type, as well as the technology, is growing."