With 2006 hot on its heels, it's clear that we have yet to get a handle on threats to business integrity. The overall success of criminal activity clearly shows that threat mitigation requires ongoing evolution -- in our approach to infrastructure security, our implementation of security solutions, and the way we think about threats entering the organization.
Vulnerability Begins at Home
Not surprisingly, though many vendors employ the skills of top-level threat research facilities, none have detected the newest and most insidious threat of all -- the internal resource. It's a common misconception that if the perimeter is protected, the organization must be secure. This line of thinking is directly challenged by worldwide headlines about information theft, misappropriation of access and information assets, and data embezzlement. One of the biggest threats to an organization actually lies within its boundaries.
It's an epidemic that goes all the way to the top. In early 2006, the Department of Homeland Security fired an IT administrator who misused his access privileges to read his superiors' confidential email. Malicious insiders notwithstanding, unintentional threats introduced by otherwise well-meaning employees also make up a staggering percentage of the security problems IT handles daily.
It's Anybody's Game
At RSA 2006, IDC presented its Insider Threat Ecosystem, which breaks the corporate population into four main parts. At the top are the citizens -- employees who rarely, if ever, do anything to violate the company's acceptable use policies and are not a security issue.
Second are the delinquents -- who make up the general employee population -- people who take small liberties, check their personal mail, play games, and do some online shopping. While they can pose a significant security threat, it is rarely intentional.
Then there are the renegades -- folks who spend most of the day doing things they should not and often abuse their Internet privileges to install P2P or underground IM applications and, even worse, send confidential company data to outside interested parties. They pose a huge security threat.
Lastly, you have the rogues -- malicious insiders who routinely endanger confidential corporate information assets, usually for financial gain. They pose the biggest security threat yet are often the hardest to catch.
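One way to make the four-tier ecosystem above operational is to place each user in the worst tier their observed activity supports. The following is an added example, not part of the original article or of IDC's material; the log format, event names, the internal domain suffix and the event-to-tier mapping are all constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample log lines for this example: "<user> <event> <detail>".
# The events (web / install / upload) and the domain suffix are assumptions,
# not the format of any real proxy or endpoint product.
SAMPLE_LOG = """\
alice web mail.webmail.example
alice web shop.store.example
bob   install p2p-client.exe
bob   web chat.im.example
bob   upload confidential_salaries.xlsx -> paste.example
carol web intranet.corp.example
dave  install game.exe
dave  web forum.example
"""

# The article's four tiers, ordered from least to most concerning.
TIERS = ("citizen", "delinquent", "renegade", "rogue")
RANK = {t: i for i, t in enumerate(TIERS)}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.+)$")


def classify_event(event, detail, internal_suffix):
    """Map one log event to a tier (assumed mapping that mirrors the article:
    personal browsing = delinquent, unapproved installs = renegade,
    confidential data sent outside the company = rogue)."""
    if event == "upload":
        return "rogue"
    if event == "install":
        return "renegade"
    if event == "web" and not detail.endswith(internal_suffix):
        return "delinquent"
    return "citizen"  # internal browsing or unknown events count as benign


def tier_users(log, internal_suffix=".corp.example"):
    """Return {user: tier}; each user lands in the worst tier observed."""
    worst = {}
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than guessing
        user, event, detail = m.groups()
        tier = classify_event(event, detail, internal_suffix)
        current = worst.get(user, "citizen")
        worst[user] = tier if RANK[tier] > RANK[current] else current
    return worst


def tier_counts(log, internal_suffix=".corp.example"):
    """Population breakdown by tier, for reporting against the ecosystem."""
    return dict(Counter(tier_users(log, internal_suffix).values()))
```

Because a single upload event outranks any amount of benign browsing, the output singles out the rare rogue without drowning them among the much larger delinquent population.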
Though experts widely agree that insiders are among the most insidious threats to the enterprise security infrastructure, companies have been slow to accept this realization. In a recent IDC survey regarding corporate security challenges, respondents unfailingly listed malware as the top threat to their organization, with spyware coming in a close second. Internal threats barely broke into the list at number five. Although respondents see the insider threat as a "bottom of the stack" concern, analysts such as IDC's Brian Burke rank it much higher on the corporate threat mitigation task list.
However, one must look at the context of such surveys. Most respondents were IT or security managers, people tasked with the protection of the network whose primary focus is the network perimeter. While inappropriate access is a security breach, it would more likely be HR or Legal that would be concerned with employees viewing confidential wage information; IT would be more concerned about keyloggers and malware. Yet securing the enterprise must be done from the inside out: defining and, more importantly, enforcing access and use policies, and agreeing that security is cross-organizational, not a departmentally segmented exercise.
Add to the challenge of internal security the leaps and gains being made by the outside-in attack crew and you've got a somewhat overwhelming security scenario. With virus templates, rootkits and made-to-order spyware so easy to obtain, all it takes is an Internet connection and some modicum of aptitude to launch an attack. The prevalence of ready-made criminal tools has given rise to a new breed of attackers -- the previously mediocre are now armed with highly capable code.
"The external criminals' level of sophistication has gone up and at the same time so has their access to criminal tools. In the past, computer crime was kind of like the high school science project and now it's an organized effort. The underground community has made it easy to share those types of tools," says Devin Redmond, Sr. Manager for Security Products and Strategy at Websense. "With more of these tools becoming available, and more collaboration between criminals, the sophistication level of the attack type, as well as the technology, is growing."
Behavioral Vulnerability Is All the Rage
As the sophistication of tools and attack types becomes more advanced, vendors and their solutions must do the same. Yet the most comprehensive, successful approach to controlling the crimeware threat is to proactively control and prevent access to the places where users go and get infected by bad things.
"From an organizational perspective you have to blend policies and solutions. You can't do either/or. If you try to approach it from an all-policy perspective and you don't have a good solution set in place, then you end up spinning your wheels, and vice versa," says Redmond. "You can throw all the technology you want at threats, but if you don't create good policies around what the users are allowed to do then you're still open to vulnerabilities."
As Peter Cassidy, Secretary General of the APWG (Anti-Phishing Working Group), explains, "Behavioral vulnerabilities are the center of the universe. Unfortunately the conversation's always about either money or technology, and behavioral aspects are never really taken as seriously as they should be. Behavioral vulnerability isn't really quantified in a way that illustrates how it impacts the effectiveness of a particular technology."
The whole idea of providing "value" or "utility" in things like Smiley Central or Hot Bar is a great example of social engineering. Users feel that the applications provide usefulness that outweighs company policy prohibiting unapproved downloads. Media files containing malicious payloads are another example of social engineering as a means of propagation. Viral videos spread across the Internet at breakneck speed. How many conceal backend crimeware that users are readily installing onto the corporate network?
"There are people who can't conceptualize what's really going on with crimeware," notes Tim Johnson, Product Marketing Manager for Enterprise Threat Shield at SurfControl. "There are also those that really won't care or who will misunderstand the risk to the organization. When a user wants to do something and the company disallows it, they will often circumvent desktop protection if they're able." No amount of deep packet inspection or port agility defenses can protect an organization against a deceptive or delinquent user.
What's a Company To Do?
The situation may seem bleak: employees are, after all, necessary for doing business, vendor solutions often fail us, and threats are continually on the rise. However, mitigating the symptoms of spyware, phishing, and their more advanced permutations can benefit from the classic layered approach to Internet and communications security, beginning with an enforced acceptable use policy. Combining solutions-based, policy-based and behavioral-based controls can drastically reduce organizational vulnerabilities.
Johnson explains, "From a policy standpoint, policies are only as effective as the enforcement behind them. From a behavioral standpoint, actively educating users as to what crimeware looks like and how it adversely affects the organization can bring them on board as effective preventative resources. From a solutions-based perspective, even the best and brightest of vendor wares can never provide 100% protection. However, they should always be the first line of defense in a comprehensive security approach."
At a minimum, companies need an effective email filter capable of blocking spyware from entering the network via active HTML, attachments, phishing, spam and other email-borne vectors. This is essential to securing the communications medium. Yet blocking shouldn't stop with email - there also needs to be something at the desktop level that stops the spyware as it's introduced, NOT after it is already saved and running.
Lastly, an extremely effective cure for an infected network is to remove the ability to introduce symptoms in the first place. Users unfortunately shoulder most of the blame when it comes to introducing spyware. Diehard delinquents and rogues will do whatever they can to hold onto their messaging, music, games and other nifty widgets. If they can turn off protection, they will. If they can hide their spoils, they will. Companies should implement a solution that disallows running or installing programs (such as games, P2P, and IM applications) that, in turn, install spyware. Group Policy Objects - or similar tools - are not enough, as they can be easily tricked or circumvented.
Enacting policies is a great idea, but completely ineffectual if they aren't regularly, equitably and instantly enforced. Preventative tools are a step in the right direction, but only if they are not of the one-size-fits-all, magic-bullet variety. Workable solutions must have comprehensive, scalable and customizable capabilities to meet the evolving needs of today's organizations.