The approach to enterprise security has always been to build the fortress walls bigger and higher — write more policies, install more products. Yet despite heightened awareness and a proliferation of cutting-edge security tools, 2005 turned out to be the worst year on record for corporate security breaches.
With 2006 hot on its heels, it’s clear that we have yet to get a handle on threats to business integrity. The overall success of criminal activity clearly shows that threat mitigation requires ongoing evolution — in our approach to infrastructure security, our implementation of security solutions, and the way we think about threats entering the organization.
Vulnerability Begins at Home
Not so surprisingly, though many vendors employ the skills of top-level threat research facilities, none have detected the newest and most insidious threat of all — the internal resource. It’s a common misconception that if the perimeter is protected, the organization must be secure. This line of thinking is directly challenged by worldwide headlines about information theft, misappropriation of access and information assets, and data embezzlement. One of the biggest threats to an organization actually lies within its boundaries.
In its 2005 survey, “The Global State of Information Security,” PricewaterhouseCoopers found that 33 percent of information security attacks originated from internal employees, while 28 percent came from ex-employees and partners. Further bolstering these findings, law enforcement experts estimate that more than 50 percent of all security breach cases are the result of employees misusing access privileges.
It’s an epidemic that goes all the way to the top. In early 2006, the Department of Homeland Security fired an IT administrator who misused his access privileges to read his superior’s confidential email. Malicious insiders notwithstanding, unintentional threats introduced by otherwise well-meaning employees also make up a staggering percentage of the security problems IT will handle daily.
It’s Anybody’s Game
At RSA 2006, IDC presented their “Insider Threat Ecosystem,” which divides the corporate workforce into four main groups. At the top are the “citizens” — employees who rarely, if ever, do anything to violate the company acceptable use policies and are not a security issue.
Second are the “delinquents,” who make up the general employee population — people who take small liberties, check their personal mail, play games, and do some online shopping. While they can pose a significant security threat, it is rarely intentional.
Then there are the “renegades” — people who spend most of the day doing things they should not and often abuse their Internet privileges to install P2P or “underground” IM applications, and even worse, send confidential company data to outside interested parties. They pose a huge security threat.
Lastly, you have the “rogues” — malicious insiders who routinely endanger confidential corporate information assets, usually for financial gain. They pose the biggest security threat yet are often the hardest to catch.
Though experts widely agree that insiders are among the most insidious threats to the enterprise security infrastructure, companies have been slow to accept this realization. In a recent IDC survey regarding corporate security challenges, respondents unfailingly listed malware as the top threat to their organization with spyware coming in a close second. Internal threats barely broke into the list at number five. Although respondents see insider threat as a “bottom of the stack” concern, analysts such as IDC’s Brian Burke rank it much higher on the corporate threat mitigation task list.
However, one must look at the context of such surveys. Most respondents were IT or security managers, people tasked with the protection of the network whose primary focus is on the network perimeter. While inappropriate access is a security breach, it would more likely be HR or Legal that would be concerned with employees viewing confidential wage information. IT would be more concerned about keyloggers and malware. Yet securing the enterprise must be done from the inside out: defining and, more importantly, enforcing access and use policies, and agreeing that security is cross-organizational rather than a departmentally segmented exercise.
Add to the challenge of internal security the leaps and gains being made by the “outside in” attack crew and you’ve got a somewhat overwhelming security scenario. With virus templates, rootkits and made-to-order spyware so easy to obtain, all it takes is an Internet connection and some modicum of aptitude to launch an attack. The prevalence of ready-made criminal tools has given rise to a new breed of attackers — the previously mediocre are now armed with highly capable code.
“The external criminal’s level of sophistication has gone up and at the same time so has their access to criminal tools. In the past, computer crime was kind of like the high school science project and now it’s an organized effort. The underground community has made it easy to share those types of tools,” says Devin Redmond, Sr. Manager for Security Products and Strategy at Websense. “With more of these tools becoming available, and more collaboration between criminals, the sophistication level of the attack type as well as the technology, is growing.”
Behavioral Vulnerability Is All the Rage
As the sophistication of tools and attack types becomes more advanced, vendors and their solutions must keep pace. Yet the most comprehensive, successful approach to controlling the crimeware threat is to proactively control and prevent access to places where users can go and get infected by bad things.
“From an organizational perspective you have to blend policies and solutions. You can’t do either/or. If you try to approach it from an ‘all policy’ perspective and you don’t have a good solution set in place, then you end up spinning your wheels and vice versa,” says Redmond. “You can throw all the technology you want at threats, but if you don’t create good policies around what the users are allowed to do then you’re still open to vulnerabilities.”
As Peter Cassidy, Secretary General of the APWG (Anti-Phishing Working Group) explains, “Behavioral vulnerabilities are the center of the universe. Unfortunately the conversation’s always about either money or technology and behavioral aspects are never really taken as seriously as they should be. Behavioral vulnerability isn’t really quantified in a way that illustrates how it impacts the effectiveness of a particular technology.”
The whole idea of providing “value” or “utility” in things like Smiley Central or Hot Bar is a great example of social engineering. Users feel that the applications provide usefulness that outweighs company policy prohibiting unapproved downloads. Media files containing malicious payloads are another example of social engineering as a means of propagation. Viral videos spread across the Internet at breakneck speeds. How many conceal backend crimeware that users are readily installing onto the corporate network?
“There are people who can’t conceptualize what’s really going on with crimeware,” notes Tim Johnson, Product Marketing Manager for Enterprise Threat Shield at SurfControl. “There are also those that really won’t care or who will misunderstand the risk to the organization. When a user wants to do something and the company disallows it, they will often circumvent desktop protection if they’re able. No amount of ‘deep packet inspection’ or ‘port agility defenses’ can protect an organization against a deceptive or delinquent user.”
What’s a Company To Do?
The situation may seem bleak: employees are a necessity for doing business, vendor solutions often fail us, and threats are continually on the rise. However, mitigating the symptoms of spyware, phishing, and their more advanced permutations can benefit from the classic “layered approach” to Internet and communications security, beginning with an enforced acceptable use policy. Employing the combination of solutions-based, policy-based and behavioral-based controls can drastically reduce organizational vulnerabilities.
Johnson explains, “From a policy standpoint, policies are only as effective as the enforcement behind them. From a behavioral standpoint, actively educating users as to what crimeware ‘looks’ like and how it adversely affects the organization can bring them on board as effective preventative resources. From a solutions-based perspective, even the best and brightest of vendor wares can never provide 100% protection. However, they should always be the first line of defense in a comprehensive security approach.”
“At a minimum, companies need an effective email filter capable of blocking spyware from entering the network via active HTML, attachments, phishing, spam and other email-borne vectors. This is essential to securing the communications medium. Yet blocking shouldn’t stop with email – there also needs to be something at the desktop level that stops the spyware as it’s introduced, NOT after it is already saved and running.”
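As an added illustration of the gateway check Johnson describes (this is example code written for this page, not SurfControl’s or any vendor’s product), the following Python inspects a message for the two vectors named above: executable attachments and active content in an HTML body. The blocked extension list, the active-content patterns and the sample messages are all constructed for the example.

```python
"""Added example: a minimal mail-gateway inspection that flags executable
attachments and active HTML. Sample messages are constructed inline."""
import email
import os
import re
from email import policy
from email.message import EmailMessage

# Attachment extensions that execute when opened (hypothetical, illustrative list).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".bat", ".cmd", ".com", ".vbs", ".js", ".hta"}

# Markers of active content inside an HTML body: script-like tags, inline
# event handlers (onload=, onclick=, ...) and javascript: URLs.
ACTIVE_HTML = re.compile(
    r"<\s*(script|object|embed|iframe|applet)\b|\bon\w+\s*=|javascript:", re.I
)


def inspect_message(raw: bytes) -> list:
    """Return a list of findings for one raw RFC 822 message; empty means clean."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        filename = part.get_filename()
        if filename:
            # splitext keeps only the final extension, so "invoice.pdf.exe" -> ".exe"
            ext = os.path.splitext(filename)[1].lower()
            if ext in BLOCKED_EXTENSIONS:
                findings.append(f"blocked attachment type: {filename}")
        if part.get_content_type() == "text/html":
            if ACTIVE_HTML.search(part.get_content()):
                findings.append("active content in HTML body")
    return findings


def build_sample(include_payloads: bool) -> bytes:
    """Construct a test message; with include_payloads=True it carries both vectors."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Constructed test message"
    msg.set_content("Plain text part.")
    if include_payloads:
        msg.add_alternative(
            '<html><body onload="x()">hi<script>alert(1)</script></body></html>',
            subtype="html",
        )
        msg.add_attachment(b"MZ-constructed-bytes", maintype="application",
                           subtype="octet-stream", filename="invoice.pdf.exe")
    else:
        msg.add_attachment(b"%PDF-constructed-bytes", maintype="application",
                           subtype="pdf", filename="report.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for flag in (True, False):
        print(flag, inspect_message(build_sample(flag)))
```

The check deliberately looks at the decoded content of every leaf part rather than trusting the declared content type or the outer headers, since an attachment can be nested inside a multipart/alternative branch. A production filter would also quarantine rather than merely report, and would treat archives and macro-capable documents with the same suspicion.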
Lastly, an extremely effective cure for an infected network is to remove the ability to introduce symptoms in the first place. Users unfortunately shoulder most of the blame when it comes to introducing spyware. Diehard delinquents and rogues will do whatever they can to hold onto their messaging, music, games and other nifty widgets. If they can turn off protection, they will. If they can hide their spoils, they will. Companies should implement a solution that disallows running or installing programs (such as games, P2P, and IM applications) that, in turn, install spyware. Group Policy Objects – or similar tools – are not enough as they can be easily tricked or circumvented.
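To make concrete why a name-based restriction is "easily tricked" while an inventory-based control is not, here is an added Python example (not code from the article or any product it mentions) that evaluates constructed process-launch records against two hypothetical policies: a deny-list keyed on the executable’s file name, and an allowlist keyed on the SHA-256 of the executable image. The binaries, paths and policy entries are all constructed stand-ins.

```python
"""Added example: name-based deny rule versus hash-based allowlist for
application control. All images and launch events are constructed."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class LaunchEvent:
    path: str     # location the executable was launched from
    image: bytes  # the executable's bytes (constructed stand-ins here)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Policy 1 (hypothetical): deny by file name, the kind of rule a simple
# path/name restriction expresses. Anything not named here is allowed.
DENIED_NAMES = {"p2pclient.exe", "undergroundim.exe"}


def name_policy(event: LaunchEvent) -> str:
    name = event.path.rsplit("\\", 1)[-1].lower()
    return "deny" if name in DENIED_NAMES else "allow"


# Policy 2 (hypothetical): allow only images whose hash is in the approved
# inventory; everything else is denied regardless of name or location.
def build_allowlist(approved_images) -> set:
    return {sha256_hex(img) for img in approved_images}


def hash_policy(event: LaunchEvent, allowlist: set) -> str:
    return "allow" if sha256_hex(event.image) in allowlist else "deny"


# Constructed inventory of approved software and one unapproved P2P client.
APPROVED_IMAGES = [b"WORDPROCESSOR-v1-constructed", b"MAILCLIENT-v1-constructed"]
P2P_IMAGE = b"P2P-CLIENT-v3-constructed"

# Constructed launch records. The third is the same P2P binary copied under
# a harmless-looking name, which is all it takes to slip past a name rule.
EVENTS = [
    LaunchEvent(r"C:\Program Files\Office\word.exe", APPROVED_IMAGES[0]),
    LaunchEvent(r"C:\Users\alice\Downloads\p2pclient.exe", P2P_IMAGE),
    LaunchEvent(r"C:\Users\alice\Downloads\notes.exe", P2P_IMAGE),
]


def evaluate(events, allowlist) -> list:
    """Return (path, name-policy verdict, hash-policy verdict) per event."""
    return [(e.path, name_policy(e), hash_policy(e, allowlist)) for e in events]


if __name__ == "__main__":
    for path, by_name, by_hash in evaluate(EVENTS, build_allowlist(APPROVED_IMAGES)):
        print(f"{path}\n  name rule: {by_name}   hash allowlist: {by_hash}")
```

The renamed copy is allowed by the name rule and denied by the allowlist, which is the point: a control keyed on what the user can change (names, locations) is circumventable, while one keyed on the image itself is not. The cost is that the allowlist must be maintained as approved software is updated, and the enforcing agent itself has to be protected from the "turn off protection" behaviour the paragraph describes.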
Enacting policies is a great idea, but completely ineffectual if they aren’t regularly, equitably and instantly enforced. Preventative tools are a step in the right direction, but only if they are not of the ‘one-size-fits-all-magic-bullet’ variety. Workable solutions must have comprehensive, scalable and customizable capabilities to meet the evolving needs of today’s organizations.