A network engineer at a Kansas City company says he’s just as worried
about threats to his company’s network coming from inside the corporate
walls as he is about any hacker busting through the perimeter.
”Once you’re already inside that firewall, you’re considered trusted,”
says Josh Herr, network engineer at Laidlaw Transit Services, an
outsourcing company that handles bus scheduling and routing services.
”You’ve always got to worry… We’re in the process of putting firewalls
between the front end and the back end of the system to alleviate that
concern. The back-end system will have a completely separate firewall
network. It will keep people internally from getting through.”
According to a new survey, Herr isn’t alone in his concerns.
Sixty-nine percent of 110 senior executives at Fortune 1,000 companies
say they are ‘very concerned’ about insider network attacks or data
theft, according to a study by Caymas Systems, a network security
technology firm based in San Jose, Calif. And 25 percent say they are so
concerned they can’t sleep at night, Sanjay Uppal, a vice president at
Caymas Systems, told eSecurityPlanet.
Only 13 percent say they are not worried at all.
And Uppal says if they’re not, they should be.
”I think they should definitely be worried,” he adds. ”The people who
are not worried just haven’t been hit yet. They have a false sense of
security.”
What’s worrying Herr is the number of outside contractors who are on his
network. ”A lot of [the worry] is about the people who are coming into
our network for short periods of time, such as auditors and
contractors,” says Herr. ”We’re not in charge of those PCs.”
Uppal claims 30 percent of people who come in and work on your average
network every day are temporary workers. And that brings up specific
threat concerns. But he also says that IT and security administrators
should not forget about permanent workers and the havoc they can wreak.
After all, who knows better where critical information is stored or what
the boss’ password might be, than someone who works in the company?
And if a worker is unhappy about not receiving a bonus or feels slighted
for any other reason, she just might be disgruntled enough to want to
cause the company some serious damage.
”As we can see in the media more and more, the concept of a company
really taking care of its people — that bond is less and less secure,”
says Uppal. ”If a company doesn’t take care of its people, then the
workers won’t have that much loyalty either.”
Security from the Inside
Uppal says insider security threats definitely need to be dealt with…
and quickly. But it’s not an easy problem to solve.
”People coming from the outside all come from one place,” he explains.
”People on the inside are coming in from many, many places — the
conference room, their desks, at home on their laptops. It’s actually a
problem that’s not all that easy to tackle.”
The first step, according to Uppal, is to rein in the temporary workers
and people who are coming in as guests to the company. ”Someone might
come in for a meeting, find an open jack in a conference room, then plug
in, and they’re off and running,” he says. ”People should install
barriers or hurdles, access controls on the network. The software would
scan the laptop and then realize it’s not an authorized machine. It would
then ask for a user name and password to distinguish that this person
should not be there.”
Uppal also recommends that workers be limited as to what parts of
the network they can access. Someone working in production shouldn’t be
able to access financials. And someone working in the financial
department shouldn’t be able to access personnel records and reviews.
”We hear a lot about viruses or hackers coming in through the
perimeter,” Uppal says. ”We don’t hear what’s going on inside the
network. People don’t want to admit that it’s a problem.”