The insider threat, the bane of computer security and a topic of worried conversation among CSOs, is undergoing significant change. Over the years, the majority of insider attacks have been carried out by people who wanted to line their pockets, punish their colleagues, spy for the enemy or wreak havoc from within. Today's insider threats may have something much less insidious in mind—multitasking and social networking to get their jobs done.
There's a growing risk within most organizations today that is clearly an insider threat but is also clearly not caused by a disgruntled or disillusioned employee. In fact, the new insider threat is more likely to manifest itself as a gung-ho new employee or contractor. And more often than not, the new insider threat is a recently hired twenty-something. We've coined the term "lifestyle hacker" to refer to this new cadre of insider threats. The lifestyle hacker does not have malicious intent. Nevertheless, the lifestyle hacker is highly successful at skirting various corporate controls put in place to protect security-related websites and critical endpoints. The most interesting and ironic aspect of the lifestyle hacker is that he is motivated by the pursuit of productivity, often the very same motivation driving the implementation of various corporate controls (including but not limited to Web proxies, DLP solutions, firewalls, etc.).
Tightly managed organizations (especially huge financial corporations) often block access to Web 2.0 capabilities in order to "promote productivity of staff." However, this very same staff often desires to utilize Web 2.0 capabilities (including social networking, external IM, Skype, Twitter, etc.) in the name of enhancing personal productivity. And never the twain shall meet!
This conundrum exists as the inherent conflict between those who make the rules and those who break the rules, both of whom are driven by the exact same motivation—being more productive in the work environment. There are two fascinating and problematic aspects of this situation worth mentioning:
1. The population of lifestyle hackers is growing in size and diversity as demographics of new hires shift toward those people who grew up on the Internet.
2. Neither the corporate decision makers who make the rules nor the lifestyle hackers understand the security ramifications of emerging and evolving Web 2.0 capabilities (see McGraw's article "Twitter Security" at www.informit.com/articles/article.aspx?p=1350268).
Baby Boomers don't even like listening to music while they work. Net Gen'ers listen to music (sometimes even watching music videos) while browsing a website or six, instant-messaging with whoever is around, sending text messages and pecking at a Microsoft Office file. The University of Oregon Library published a study that showed that the average Net Gen'er, by the age of 21, has been exposed to:
- 10,000 hours of video games
- 200,000 e-mails
- 20,000 hours of TV
- 10,000 hours of cell phone conversation
- Fewer than 5,000 hours reading books
Some demographers bifurcate the Net Generation into Generation X and Y, but for the purposes of understanding the lifestyle hacker, Net Gen says it all. As Internet-facing technology became ubiquitous and leaped from the home to the mobile device, the Net Generation adapted by incorporating new technology into its very social fabric. The Net Generation prefers SMS texting and using instant messaging in many social situations. (Organizing a particular time and place to meet is rather silly if the people doing the meeting all have cell phones and a vague plan.)
Utilizing a texting system as an essential productivity tool in a professional environment is a natural extension of normal Net Gen social behavior. The same can be said for social networks such as Facebook, which offer excellent tools for collaborating on complex problem solving and building effective relationships.
Unfortunately, many Baby Boomers have never used Web 2.0 tools at work. Such tools simply did not exist when they entered the work force. As a result, they often view such tools as distractions from doing "real" work.
One high-tech firm did a study on the primary reason for undergraduate offer rejections by prospective new hires and discovered that the number-one reason for rejection was that access to Facebook was blocked. The firm now offers access to Facebook. Along the same lines, but without a solution to the problem, FS-ISAC survey results from April 2009 indicated that over 90 percent of financial service firms block access to social networking sites. The number-one reason for blocking access is a concern over productivity, not security. Ninety-five percent of the firms responding to the survey have no plans to change policies to allow access to social networking sites. You can see the storm clouds gathering.
To restate the conundrum, leaders believe that social networking, instant messaging and using SMS constantly in the work environment will lead to lower overall productivity, so they block access. Net Gen'ers believe that Web 2.0 technologies are essential for collaboration and relationship management and that they improve productivity. Impasse.
Enter the lifestyle hacker. To sidestep the impasse, a growing number of Net Gen'ers are using their technical savvy to find creative ways of bypassing controls so they can leverage Web 2.0 capabilities. Perhaps an example can make this clear.
Dylan (not his real name) was an intern working in the technology department doing server administration for two years while he completed graduate school. He then applied for and was hired as an analyst working in the operational risk department. Dylan established himself as an effective contributor to the department over a period of six months.
One day, the corporate security staff noticed a spike in network traffic coming from Dylan's workstation. The large volume of data transfer indicated the possibility of a security breach in which company information was being shoveled off to an outside party. The security staff initiated an investigation. They eventually approached Dylan and completed a forensic analysis of his computer. What they uncovered was that Dylan had constructed a secure tunnel by exploiting a vulnerability in the company's Web proxy, and he was connecting his workstation to his ISP at home. This allowed Dylan to watch pirated movies running on his home PC while he was streaming music from sites no longer filtered by the proxy.
As it turns out, Dylan was also modifying a sensitive risk report at the same time. When Dylan's boss was told what was going on, Dylan was asked to leave the firm. His boss was disappointed, since Dylan was one of her most productive employees.
Note that Dylan was not malicious and in fact did not intend to break established policies and federal laws. His actions were motivated purely by his desire to multitask, unfettered by the standard controls that all other employees had to live with.
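What tipped off the security staff in the anecdote was not the tunnel itself but the volume of traffic leaving Dylan's workstation. The following is an added example, not code from the article or its authors, of one way to implement that kind of trigger: each workstation's daily outbound byte count is compared against its own trailing baseline, and a day is flagged only when it exceeds the baseline by both a ratio and a z-score. The flow records are constructed sample data; the host names and thresholds are assumptions chosen for illustration.

```python
"""Per-workstation egress-volume baseline check (added example, not from the article).

Input is a list of (host, day, outbound_bytes) daily summaries such as a NetFlow
or proxy-log aggregation would produce. A host is flagged on a given day when that
day's volume exceeds the mean of its own prior days by a ratio AND by a z-score.
Requiring both keeps a host with an almost flat history (std dev near zero) from
being flagged on trivial variation, and keeps a noisy host from being flagged on
ordinary variance.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: (workstation, day number, outbound bytes for that day).
# ws-dylan is steady at roughly 300 MB/day, then jumps to 9.8 GB on day 8.
# ws-alice is noisy but never anomalous relative to its own history.
# ws-bob has too little history to be judged at all.
SAMPLE_DAILY_EGRESS = [
    ("ws-dylan", 1, 300_000_000), ("ws-dylan", 2, 320_000_000),
    ("ws-dylan", 3, 290_000_000), ("ws-dylan", 4, 310_000_000),
    ("ws-dylan", 5, 305_000_000), ("ws-dylan", 6, 315_000_000),
    ("ws-dylan", 7, 295_000_000), ("ws-dylan", 8, 9_800_000_000),
    ("ws-alice", 1, 100_000_000), ("ws-alice", 2, 900_000_000),
    ("ws-alice", 3, 200_000_000), ("ws-alice", 4, 800_000_000),
    ("ws-alice", 5, 300_000_000), ("ws-alice", 6, 700_000_000),
    ("ws-alice", 7, 400_000_000), ("ws-alice", 8, 600_000_000),
    ("ws-bob", 1, 250_000_000), ("ws-bob", 2, 260_000_000),
    ("ws-bob", 3, 240_000_000),
]


def baseline_stats(history):
    """Mean and population standard deviation of a host's prior daily volumes."""
    return mean(history), pstdev(history)


def find_egress_spikes(records, min_history=5, ratio_threshold=5.0, z_threshold=3.0):
    """Return [(host, day, bytes, ratio, z)] for each day a host's outbound volume
    is at least ratio_threshold times its trailing mean AND at least z_threshold
    standard deviations above it. Days before min_history prior days exist are
    never judged, so a new workstation cannot be flagged on day one."""
    by_host = defaultdict(list)
    for host, day, nbytes in sorted(records, key=lambda r: (r[0], r[1])):
        by_host[host].append((day, nbytes))

    alerts = []
    for host, series in by_host.items():
        history = []
        for day, nbytes in series:
            if len(history) >= min_history:
                mu, sigma = baseline_stats(history)
                # A zero baseline or zero spread makes any increase infinite,
                # which the ratio test (not the z-score alone) then has to confirm.
                ratio = nbytes / mu if mu else float("inf")
                z = (nbytes - mu) / sigma if sigma else float("inf")
                if ratio >= ratio_threshold and z >= z_threshold:
                    alerts.append((host, day, nbytes, round(ratio, 1), round(z, 1)))
            history.append(nbytes)  # the day just judged becomes part of the baseline
    return alerts


if __name__ == "__main__":
    for host, day, nbytes, ratio, z in find_egress_spikes(SAMPLE_DAILY_EGRESS):
        print(f"{host} day {day}: {nbytes / 1e9:.1f} GB out, "
              f"{ratio}x trailing mean, z={z}")
```

Run on the sample, only ws-dylan on day 8 is reported. A check like this only says that a workstation is suddenly moving far more data than it used to; it says nothing about where the data is going or how, so it belongs alongside proxy logs and an egress policy that limit which destinations a workstation can reach in the first place.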
The question is, how many "Dylans" work in your organization? And what are you to do if you're the CSO trying to safeguard your firm while also enabling business growth? As usual for computer security, there are no easy answers here, just as there are no simple Web 2.0 technology controls ready for prime-time implementation.
Upon reflection, we believe the most important thing to do is to educate staff about the security and brand risks associated with unfettered use of Web 2.0 capabilities while exploring ways to offer tools with collaborative capabilities with a level of control that the organization can manage effectively.
This solution is likely to necessitate updating your security policies as well as communications and marketing policies governing publication of the firm's information. In addition, the firm's IT strategy should clearly define a road map for Web 2.0 implementation over time that provides for increased collaboration outside the firm. The right approach for each organization must, of course, be driven by its respective business model, since business and security risks always differ. The good news is that the problem of the lifestyle hacker provides a clear opportunity for innovative leadership by the CIO and the CSO.
What is clear is that the technology frontier has moved well beyond the workstation to an increasing constellation of mobile devices and distributed software (some of it already in the cloud). As more processing capability emerges in PDAs, there will be no avoiding them or their distributed software as a work platform. Collaborative technology is here to stay.
Solving the Net Gen productivity problem in order to avoid lifestyle hacking is thus a critical aspect of the CSO's job. Finding the right balance for your organization will require innovation, education and, most importantly, courage. We certainly can't hold back Web 2.0 in the name of security! At least not for long.
Gary McGraw is chief technology officer at Cigital. Jim Routh is CISO of KPMG.