Industry View

The Enemy Inside

A realistic approach to prioritizing actions to prevent privileged user or insider security threats.

By Kristin Gallina Lovejoy


What Are Some Common Attacks?

  • Sabotage of information or systems: This category includes physical destruction of network cabling or computing devices, or disabling of electrical or other environmental controls.
  • Theft of information or computing assets: This category ranges from theft of digitally stored information, such as customer credit card information, company-critical financial data or internal product engineering plans, to theft of physical devices.
  • Introduction of bad code: "Bad code" may include time bombs (software programmed to damage a system on a certain date) or logic bombs (software programmed to damage a system under certain conditions).
  • Viruses: While the most significant internal threat is the "ignorant" employee who double-clicks on an e-mail attachment, activating a virus, results from a number of "insider attack" surveys show that viruses may also be exploited by hostile employees.
  • Installation of unauthorized software or hardware: Common attacks include the installation of Trojans by privileged users.
  • Manipulation of protocol design flaws: Protocol weaknesses in TCP/IP can result in a virtual treasure trove of problems, for example DNS spoofing, TCP sequence attacks, session hijacking, authentication session/transaction replay, denial of service and TCP SYN flooding.
  • Manipulation of operating system design flaws: We all know the drill. Operating systems, such as Windows and Linux, have not been designed to be highly secure. Privileged users in particular have easy access to information regarding which vulnerabilities exist and which vulnerabilities have been patched. With read ability and administrative access, privileged users can manipulate these design flaws and exploit native vulnerabilities.
  • Social engineering: Attackers may use e-mail, IM or telephone to impersonate employees and administrators to gain usernames, passwords or escalated privileges to information or systems, as well as to execute Trojan horse programs.

Where Should You Begin to Address the Problem?

As a pragmatist, my recommendation is to start addressing the problem whose mitigation offers me the most "bang for the buck." That problem is that of the "privileged user."

Users who have been delegated absolute control are called privileged. In the real world, we generally refer to privileged users as "administrators," "super users" or "special." Here are some simple facts about privileged users, referred to here as administrators:

  1. Human beings do dumb things, inadvertent things and sometimes even deliberately bad things.
  2. Administrators are human beings.
  3. Administrators, as human beings, will likewise do dumb, inadvertent or potentially bad things.

Why do these simple realities matter? Your administrators have the "keys to the kingdom," literally. Dumb, inadvertent or deliberately bad acts can have potentially dreadful impacts within the business environment powered by the IT infrastructure. If you have doubts, just look at the statistics: Internal attacks cost U.S. business $400 billion per year, according to a national fraud survey conducted by The Association of Certified Fraud Examiners, and of that, $348 billion can be tied directly to privileged users. Looked at another way, the same survey shows U.S. businesses lose 6 percent of their gross annual revenue to internal attacks, again with the vast bulk of that at the hands of privileged users.
