Danger Within Protecting your Company from Internal Security Attacks

Its not hacking that results in the most damaging penetrations to an enterprises security system. It is often the work of an employee within the enterprise that causes the most damage. And while many of those incidents are due to employee malice, a great number stem from the manipulation of employees - often without their knowledge - that results in the theft of crucial data.

This "social engineering," as defined in the IT security sector, uses the age-old art of human persuasion. First a relationship is developed with an employee and then that newly trusting person is convinced to hand over key information to the attacker.

The method is insidious but it can be stymied if employees are trained to be security-conscious, process controls are implemented, and strong authentication is built into the security system. Humans may well have tendencies that leave them vulnerable to persuasion, but these tendencies can be positively channeled with education and culture. These tendencies are also not hard-wired and we can set up software that can back us up... just in case.

IT Security Breaches are Growing

It is not a nice world out there. Statistics show an alarming rise in cyber-attacks. Since 1998, electronic crime has risen dramatically ten-fold according to the latest incident statistics from the Carnegie Mellon Computer Emergency Response Team. In the 2001 Computer Crime and Security Survey, conducted jointly by the Computer Security Institute and the F.B.I., 85% of respondents said they had detected breaches in their systems during the previous 12 months. Sixty-four percent of them reported financial losses due to those security incidents.

Further, the nature of the crimes has changed. According to a study produced by the Computer Security Institute and the F.B.I., the Internet is a source of frequent attacks: 70% in 2001 compared to 59% in 2000, while at the same time internal attacks dropped from 38% to 31%. Reported average losses from viruses alone, an untargeted nuisance attack, were $244 million in 2001, up from just $45 million in 1999.

Attackers Take Advantage of Employees

The malicious attackers who are making their way into IT systems are not working on their own. Their accomplices are often unsuspecting employees of the enterprises they are targeting. Malicious attackers know that the easiest way into any system is to exploit the people that use and administer it.

Gartner estimates that more than 70% of unauthorized access to information systems is committed by employees, as are more than 95% of intrusions that result in significant financial losses. The attacker can be a person inside or outside the enterprise who pretends to be someone else:

  • In person
  • On the telephone
  • Via conventional mail or e-mail
  • Through a computer program disguised as an interesting message or a legitimate program.

And don't forget about the "hidden" employees in your organization who may have completely unlimited access (often off-hours), yet not undergo nearly the scrutiny of a "regular" employee:

  • Housekeeping
  • Maintenance and external repairs/service (phone company, construction)
  • Temporary workers
  • Contractors

Remember that one of the easiest ways to get past security is to work on the inside. Can you really be sure the midnight housekeeper cleaning the server room isn't breaking into your systems?

Employees are Unwitting Victims of Social Engineering

The employee targeted by a security system attacker is a victim of social engineering, the manipulation of a person through a combination of spying, theft and clever deception. This "art of human persuasion" takes advantage of a persons natural tendencies - such as seeking prestige, avoiding embarrassment or merely finding acceptance and it usually follows a simple pattern:

  • The attacker gathers information about his target that can be as simple as a phone number or as detailed as an organizations structures and procedures. (For example, a user name can be gleaned from an e-mail address.)
  • A relationship is developed between the outsider and the employee that establishes a degree of trust. (With the user name in hand, the attacker takes advantage of a natural instinct to be trusting and successfully identifies himself as a tech support worker.)
  • The attacker maneuvers his target into revealing information or performing an action that he would not normally do. (The innocent and helpful employee reveals his password.)
  • The attacker obtains his objective often leading him to successfully execute the cycle once more. (With user name and password in hand, access to one level of the enterprises system is complete. From within that level, more information is easily gathered. This allows the attacker to approach another employee and establish a trusting relationship).

Creating and Implementing Policies and Plans

The single strongest defense for an enterprise against social engineering attacks is an educated employee. But a well-educated employee must be armed with more than just information about what social engineering is. He or she must be part of a security-conscious enterprise. The employee must know what the enterprise is doing to maintain security and how to support those efforts. And while learning how to support these efforts, the employee must be motivated to do so.

The first building block for developing a security-aware enterprise is to create simple, clear and enforceable policies and plans.

  • The policies lay out the security goals set by or supported by executive management.
  • The plans are the means to achieve those ends - the constantly updated guidelines, processes and procedures that go into complying with the policies.

Create and Foster a Security-Conscious Culture

Creating a culture of security is the single most critical factor in building a security-aware enterprise and defending you from nearly every type of attack. It is very difficult to impose this culture from the top down. It must be grown and developed so security can become a habit for employees, not an effort:

  • Management must set an example by leading from the front and exceeding expectations.
  • Employees need to understand why security is important to the enterprise and to the employees themselves.
  • Everyone in the enterprise should understand that his or her personal efforts make a difference.
  • Employees must be rewarded for positive behavior through recognition and/or bonuses.

Create and Organizational Structure to Manage IT Security

Security needs a well-designed management structure just like any other operation in the enterprise. Many fail to realize that security is fundamentally different than the day-to-day maintenance and support of systems. Usually the employees running IT systems do not have the resources or the training for security, and at times concerns related to managing security can actually conflict with everyday IT management.

Although information security and physical security are traditionally separated, sometimes it makes sense to combine them under a single management structure, while other times just opening strong communications channels is more appropriate. Even individual business units need to assign responsibility for security. Treating security as an extra duty, without management or resources, will almost always result in failure.

Develop an IT Security Education Plan for Employees

The enterprise must create effective and concise education for employees. Its hard to be aware of security incidents if you dont even know what the issues are. Education should cover the following areas:

  • Corporate policies: Employees must understand policies to both limit the potential for them to commit personal violations and allow them to recognize when others violate policies.
  • Security issues: Employees need training on a variety of security issues, from physical access, to information misuse, to e-mail safety.
  • Impact on enterprise/employee: Awareness and proactive actions are more likely if employees understand the negative consequences on the enterprise and themselves.
  • How to report/respond: Employees should know to whom they should report and what actions they should take if they are confronted by security breaches.

Test Security Awareness

There are three questions to ask in determining if an enterprise has successfully made itself security-aware:

  1. Would an employee actually know if a security violation has been committed? This would be key to avoiding an attack by social engineering.
  2. Would the employee choose to report the violation? This addresses the issue of the culture. Policies will be viable only if employees feel they are pertinent, fair and consistent.
  3. Would the employee know how to report the violation? Security policies become ineffective if well-meaning employees are stymied by reporting procedures that do not work.

Continue to Monitor Security Effectiveness

Once the enterprise is prepared, its work is not done. It must monitor itself over time to make sure it sees a value on its investment. The increase in security expenses must result in sufficiently decreased security losses.

In judging the effectiveness of a security system over time, comprehensive penetration testing is one tool but it is not the only one at your disposal:

  • Try calling the help desk to see if you can trick them into revealing a password - but give them a bonus if they follow procedures.
  • Walk around and look for passwords or sensitive documents sitting on desks - and write an educational "ticket".

Watch how your business process changes over time. Do your security policies keep up with these changes? Monitoring doesn't have to be expensive- it needs to be consistent and constant.

Cyber Incidents on the Rise

The future of security in the IT world contains good news and bad news. On the downside, cyber-incidents and vulnerabilities doubled in 2001 and you can expect them to double again in 2002. These attacks are increasing as criminals learn how to take advantage of systems that depend on Internet connections.

At the same time, a transition to become a security-aware enterprise can be cost-effective. The reduction in losses experienced during the first widespread attack that penetrates an enterprises outer defenses will offset the cost of making that enterprise security-aware.

Internal Threats Will Never be Eliminated

It will not be possible to completely eliminate internal threats (e.g., disgruntled or criminal employees); however, checks and balances can limit the effectiveness of an internal attack intentional or as a result of social engineering manipulation.

Use business process to your advantage. Don't depend on awareness or technology alone. Many crimes are committed by people performing authorized tasks within their job duties. Make sure the damage any single individual can commit is limited.

Tension Between Employers and Employees

Senior managers and their staffs may have radically differing views about how much personal privacy an employee should have. The tension can rapidly result in growing difficulties in retaining and recruiting employees.

The employees of financial service providers (FSPs) are among the most heavily monitored both on and off the job and trained in privacy lore. As a result, they are extremely sensitive to privacy issues. By 2007, most FSPs in the U.S. will have experienced significant employee relations problems relating to privacy in the workplace.

If the relationship between FSPs and their employees can be viewed a glimpse into the future, there may be some difficult times ahead as employers determine how much personal privacy their workers should have.

Non-FSP enterprises can learn some lessons from FSPs' strategies and tactics to reduce unnecessary employer/employee tension. For instance, if employee monitoring is fair, uniformly enforced and fully understood by all involved, tensions can be reduced.

For more security reports from Gartner, visit gartner.com/security

Copyright © 2002 IDG Communications, Inc.

Microsoft's very bad year for security: A timeline