Online Encyclopedia Lists Internal Security Threats

A free online encyclopedia of internal network security issues was released Tuesday by network security provider Promisec, which includes popular Web-based applications among possible data-loss threats.

Internal threats may come from various sources such as usage of USB (Universal Serial Bus) memory sticks, programs like Skype, unwanted file types, and any services or applications that are not permissible or aren’t covered by registered software licenses, according to Promisec, based in Rishon Letziyon, Israel.

Promisec hopes that the encyclopedia — which lists and dates dozens of potential threats and ranks them on a five-part scale, ranging from “extremely critical” to “not critical” — will help promote its marketing and sales efforts.

The newest applications that may pose threats — such as EnterMyPC, Kismet and Wireshark — are included and described with information on the manufacturer, systems affected, relevant links and date added. In addition, the site contains monthly charts showing how internal network risk trends have changed in the past year, an internal security tips and tricks section, articles on recent internal security incidents, an overview of internal threats, and other resources.

Today, the top five threats listed by the encyclopedia are MySpace, Skype, Tencent QQ, PacketTrap and Google Talk.

However, PacketTrap Networks has challenged Promisec over its inclusion on the list. The vulnerability in its pt360 software that the online encyclopedia lists was discovered by San Antonio network security auditing firm Digital Defense earlier this year. A patch was issued in February, according to the San Francisco maker of network monitoring tools.

Given that PacketTrap has registered about 80,000 downloads, by its count, since releasing the software, its vice president of marketing and corporate development, Anna Yen, said in an e-mail message that she considered it odd that her company could be considered a “top five” threat along with MySpace, Skype and Google. She added that only 106 users downloaded the version of the software that included the vulnerability.

The encyclopedia is part of the Promisec Risk Center, a resource for statistics highlighting significant internal network threats.

“This tool helps us make sense of internal threats and actually beg companies to draw comprehensive policies and action plans to deal with these threats,” said Amir Kotler, Promisec CEO. “It is set to include thousands of terms and enable IT professionals to post feedback and comments.”

Promisec’s network security software aims to detect and eliminate internal threats, without using ActiveX or any other type of dissolvable agent, run-once technology that removes traces of itself. The company estimates that over 80 percent of attacks and corporate abuse originate internally. As an example, Kotler noted last year’s data breach in Pfizer, where the data of about 15,700 existing and former employees were compromised when the spouse of an employee downloaded file-sharing software onto a company-issued laptop.