Study after study continues to reveal a fundamental truth about the shifting landscape of IT security today: The biggest threat to proprietary systems and information is not the traditional cyber-criminal writing malicious code in a virtual location, but rather trusted employees.
Savvy administrators recognize that because end users are privy to an organization’s sensitive data, they represent a significant risk factor. However, mitigating this threat is something that security pros continue to struggle with. While no single “silver bullet” solution exists, there are steps organizations can take to ensure that corporate policies are effectively enforced and insider threat is neutralized.
Where the Risks Lie
Users represent a security risk for several reasons. Corporate boundaries continue to expand as the number of mobile workers increases, which also ties in with the convergence of personal and professional use of corporate endpoints. Laptops and PCs are becoming more personal, loaded with non-business applications that potentially expose an organization to spyware, keyloggers and other threats.
There are also mounting threats that prey on end-user curiosity. Tactics include Web site or e-mail spoofing designed to trick employees into performing actions detrimental to the organization’s security or into divulging confidential information. What’s more, employees are constantly moving between competing organizations, and competitors angle to hire key personnel for their skills as much as for the confidential information they can bring with them. Overall, the insider threat, whether malicious or inadvertent, is something that cannot be overlooked.
Safeguarding organizations against insiders with malicious intent requires effectively enforcing data access policies and auditing user activity involving sensitive and confidential data and systems. The stories that have surfaced about company insiders stealing sensitive data worth millions of dollars, if not billions, form a nonstop cycle. As a result, security administrators must take action to protect their organizations against these threats.
Meanwhile, protecting against employee errors or accidents requires policy enforcement so that end users are not solely relied upon to make intelligent security decisions. Most non-malicious employees accidentally make improper choices when it comes to handling corporate data. For example, as iPods, digital cameras, PDAs and other gadgets continue to see rapid adoption among business users, security administrators must remember that these are devices that spend most of their lives plugged into far less secure home computers. This makes it incredibly easy for employees to unintentionally introduce a virus or other destructive code onto an enterprise machine.
Mitigating Threats Step by Step
Organizations can protect themselves against these malicious and accidental employee actions through the combination of people, processes and technology. They must clearly define and socialize policies, automate policy enforcement and provide detailed auditing and reporting. Here are some fundamental steps that organizations can take to achieve this:
- First, they must accept the reality that employees are not security experts and will always engage in risky behavior. They will open unsolicited attachments, browse a wide assortment of Web sites, click on links in e-mails and instant messages, use outdated and unpatched versions of software, and plug in personal devices or removable media without understanding (or caring about) the potential impact of these decisions. Since they are not security experts and do not generally understand the criticality of some software and operational vulnerabilities that require immediate remediation, relying upon end users to rapidly install the latest patches leaves a lot to chance.
In a perfect world, written corporate policy would be enough to dictate employees’ interactions with technology. While a policy is an important step, the reality is that even the most stringent policies need a solution to support and enforce them. Policies whose enforcement depends on the employees themselves have proven ineffective.
- The second step to mitigating the threat from within is to remove the organization’s reliance on end users as security experts. The organization must provide a way to develop and enforce policy that enables users to focus on the task at hand while reducing the risk of their day-to-day decisions when they interact with technology. This includes understanding which employees need access to specific applications, devices and data. Enforcing policies that give users access only to what is required to complete their job functions also helps ensure that the applications in use are up to date with the latest patches.
By enforcing application and device control, organizations can flexibly control the execution of specific files or the use of removable devices all the way down to the individual user. This takes the decisions away from the users and enables them to focus on the job at hand. By enforcing mandatory baselines for critical patches and configurations, organizations can also automate the remediation process throughout the enterprise instead of relying upon their users. This ensures that proper security configurations are maintained and takes work off the employee’s hands. Employing technology that automates the enforcement of acceptable resource use while preventing and reporting unacceptable use that could put the enterprise at risk is a flexible yet secure approach.
- A third step is to ensure that policies are socialized throughout the organization and enforced as transparently as possible so as not to impede end user productivity. Without proper socialization, and without end user understanding of and buy-in to these policies, they will be viewed as a hindrance to productivity, and users will find a way to get around them. Though an organization should never expect or rely upon its users to become security experts, engaging in security training and socializing corporate policies is a key step to finding the balance between security and user productivity. Communication is extremely important in educating users and preventing disruption to employee productivity. Explaining why a policy exists is a key success factor. Once end users know what you’re doing and why you’re doing it, they’re usually more than willing to help out.
- The final step to addressing insider threat requires that the CIO and others within the IT department have access to a continuous report of the organization’s environment showing which policies are working and which are not, and that they adjust policies accordingly. Automated auditing and reporting functions give security personnel the flexibility to conditionally allow certain devices, applications or configurations while still maintaining visibility into user activity. For example, if an organization allows only accounting personnel access to specific finance-focused applications, it needs to know if a developer was attempting to gain access to these applications. Either there is malicious intent, or there is a legitimate need.
From a best-practices perspective, policy compliance should be reviewed on a regular basis as organizational needs may change and user activities might highlight a policy loophole. This includes continuous surveillance of the enterprise environment and user activities and using the gathered information to update policy as necessary.
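The per-user application control described in the second step and the audit scenario in the final step (a developer attempting to run a finance application) can be reduced to a small policy engine that both decides and records. The following is an added example, not code from the article or from Lumension; the application names, group memberships and log lines are constructed for illustration.

```python
from collections import Counter

# Policy: application -> groups permitted to execute it (constructed example data).
APP_POLICY = {
    "finance-ledger.exe": {"accounting"},
    "payroll-export.exe": {"accounting", "hr"},
    "ide.exe": {"developers"},
}

# Directory: user -> group memberships (constructed example data).
USER_GROUPS = {
    "alice": {"accounting"},
    "bob": {"developers"},
    "carol": {"hr"},
}

# Constructed execution-attempt log, one "timestamp user application" record per line.
SAMPLE_LOG = """\
2024-05-01T09:00:01 alice finance-ledger.exe
2024-05-01T09:02:13 bob ide.exe
2024-05-01T09:05:42 bob finance-ledger.exe
2024-05-01T09:06:10 bob finance-ledger.exe
2024-05-01T09:10:00 carol payroll-export.exe
2024-05-01T09:11:30 dave ide.exe
"""


def decide(user, app):
    """Return (allowed, reason). Unknown applications and unknown users are denied by default."""
    allowed_groups = APP_POLICY.get(app)
    if allowed_groups is None:
        return False, "application not in allow-list"
    if USER_GROUPS.get(user, set()) & allowed_groups:
        return True, "group permits application"
    return False, "user not in an authorized group"


def audit(log_text):
    """Evaluate every attempt; return the denial records and a per-user denial count.

    The count is what a reviewer would look at first: repeated denials for one user
    (bob below) are the signal that needs a follow-up, whether the cause is malice
    or a legitimate need that the policy does not yet reflect.
    """
    denials = []
    for line in log_text.splitlines():
        ts, user, app = line.split()
        allowed, reason = decide(user, app)
        if not allowed:
            denials.append({"time": ts, "user": user, "app": app, "reason": reason})
    return denials, Counter(d["user"] for d in denials)
```

Running `audit(SAMPLE_LOG)` on the constructed log denies bob's two attempts on the finance application and the unknown user dave, while alice and carol are allowed through.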
An organization’s end users represent a significant amount of risk due to the proliferation of threats that target individuals and the rising value of corporate IP and customer, employee and financial data. What’s more, criminal organizations are targeting end users as a way to gain access to valuable data, and some internal employees target this data for personal financial gain. While it should be the duty of every user to protect the company’s assets, the CIO and the IT department ultimately will be held responsible for any breach of confidentiality or data.
Through transparent policy enforcement, technology that puts substance behind the documented words, socialization of policies and awareness of sound security practices, and continuous and actionable auditing information, organizations can take a big step forward in protecting their network and data from the inside out.
Mike Wittig is president and CTO of Lumension Security, a global security management company formed by the merger of PatchLink and SecureWave.