How much easier it would be if the world of information security worked the way it’s shown on TV, writes Brian T Anderson, Chief Marketing Officer, BeyondTrust. In an hour or less, you could tell the bad guys from the good ones and the cyber thieves from the cyber sleuths.
On TV, someone’s shifty eyes, dark clothing, and shadowy background, along with a vaguely foreign accent, all converge to finger the culprit. Then, following a few dramatic twists and turns, Europe’s critical institutions are spared in time for the final commercial.
But outside the world of TV drama, it’s a lot harder. In the world of business and government, where misappropriations of data and unauthorised insider transactions have had ruinous effects on organisations, the differences between perpetrators and everyone else are a lot more subtle. Still worse, they’re subject to change over time; even established ‘good guys’ can become ‘bad guys’ under the right set of circumstances.
There are, of course, people whose personal interactions and work histories provide clear signals of untrustworthy behaviour; they’re the ones whose backgrounds should raise red flags to any potential employer. But with most employees and job candidates, the distinctions between good and evil are almost never as sharply etched as they are on TV. Indeed, the impulses toward virtue and vice are embedded in the heart of every individual; they are twins from birth.
As a result, while much of the IT world is focused on the threat posed by ‘outsiders’ hacking into sensitive data on a target’s secure servers, an even greater threat comes from within the organisation – from those who already have easy and legitimate entrée to that information – as well as from former employees who understand how to access information. And given the right set of conditions – financial strain, personal stress, resentment, anger over workplace affronts, conflicting loyalties, and so on – even normally trustworthy employees can succumb to the pressure.
Venerable financial organisations including Barings Bank, Sumitomo, Société Générale and UBS have all suffered massive blows from rogue traders: trusted employees who took advantage of the easy access to accounts afforded by their work. And, in the case of hijacked government diplomatic or military files, the potential for damage to national reputation and security has been enormously amplified by online vehicles like WikiLeaks, with the power to distribute purloined data globally in a heartbeat.
Not always obvious
Don’t get me wrong. I’m not minimising the threat posed by people outside an organisation, but the threat posed by those within the network’s perimeter – trusted employees, contractors and partners – is now, and always has been, far more immediate. And it’s not solely the result of malicious intent by malevolent workers. Accidental, careless, frivolous, or indirect actions by the employee can result in damage just as grave to the employer.
Equally at risk, however, are individual customers – people whose personal and financial information, entrusted to a company’s data centre, are just as vulnerable to theft and exposure. It is a risk which has prompted strict laws intended to safeguard sensitive data, both in the US and elsewhere. According to recent statistics reported by Ponemon Institute, data breaches now cost companies $7.2 million per incident.
But there’s always that risk. In a volatile economy, some employee terminations are unavoidable. Especially during times of economic hardship, layoffs leave people angry and sometimes vindictive. And in a small number of cases, backlash from terminated employees can have disastrous consequences for their former employers.
Earlier this year in New York, for example, an employee who had been fired by the American branch of Gucci broke into the company’s computer system, shut down its servers and deleted data using an account he had secretly created while still employed there. As a result, Gucci was unable to access any documents on its network and lost e-mail access to both its store managers and its e-commerce sales team, generating a loss estimated by the company at $200,000.
Unnecessary access
In Gucci’s case, the indicted man had previously worked as its network security engineer, so his job likely required a high level of access to the company’s sensitive data. However in many other cases, employees are granted computer privileges which far exceed their needs. The problem with having excessive access is not that the individual will deliberately abuse their privileges, although that can certainly happen. Instead, it’s that they can unintentionally, accidently, or indirectly misuse it, with essentially the same result.
Failure to properly log off, unwittingly emailing a confidential document, using a thumb drive to bring work home, P2P file sharing, and other routine tasks that inadvertently create risks of exposing sensitive data to theft or misappropriation are not usually the results of malice. But if that person has broad access to a company’s most sensitive files, all of them are then at risk of becoming accidentally, intentionally or indirectly compromised.
Best practice tips
First, calibrate each employee’s information access to the specific needs of their job. Implement the best practice of least privilege to enable employees to access the applications required to do their jobs effectively without unnecessarily putting the organisation at added risk. Organisations should take the ‘Goldilocks’ approach (not too much privilege, not too little, but ‘just right’). The aim here is to create barriers, not walls.
Third, immediately change passwords and reset access rights whenever someone leaves the organisation’s employment.
Fourth – Investigate what tools specifically designed for managing privilege and preventing data leaks are available. Systems can cover: monitoring and alerts, reporting, and management tools siphon through web and code based interfaces to centrally control requested network tasks. These tasks are then deployed across all end points: cloud, virtual, servers, databases, desktops, and mobile. The latest data loss protection innovations mean that organisations can even prevent employees or contractors from copying precious data onto USB sticks, embedding into email or even printing out copies.
Fifth – forbid desktop users from operate as ‘administrators’ on their machines – Companies often make this mistake, thinking that this approach saves on hundreds or thousands of calls to the IT helpdesk, but this is a false economy: when individuals are allowed to operate as a local admin, organisations are opened up to serious security threats.
Sixth – stop bypassing logging – However tempting this is, without this system of checks and balances, companies cannot have granular control over what is going on, let alone work out what the root cause was when something goes wrong. Use of Microsoft UAC is not enough on its own, because it does not eliminate admin right altogether and can cause a gaping hole in protection plans.
Finally – understand the ‘people’ factor at play here. Security is not just about technology. Work with your staff – especially those with extensive privileges – to secure their sense of ownership in the organisation’s mission and the value of protecting its information assets.
Clearly, HR should have screened any employees during the recruitment process. But as I said earlier, people’s motivations and views about their employees can change, particularly if they feel that the organisation no longer respects them. So, be very mindful to these risks, especially during times of change (redundancies, re-organisation, outsourcing and so on). And recognize that even the most well-intentioned person can make mistakes: they could be the real enemy, not the TV villain stereotype.
About the author: Brian T Anderson is CMO of BeyondTrust. A 20 year-plus veteran of the security industry, Brian is co-author of “Preventing Good People from Doing Bad Things,” published by Apress Media and available via www.amazon.co.uk.
