Insiders commit three of every four computer network attacks. Whether it's a denial of service attack, a malicious break-in, or data theft, the perpetrator is most likely an employee or a former employee. Yet companies continue to focus most of their attention on preventing external attacks.
How many companies want to publicize this image-deflating fact? Very few. So few, in fact, that security analysts at the Hurwitz Group estimate that as many as 50 insider attacks occur for every one detected—testimony to the insider's intimate knowledge of your systems and procedures.
As is the case with most planned crimes, who better than your own current or past employees to screw you over? After all, they don't have to spend a lot of time learning about your policies and defenses. And they're more likely to know where the rarest jewels are kept. What's more, except for those who want to get caught for the sake of a social statement or just to get attention, they also know how to cover their tracks.
Stacy O'Connor, managing director of the Waltham, MA-based security firm Guardent, says that the most common causes for insider attacks are poor morale, a fluctuating economy, weak internal safeguards, and an overly trusting work environment.
Prevention starts with the hiring process, O'Connor said. You should discuss with new hires their role in maintaining security and its potential benefits. Ongoing monitoring and assessment will help assure the system's effectiveness while avoiding aggravation, downtime, and fantasies of revenge.
"Organizations should realize that internal incidents have a higher likelihood of causing significantly more damage [than external attacks] and significantly higher costs to repair," he said. Just ask the FBI about Robert Hanssen.
Check out CNET Enterprise Business
This article appears courtesy of CNET’s Enterprise Business section, where you can explore IT business solutions on various topics, including ASPs, Linux, groupware, information systems infrastructure, and supply chain management.
Passwords and body parts
One way to protect yourself and your data is to eliminate unwitting damage by employees who permanently enter their passwords in the sign-on box, leave their passwords taped to sliding desk drawers, or use simplistic passwords such as their Social Security numbers.
In fact, the three most popular passwords in some surveys were password, some elementary mixing of the person's own name or a relative's name (usually a child's), and words related to sexual acts. So much for carefully crafted, comprehensive security policies. Other innocent, if naive, acts include opening e-mail attachments. For example, one that promised a look at someone's naked wife actually contained a virus.
What else can you do? Short of changing human nature, why not leverage all that interest in body parts and use it to reinforce security? For example, biometric devices that read fingerprints are affordable, reliable, and simple to install. One such device is available from Digital Persona. Its compact $100 U.are.U fingerprint scanner worked well in my comparison tests.
BioLink's $120 U-Match Mouse offers a space-saving advantage. A combination thumbprint scanner and mouse, it provides logon security without adding more hardware to the desk. Both products are available in client-only versions as well as server-based installations that centralize management and help maintain uniform rules.
Building better fences
If biometrics had been more widely available, Kevin Mitnick would never have risen from obscurity to infamy. Mitnick achieved success precisely because his plan was elegantly simple. He cracked all those government systems by pretending to be a system administrator verifying the network's condition. He'd call and ask users for their sign-on names and passwords. Most times, they just handed over the keys to the digital kingdom without a second thought.
In retrospect, one answer to closing the kind of hole that allowed Mitnick's attack to succeed is now obvious: a combination of education, monitoring, and biometrics. These defenses are also key to preventing sneakier, less obvious insider attacks.
Howard Millman, a writer and computer technology consultant based in Croton, NY, contributes regularly to CNET Enterprise and helps make computers behave.
How does your company guard against internal attacks?
We look forward to getting your input and hearing about your experiences regarding this topic. Join the discussion below or send the editor an e-mail.