Strategies for preventing internal security breaches in a growing business

Methods for preventing internal security breaches that work in a small company environment generally don't scale well as the organization gets larger. Here's how you develop a scalable strategy for preventing breaches as your company grows.

Many companies focus their security strategies on keeping outsiders from getting into the network. Yet a large percentage of serious security breaches come from within. Some of these are deliberate and others are unintentional, but either way they can put your network and the data on it at risk and result in lost productivity and/or direct monetary loss.

As your business grows, it's important that your security strategy be able to evolve to meet your changing needs. This is especially true when it comes to protecting against internal threats, because the methods that work in a small company environment generally don’t scale well as the organization gets larger. Let’s look at how you develop a scalable strategy for preventing internal security breaches.

A threat that evolves

When a company is small and has only a few employees, internal security breaches may be less likely to occur, and easier to detect, than in a larger organization. There are several reasons for this. In the small company environment, managers and employees work more closely together, so there is less opportunity for intentional breaches. There is often less specialization, so employees work together, share computers, etc., rather than each worker handling just his or her "piece" of a project or a narrowly defined set of tasks. This also reduces opportunity and makes detection more likely.

On the other hand, employees in small companies often are given more autonomy and managers may be more trusting. In those cases, there is a golden opportunity for the employee who wants to do so to steal data or bandwidth, or use the network for personal web surfing, emailing, chat, and so forth--all activities that can expose the network to risk. And the small company is less likely to have a dedicated IT department or security personnel to put technological security measures into place, and also less likely to have detailed written policies governing employees’ use of the network.

So while the relative anonymity of employees in a very large company may make it easier in some ways for them to breach security, they’re more likely to run into preventative measures (such as computers that are locked down more tightly, firewalls that are configured more securely and so forth).

Assessing internal threats

Internal threats can be divided into several different categories. For example:

  • Corporate espionage: employees may be recruited and paid by the company’s competitors to steal data
  • Malicious/disgruntled employees: current and recently terminated employees may wish to do damage to the network because of a grievance they have against the company
  • Unintentional breaches: employees put the network at risk by installing unauthorized software, opening virus-infected email attachments, succumbing to social engineering attacks, etc.

You may also classify non-employees with physical access to the network as a form of internal threat. Examples include contractors and "temp" workers, vendors, even janitorial service personnel and others who work on your site but are not actually employed by your company.

Security policies that evolve as you grow

The best way to create policies that can address these types of threats in both the small and large company environment is to implement a multi-layered strategy right from the beginning. Your policies should address both behaviors and technologies.

Policies targeting internal breaches should address such issues as:

  • Policies governing the use of external removable media such as floppy disks, flash drives, USB/Firewire hard drives, CD/DVD burners, and so forth. Many internal breaches occur when insiders copy company data to removable media, or bring in removable media from which they install programs or upload data to the network.
  • Email attachment policies. A large portion of internal security breaches occur when someone on the network opens infected attachments, or sends confidential company data outside of the network via an email attachment.
  • Printing policies. If unable to send or take company data in electronic form, insiders may print the information out and take the hard copy.
  • Download policies. Many inadvertent security breaches are caused by those on the network downloading information from the web that contains malicious code, which then provides external attackers with a way into the network.

Enforcing policies to prevent internal threats

It’s not enough to issue a set of written policies dictating that "thou shalt not..." The second layer of your security strategy should be to enforce the policies technologically whenever possible.

Each of the policies above can be backed by a matching technical control:

  • Removable media: physically remove or disable removable media drives, card readers and such from the computers of users who don’t need them, and control the use of portable storage devices with software solutions such as GFI’s EndPoint Security (formerly Portable Storage Control).
  • Email attachments: set firewall policies to prohibit incoming and/or outgoing email attachments, or to allow only attachments of certain types. Content security filters can examine attachments and flag those that violate your policies.
  • Printing: restrict access to printers, and place printers in supervised areas to make it more difficult for users to print material that they shouldn’t. Solutions such as Microsoft’s Rights Management Services can restrict the ability of internal recipients of email and Office documents to print, copy and forward those documents.
  • Downloads: configure firewalls to prohibit visiting known dangerous web sites, or to allow users to visit only known safe sites.
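As an added example (not code from the article or from any product it names) of the attachment checks behind the email attachment policy and the content security filters described above, the following Python script applies an allowlist of attachment types and verifies that a file's leading bytes match the type its name claims, so that an executable renamed to ".pdf" is flagged rather than passed. The allowed extensions and the sample attachments are assumed values constructed for the example.

```python
from dataclasses import dataclass

# Assumed policy values for this example; adjust to your own attachment policy.
ALLOWED_EXTENSIONS = {"pdf", "docx", "xlsx", "png", "jpg", "txt"}

# Leading bytes ("magic numbers") a file of each allowed type should start with.
MAGIC = {
    "pdf": (b"%PDF-",),
    "docx": (b"PK\x03\x04",),  # Office Open XML documents are ZIP containers
    "xlsx": (b"PK\x03\x04",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
}
PE_MAGIC = b"MZ"  # Windows executables (.exe, .dll, .scr) start with these bytes


@dataclass
class Attachment:
    filename: str
    content: bytes


def check_attachment(att: Attachment) -> list[str]:
    """Return the policy violations for one attachment; an empty list means it passes."""
    violations = []
    parts = att.filename.strip().lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if not ext:
        violations.append("no file extension")
    elif ext not in ALLOWED_EXTENSIONS:
        violations.append(f"extension .{ext} is not on the allowlist")
    # An allowed type must really start with that type's magic bytes; this catches
    # an executable that was simply renamed to look like a document.
    if ext in MAGIC and not att.content.startswith(MAGIC[ext]):
        violations.append(f"content does not match claimed type .{ext}")
    if att.content.startswith(PE_MAGIC):
        violations.append("content is a Windows executable")
    return violations


def filter_message(attachments: list[Attachment]) -> dict[str, list[str]]:
    """Map each attachment that fails policy to its violations; passing ones are omitted."""
    return {a.filename: v for a in attachments if (v := check_attachment(a))}


if __name__ == "__main__":
    # Constructed sample: a clean PDF and an executable renamed to look like one.
    sample = [Attachment("q3-report.pdf", b"%PDF-1.7\n"), Attachment("invoice.pdf", b"MZ\x90\x00")]
    print(filter_message(sample))
```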

Summary

The key points to developing a scalable strategy to prevent internal security breaches are:

  • Don’t overlook the risk of security breaches from inside the network
  • Develop written policies specifically aimed at internal threats
  • Distribute the policies and ensure that users sign off on having received them
  • Reinforce the written policies with training to prevent unintentional breaches (for example, educate users on safe surfing practices, the dangers of opening unknown attachments, how to recognize a social engineering ploy, etc.)
  • Enforce the policies with technological controls whenever possible

About

Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 add...

5 comments
J_Smoker

What is a good way to limit what content is printable by factory workers? policies, etc...

gracedman

I'm delighted to see an article on the internal security threats to an organization! The points are appreciated. We have spent a lot of time considering how to prevent another internal threat, internal escalation of privileges, and have launched the open source ISCS project as a possible answer to the problem (http://iscs.sourceforge.net). This is a problem in environments deluded by the idea that secure passwords at the application layer will keep the bad guys out. They forget that the bad guys do not play by the same rules as the good guys. Once an intruder has gained access to the internal network via physical intrusion, device theft, identity theft, trojan, compromised wireless or any other of many simple means, they will try to escalate their privileges beyond those of the user they have compromised. They will attempt to gain superuser access and "own" the network. Our work on the ISCS project has enabled us to implement perimeter style security with strong user authentication, access controls and encryption within the interior of the network and do so in a manageable, scalable, cost-effective manner -- true compartmentalized, multi-layered network security. Thus, even if someone breaks into a remote user's home, whacks them over the head while they are logged into the corporate network via VPN and is sitting in front of their PC, or has completely compromised an internal PC and has console access on the local network, they can only do what the user is normally allowed to do. They cannot attempt to gain escalated privileges to internal systems to "knock the legs out" from underneath the password security system. They can only send the kind of packets on the network that the user is allowed to send, and users are only allowed to send the kind of packets they need to do their jobs - least access principle at the network level.
We hope others will find our labor on this open source project helpful to secure their environments from internal threats in a scalable and affordable manner (http://iscs.sourceforge.net).

sethlev

The threats to a company's data and networks are more often destructive rather than theft related. Most small companies do not have 'secrets' that are either easily stolen or particularly useful if stolen. They are, however, subject to severe problems if the network or software or data is destroyed or damaged. THESE are the first lines of defense against internal threats. The article does not address the first level of security, the physical. Keep your servers and switches and original software media under (Owner's) lock and key! Password protect, biometric protect (for owners only) all network critical components - routers, switches, server management. Then work on protecting your network from hackers, viruses and intruders.

wdeckert

We have over 100 workstations and 14 servers in 9 locations covering 2 states managed by one (1) IT person. Access to server data is on a need to know basis. However, access as an administrator to the Windows XP workstation is an absolute necessity. Our users run over 70 programs, which both read and write to various servers as well as doing updates to their programs, sometimes weekly. It is physically impossible to maintain upgrades to these workstations and servers without employee (user) intervention. This requires administrative rights to their individual workstations (not servers). At some point you need to train and trust your employees while monitoring the network and programs which are installed on their workstations. I fully agree that security is a priority, but locking down workstations and servers so that only IT personnel can access, back up, and do maintenance requires a staff that can manage these tasks. Social engineering is our greatest fear and only continuous staff training can prevent this type of intrusion.

eddie.limoncelli

A co-worker of mine recently brought up issues of trust about an employee of mine who performs routine maintenance such as backups. While I am looking into these allegations, how can I secure department data while still having this employee perform backups and access basically every machine in the department? Or, how can I monitor what he does to see if there is anything wrong going on? Note: this is a WinXP network with all really sensitive data on a server that he cannot access, but data on all local machines is less under my control. Thanks for any ideas!
