Here are a few first steps that your company can take to begin the process of securing against internal hackers.
By Ruby Bayan
A security breach that undermines the integrity of enterprisewide data, systems, and structures ranks high on the list of most gruesome corporate nightmares. Firewalls and antivirus packages will fend off intruders and intrusions from the outside world, but how do you protect your company's vitals from an inside job?
We gathered tips from network administration and security experts on preventing attacks from within. Their suggestions can be summed up in three basic defense strategies:
- Secure the perimeter.
- Police the ranks.
- Protect the enterprise.
Read on to find out how to implement these strategies and protect your organization.
Secure the perimeter
According to Rick Huber, IT veteran and network administrator for Felker Brothers Corporation, an unwitting employee who downloads a game or application that contains harmful code is a common and serious insider threat.
"The innocent employee loads the program, and the virus infects the entire network, corrupting and annihilating applications and data," Huber said.
He suggested three ways to secure the network from careless and clueless employees:
- Lock down machines so that unauthorized software, such as an e-mail client that accesses an e-mail server other than your corporate one or an FTP client, cannot be installed.
- Lock down ports on your firewall to prevent use of FTP and file sharing applications, such as iMesh, Kazaa, Gnutella, Morpheus, and Grokster.
- Remove internal modems so that everyone has to go through your corporate firewall.
Police the ranks
"Internal attacks are the most difficult attacks to prevent and shield from," said Joe Hartmann, director of the North-American Anti-Virus Research Group of Trend Micro Inc. He said that protecting a corporate network from employees who have been fired or let go is an IT administrator's nightmare. He added that recent statistics suggest that many attacks originate from provoked employees.
Hartmann proposed these preventive measures to guard against ex-workers' malicious intent:
- Network administrators must work closely with every manager or employee that handles access to systems on the network. This way, they can keep track of those who may have numerous passwords and access to systems unknown to the IT department, like a server that is used only in a specific department.
- Companies should ensure that employees understand the organization's security policies and that those policies become part of its corporate culture and values.
- To test whether security has taken root in the corporate mind, ask yourself this: Do my employees like to work for the company or do they come to work only because they need the money to pay bills? When an opportunity presents itself, will they steal from the company?
Colt Ellis, network admin for Perlos, Inc. holds fellow administrators suspect.
"I'd say that an internal security risk would be admins just flat out abusing their power—viewing payroll documents, changing permissions for people they like or don't like, etc."
Another possible threat might be an admin who is angry for being fired or denied a raise, he said.
"An admin can be your best friend or your worst enemy. Obviously, background checks could help. But as far as the technical aspect goes, I think auditing and strict permissions are your best line of defense."
Huber zeroed in on another group of people who may cast a covetous eye on your trade secrets: independent contractors. A lot of establishments "give the keys to the company" to their consultants, he said.
To guard against the risks consultants pose, Huber suggested these steps:
- Give them access only to what they need to access.
- Put a time limit on their accounts.
- Disable accounts after they leave.
- Change any admin/system passwords they used while onsite after they leave.
- Check for any back doors they may have created.
To go as far as physically policing employees, administrators, and consultants, Huber offered two suggestions:
- Set up a checks and balance system. Don't make just one person in-charge of content monitoring—that person may be the one compromising the system's internal security or may have been paid off by another employee to let documents through the system.
- Have a security guard check briefcases for confidential documents or removable media, such as laptops, hard drives, jazz drives, zip drives, and floppies.
Protect the enterprise
Beyond passwords, lockdowns, background checks, and security guards, a company that values its assets should look into how the latest security solutions can protect against attacks from within.
Nick Galea, CEO at GFI, recommends its LANguard Security Event Log Monitor (S.E.L.M.), which monitors the security event logs of all Windows NT/2000/XP servers and workstations on a network and alerts administrators to possible intrusions or attacks in real time.
Galea said that as past media reports have shown, internal security threats include disgruntled employees and those who conduct industrial espionage to obtain information for their own gain—in other words, those who intend to sell data or to use it to make them attractive as a prospective recruit to a competing company. Since firewalls offer no protection from these threats, an application that enables administrators to quickly respond to important security events without being an event log guru would be a valuable defense tool.
Bob Hansmann, product marketing director of Trend Micro Inc., North America, explained its products' role in keeping an enterprise secure.
"As an antivirus, content-filtering, and antispam solution provider, our contribution to an organization's protection from internal threats might best be placed in a category called 'carriers,' which includes 'electronic' and 'human' carriers," he said.
Once a single system becomes infected by a virus, you have a significant internal threat, Hansmann said.
"In any company of any size, there is bound to be someone who will do something that will let that first virus in."
Electronic carriers include e-mail, instant messaging, and Web pages with Java, ActiveX, or any other technology that allows for a message with an enticing link or application to enter and execute on the client system. Human carriers of malicious code include fully mobile laptop users whose antivirus solutions have been compromised—infected offsite due to human error or because the desktop security solutions have not been maintained or have become unstable.
According to Hansmann, these threats can be mitigated through a combination of technology and end user awareness.
"Education can help users realize the danger of tampering with security solutions and dispel rumors and myths about them," he said.
He added that some of today's client-based antivirus solutions can check a client's system when it first connects to the network and enforce configuration settings to IT standards or even reinstall the antivirus software before allowing a connection.
Hansmann further advised that it might also be worth reviewing how different solutions work together to provide stronger security for users.
"For example, Check Point offers a VPN security option that will deny a remote user access to the network unless they have an antivirus solution installed and it does not have out-of-date pattern files."
Looking at internal threats from a macro level, Hartmann gives corporate decision makers and security administrators a final tip.
"There is no quick fix and ultimate solution to prevent internal attacks," he said. "However, companies can create policies, conduct training sessions, and ensure that the corporate culture supports all security implementations."