Foxes In the Coop

As everyone knows, the wall that once separated the IT group from security management is a relic of another era. Professionals recognize that an effective security system not only protects infrastructure from intrusions from the outside but also from incidents caused by employees and others on the inside, particularly in cyberspace. In other words, IT security is about more than firewalls.

The Insider Threat
Dan Verton, author of Black Ice, a chilling and highly recommended account of our electronic vulnerabilities, outlines situations that have thoughtful managers worried.

"Companies need to know at all times who is on the premises and who has got access to the company infrastructure," he said after a recent Secret Service briefing for the private sector. He asked what can happen when someone enters a company's office in Asia or Europe at 3:00 in the morning, accesses a weakly protected area of the IT network and does damage to files tucked "safely" on a server in New York. Or when a workman is ignored in the local garage where he has tapped into the fiber network and is busy removing data, all with equipment bought at Radio Shack.

Verton is not alone. One CEO of a prominent Fortune 100 firm says it is "especially the potential vulnerability of an insider gone bad" that scares him more than any other threat to his firm and its worldwide operations. A recent study by the Secret Service and the CERT Coordination Center reported that insiders "pose a substantial threat by virtue of their knowledge of and access to their employers' systems and/or databases, and their ability to bypass existing physical and electronic security measures through legitimate means." More than 70 percent of insider threat cases studied occurred during normal working hours from a physical location inside the organization. Most of the incidents involve people using legitimate commands, people authorized with active computer access. In one study, nearly half the perpetrators used their own names or passwords to initiate the incident. Less than a fifth were people with technical positions or system administration access. Even more startling, the CERT report found that perpetrators shared their intentions with others, including with those both in the firm and with those outside, sometimes even with competitors.

The Costs of Denial
The effects of adverse incidents (everything from hiding illegal trades in a large financial institution to changing authorization and access rules for any firm's database) can be substantial. One study has the average loss to Fortune 1000 firms from successful IT attacks at nearly $1,750,000. The CERT study reports a high of $691 million for insider events at financial institutions. But the damage includes more than immediate dollars; it also includes disruption of operations and harm to reputation.

Indeed, the negative impact on brand could be the most harmful over the long term. When one considers that companies as diverse as Nokia, McDonald's, GE and Microsoft assess the 2004 value of their brands in the billions of dollars ($24 billion, $25 billion, $44 billion and $61 billion respectively, according to Interbrand Corp.), it is easy to see that the financial risk of inadequate protections from insider harm is huge.

The insurance industry hasn't been out of the loop on this issue. John Bugalla, managing director of Aon Risk Services, acknowledges that his firm is developing brand impairment products to protect against sharp declines in brand value caused by catastrophic events. "Look," said Bugalla, "reputation can take a hit when a large public firm violates Sarbanes-Oxley or when a smaller private firm is sloppy in protecting its customer or personnel information. Either way, perception will drive down shareholder value and upend all the other benefits that come with a strong brand."

Cyber Tools at the Ready
Although business processes and protocols are a major source of the vulnerabilities, technology can be helpful, and technologies for protecting IT inside the firewall are available. One firm, Tripwire, targets host security and sends alerts about changes to a server, as when a configuration has changed or a file has been added. Cisco, Network Flight Recorder, Internet Security Systems and Enterasys all detect network events, searching, for example, for the unleashing of a virus or worm. Radware blocks attacks on networked applications. IPLocks protects a firm's databases, the crown jewel for most organizations. It works with multiple database systems (Oracle, DB2, SQL, Sybase, Teradata), and because it sits outside the database management system and does not require additional hardware, it adds no performance overhead. Most important, it interlocks three capabilities in a way that probably anticipates what the marketplace is going to demand in the future.

First, IPLocks provides an automated assessment tool that acts like an expert system to locate vulnerabilities. Frequent changes to servers, applications, WiFi access, VPNs and personnel all affect security, and these changes to the network may open up holes for hackers and employees alike. Hence, vulnerability assessment has to be a continual periodic endeavor.

Second, IPLocks monitors the DB and alerts for suspicious behaviors of any user. Even legitimate users who challenge security and business rules or who attempt inappropriate access or behavior are recognized. Like cameras and behavioral analysis software in the physical world, monitoring has a deterrent benefit while at the same time alerting for any attacks while they happen.

Third, the solution includes database auditing. Consequently, security personnel and database specialists can trace back the who, what, where and when of an incident. This aid to forensic analysis, external audits and regulatory compliance efforts is as substantial as it is obvious, especially in the link with the assessment and monitoring capabilities.

Technology Plus
Of course, protection from insider threats is not achieved with any one tool, even those that support upgrades in best business practices. Context is key. Pete Karagiannis, managing director at Red Siren, a provider of IT security management services and e-learning courseware, says that continual education of a company's workforce is too often overlooked.

"You may have employed the best technology throughout your firm," said Karagiannis, "but it can be defeated by careless or uninformed workers who fail to perform their roles in keeping the network secure." Even if a monitor sounds an alarm, as an example, someone still has to respond in a timely and effective way.

In the final analysis, protecting a firm's cyberspace is much like achieving security generally. It's not only a matter of goals and tools; it's also a matter of culture and commitment.

Nicholas Imparato (imparato@uscfca.edu) is a professor at the University of San Francisco and a Research Fellow at the Hoover Institution, Stanford University. He consults frequently with large and small firms regarding external, "macro-environment" factors that affect business performance. (Full disclosure: Dr. Imparato has consulted in the past or currently consults with several firms mentioned in this article.)

Loading