Study after study points to the same conclusion about the shifting landscape
of IT security today: the biggest threat to proprietary systems and information
is not the outside cyber criminal writing malicious code from some remote location,
but rather trusted employees.
Savvy administrators recognize that because end users are privy to an organization's
sensitive data, they represent a significant risk factor. However, mitigating
this threat is something that security pros continue to struggle with. While
no single "silver bullet" solution exists, there are steps organizations
can take to ensure that corporate policies are effectively enforced and the
insider threat is substantially reduced.
Where the Risks Lie
Users represent a security risk for several reasons. Corporate boundaries continue
to expand as the number of mobile workers increases, and personal and professional
use of corporate endpoints continue to converge. Laptops and PCs are becoming
more personal, loaded with non-business applications that can expose an organization
to spyware, keyloggers and other threats.
There are also mounting threats that prey on end-user curiosity. Tactics include
Web site or email spoofing designed to trick employees into performing actions
detrimental to the organization's security or divulging confidential information.
What's more, employees constantly move between competing organizations,
and competitors angle to hire key personnel as much for the confidential
information they can bring with them as for their skills. Overall, the insider
threat, whether malicious or inadvertent, is something that cannot be
Safeguarding organizations against insiders with malicious intent requires
effectively enforcing data-access policies and auditing user activity on sensitive
and confidential data and systems. Stories about company insiders stealing
data worth millions, if not billions, of dollars surface in a non-stop cycle.
As a result, security administrators must proactively take action to protect
their organizations against these threats.
Meanwhile, protecting against employee errors or accidents requires policy
enforcement so that end users are not solely relied upon to make intelligent
security decisions. Even well-meaning employees routinely make poor choices
when it comes to handling corporate data. For example, as iPods, digital
cameras, PDAs and other gadgets continue to see rapid adoption among business
users, security administrators must remember that these devices spend most
of their lives plugged into far less secure home computers. This makes it
easy for an employee to unintentionally carry a virus or other destructive
code onto an enterprise machine.
Mitigating Threats, Step-by-Step
Organizations can protect themselves against these malicious and accidental
employee actions through the combination of people, processes, and technology.
They must clearly define and socialize policies, automate policy enforcement
and provide detailed auditing and reporting. Here are some fundamental steps
that organizations can take to achieve this:
First, they must accept the reality that employees are not security experts
and will always engage in risky behavior. They will open unsolicited attachments,
browse a wide assortment of Web sites, click on links in emails and instant
messages, run outdated and unpatched versions of software, and plug in
personal devices or removable media without understanding (or caring about)
the potential impact of these decisions. Since they are not security experts
and do not generally understand how critical some software and operational
vulnerabilities are, or that they require immediate remediation, relying upon
end users to rapidly install the latest patches leaves a lot to chance.
In a perfect world, written corporate policy would be enough to dictate employees'
interactions with technology. While a policy is an important step, the reality
is that even the most stringent policies need a solution to support and enforce
them. Trying to force policies where the employees are responsible has proven
The second step to mitigating the threat from within is to remove the organization's
reliance on end users as security experts and to provide a way to develop and
enforce policy. Such a policy lets users focus on the task at hand and reduces
the risk carried by their day-to-day decisions when they interact with technology.
This includes understanding which employees need access to specific applications,
devices and data; enforcing policies that give users access only to what they
require in order to complete their job function; and ensuring that the applications
in use are up to date with the latest patches.
By enforcing application and device control, organizations can control the
execution of specific files and the use of removable devices all the way down
to the individual user. This takes the decision away from the user and lets
them focus on the job at hand. Likewise, by enforcing mandatory baselines for
critical patches and configurations, organizations can automate remediation
throughout the enterprise instead of relying on their users. This ensures that
proper security configurations are maintained while also taking work off the
employee’s hands. Technology that automates the enforcement of acceptable
resource use, and that prevents and reports unacceptable use that could put
the enterprise at risk, is a flexible yet secure approach.
A third step is to ensure that policies are socialized throughout the organization
and enforced as transparently as possible so as not to impede end-user productivity.
Without proper end-user understanding and buy-in of these policies, they will
be viewed as a hindrance to productivity and users will find a way to get around
them. Though an organization should never expect or rely upon its users to become
security experts, engaging in security training and socializing corporate policies
is a key step to finding that balance between security and user productivity.
Communication is extremely important in educating users and preventing disruption
in employee productivity. Explaining why a policy exists is a key success factor.
Once end users know what you're doing and why you're doing it, they're usually
more than willing to help out.
The final step to addressing insider threat requires the CIO and others within
the IT department to have access to a continuous report of the organization's
environment, what policies are working and which ones are not, and adjust policies
accordingly. Automated auditing and reporting functions give security personnel
the flexibility to conditionally allow certain devices, applications or configurations
while still maintaining visibility into user activity. For example, if an organization
allows only accounting personnel access to specific finance-focused applications,
it needs to know if a developer has attempted to gain access to these applications,
either because of malicious intent or a legitimate need.
From a best practices perspective, policy compliance should be reviewed on
a regular basis as organizational needs often change and user activities might
highlight a policy loophole. This includes continuous surveillance of the enterprise
environment and user activities and then using the gathered information to update
policy as necessary.
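As an added example that is not the article's or Lumension's own code, the following Python sketches the policy enforcement and audit review described in the steps above: a default-deny engine that grants each user only the applications and removable devices the user's role needs, a check against a mandatory patch baseline, and a review of the denial log that flags attempts aimed at another role's resources (the developer-touches-finance-application case). The roles, users, executable names, device identifiers, version numbers and access events are all constructed for illustration and are not drawn from any real product or organization.

```python
"""Default-deny application and device control with an audit trail.

Added example, not code from the article or from Lumension. The roles,
users, applications, device identifiers, baseline versions and access
events below are all constructed for illustration.
"""
from dataclasses import dataclass

# Constructed role policy: each role gets only the applications and
# removable devices its job function needs. Anything absent is denied.
ROLE_POLICY = {
    "accounting": {
        "app": {"ledger.exe", "excel.exe", "outlook.exe"},
        "device": {"usb:corp-encrypted"},
    },
    "developer": {
        "app": {"git.exe", "code.exe", "outlook.exe"},
        "device": set(),
    },
}

# Constructed user directory. "mallory" has a role with no policy on file,
# so the default-deny rule blocks everything she touches.
USERS = {"alice": "accounting", "bob": "developer", "mallory": "contractor"}

# Constructed patch baseline: minimum acceptable version per application.
REQUIRED_BASELINE = {"browser": (118, 0), "pdf-reader": (23, 1)}


@dataclass(frozen=True)
class AuditEvent:
    user: str
    role: str
    kind: str      # "app" or "device"
    target: str    # executable name or device identifier
    allowed: bool


class PolicyEngine:
    """Answers allow/deny per user and records every decision, allowed or not."""

    def __init__(self, role_policy, users):
        self.role_policy = role_policy
        self.users = users
        self.audit_log = []

    def check(self, user, kind, target):
        role = self.users.get(user, "unknown")
        permitted = self.role_policy.get(role, {}).get(kind, set())
        allowed = target in permitted          # default deny: not listed, not allowed
        self.audit_log.append(AuditEvent(user, role, kind, target, allowed))
        return allowed


def roles_allowed(role_policy, kind, target):
    """Roles whose policy permits this target; used to classify denials."""
    return sorted(r for r, p in role_policy.items() if target in p.get(kind, set()))


def review_denials(audit_log, role_policy):
    """List each denied attempt with the roles (if any) that may use the target.

    A denial whose target belongs to another role (a developer opening a
    finance application) is the case administrators need to look at; a
    denial with no owning role is simply an unapproved item.
    """
    return [
        {"user": e.user, "role": e.role, "kind": e.kind, "target": e.target,
         "allowed_for": roles_allowed(role_policy, e.kind, e.target)}
        for e in audit_log if not e.allowed
    ]


def baseline_gaps(installed, required=REQUIRED_BASELINE):
    """Applications missing or below the mandatory patch baseline."""
    return [
        (app, installed.get(app), minimum)
        for app, minimum in required.items()
        if installed.get(app) is None or installed[app] < minimum
    ]


def run_demo():
    """Constructed sequence of access attempts, as an endpoint agent would see them."""
    engine = PolicyEngine(ROLE_POLICY, USERS)
    attempts = [
        ("alice", "app", "ledger.exe"),           # her own finance application
        ("alice", "device", "usb:personal-key"),  # thumb drive from home
        ("bob", "app", "ledger.exe"),             # developer probing a finance app
        ("bob", "app", "git.exe"),
        ("mallory", "app", "outlook.exe"),        # role with no policy on file
    ]
    for user, kind, target in attempts:
        engine.check(user, kind, target)
    findings = review_denials(engine.audit_log, ROLE_POLICY)
    gaps = baseline_gaps({"browser": (117, 2), "pdf-reader": (23, 1)})
    return engine, findings, gaps


if __name__ == "__main__":
    engine, findings, gaps = run_demo()
    for f in findings:
        print(f"DENIED {f['user']} ({f['role']}) -> {f['kind']} {f['target']}; "
              f"allowed for: {', '.join(f['allowed_for']) or 'no role'}")
    for app, have, need in gaps:
        print(f"OUT OF BASELINE {app}: installed {have}, required {need}")
```

In a real deployment the role lookup would come from the directory and the decisions from an endpoint agent or group policy rather than an in-memory table; the points the code makes are that the default is deny, every decision is logged whether allowed or not, and the review step turns raw denials into the question the article asks (was this a developer with a legitimate need, or something to investigate?).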
An organization's end users represent a significant amount of risk due to the
proliferation of threats that target individuals and the rising value of corporate
IP, customer, employee and financial data. What's more, criminal organizations
are targeting end users as a way to gain access to valuable data and some internal
employees target this data for personal financial gain. While it should be the
duty of every user to protect the company's assets, the CIO and their IT departments
ultimately will be held responsible for any breach of confidentiality or data.
Only through transparent policy enforcement technology that puts substance
behind the documented words, socialization of policies and awareness of sound
security practices, and continuous and actionable auditing information can organizations
move forward in protecting their network and data from the inside out.
About the Author
Mike Wittig serves as President and Chief Technology Officer of Lumension Security, where he is responsible for the overall execution of day to day operations and driving technology strategy and development.
Prior to joining Lumension Security, Wittig served as President and CTO of CyberGuard (NASDAQ: CGFW), an industry leading provider of enterprise-class network security solutions. CyberGuard was later acquired by Secure Computing (NASDAQ: SCUR).
Wittig, who was part of CyberGuard since its inception in 1992 as Harris Computer Systems, was responsible for spearheading the design and development effort to build the company’s first network security appliance product line.
His technology innovations garnered more than 15 “best of breed” awards by leading organizations and trade press, and are considered to be among the industry’s best security solutions. Under his leadership, CyberGuard products have achieved the most stringent industry certifications and became one of the most credentialed product lines in the industry. Examples of these credentials include ITSEC E-3 level security for the United Kingdom and Australian governments, FIPS-140-2, and Common Criteria EAL4+ evaluation, which is recognized by more than 18 countries.
Wittig holds a BS degree from the University of Florida’s College of Engineering.