The Biggest Security Threat for 2008...End Users!

Study after study continues to reveal a fundamental truth about the shifting landscape of IT security today—the biggest threat to proprietary systems and information is not the traditional cyber criminal writing malicious code from a remote location, but rather trusted employees.

Savvy administrators recognize that because end users are privy to an organization's sensitive data, they represent a significant risk factor. However, mitigating this threat is something that security pros continue to struggle with. While no single, "silver bullet" solution exists, there are steps organizations can take to ensure that corporate policies are effectively enforced and the insider threat is neutralized.

Where the Risks Lie

Users represent a security risk for several reasons. Corporate boundaries continue to expand as the number of mobile workers increases, and this growth coincides with the convergence of personal and professional use of corporate endpoints. Laptops and PCs are becoming more personal, loaded with non-business applications that potentially expose an organization to spyware, keyloggers and other threats.


There are also mounting threats that prey on end-user curiosity. Tactics include Web site or email spoofing designed to trick employees into performing actions detrimental to the organization's security or into divulging confidential information. What's more, employees are constantly moving between competing organizations, and competitors angle to hire key personnel for their skills as much as for the confidential information they can bring with them. Overall, the insider threat—whether malicious or inadvertent—is something that cannot be overlooked.

Safeguarding organizations against insiders with malicious intent requires effectively enforcing data-access policies and auditing user activity involving sensitive and confidential data and systems. The stories that have surfaced about company insiders stealing sensitive data worth millions—if not billions—of dollars form a non-stop cycle. As a result, security administrators must proactively take action to protect their organizations against these threats.

Meanwhile, protecting against employee errors or accidents requires policy enforcement so that end users are not solely relied upon to make intelligent security decisions. Most non-malicious employees occasionally make improper choices when it comes to handling corporate data. For example, as iPods, digital cameras, PDAs and other gadgets continue to see rapid adoption among business users, security administrators must remember that these devices spend most of their lives plugged into far less secure home computers. This makes it incredibly easy for employees to unintentionally carry a virus or other destructive code onto an enterprise machine.

Mitigating Threats, Step-by-Step

Organizations can protect themselves against these malicious and accidental employee actions through the combination of people, processes, and technology. They must clearly define and socialize policies, automate policy enforcement and provide detailed auditing and reporting. Here are some fundamental steps that organizations can take to achieve this:

First, they must accept the reality that employees are not security experts and will always engage in risky behavior. They will open unsolicited attachments, browse a wide assortment of Web sites, click on links in emails and instant messages, use outdated and unpatched versions of software, and plug in personal devices or removable media without understanding (or caring about) the potential impact of these decisions. Since they are not security experts and do not generally understand the criticality of software and operational vulnerabilities that require immediate remediation, relying upon end users to rapidly install the latest patches leaves a lot to chance.

In a perfect world, written corporate policy would be enough to dictate employees' interactions with technology. While a policy is an important step, the reality is that even the most stringent policies need a solution to support and enforce them. Trying to impose policies whose enforcement rests on the employees themselves has proven ineffective.

The second step to mitigating the threat from within is to remove the organization's reliance on end users as security experts and to provide a way to develop and enforce policy. Such a policy would enable users to focus on the task at hand and also reduce the risk arising from their day-to-day decisions when they interact with technology. This includes understanding which employees need access to specific applications, devices and data. It also means enforcing policies that give users access only to what is required to complete their job function, and ensuring that the applications in use are up to date with the latest patches.

By enforcing application and device control, organizations can flexibly control the execution of specific files or the use of removable devices all the way down to the individual user. This takes the decisions away from the users and lets them focus on the job at hand. Likewise, by enforcing mandatory baselines for critical patches and configurations, organizations can automate remediation throughout the enterprise and no longer have to rely upon their users. This ensures that proper security configurations are maintained while also taking work off the employee's hands. Employing technology that automates the enforcement of acceptable resource use while preventing and reporting unacceptable use that could put the enterprise at risk is a flexible, yet secure, approach.

A third step is to ensure that policies are socialized throughout the organization and enforced as transparently as possible so as not to impede end-user productivity. Without proper end-user understanding and buy-in of these policies, they will be viewed as a hindrance to productivity and users will find a way to get around them. Though an organization should never expect or rely upon its users to become security experts, engaging in security training and socializing corporate policies is a key step to finding that balance between security and user productivity. Communication is extremely important in educating users and preventing disruption in employee productivity. Explaining why a policy exists is a key success factor. Once end users know what you're doing and why you're doing it, they're usually more than willing to help out.

The final step to addressing the insider threat requires the CIO and others within the IT department to have access to continuous reporting on the organization's environment, showing which policies are working and which are not, so that policies can be adjusted accordingly. Automated auditing and reporting functions give security personnel the flexibility to conditionally allow certain devices, applications or configurations while still maintaining visibility into user activity. For example, if an organization allows only accounting personnel access to specific finance-focused applications, it needs to know when a developer has attempted to gain access to these applications, whether because of malicious intent or a legitimate need.

From a best practices perspective, policy compliance should be reviewed on a regular basis as organizational needs often change and user activities might highlight a policy loophole. This includes continuous surveillance of the enterprise environment and user activities and then using the gathered information to update policy as necessary.
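As an added illustration of the auditing step above (example code, not from the article or from Lumension): a small audit pass over constructed application-access log lines. A hypothetical allow-list maps each sensitive application to the roles permitted to use it; every attempt by a user outside that list is reported, and an attempt that was *allowed* despite the policy is flagged as a loophole for the policy review the article recommends.

```python
"""Audit constructed access logs against a role-based application allow-list.
Added example; the policy, log format and sample entries are all hypothetical."""
from collections import Counter

# Hypothetical policy: application -> roles allowed to run it.
ACCESS_POLICY = {
    "finance-ledger": {"accounting"},
    "payroll": {"accounting", "hr"},
    "source-repo": {"developer"},
}

# Constructed sample log lines: timestamp|user|role|application|outcome
SAMPLE_LOG = """\
2008-01-14T09:02:11|jdoe|accounting|finance-ledger|allowed
2008-01-14T09:05:42|mrivera|developer|source-repo|allowed
2008-01-14T09:07:03|mrivera|developer|finance-ledger|blocked
2008-01-14T09:07:19|mrivera|developer|finance-ledger|blocked
2008-01-14T10:15:55|asmith|hr|payroll|allowed
2008-01-14T11:30:08|asmith|hr|finance-ledger|allowed
"""


def parse_line(line):
    """Split one pipe-delimited log line into a dict."""
    ts, user, role, app, outcome = line.strip().split("|")
    return {"ts": ts, "user": user, "role": role, "app": app, "outcome": outcome}


def audit(log_text, policy=ACCESS_POLICY):
    """Return (violations, counts).

    A violation is any attempt on a policy-controlled application by a role
    not in its allow-list. If the attempt was still 'allowed', the control
    did not enforce the written policy: that is a loophole to fix."""
    violations = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue  # skip blank lines
        entry = parse_line(raw)
        allowed_roles = policy.get(entry["app"])
        if allowed_roles is None or entry["role"] in allowed_roles:
            continue  # uncontrolled application, or access is within policy
        entry["loophole"] = entry["outcome"] == "allowed"
        violations.append(entry)
    counts = Counter((v["user"], v["app"]) for v in violations)
    return violations, counts


def loopholes(log_text, policy=ACCESS_POLICY):
    """Only the violations that the enforcement layer let through."""
    return [v for v in audit(log_text, policy)[0] if v["loophole"]]
```

Running `audit(SAMPLE_LOG)` reports two blocked attempts by the developer on the finance application and one HR access to it that the control allowed, which `loopholes()` singles out for policy review.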

An organization's end users represent a significant amount of risk due to the proliferation of threats that target individuals and the rising value of corporate IP and of customer, employee and financial data. What's more, criminal organizations are targeting end users as a way to gain access to valuable data, and some internal employees target this data for personal financial gain. While it should be the duty of every user to protect the company's assets, the CIO and the IT department ultimately will be held responsible for any breach of confidentiality or data.

Only through transparent policy enforcement technology that puts substance behind the documented words, socialization of policies and awareness of sound security practices, and continuous, actionable auditing information can organizations move forward in protecting their network and data from the inside out.

About the Author

Mike Wittig serves as President and Chief Technology Officer of Lumension Security, where he is responsible for the overall execution of day-to-day operations and for driving technology strategy and development. Prior to joining Lumension Security, Wittig served as President and CTO of CyberGuard (NASDAQ: CGFW), an industry-leading provider of enterprise-class network security solutions. CyberGuard was later acquired by Secure Computing (NASDAQ: SCUR). Wittig, who was part of CyberGuard since its inception in 1992 as Harris Computer Systems, was responsible for spearheading the design and development effort to build the company's first network security appliance product line. His technology innovations garnered more than 15 "best of breed" awards from leading organizations and trade press, and are considered to be among the industry's best security solutions. Under his leadership, CyberGuard products achieved the most stringent industry certifications and became one of the most credentialed product lines in the industry. Examples of these credentials include ITSEC E-3 level security for the United Kingdom and Australian governments, FIPS 140-2, and Common Criteria EAL4+ evaluation, which is recognized by more than 18 countries. Wittig holds a BS degree from the University of Florida's College of Engineering.

About Lumension Security

Lumension Security™ is a global security management company formed by the merger of PatchLink Corporation and SecureWave.