Keep the cyber-wolves inside your door

24 Mar 2008

The internal threat to business computer systems is becoming all-pervasive.

Keeping the electronic cyberspace wolves from the door used to be the main priority for most companies when securing their IT assets.

These days the internal threat is becoming more pervasive and the spend on internally securing a business from its own employees is beginning, for the first time, to overtake expenditure on external threats.

A survey of information security professionals by The Info Pro revealed 72pc of enterprises cite internal security threats as greater or equal in importance to external threats.

According to Mike Smart, Secure Computing’s product marketing manager, even the external threats have metamorphosed into internal threats. For example, 66pc of top malware is designed to take data out of an organisation.

This is where the user comes in: they click a link that brings them to a zombie machine, from which the malware is downloaded. It then hides in the background, leaking data such as keylogging information.

Smart says the internal threat has two sides. One is the users who, somewhat gullibly, open unsolicited email and follow web links contained therein. “Boundaries are moving inside the organisation as people are using more applications such as web mail, social networking sites, peer-to-peer and so on. So all these things increase the risk of users clicking on a malicious link.”

The other side is the user who is genuinely leaking data, either by accident or maliciously.

“The UK Government did a survey and found 90pc of employees have web mail access and approximately 30pc of them actually send business email to their private web mail account. That’s data leakage right there.

“The challenge with involuntary leakage is awareness and making employees conscious of the dangers.”

Vinny Brijlal, Entropy’s senior security architect, says the internal risk has gone up because the workforce is more mobile and more data is being moved around. Also, the popularity and storage capacity of mobile devices such as USB keys is adding to the possibilities of internal threat.

“Everybody knows the danger of removable media such as USB keys but it’s also iPods and media players. In addition, laptops need to be secured against possible loss or theft.”

This point is particularly apt in the wake of the theft of a disk and laptop belonging to the Irish Blood Transfusion Service (IBTS) in New York, which contained the details of 170,000 donors. According to the IBTS, the data was encrypted and the Data Protection Commissioner is currently investigating the incident.

Brijlal says one of Entropy’s partners is looking at leakage prevention from two perspectives. One is in terms of encryption of laptops and workstations.

“So if it [a laptop] is lost, simply switching it on won’t get the information very quickly. If, however, the person is determined to get the data from the machine they would have to remove the HD and plug it into a separate computer to try to bypass the security controls.”

Brijlal says this can be counteracted, if the organisation is willing to accept the total loss of the machine, by encrypting the entire HD so that removing data from it is impossible.

Brijlal believes having policies and procedures is the best way to combat the internal security threats. This means restricting the types of devices which can be used to copy data and having tight controls on what can actually be downloaded and moved.

“Years ago, many companies used to superglue the USB ports to disable them but users do have to move data around. However, the type of data they move has to be controlled as does the device used to move it. We should be able to create intelligent policies to control this. Companies should have procedures in place allowing users to only copy data to an encrypted USB key or mobile device that is authorised by the company. So, if the devices are lost they can’t be accessed.”

From a backup perspective, many companies are also taking huge data leakage risks.

Eoin Blacklock, co-founder and director of Keep IT Secure, says companies backing up to tape and letting employees take it home are leaving themselves open to prosecution from the Data Protection Commissioner.

“Many companies back up incorrectly. And back up directly to tape. Then a staff member is given the tape for safekeeping and takes it home and stores it away. If the tape is not encrypted or gets into the wrong hands, it spells disaster. Even if the staff member looks at the tape, they’d see private information they don’t have privileges for and should not be looking at. Companies indulging in this practice are completely exposing themselves to prosecution under the Data Protection Act.”

Blacklock observes that companies put locks on their doors and windows and password protect their servers, “but the biggest info leak is a staff member taking your data home with them on backup tape”.

By Eamon McGrane