I have been on the road for the past few weeks, last week I was in the Middle East and this week I come to you from Scotland. These places would appear to the outsider as being very different places but not when it comes to IT. One topic that was common throughout most meetings that I attended was on the subject of the insider threat, something getting inside a network and causing a problem.
The insider threat can include anything from an employee stealing data to problems with malware capturing sensitive data. From my experience it seems to be becoming more of a problem due to the uptake of BYOD and CYOD. One university that I spoke to last week described the problem they were having with students arriving on campus with smartphones, tablets and laptops. A single student could be walking around with 3 IP addresses; this creates extra demands on IP address allocations and bandwidth management.
Over the years I have noticed that many trends can start within educational institutions and then extend to the workplace as students graduate and move on with their careers. Network managers within these institutions are telling me that it's becoming more difficult to manage bandwidth consumption and to deal with requests to investigate incidents. The best advice I can give here is to make sure users are required to authenticate before they can access any resource on the network. There are many technologies for this, from Microsoft's Active Directory services to RADIUS authentication, which is commonly implemented on wireless networks. Once you make authentication mandatory you have some chance of tracking what users are doing on your network.
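Mandatory authentication only helps an investigation if you can get from a packet's IP address back to a person. The script below is an added example, not part of the original post or any NetFort product: it joins constructed RADIUS accounting records (Start/Stop, with the device MAC in Calling-Station-Id) to constructed ISC dhcpd-style DHCPACK lines to answer "who held this IP at this time?", and it handles the case of a lease being reissued to another device after the first user logged off. The log formats, the 2024 log year and the MAC/IP values are all assumptions made for the example.

```python
import re
from datetime import datetime

# Constructed RADIUS accounting records in a simplified key=value layout.
# Real servers log many more attributes; these four are the ones that matter.
RADIUS_ACCT = """\
2024-03-04T08:01:10 Acct-Status-Type=Start User-Name=jsmith Calling-Station-Id=AA-BB-CC-00-00-01 NAS-IP-Address=10.0.0.5
2024-03-04T08:02:30 Acct-Status-Type=Start User-Name=jsmith Calling-Station-Id=AA-BB-CC-00-00-02 NAS-IP-Address=10.0.0.5
2024-03-04T08:05:00 Acct-Status-Type=Start User-Name=akhan Calling-Station-Id=AA-BB-CC-00-00-03 NAS-IP-Address=10.0.0.6
2024-03-04T12:00:00 Acct-Status-Type=Stop User-Name=jsmith Calling-Station-Id=AA-BB-CC-00-00-01 NAS-IP-Address=10.0.0.5
"""

# Constructed dhcpd syslog lines. Note 10.10.1.20 is handed to a second
# device at 12:30, after the first device's RADIUS session has stopped.
DHCP_LOG = """\
Mar  4 08:01:12 dhcp dhcpd: DHCPACK on 10.10.1.20 to aa:bb:cc:00:00:01 via eth1
Mar  4 08:02:33 dhcp dhcpd: DHCPACK on 10.10.1.21 to aa:bb:cc:00:00:02 via eth1
Mar  4 08:05:02 dhcp dhcpd: DHCPACK on 10.10.1.22 to aa:bb:cc:00:00:03 via eth1
Mar  4 12:30:00 dhcp dhcpd: DHCPACK on 10.10.1.20 to aa:bb:cc:00:00:03 via eth1
"""

LOG_YEAR = 2024  # assumption: syslog lines carry no year

RADIUS_RE = re.compile(
    r"^(?P<ts>\S+) Acct-Status-Type=(?P<status>\w+) User-Name=(?P<user>\S+) "
    r"Calling-Station-Id=(?P<mac>\S+)"
)
DHCP_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .* DHCPACK on (?P<ip>[\d.]+) "
    r"to (?P<mac>[0-9a-fA-F:]+)"
)


def norm_mac(mac):
    """RADIUS and DHCP write MACs differently; compare them in one form."""
    return mac.lower().replace("-", ":")


def parse_radius(text):
    """Return {mac: [[start, stop_or_None, user], ...]} from accounting records."""
    sessions = {}
    for line in text.splitlines():
        m = RADIUS_RE.match(line)
        if not m:
            continue
        ts, mac = datetime.fromisoformat(m["ts"]), norm_mac(m["mac"])
        if m["status"] == "Start":
            sessions.setdefault(mac, []).append([ts, None, m["user"]])
        elif m["status"] == "Stop":
            for s in sessions.get(mac, []):
                if s[2] == m["user"] and s[1] is None:
                    s[1] = ts
    return sessions


def parse_dhcp(text):
    """Return a time-ordered list of (ack_time, ip, mac) lease events."""
    leases = []
    for line in text.splitlines():
        m = DHCP_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
        leases.append((ts, m["ip"], norm_mac(m["mac"])))
    leases.sort()
    return leases


SESSIONS = parse_radius(RADIUS_ACCT)
LEASES = parse_dhcp(DHCP_LOG)


def mac_for_ip(ip, at):
    """MAC holding `ip` at time `at`, or None if that device has since moved on."""
    ip_owner, latest_ip_of_mac = None, {}
    for ts, lease_ip, lease_mac in LEASES:
        if ts > at:
            break
        latest_ip_of_mac[lease_mac] = lease_ip
        if lease_ip == ip:
            ip_owner = lease_mac
    if ip_owner and latest_ip_of_mac[ip_owner] == ip:
        return ip_owner
    return None


def user_for_mac(mac, at):
    """User whose RADIUS session covered `mac` at time `at`, or None."""
    for start, stop, user in SESSIONS.get(mac, []):
        if start <= at and (stop is None or at <= stop):
            return user
    return None


def who_had_ip(ip, at_iso):
    """Join the two sources: IP -> MAC (DHCP) -> user (RADIUS)."""
    at = datetime.fromisoformat(at_iso)
    mac = mac_for_ip(ip, at)
    return user_for_mac(mac, at) if mac else None


def devices_for_user(user):
    """Every MAC a user has authenticated: the 'one student, several IPs' view."""
    return {mac for mac, sess in SESSIONS.items() if any(s[2] == user for s in sess)}


if __name__ == "__main__":
    for ip, when in [("10.10.1.20", "2024-03-04T09:00:00"),
                     ("10.10.1.20", "2024-03-04T12:15:00"),
                     ("10.10.1.20", "2024-03-04T13:00:00")]:
        print(ip, when, "->", who_had_ip(ip, when))
    print("jsmith devices:", sorted(devices_for_user("jsmith")))
```

The lookup refuses to name a user when the IP's last lease belongs to a device whose RADIUS session has already stopped (the 12:15 case), rather than silently blaming the previous owner; that gap is exactly the window in which an unauthenticated device could be using a stale lease, and it is the reason the post's advice to make authentication mandatory matters for incident investigation.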
The edges of our networks are also becoming less well defined as more cloud and other online services are adopted. Once, you just needed to install a firewall, block everything except web and email and then rest easy. Nowadays people invest in other technologies like IPS, web filters and application-aware firewalls. The problem with all of these is that they sit at the perimeter: a device carried into the building and plugged into the LAN never passes through them.
NAC technologies were supposed to be the upcoming way of preventing unwanted devices from connecting to your LAN. From what I have experienced their adoption has been slow, due mostly to costs and the complexities of getting them working.
Other problems that can originate from the LAN are threats like malware and activity associated with illegal file sharing, which can result in being blacklisted by an ISP. During a recent meeting at an engineering firm I listened to a network manager describe how his ISP notified him that his network was a major source of spam email. This came as a major surprise as they had strict policies which called for antivirus applications on all desktops. It was eventually traced back to a laptop that was not owned by the company but was connected to the corporate network. The laptop was infected with malware which was sending 10,000 emails per hour. The other issue that it uncovered was that their firewall was allowing any host on the network to send email, a big no-no when it comes to securing a network.
At a minimum you should be monitoring what is going on within your LAN. Take a look at intrusion detection and traffic analysis solutions that can connect to a mirror port. Mirror ports are available on most network switches and let you listen in on what is happening on a network without installing software or agents on every client and server. Start by monitoring your core switch and then extend the monitoring to other sites on your network.
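The spam incident above would have shown up in minutes on a mirror port: the only host that should ever open outbound SMTP connections is the mail relay, so any other internal source talking to port 25 on the internet is a policy violation regardless of what the firewall currently permits. The script below is an added example, not part of the original post or any NetFort product, covering both the firewall-rule lesson from the engineering-firm story and the mirror-port monitoring advice. It runs two checks over constructed flow records of the kind a collector on a mirror port exports: which internal hosts other than the relay are sending SMTP outbound, and each sender's peak hourly connection count. The LAN range, the relay address, the CSV layout and every address in the data are assumptions made for the example.

```python
import ipaddress
from collections import Counter

INTERNAL = ipaddress.ip_network("10.10.0.0/16")  # assumption: the corporate LAN
MAIL_RELAYS = {"10.10.0.25"}                      # assumption: the only host allowed to send mail out
SMTP_PORTS = {25, 465, 587}

# Constructed flow records: timestamp, src, dst, dst_port, protocol, bytes.
# 10.10.3.77 plays the infected visitor laptop; 10.10.1.20 is a normal client
# submitting mail to the internal relay on 587, which is legitimate.
FLOWS_CSV = """\
2024-03-04T10:00:01,10.10.0.25,203.0.113.10,25,tcp,5400
2024-03-04T10:00:05,10.10.3.77,198.51.100.4,25,tcp,2100
2024-03-04T10:00:06,10.10.3.77,198.51.100.9,25,tcp,2200
2024-03-04T10:00:07,10.10.3.77,203.0.113.44,25,tcp,2000
2024-03-04T10:00:09,10.10.1.20,10.10.0.25,587,tcp,3300
2024-03-04T10:00:12,10.10.1.20,93.184.216.34,443,tcp,9100
2024-03-04T11:00:02,10.10.3.77,198.51.100.5,25,tcp,2300
"""


def parse_flows(text):
    """Turn the CSV export into dicts with parsed addresses and integers."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, dport, proto, nbytes = line.split(",")
        flows.append({
            "ts": ts,
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "dport": int(dport),
            "proto": proto,
            "bytes": int(nbytes),
        })
    return flows


def outbound_smtp(flows):
    """Flows that leave the LAN for an SMTP port; internal-to-internal is ignored."""
    return [f for f in flows
            if f["proto"] == "tcp" and f["dport"] in SMTP_PORTS
            and f["src"] in INTERNAL and f["dst"] not in INTERNAL]


def unauthorised_smtp_senders(flows):
    """Internal hosts sending mail out that are not on the relay allow-list."""
    return sorted({str(f["src"]) for f in outbound_smtp(flows)} - MAIL_RELAYS)


def peak_hourly_smtp(flows):
    """Highest number of outbound SMTP connections any single hour, per source."""
    per_hour = Counter((str(f["src"]), f["ts"][:13]) for f in outbound_smtp(flows))
    peak = {}
    for (src, _hour), n in per_hour.items():
        peak[src] = max(peak.get(src, 0), n)
    return peak


FLOWS = parse_flows(FLOWS_CSV)

if __name__ == "__main__":
    print("hosts sending mail out without being a relay:", unauthorised_smtp_senders(FLOWS))
    for src, n in sorted(peak_hourly_smtp(FLOWS).items()):
        print(f"{src}: peak {n} outbound SMTP connections/hour")
```

The allow-list check is the monitoring counterpart of the egress rule the firm was missing: once the firewall only permits the relay to reach port 25 on the internet, this report should come back empty, and any host that does appear in it is either a firewall misconfiguration or a device on the LAN that the perimeter never saw.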
Do you have any other recommendations for securing networks against the internal threat? Comments welcome.
Darragh Delaney is head of technical services at NetFort. As Director of Technical Services and Customer Support, he interacts on a daily basis with NetFort customers and is responsible for the delivery of a high quality technical and customer support service. Follow Darragh on Twitter @darraghdelaney