Targeting the Enemy Within

Computerworld - The fear of corporate data being stolen or accidentally leaked by insiders is what keeps Andreas Wuchner-Bruhl awake at night. Detecting and stopping such leaks is an enormous challenge, especially for large companies with widely distributed data stores and networks, says Wuchner-Bruhl, head of global IT security at Novartis Pharma AG, a $25 billion drug maker in Basel, Switzerland.

These days, the problem is even tougher because it's no longer just the disgruntled or malicious employee who poses the internal threat, says Wuchner-Bruhl. It's also the careless user, the outside hacker posing as a trusted user and others with inside access to enterprise networks, such as suppliers, partners and service providers.

As a result, companies must take a fresh look at the scope of the insider threat and figure out what new technology, processes and administrative controls they need to implement to deal with it, says Wuchner-Bruhl. "Security people like to give the impression that things are under control," he says. "But the fact is, there are so many things we don't even begin know" about internal threats.

Wuchner-Bruhl is among a growing number of security managers who are looking to see what new controls are needed at a time when internal attacks on corporate information systems are increasing. In fact, at many of the world's largest financial services companies, such attacks have already surpassed external attacks, according to Deloitte Touche Tohmatsu's June report on its 2005 Global Security Survey. In the survey of Fortune 100 companies, 34% of the respondents said they had experienced internal attacks in the past 12 months, compared with 14% in 2004. In contrast, only 26% reported external attacks in the past 12 months.

"Insider attacks are the most difficult to catch because these are legitimate users using their legitimate access for inappropriate purposes," says Pete Lindstrom, an analyst at Spire Security LLC in Malvern, Pa. "They tend to have the highest impact, since they are insiders with access and they know where the valuable information is."

Know the Enemy

Understanding that it's not just the disgruntled employee who poses the insider risk is a good place to start addressing the problem, says Jonathan Bingham, president and chief technology officer at Intrusic Inc., a Waltham, Mass.-based security products vendor.

Very often, the more sophisticated inside attacks are launched by outsiders who have stolen legitimate user credentials and then use them to gain access to high-value targets, says Bingham. For example, selectively planted Trojan horse programs were used to collect the usernames and passwords of highly privileged users at more than 300 critical infrastructure companies in the U.K. earlier this year. The credentials were then used by hackers to gain access to high-value systems. Because such targeted attacks generate much less traffic than mass attacks, they are harder to detect using traditional antivirus and e-mail filtering tools, users say (see related story, QuickLink 55220).