Targeting the Enemy Within

Insider security risks grow as partners and suppliers increasingly have access to corporate networks. Here's what companies are doing about the threat.

The fear of corporate data being stolen or accidentally leaked by insiders is what keeps Andreas Wuchner-Bruhl awake at night. Detecting and stopping such leaks is an enormous challenge, especially for large companies with widely distributed data stores and networks, says Wuchner-Bruhl, head of global IT security at Novartis Pharma AG, a $25 billion drug maker in Basel, Switzerland.

These days, the problem is even tougher because it's no longer just the disgruntled or malicious employee who poses the internal threat, says Wuchner-Bruhl. It's also the careless user, the outside hacker posing as a trusted user and others with inside access to enterprise networks, such as suppliers, partners and service providers.

As a result, companies must take a fresh look at the scope of the insider threat and figure out what new technology, processes and administrative controls they need to implement to deal with it, says Wuchner-Bruhl. "Security people like to give the impression that things are under control," he says. "But the fact is, there are so many things we don't even begin to know" about internal threats.

Wuchner-Bruhl is among a growing number of security managers who are looking to see what new controls are needed at a time when internal attacks on corporate information systems are increasing. In fact, at many of the world's largest financial services companies, such attacks have already surpassed external attacks, according to Deloitte Touche Tohmatsu's June report on its 2005 Global Security Survey. In the survey of Fortune 100 companies, 34% of the respondents said they had experienced internal attacks in the past 12 months, compared with 14% in 2004. In contrast, only 26% reported external attacks in the past 12 months.

"Insider attacks are the most difficult to catch because these are legitimate users using their legitimate access for inappropriate purposes," says Pete Lindstrom, an analyst at Spire Security LLC in Malvern, Pa. "They tend to have the highest impact, since they are insiders with access and they know where the valuable information is."

Know the Enemy

Understanding that it's not just the disgruntled employee who poses the insider risk is a good place to start addressing the problem, says Jonathan Bingham, president and chief technology officer at Intrusic Inc., a Waltham, Mass.-based security products vendor.

Very often, the more sophisticated inside attacks are launched by outsiders who have stolen legitimate user credentials and then use them to gain access to high-value targets, says Bingham. For example, selectively planted Trojan horse programs were used to collect the usernames and passwords of highly privileged users at more than 300 critical infrastructure companies in the U.K. earlier this year. The credentials were then used by hackers to gain access to high-value systems. Because such targeted attacks generate much less traffic than mass attacks, they are harder to detect using traditional antivirus and e-mail filtering tools, users say (see related story, QuickLink 55220).

The growing interconnectedness of enterprise networks also means it's not just the employee who has access to internal assets. "We can have a situation where a guy who has legitimate access for a day can plant a back door on our systems and log in at will later," says Jeff Nigriny, chief security officer at Exostar Inc., a business-to-business portal for the aerospace industry in Herndon, Va.

Detecting the telltale signs of such activity requires a deeper analysis of network traffic and behavior than most traditional security technologies provide, Nigriny says.

Nigriny's company is using a hardware appliance from Intrusic called Zephon to analyze network traffic at the packet, session, host and environment levels. Such monitoring allows companies like Exostar to identify suspicious internal network activity such as data flows going in the wrong direction, servers consuming data instead of producing it and computers communicating with one another where no such communication existed previously, Bingham says.

Malicious insiders use network resources in subtly different ways from normal users. Intrusic's tool is designed to detect such "illegal movement of a sophisticated individual within a network," Bingham says.

"It looks for things down at the Level 2 and Level 3 layers. It doesn't care what the application is," says Nigriny. The tool can be used to identify issues as varied as a misconfigured firewall, an employee downloading porn or someone attempting to upload confidential data to an external server in an HTTP stream, he says.
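The signals Bingham and Nigriny describe (data flowing the wrong way, a server consuming instead of producing, and hosts talking to each other that never did before) can be expressed as a baseline-and-compare check over per-connection flow summaries. The following is an added example written for this page, not Intrusic's or Exostar's code, and it makes no claim about how Zephon actually works. The flow records, address range and the 10x upload ratio are constructed assumptions.

```python
"""Baseline-and-compare detection of suspicious internal network flows.

Added example, not Intrusic's or Exostar's code: it makes no claim about how
Zephon works. It turns the three signals the article names (data flowing the
wrong way, a server consuming instead of producing, hosts talking that never
talked before) into checks over constructed flow summaries.
"""

# Assumption: flow records are summarised per connection as
# (src, dst, dst_port, bytes_src_to_dst, bytes_dst_to_src).
INTERNAL_PREFIX = "10."     # constructed: the corporate address range
UPLOAD_RATIO = 10           # "reversed" when the client sends 10x what it receives

# Constructed baseline window: the learning period, assumed clean.
BASELINE = [
    ("10.0.1.10", "10.0.2.20", 443, 2_000, 400_000),    # workstation browses intranet web server
    ("10.0.1.11", "10.0.2.20", 443, 3_000, 350_000),
    ("10.0.1.10", "10.0.2.30", 445, 5_000, 900_000),    # workstation reads from file server
    ("10.0.2.20", "10.0.2.40", 1433, 60_000, 200_000),  # web server queries database
]

# Constructed current window with three planted anomalies.
CURRENT = [
    ("10.0.1.10", "10.0.2.20", 443, 2_500, 380_000),          # normal browsing
    ("10.0.1.12", "10.0.2.20", 443, 2_000, 300_000),          # new workstation, expected direction
    ("10.0.1.10", "10.0.2.20", 443, 60_000_000, 5_000),       # web server is being fed 60 MB
    ("10.0.2.30", "198.51.100.7", 443, 2_500_000, 20_000),    # file server pushes data to the internet
    ("10.0.2.40", "10.0.2.30", 445, 1_000, 800_000),          # database server now reads the file share
]


def learn_baseline(flows):
    """Learn which (src, dst, port) triples are normal and which (host, port)
    pairs answered connections, i.e. which hosts act as servers."""
    pairs = set()
    servers = set()
    for src, dst, port, _, _ in flows:
        pairs.add((src, dst, port))
        servers.add((dst, port))
    return pairs, servers


def detect(flows, pairs, servers):
    """Return (signal, src, dst, port) alerts for flows that break the baseline."""
    server_hosts = {host for host, _ in servers}
    alerts = []
    for src, dst, port, to_dst, to_src in flows:
        uploading = to_dst > UPLOAD_RATIO * to_src
        if uploading and (dst, port) in servers:
            # A service that normally hands data out is swallowing it instead.
            alerts.append(("server_consuming", src, dst, port))
        if uploading and not dst.startswith(INTERNAL_PREFIX):
            # Bulk data leaving the perimeter on a port that looks like web traffic.
            alerts.append(("outbound_upload", src, dst, port))
        if src in server_hosts and (src, dst, port) not in pairs:
            # A server initiating a conversation it never had during the baseline.
            alerts.append(("new_server_peer", src, dst, port))
    return alerts


def run():
    """Learn from BASELINE, then score CURRENT."""
    pairs, servers = learn_baseline(BASELINE)
    return detect(CURRENT, pairs, servers)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The checks are deliberately application-agnostic, in the spirit of Nigriny's remark that the tool does not care what the application is: only addresses, ports and byte counts are consulted. The new workstation in the current window raises nothing, because a client pulling from a known server in the expected direction is exactly what the baseline taught; the file server pushing 2.5 MB to an outside address raises two alerts at once, since it is both an outbound upload and a server talking to a peer it never had.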

What's Going Out

Network egress filtering is another way of finding out whether protected data is leaving corporate boundaries in an illegal fashion, says Jeff Karafa, chief financial officer at Community Bank of Dearborn in Michigan.

The bank uses a hardware appliance from Reconnex Inc. in Mountain View, Calif., to examine outgoing corporate e-mail, Web mail, instant messages and Web posts for confidential data such as customer account numbers.

Like other products in its class, Reconnex's iGuard technology uses a combination of exact data matching, contextual analysis and policy information to alert administrators when specific pieces of protected information traverse the network. Such alerts can be useful in identifying both malicious leaks and accidental ones—such as an employee sending a file containing confidential information to his personal e-mail account so he can work on it at home.
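The combination described above, exact data matching backed by contextual analysis and a delivery policy, is small enough to show end to end. The following is an added example written for this page, not Reconnex code, and says nothing about how iGuard is actually implemented. The account numbers, messages, fingerprint key and the bank's mail domain are constructed assumptions.

```python
"""Egress content filtering with exact data matching plus a contextual fallback.

Added example, not Reconnex code: iGuard's matching is not described on the
page. It shows the mechanism the article names: register the bank's account
numbers as keyed fingerprints, scan outbound messages for them, and apply a
policy based on where the message is going.
"""
import hashlib
import hmac
import re

# Constructed: in a deployment the filter holds only these keyed hashes, so a
# compromised appliance does not hand over the account list itself.
FINGERPRINT_KEY = b"constructed-demo-key-rotate-in-production"
INTERNAL_DOMAIN = "bank.example"          # assumption: the bank's own mail domain

# Candidate tokens: a digit run of 8+ characters that may contain spaces/dashes.
CANDIDATE = re.compile(r"(?<!\d)\d[\d \-]{6,}\d(?!\d)")
# Contextual clue: a banking keyword near a digit run that is not a known account.
CONTEXT = re.compile(r"\b(account|acct|routing)\b", re.IGNORECASE)


def normalize(token):
    """Strip the separators people add so '4123 5567' and '41235567' fingerprint alike."""
    return re.sub(r"[ \-]", "", token)


def fingerprint(value, key=FINGERPRINT_KEY):
    """Keyed hash of a protected value; the plaintext never sits in the index."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def build_index(account_numbers, key=FINGERPRINT_KEY):
    """One-time registration of protected values; returns the fingerprint set."""
    return {fingerprint(normalize(a), key) for a in account_numbers}


def scan_message(text, index, key=FINGERPRINT_KEY):
    """Return (kind, token) hits: 'exact' for registered data, 'contextual' for
    look-alikes that sit next to a banking keyword."""
    hits = []
    for m in CANDIDATE.finditer(text):
        token = m.group()
        if fingerprint(normalize(token), key) in index:
            hits.append(("exact", token))
            continue
        window = text[max(0, m.start() - 40):m.end() + 40]
        if CONTEXT.search(window):
            hits.append(("contextual", token))
    return hits


def decide(recipient, text, index, key=FINGERPRINT_KEY):
    """Policy: exact hits to an outside address are blocked, contextual hits are
    alerted on, and internal delivery is allowed but logged."""
    hits = scan_message(text, index, key)
    if not hits:
        return "allow", hits
    external = recipient.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN
    if not external:
        return "allow-logged", hits
    if any(kind == "exact" for kind, _ in hits):
        return "block", hits
    return "alert", hits


# Constructed account numbers and outbound messages for the demo.
INDEX = build_index(["4123 5567 8890 1123", "7788990011"])
MESSAGES = [
    ("bob@personal-mail.example", "Can you check account 4123-5567-8890-1123 tonight?"),
    ("bob@personal-mail.example", "Call me on 2005-10-12, room 7788."),
    ("bob@personal-mail.example", "Please confirm the routing number 1234 5678 9 before the wire."),
    ("carol@bank.example", "Statement for 4123556788901123 attached."),
]


def run():
    """Apply the policy to every constructed message; returns [(recipient, decision)]."""
    return [(rcpt, decide(rcpt, text, INDEX)[0]) for rcpt, text in MESSAGES]


if __name__ == "__main__":
    for rcpt, text in MESSAGES:
        print(rcpt, decide(rcpt, text, INDEX))
```

Two design points matter in practice. Normalising before hashing is what makes "exact" matching survive the dashes and spaces people type, so the same account number is caught whether it is formatted or not. The contextual path is the noisy one: a date or a room number is ignored, but a digit run next to "routing" earns an alert rather than a block, since the filter cannot prove it is protected data.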

The amount of data that trickles out in such fashion can be surprising, Karafa says. "We thought we were doing pretty well on our own" in detecting such leaks, he says. But then the bank tested Reconnex's egress-filtering tool and noticed how much sensitive information was slipping out, often as a result of employees making mistakes. In one case, an employee was found to be sending customer account information to a former worker and was promptly fired, Karafa says.

"When that data was presented to us, it was something of an eye-opener," says Karafa, who also uses the Reconnex tool to monitor the Web surfing habits of employees.

But content-monitoring tools don't always scale well and are of limited use in environments where network traffic is encrypted, says Wuchner-Bruhl. He is considering using digital rights management technologies to tag confidential data and intellectual property in order to control how it is accessed and used. DRM tools, which are available from vendors such as Microsoft Corp., Authentica Inc. and Liquid Machines Inc., are designed to let companies track how data is used and prevent employees who don't have the right privileges from doing things like reading, altering, copying, printing and forwarding data.

For the Money

Financial motives appear to be a primary driver in a growing number of insider attacks, says Bingham. One example of that trend is the theft of information on about 60,000 Bank of America Corp. customers by a New Jersey-based data-theft ring that had also stolen information from three other banks—Wachovia Corp., Commerce Bancorp Inc. and PNC Bank NA. The ring's members included seven former employees from across the four banks.

Most such inside attacks are planned in advance and can be prevented if the right controls are in place, according to a report released in May by the U.S. Secret Service and Carnegie Mellon University's CERT Coordination Center. Good configuration management practices, for instance, allow companies to identify unauthorized changes to software or the creation of unauthorized remote-access accounts, both of which could portend trouble, the report says. Segregating the duties of systems administrators and privileged users is another way of ensuring that a single person doesn't have unbridled access to network resources, according to the report.

It's also important to have the right processes in place for disabling network access when employees are terminated, notes the report, which is based on an investigation of 49 cases of insider attacks via computer systems in critical infrastructure sectors between 1996 and 2002.

Many inside attacks continue to be the work of disgruntled employees and former workers who still have access to corporate systems after they leave, according to the CERT report.

In many cases, the triggers for such attacks are negative work-related incidents that could be addressed via formal human resources processes for handling employee grievances, and by reporting suspicious behavior, the report says.

Companies need to use access control and account provisioning tools to identify and close the "orphan accounts" that are left behind when employees leave or are terminated. The failure to close such accounts gives former employees an entry into the corporate network.
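Two of the controls above, spotting accounts created outside the change process and closing the orphan accounts left behind when people leave, come down to reconciling the directory against HR records and change tickets. The following is an added example written for this page, not code from the CERT/Secret Service report or from any provisioning vendor. The roster, directory export, ticket list, group names and the convention that a provisioning tool stamps the approving ticket into the account are all constructed assumptions.

```python
"""Orphan-account and unauthorised-account checks from HR and directory data.

Added example, not code from the CERT/Secret Service report or from any vendor:
it shows the two controls the report recommends (configuration management that
spots unauthorised account creation, and closing accounts when people leave)
as a reconciliation over constructed HR, directory and change-ticket data.
"""
from datetime import date

# Assumption: the provisioning process stamps the approving change ticket into
# the account's description; an account with no ticket was created out of band.
HR_ROSTER = {  # constructed
    "jdoe":   {"status": "active"},
    "asmith": {"status": "terminated", "term_date": date(2005, 8, 31)},
    "bwong":  {"status": "terminated", "term_date": date(2005, 3, 15)},
}
CHANGE_TICKETS = {"CHG-100": "approved", "CHG-155": "approved", "CHG-160": "rejected"}  # constructed
REMOTE_ACCESS_GROUPS = {"vpn-users", "Remote Desktop Users"}   # constructed group names
ADMIN_GROUPS = {"Domain Admins"}

DIRECTORY = [  # constructed: what a directory export would give back
    {"name": "jdoe",        "enabled": True,  "ticket": "CHG-100", "groups": {"staff"}},
    {"name": "asmith",      "enabled": True,  "ticket": "CHG-155", "groups": {"staff", "vpn-users"}},
    {"name": "bwong",       "enabled": False, "ticket": "CHG-100", "groups": {"staff"}},
    {"name": "ctemp",       "enabled": True,  "ticket": "CHG-160", "groups": {"contractors"}},
    {"name": "svc_backup2", "enabled": True,  "ticket": None,      "groups": {"vpn-users", "Domain Admins"}},
]


def find_orphans(directory, roster, as_of):
    """Enabled accounts whose owner has left or is unknown to HR. Each result
    carries how many days the door has been open and whether it works remotely."""
    orphans = []
    for acct in directory:
        if not acct["enabled"]:
            continue                      # already closed, nothing to do
        person = roster.get(acct["name"])
        if person is None:
            reason, days_open = "no HR record", None
        elif person["status"] == "terminated":
            reason, days_open = "terminated", (as_of - person["term_date"]).days
        else:
            continue                      # active employee, legitimate account
        remote = bool(acct["groups"] & REMOTE_ACCESS_GROUPS)
        orphans.append((acct["name"], reason, days_open, remote))
    return orphans


def find_unauthorized(directory, tickets):
    """Accounts with no approved change ticket behind them. Those that also carry
    remote-access or admin rights are the remote back door the report warns of."""
    findings = []
    for acct in directory:
        if tickets.get(acct["ticket"]) == "approved":
            continue
        privileged = bool(acct["groups"] & (REMOTE_ACCESS_GROUPS | ADMIN_GROUPS))
        findings.append((acct["name"], acct["ticket"], "critical" if privileged else "medium"))
    return findings


def run(as_of=date(2005, 10, 3)):
    """Run both reconciliations against the constructed data."""
    return {
        "orphans": find_orphans(DIRECTORY, HR_ROSTER, as_of),
        "unauthorized": find_unauthorized(DIRECTORY, CHANGE_TICKETS),
    }


if __name__ == "__main__":
    for kind, findings in run().items():
        print(kind)
        for f in findings:
            print("  ", f)
```

The value of the reconciliation is in the joins, not in either source alone: the directory cannot tell that asmith left a month ago, HR does not know that the account still sits in the VPN group, and only the change system can say that svc_backup2 was never approved at all. Running it on a schedule, and feeding the disable step back into the same change process, is what turns the report's advice into a control rather than an audit finding.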

Training, user awareness and administrative measures are perhaps as important as technology when it comes to dealing with insider risks, says Kim Milford, information security manager at the University of Rochester in New York.

Outside hackers are increasingly using social engineering methods, such as spoofed e-mails and Web sites, to lure people into disclosing sensitive information and user credentials. These so-called phishing and pharming exploits are now among the top security concerns of the financial companies in the Deloitte survey.

The efficacy of such methods on untrained users can be alarming, says Jason Jones, a webmaster at a private university in Texas that he asked not be named. In a test earlier this year, Jones and his team managed to harvest authentication credentials from over 90% of targeted individuals by using spoofed e-mail and Web pages designed to look as though they were from the university's IT security team.

Educating and training employees about such issues is key, Milford says. It's also vital that employees know security policies and the consequences of misusing corporate data and network resources, says Wuchner-Bruhl.

Technological measures are important as well, Milford says. Among those Milford has found useful are controls that enforce least privilege rules, meaning they give users no more access than they need. She also likes tools that use IP restrictions to limit access to protected information and keep logs for monitoring unsuccessful application access attempts.

In addition, Milford advocates the use of what she calls a "carrot-and-stick policy" to induce good security practices. The stick could be a comprehensive policy with strong enforcement, she says. The carrot could take the form of incentives for completing security training, such as job reclassification, merit raises, bonuses and increased opportunities for career development, Milford says. Empowering staffers at all levels of the organization to learn about security and take steps to guard organizational resources in their power is also key, she says.

"Education, empowerment and enforcement are probably the most critical ways to create a climate of security for administrators and users," Milford says. "Utilizing and reinforcing the message that everyone has a responsibility for information security is important."



In a survey commissioned by Mazu Networks Inc. in Cambridge, Mass., security professionals who have had internal security breaches reported the following consequences:

Breach led to the interruption of a critical business system 40%
Breach resulted in data corruption or loss
Breach led to intellectual property theft 17%


The same security professionals claim to have found the following network vulnerabilities over the past 12 months:

Active user accounts that belonged to ex-employees 46%
Misconfigured hosts or networking equipment 44%
Rogue wireless access points 31%
Network nodes with default passwords enabled 26%

BASE: IT security professionals at 229 companies with more than 1,000 employees. Multiple responses allowed.

Source: "Mazu Networks Internal Threat Report," March 2005

Copyright © 2005 IDG Communications, Inc.
