How to defend against internal security threats

Page 2 of 2
• Force applications to be configured in a certain way (notably browsers).

• Restrict users from running anything but a certain set of applications.

• Restrict use of removable media.

• Prevent users from modifying system configuration.

Restricting Content

It used to be that IT managers were only worried about what users were able to download; that is, folks were concerned about employee abuse of the Internet. At the time, there wasn't technology to check what the actual downloaded content was -- so managers contented themselves with blocking sites based upon where the user tried to surf. Certain software manufacturers also became service organizations (notably Cyber Patrol) that maintained a list of URLs in certain categories: adult-oriented, comedy, shopping, news, and so on. As a manager, you could then block various categories with a perimeter device that had access to these lists.

This strategy, however, wasn't complete in and of itself. Objectionable sites surface overnight, and the list didn't always reflect reality. And, filtering outbound URLs does nothing to fight questionable content that leaves your site.

Because one of the risks to your organization is the unauthorized disclosure of content (customer lists, intellectual property, and so on), one of the hottest topics in corporate security today is that of content management (also called content filtering, content services, and content restriction). Content management works in conjunction with your perimeter security devices. The software can perform lexical analysis, pattern matching -- even image recognition. (Yes, those images.)

Another risk faced by your organization is the transmission of inappropriate content (pornographic, libelous, or otherwise offensive data) or dangerous content (such as Trojans and viruses) to business partners. You'd have to be nuts to think that any tool could totally eliminate the possibility of inappropriate content making it through your checkpoints. But content management tools can limit the possibility. Virus gateway protection software is one example of specialized content management.

Some vendors label their products as content filters, when in fact they are site filters or URL filters. Again, rather than checking the data stream for objectionable content, they check the Web address against a categorized list of known Web sites. Site filtering has merit. It can definitely decrease the amount of day trading/time-wasting/non-work-related surfing at your organization -- but it's not content filtering. It is only as effective as the folks who update the lists. And, site filtering doesn't do anything for your intranet.

That said, content management tools fall into two categories: those that offer generic content-checking services to the network, and those that operate solely on a specific application.

Those that offer generic content services tend to do it via Check Point Software's CVP (Content Vectoring Protocol). CVP accepts a connection from a client, proxies the request to the server, scans the content, and either modifies or denies the request when the content does not pass muster.

There is not yet an RFC-based content restriction protocol that has been widely implemented. If you're not using Firewall-1 or another firewall that supports CVP, you might have to purchase individual products that separately monitor Web content (HTTP), e-mail (SMTP), news (NNTP), and FTP.

You'll also probably have to put up with some degree of false positives -- yet another thing to administer. For example, content filters commonly block Network Computing's "Centerfold," a showcase of innovative companies' networks.
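As an added illustration (not code from the book, from Check Point, or from any vendor product), the following Python sketch contrasts the site-filter and content-filter approaches described above and follows the CVP-style flow of scanning a payload and then allowing, modifying or denying it. The hostnames, category list and lexical rules are constructed placeholders, and the last rule deliberately reproduces the kind of keyword false positive the "Centerfold" example describes.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed stand-in for a vendor's categorized URL list (site filtering).
SITE_CATEGORIES = {"adult.example": "adult-oriented", "shop.example": "shopping"}
BLOCKED_CATEGORIES = {"adult-oriented"}

# Constructed lexical rules for content filtering: (pattern, action).
# "deny" drops the transfer; "modify" masks the match and forwards the rest.
CONTENT_RULES = [
    (re.compile(r"\bCONFIDENTIAL\b"), "deny"),               # marked internal documents
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "modify"),        # SSN-shaped numbers
    (re.compile(r"\bcenterfold\b", re.IGNORECASE), "deny"),  # naive keyword rule
]

@dataclass
class Verdict:
    action: str   # "allow", "deny" or "modify"
    reason: str
    body: str     # content as it would be forwarded ("" when denied)

def site_filter(url: str) -> Verdict:
    """URL/site filtering: judges the destination, never the data stream."""
    host = urlparse(url).hostname or ""
    category = SITE_CATEGORIES.get(host)
    if category in BLOCKED_CATEGORIES:
        return Verdict("deny", f"site category: {category}", "")
    return Verdict("allow", "host not on any blocked list", "")

def content_filter(body: str) -> Verdict:
    """CVP-style inspection: scan the payload, then allow, modify or deny."""
    for pattern, action in CONTENT_RULES:
        if action == "deny" and pattern.search(body):
            return Verdict("deny", f"content matched /{pattern.pattern}/", "")
    masked = body
    for pattern, action in CONTENT_RULES:
        if action == "modify":
            masked = pattern.sub("[REDACTED]", masked)
    if masked != body:
        return Verdict("modify", "sensitive fields masked", masked)
    return Verdict("allow", "no content rule matched", body)

def inspect_request(url: str, body: str) -> Verdict:
    """Perimeter flow: site filter first, then hand the payload to the scanner."""
    verdict = site_filter(url)
    return verdict if verdict.action == "deny" else content_filter(body)
```

Note that an outbound upload to an unlisted partner host passes the site filter untouched; only the content scan catches the leaked document, while the same scan wrongly denies a harmless page that happens to contain the word "Centerfold".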

Still, content filters can be worthwhile, if you target and configure them correctly. Look for content management to change and grow in the next couple of years.

Administrative Collaboration

At first, administrative collaboration doesn't seem like much of a security practice. How can teamwork make your internal network a safer place?

First, consider that any illegal or unethical action involving partners automatically means that there are witnesses and possible leads to an investigation. As Benjamin Franklin said, "Three can keep a secret if two of them are dead."

Secondly, take the case where there is no explicit partnership during a questionable activity. The fact that there is another administrator who has responsibility for the system involved means that the system itself is under scrutiny. The fact that there is third-party scrutiny of the system might discourage the perpetrator in the best case, or at least lead to discovery of the questionable activity.

You should be careful, however, to avoid assigning too many hands to any given pot. Not only can this lead to system chaos, but it also can make unethical activity harder to trace, either during an incident or an audit. You definitely want a limited pool of individuals accountable for a given system.

This excerpt from Maximum Security: A Hacker's Guide to Protecting Your Computer Systems and Networks was published with permission of SAMS Publishing, all rights reserved.

Copyright © 2003 IDG Communications, Inc.