The Enemy Within

BOSTON (05/08/2000) - If your security strategy is focused on building the most impenetrable defense against external assaults, you may be ignoring an even more ominous threat - attacks from your co-workers. Experts say the majority of damage to enterprise systems can be traced to disgruntled or mischievous employees.

Long after most people have called it a day, a network administrator sits at his desk, studying a monthly report detailing activity at the company's firewall. He searches for holes that crackers could use to infiltrate the network to steal or sabotage critical information.

Down the hall in the marketing department, a woman calls up a payroll file to measure her co-workers' salaries against her own. And a software engineer two floors down prints out a copy of newly tested code he expects will bring him thousands of dollars from the company's biggest competitor.

All the hype and media flash about denial-of-service attacks, destructive break-ins and teenage computer geniuses are distracting network executives from the real threat to their computer networks - their own employees.

Industry analysts estimate that in-house security breaches account for 70 percent to 90 percent of the attacks on corporate computer networks. And the percentage is probably even higher than that because most insider attacks go undetected. In fact, Dennis Szerszen, director of security strategies at The Hurwitz Group in Framingham, Massachusetts, says for every in-house attack reported, there could be as many as 50 that go unreported or undetected.

That means most companies are blind to the majority of attacks on their systems. It also means the financial losses associated with these attacks are going uncalculated.

"People are ignoring their biggest threat," says John O'Leary, director of education for the Computer Security Institute in San Francisco. "The attention given to hackers by the press is what gets the attention of upper management, and that's what they base their security purchases on. . . . People need to be worried about the insiders because they know how to hurt the organization specifically, drastically and quickly."

That often invisible inside threat comes in many forms. It could be a disgruntled employee who has been put on probation or received a bad work review and wants to lash out at the company by deleting files or changing information. It could be someone who is struggling financially and has been offered thousands of dollars to e-mail or print out classified information. Or it could be a worker breaking into files to change payroll numbers.

And these are the last people you would suspect. They're the people the network administrator chats with over coffee in the lunchroom; the people having their questions answered by the help desk. These are the people - more than any outside hacker - who know the system, know the company and know what to do and where to go to make an attack really hurt.

"The vast majority [of employees] are scrupulous and honest and want . . . their company to succeed," O'Leary says. But even someone who is generally satisfied is going to be somewhat disgruntled when they hear about booming salaries or stock options at other places. They hear about the 23-year-old millionaire loaded down with options, and suddenly they're not satisfied.

"It might be a matter of vandalizing or selling information to competitors. Sometimes it's getting information for themselves, say about a coming merger, and buying stock beforehand," O'Leary says. "It all comes down to the fact that we now have highly interconnected systems. With the speed and the power of our own network tools, the ability of one or a couple of disgruntled employees to cause a significant amount of damage has multiplied."

Misspending security budgets

If network executives have their eyes trained in the wrong places, they're most likely not spending their security budgets where it will help them most.

Firewalls became the hot security commodity about three years ago, and now virtual private networks (VPN) are taking up their own share of the market.

Both technologies are generally focused on securing the perimeter, making sure only the right people get in and keeping everyone else out.

"When you look at buying trends, it's mostly geared for maintaining a secure perimeter," Hurwitz's Szerszen says. "Almost everybody has antivirus software, firewalls and VPNs. But people would do well by their money if they thought about policy access management software and tracking and monitoring devices . . . They've got to think about a different kind of security."

And that market is starting to get some attention. According to The Yankee Group in Boston, the adaptive network security management market is growing at an annual compound rate of 49 percent. That is expected to push the market from $45 million in 1997 to $747 million in 2003.

Tools of the trade

The latest products in this arena are coming from security vendors such as Internet Security Systems, Axent Technologies, ODS Networks and Netegrity.

For example, companies have long been able to give each employee specific rights and privileges on a network. A person working in human resources shouldn't be able to access the company's sales plans, while the top salesperson shouldn't be able to access employees' personnel records. Analysts and vendors agree that many companies are beginning to put a new focus on these privileges, setting up specific access and rights policies, and giving administrators the teeth they need to enforce them.

What's going to be hot, according to industry observers, is software that will track employees' footprints on the network, mapping out their normal usage patterns. Then if a worker suddenly logs on at 2 a.m. or tries to access a file or a server they normally don't, the software could shut down access and alert an administrator.
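The usage-pattern monitoring described above, as an added toy example that is not from the article or any vendor named in it: it builds a per-user baseline (resources touched, hours of day seen) from a constructed access log and flags a 2 a.m. login or a first-time access to a server. The log format, user names and resource names are all assumptions made up for the illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed (not real) access log, "timestamp,user,resource", treated as normal usage
BASELINE_LOG = """\
2000-04-03T09:12:00,alice,hr-db
2000-04-05T16:30:00,alice,hr-db
2000-04-03T08:55:00,bob,sales-plans
2000-04-05T17:10:00,bob,crm
"""

def parse(log):
    for line in log.splitlines():
        ts, user, resource = line.split(",")
        yield datetime.fromisoformat(ts), user, resource

def build_profiles(log):
    """Per-user baseline: resources ever touched and hours-of-day ever seen."""
    profiles = defaultdict(lambda: {"resources": set(), "hours": set()})
    for ts, user, resource in parse(log):
        profiles[user]["resources"].add(resource)
        profiles[user]["hours"].add(ts.hour)
    return profiles

def check_event(profiles, ts, user, resource, hour_slack=1):
    """Return the list of deviations for one event; an empty list means normal."""
    prof = profiles.get(user)
    if prof is None:
        return ["unknown user"]
    reasons = []
    if resource not in prof["resources"]:
        reasons.append(f"{resource} never accessed by {user} before")
    # Tolerate an hour either side of the hours this user normally works.
    if not any(abs(ts.hour - h) <= hour_slack for h in prof["hours"]):
        reasons.append(f"activity at {ts.hour:02d}:00 is outside usual hours")
    return reasons

def scan(profiles, log):
    """Return (user, resource, reasons) for every event that deviates from baseline."""
    checked = ((u, r, check_event(profiles, ts, u, r)) for ts, u, r in parse(log))
    return [hit for hit in checked if hit[2]]

# Constructed events to test: a 2 a.m. login and an HR clerk reading sales plans
NEW_EVENTS = """\
2000-04-17T02:03:00,bob,crm
2000-04-17T10:15:00,alice,sales-plans
2000-04-17T09:30:00,alice,hr-db
"""

if __name__ == "__main__":
    for user, resource, reasons in scan(build_profiles(BASELINE_LOG), NEW_EVENTS):
        print(f"ALERT {user} -> {resource}: {'; '.join(reasons)}")
```

A real deployment would learn the baseline over a longer window and add counts and thresholds, but the shape of the check (profile, then deviation) is the same.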

And that is only the beginning. Analysts say companies also should be looking to set up internal firewalls, encrypt key databases and audit for internal security holes.

Robert Forbes, technology manager for First Tennessee, one of the 25 largest holding companies in the U.S., says those are all necessary tools to shore up a network. He says getting the tools in place is less about the technology and more about convincing those in charge that purchasing the tools is needed.

IS has to educate the CEOs

"Internal security is a worry," Forbes says. "It's something that we have to go to [the bank executives] with. They don't come to us concerned about this one. They come to us worried about hackers and denial of service. We have to get them to worry about someone being paid $5,000 for stealing internal information. That information could be walking right out our door."

That means getting executives to look past the media hype and focus on more mundane security problems. "Quite a bit of it is about education," Forbes says.

"I tell them they have to worry about the guy whose wife left him, the dog bit him, he's in a bad mood and now there's trouble."

To take care of that disgruntled employee or anyone else with a devious motive, Forbes says he's set up a myriad of policies and software, including computer usage policies that spell out which desktops, files and servers each employee can access. He also has clearly spelled out punishments that range from a reprimand to termination. He has set up user privileges, passwords and identification numbers, along with software to track usage patterns, and monitoring software to detect and set off alarms for deviations in those patterns.

On top of that, First Tennessee reserves the right to monitor employees' in-house bank accounts. Forbes says if he suddenly deposits $10,000, the bank probably will come asking questions about where he got the money.

A matter of trust

But no matter how many safeguards the bank has in place, Forbes says there has to be some level of trust involved.

"If my goal is to disable First Tennessee's network, there's not a whole lot they can do to prevent that," he says. "If I'm silently stewing and if I decide to open up the whole network or to shut down the whole network, I could do that. They have to trust me."

That leads to what is often the company's greatest leap of faith - the security or network administrator. This is the person who often has access to every part of the network. As one corporate user who asked to remain anonymous says, "That's the guy with the key to the kingdom. You've got to trust somebody, don't you?"

Analysts generally recommend that if possible, no single person should have access to everything. Split up responsibilities and rights so no single administrator can touch every part of the network.

Ultimately, however, it all comes back to trust. If security administrators tie employees' hands enough so they can't steal or sabotage anything, their productivity might also suffer.

"Electronic security should not be a substitute for having employees who are trustworthy and responsible and good stewards of the information they have at hand," says Len Laughridge, network and systems administrator for AtheroGenics, a biomedical research company in Alpharetta, Ga.

Of course, Laughridge is no fool. He backs up that trust with authentication, passwords, privileges and policies. He also locks down some of his desktops with Ensure Technologies' wireless XyLoc product, which secures PCs, workstations and laptops when the authorized user is not in the vicinity.

Sam Alaw, a network engineer for the U.S. Environmental Protection Agency in Dallas, which has 16,000 employees throughout all 50 states, asserts that most network abuses are merely pranks, if not simple mistakes.

"I don't think there's a sense of destruction or of purposefully causing trouble," says Alaw, who adds system-monitoring software to the basic round of network protections. "If someone does cause destruction on the network, we'll find that out . . . But mostly if you can get a user not to write his password on his monitor, that's a big step."

"There has to be a leap of faith with your employees at some point," says the IT director for a laboratory software and robotics firm, who did not want to be identified. "You try to eliminate the variables where you can but you'll never be 100 percent. At some point you become so bureaucratic that people can't do their jobs and you're looking at diminishing returns." But he backs up that trust with policies and user privileges, passwords and monitoring tools from ODS Networks, along with tools he's evaluating from Internet Security Systems.

Those ODS monitoring tools caught one employee who was linking corporate computers to a string of external computers in an attempt to break Data Encryption Standard algorithms. The employee wasn't doing anything malicious, but he opened up the internal computers to outside eyes and depleted the company's own computing power.

However, Matthew Kovar, a senior analyst at The Yankee Group, says that's the kind of faith that gets many companies in trouble.

"They think they know everyone. They think they have trusted employees," Kovar says. "That philosophy breaks down sometimes, some would say quite often. . . . The reality is that most people aren't deploying technologies to alert themselves [to inside breaches]. They don't even know it's happening."