Tackling security threats from within

A University of Texas student steals 55,000 Social Security numbers from the school's administrative databases. A UBS PaineWebber system administrator activates a logic bomb in the company's network, causing $3 million in damage. A disgruntled Australian IT employee commandeers his company's sewage management software to dump millions of gallons of raw sewage into local parks and rivers.

These real-life examples from the past three years show how devastating damage from malicious insider cyberattacks can be. And the threat is growing. Although companies are reluctant to report having been attacked from the inside, 64 percent of enterprises that responded to a 2002 survey conducted by the Computer Security Institute and the FBI reported experiencing at least one internal incident, up from 59 percent in 2001. From malicious DoS (denial of service) attacks to the theft of HR, financial, or medical records, there are many ways insiders can cause financial and physical damage and create legal liabilities for their employers.

“Insider attacks are where most of the money's lost, where most of the vulnerabilities are," says Frank Huerta, vice president of intrusion-detection product delivery at Cupertino, Calif.-based Symantec. Huerta also notes that many of the increasing number of workers who have been laid off during the past two years have retained passwords to sensitive systems. Increased connectivity among enterprises has also given insiders greater access to the internal networks of partners, customers, and vendors.

"It's almost becoming a myth that there is an internal network,” says Christopher William Klaus, CTO of Atlanta-based Internet Security Systems. As e-business proliferates, “your firewalls become more and more porous,” he adds.

In addition to keeping passwords after termination of their employment, malicious insiders often gain access to internal systems while on the payroll through social-engineering -- essentially sweet-talking IT personnel for passwords to restricted systems. “If you can get the passwords, you’ve got the keys to the kingdom,” Symantec’s Huerta says.

Insiders can also attack without passwords, ISS' Klaus says. For example, an insider can hack credit card data directly through a database using a tool such as Nmap, which scans the network to find default accounts. “You can go on the Internet and download scripts and exploits to break in,” Klaus explains. “Anybody on the inside of your company can download this stuff."

To guard against insider attacks, experts generally recommend a layered approach, meaning that enterprises should use multiple technologies in tandem and should combine these technologies with tough security policies. Here’s a rundown of some of the key technologies and policies enterprises can use to guard against inside attacks.

Identity management

One key layer of protective technology is identity management: software that efficiently tracks, provisions, and deprovisions accounts and passwords across the enterprise. Many vulnerabilities stem from companies giving users, especially contractors, broader access than they really need to do their jobs — access to the whole sales database versus a single region, for example — or forgetting to deprovision accounts when a user is terminated.