Security philosophies tend to be externally focused -- build firewalls to keep the bad guys from coming in because the outside world is dangerous. Sadly, the greatest threat to most companies sits inside the firewall -- trusted employees with access to systems, who don't need fancy hacking tools to get into your IT systems. They already have everything at their fingertips.
Small and medium-sized businesses (SMBs)
might think that since they're smaller -- and sometimes more tight-knit -- they know their employees better and are less vulnerable. Think again.
Internal threats range from the theft of sensitive customer data to stealing trade secrets that could cripple your business if passed to a competitor. An SMB on a shoestring budget risks losing far more than its larger counterpart, who has deeper resources to protect itself.
The insider threat can be mitigated on three levels: physical security, administrative security and technical security. For an SMB, the first two -- physical and administrative security -- are probably already part of its routine. Technical security is the challenge, since it requires networking monitoring tools that can be costly both financially and in demands on staff.
But there are ways an SMB can protect itself from the insider threat at a reasonable cost and with existing IT staff. Here are some best practices specifically for thinly staffed and cash-strapped SMBs:
Conduct a risk analysis of your data and systems. Determine what data you have, its sensitivity and on which systems it resides. Do you handle sensitive customer data, like Social Security numbers, for example? Do you store medical records for patients? What about bank account and other financial information?
Create a classification system for data based on risk level. It should be at least three tiers -- low, medium and high -- and be part of your information security policy, if you have one. Social Security numbers, medical records and financial information would be high risk. Names and addresses of customers, which can be found in a phone book, might be medium risk. Marketing data that can't be traced back to an individual, and his or her accounts or transactions, would be low risk. Any public information, of course, such as marketing brochures either in print or on a Web site, would also be low risk.
Some of these classifications are driven by regulations in your industry. In heavily regulated industries, like health care and finance, you will have to follow guidelines set out by the Health Insurance Portability and Accountability Act for medical institutions and the Sarbanes-Oxley Act for financial institutions.
Limit employee access. Employees shouldn't have free rein of your facility. All IT systems with high-risk data should be segregated physically in separate locked rooms. Only those employees whose job duties require access to that information should be allowed into those areas.
Assign a system of badges. All on-site employees, visitors and vendors, should have badges. Color coding the badges is one way to define areas where people are allowed access. Access to sensitive areas should be logged and checked regularly.
Badge systems don't have to be elaborate. Simple systems can be set up at a reasonable cost. However, if you're a government contractor, or working with classified material, you may require smart cards or biometrics, which are more costly.
Perform background checks on all employees before offering employment. That doesn't mean an exhaustive life history going back to their kindergarten teachers, but verifying the last five years of employment is a good start. In addition, education, degrees, professional certifications and criminal records should be checked. This can be done by your existing human resources staff or outsourced to a service.
Weigh the results of background checks with care. A search of criminal records may show a misdemeanor offense from years ago for some youthful indiscretion or a college prank. This shouldn't disqualify a candidate. But a red flag might be a recent felony conviction for fraud that resulted in a two-year stay at the local penitentiary, which the candidate papered over as a bogus -- and unverifiable -- job on their resumé.
Access controls are key. Employees should be given roles based on their job duties and the level of risk of data they have to access. Roles can be further subdivided on a per-project basis, as well. For example, an engineer working on one project may need access to only that project's data and not other project data, which could involve sensitive trade secrets.
Your current IT systems, whether Windows or Unix, already have built-in access controls. The key is to create groups around the risk levels and roles just described. Access should be audited regularly and all employees who are no longer with the company should have their access rights revoked. Former employees are considered insiders because of their prior access to your systems. If their accounts haven't been removed, their ghosts can come back to haunt you.
Both Active Directory in Windows and Lightweight Directory Access Protocol for Linux, for example, have capabilities for creating groups and roles and account auditing and revocation.
Security awareness training can seem costly, at first. But there are computer-based programs and clever ways to spread security knowledge without bringing in a team of expensive trainers. The Security Awareness Co. and Native Intelligence Inc. both offer Web-based training that can be tailored to a company's needs. All employees should be required to take such training as part of their annual reviews. These programs can be set to automatically record if employees, in fact, take the training.
Technical controls include network monitoring for suspicious or anomalous activity. The difference is that network monitoring for insider threats has to monitor activity inside the network, not just activity coming in from the outside, as is the case for many monitoring tools.
Restrict access to mobile devices and portable storage devices like USB keys and iPods. These devices can download data from the company network and can then walk out the door with an employee. If you're using Active Directory, access to USB ports can be restricted through Group Policy Objects. In addition, some products such as GFI Software Ltd.'s GFI LANguard and those from Safend can restrict and monitor attempts to use unauthorized portable devices on the network.
Technical security can be the most costly to an SMB. But there are alternatives for the budget conscious.
Peakflow from Arbor Networks Inc. uses behavioral modeling and analysis of internal network traffic to detect abnormal traffic. By creating a baseline of normal activity and use, Peakflow uses a proprietary algorithm to check for malicious traffic that could point to inappropriate access by an insider. Other companies with products in this space include Netwise AB, Lancope Inc., Mazu Networks Inc. and Q1 Labs Inc.
With all three controls -- physical, administrative and technical -- the key is auditing and tracking. They won't always stop a malicious insider from attempting something, but they'll help catch the offender in the act. The insider threat never goes away, but it can be monitored.
Joel Dubin, CISSP, is an independent computer security consultant. He is a Microsoft MVP, specializing in Web and application security, and the author of The Little Black Book of Computer Security, available on Amazon.com. He also runs the IT Security Guy blog at www.theitsecurityguy.com.
This was first published in March 2007