Security Angst

Employees are rebelling against security practices and testing the boundaries of corporate controls. Clear policies and responsibilities enforcement can keep workers on your side.

When you were a child, your parents defined the limits of your activities. At first this was easy, since you were small and they were big. At some point, however, you realized they weren’t omniscient and began to challenge their authority, first in subtle, then in more direct ways.

Enterprise managers, your end users are teenagers now; they’re running amok and defying authority simply because they can. They’re doing it subtly by playing on the Internet and by obscuring their non-business use of your systems, and aggressively by destroying property when disgruntled. Ignoring these threats from within will only encourage them. Trying to manage them with increasing severity will only create martyrs. Instead, you need to find ways to encourage employees to buy in to the importance of security. A well-rounded program that addresses internal abuse can save money, conserve resources, foster a sense of community among employees and lead to stronger external defenses at less cost.

Seventeen years ago, an FBI study found that the majority of information system attacks came from within. Back then, PCs were a joke to most "serious" information system engineers, and almost unheard of in small businesses. It’s tempting to wonder how there were any attacks from the outside at all, since no one was connected. This July, the Computer Science Institute, in joint cooperation with the FBI, published its sixth annual Computer Crime and Security Study (available from www.gocsi.com). Not surprisingly, most attacks now originate from outside companies, since we’re all connected. CSI’s reports for the last four years have recorded that up to 70 percent of attacks are external. The flip side of the coin: that means 30 percent of violations, a sizeable portion, have come from within.

What types of employee activities are defined as attacks? We’re not just talking about direct theft of information, money or goods here. We also must include non-business use of systems, abuse of privileges and other acts like inappropriate or unauthorized Internet access, deleted files, theft of equipment or using company infrastructure to set up a business or store personal files.

Other abuses include e-mailing trade secrets or offensive material to employees or outsiders, participation in chain e-mails and joke lists and loading unauthorized software, including games and hardware drivers. Companies have also had to battle the use of internal modems that evade firewalls and other filters, the use of Internet access for "always-on" subscriptions (such as stock tickers and radio stations) and downloading pornography, large music or video files, or copyrighted materials.

Intentional Misuse

When we talk about enterprise security, some of the most startling pictures to emerge are tales of employees' intentional misuse of resources. Workers are using corporate facilities in alarming numbers to spawn their own businesses, listen to radio stations, download pornography and visit non-work-related chat rooms.

  • In a Computer Science Institute (CSI) study published in July, 91 percent of those companies surveyed detected employee abuse of Internet access privileges.
  • Monetary losses that could be definitively ascribed (by the 538 respondents to the CSI study) to insider attack ranged from $100 million to $10 million (with an average in the several hundreds of thousands).
  • Internet abuse by insiders shows a 91 percent growth rate.
  • Earlier this year, Robert Phillip Hanssen, an FBI agent for 15 years, was arrested for espionage. He was originally placed in the FBI's New York office to set up the database of case information that he later apparently plumbed for information.
  • Joseph Martin Durnal allegedly broke into his former employers' computer system and sent e-mails to employees saying his employer was going out of business.
  • A 1998 U.S. Senate survey found that 12.6 percent of Fortune 1000 companies reported evidence of e-mail tampering.
  • Chevron faces a $2 million lawsuit as a result of an employee's e-mail that allegedly included sexist content.

One final alarming fact: Employees often see these activities as their right. Rather than breaking fear barriers or pushing employees to join the digital age, your greatest challenge may be instilling basic work ethics.

—R.B.


Establish Clear Rules
What’s the answer to internal violations? Start with this: Protect company assets with strong controls, with strong employee buy-in, and with vigilant auditing and robust technologies. Here are some of the things that work.

Maintain a separation of duties. One of the tenets of good law enforcement is to assure that no one is both judge and executioner. This separation of duties prevents an abuse of power. In IT there are many areas that need to apply this principle. Two of them are backup and security.

If one group of employees is charged with backing up systems data, a separate group should have the job of restoring it. Coupled with strong controls on the physical backup media and a log of all related activity, you can maintain the integrity of the tape data and prevent accidental or malicious use of these tapes in restoring the wrong data.

Establish strong controls on sensitive areas. Not all areas are created equal—that’s why stronger controls need to be placed on sensitive areas. Making sure that virus checkers and e-mail filters are in place will help keep e-mail under control, and controlling and testing all media will help keep your backup secure. Make sure software installations are fully compatible with your systems, and keep tabs on whether these installations are actually doing their job. Keeping hardware and software change under control by recording all configuration changes and logging server restarts will also help strengthen these sensitive areas, and bolster your overall system.

And don’t forget to pay attention to your administrators. Make sure that they clearly understand the issues you are addressing, and that they have approval for the software they’re installing.

Define events that can precipitate abuse. What high security events exist in your company or division? If you can define them, you can apply additional security and ensure that everyone involved knows how to apply them and handles them with the sensitivity required. Such events include mergers and spinoffs, downturns and upswings, layoffs and terminations.

While it’s not hard to imagine the consequences of loose lips around major business changes, most companies underestimate the danger of a disgruntled employee. Remember that terminated employees may possess information that can be used to damage your information systems.

By defining events that can precipitate abuse, you can manage them in a way that prevents it. At the very least, you can mount defenses that will reduce its effectiveness.

House Rules

Treated with respect and made to understand the rules, most employees will want to make security work. Your goal should be to encourage behaviors that lead to fewer instances of internal misuse of systems. Here are some suggestions:/p>

  • Strictly define employee/employer ownership of information system assets. Provide documents that list the corporate assets you're entrusting to employees. Include care and handling instructions. Establish a sign-out system and record inventory as it is used and returned.
  • Review your "acceptable use policy" with each employee. Provide the policy to all employees and have them sign it. Be sure the policy is clear on what constitutes use and abuse, and make plans to have staff review the rules annually with each division or group.
  • Provide security awareness training for every employee. Establish different programs for different users-both end users and IT specialists.
  • Provide training and tools for those charged with implementing security.

—R.B.

 

Concentrate on the Big Stuff
Any business advisor will tell you to concentrate efforts on the large issues, those that cause the majority of problems. Find the chokepoints—the areas where you can place restrictions and controls that affect the most resources. E-mail, Internet downloads and remote access qualify in both respects.

E-mail servers, of course, are the entry points for many abuses of outside origin. Viruses, which used to be brought into companies by employees bringing disks from home, are now coming primarily from e-mail. That e-mail may arrive on your systems from the outside, but is populated throughout the company by lack of controls on your e-mail servers and on employee desktops. In addition, employees may unwittingly (or intentionally) divulge proprietary information; abuse the sensitivities of others by sharing pornography; make remarks that leave the company vulnerable to legal action; or flood internal networks with endless non-business chatter in the form of joke lists or large attachments such as video and audio files. Employing content filters and virus checkers on e-mail servers can significantly reduce these events and their impact on your networks.

Other technologies need to be used to protect e-mail from interception and tampering. Incidentally, mail server-based virus checking doesn’t eliminate the need for client up-to-date desktop virus checkers. Viruses, Trojan horses and worms may pass through e-mail filters in encrypted attachments but be identified and destroyed on the desktop.

Don’t assume employees understand issues of copyright and the significant impact their music and video downloads can have. A secretary was recently fired when it was discovered that thousands of recordings were stored on her desktop computer. She faces possible criminal action. Monitoring of Internet access points can alert you to employees making large downloads. Blocking protocols at the firewall can prevent some of them.

Remote access means the accessibility of company assets by employees from the outside. This can be done by dial-up lines, by VPNs or through the Internet. It’s obvious that each potential access point requires a high level of control including centralization, content analysis and possible encryption. However, have you considered the potential for abuse that exists at the other end—at the client system used for access? This was the apparent source for the unauthorized source code access at Microsoft last year. Remote access systems may be laptops used by employees on the road, or desktop systems provided for their use from home. What controls exist on these systems in your company? Remember, it’s the employee who implements security: If you develop security practices that make sense, then they’ll be practiced.