Companies must take heed of the insider threat

Increased vulnerabilities on the user side undermine many investments in network security, say experts.

Don't forget to keep an eye on internal threats when you're securing your enterprise.

That was the overarching theme for several speakers at IDC Asia-Pacific's SecurityVision 2008 conference Tuesday.

Song Hai Yan, vice president of engineering at ArcSight, quoted figures from a 2006 InfoPro survey, saying 72 percent of Fortune 1000 organizations worry equally or more about insider threats than they do external security breaches.

Increasingly, security issues revolve around employee activity, she said, noting a trend among many enterprises of buying a broad portfolio of security products with little direction on which weak security areas to focus on.

"Don't buy too much. Start with a good foundation around your [existing security] assets" before patching weak spots, she advised.

Another vulnerable spot where users are concerned is the advent of Web applications, said Citrix Systems' Asean area vice president, Yaj Malik.

According to Malik, most targeted hacker activity today focuses on customized Web applications, a category that includes internally developed and customized package applications. These are "extremely hard to write securely" and lack signatures or patches, causing the "traditional security paradigm [to] fall apart".

Elaborating, he said this "traditional paradigm" is a reactive one, where patches and signatures are issued only after a hole is discovered. With no signature or patch management cycle for many of these applications, Web applications offer "untraceable access to sensitive data".

Yet despite the vulnerabilities associated with users and applications, 75 percent of most enterprise security investments are focused at the network level, whereas 75 percent of attacks are focused at the application level, said Malik.

Malik said in an ideal situation, securing the endpoint assumes programmers write perfect software, free of security leaks. Of course, he said, bugs exist in all software, and it is from these numerous and varied scenarios that data breaches will occur.

Ieta Chi, director of business development, Asia-Pacific, at Trend Micro, echoed the thoughts of the previous speakers.

Quoting research from Market Research International, he said the top three enterprise security leaks in descending order are employees copying files out of office systems, corporate e-mail breaches and leaks from e-mail accessed on public Internet terminals.

Chi noted that all three breaches are employee-related, which negates the efficacy of data encryption, since encryption protects against unauthorized access, and does not pose a barrier for authorized employees.

Quoting a 2006 study by U.S. research firm, Ponemon Institute, Chi said: "78 percent of data breaches come from authorized insiders."