Three of every four attacks are committed by insiders. Whether it's a denial of service attack, a malicious break-in, or data theft, most likely the perp is an employee or a former employee. Yet companies continue to focus their attention on preventing external attacks.
How many companies want to publicise this image-deflating fact? Very few. So few, in fact, that security analysts at the Hurwitz Group estimate that as many as 50 insider attacks occur for every one detected, testimony to the insider's intimate knowledge of your systems and procedures.
As is the case with most planned crimes, who better than your own current or past employees to screw you over? After all, they don't have to learn about your policies and defenses. And they're more likely to know where the rarest jewels are kept. What's more, except for those who want to get caught for the sake of a social statement or just to get attention, they also know how to cover their tracks.
Stacy O'Connor, managing director of the security firm Guardent, says that the most common causes for insider attacks are poor morale, a fluctuating economy, weak internal safeguards, and an overly trusting work environment.
Prevention starts with the hiring process, says O'Connor. You should discuss with new hires their role in maintaining security and its potential benefits. Ongoing monitoring and assessment will help ensure the system's effectiveness while avoiding aggravation, downtime, and fantasies of revenge.
"Organisations should realise that internal incidents have a higher likelihood of causing significantly more damage [than external attacks] and significantly higher costs to repair," says O'Connor. Just ask the FBI about Robert Hanssen.
Sex and network security
One way to protect yourself and your data is to eliminate unwitting damage by employees who permanently enter their passwords in the sign-on box, leave their passwords taped to sliding desk drawers, or use simplistic passwords such as their Social Security number. In fact, the three most popular passwords in some surveys were "password", some elementary mixing of the person's own name or a relative's name (usually a child's), and words related to sexual acts. So much for carefully crafted, comprehensive security policies. Other innocent, if naive, acts include opening email attachments, for example, the one that promised a look at someone's naked wife.
What else can you do? Short of changing human nature, why not leverage all that interest in body parts and use it to reinforce security? For example, biometric devices that read fingerprints are affordable, reliable, and simple to install. One such device is available from Digital Persona. Its compact US$100 U.are.U fingerprint scanner worked well in my comparison tests.
BioLink's $120 U-match Mouse offers a space-saving advantage. A combination thumbprint scanner and mouse, it provides logon security without adding more hardware to the desk. Both products are available in client-only versions as well as server-based installations that centralise management and help maintain uniform rules.
Building better fences
If biometrics had been more widely available, Kevin Mitnick would never have risen from obscurity to infamy. Mitnick achieved success precisely because his plan was elegantly simple. He cracked all those government systems by pretending to be a system administrator verifying the network's condition. He'd call and ask users for their sign-on names and passwords. Most of the time, they just handed over the keys to the digital kingdom without a second thought.
In retrospect, one answer to closing the kind of hole that allowed Mitnick's attack to succeed is now obvious: a combination of education, monitoring, and biometrics. These defenses are also key to preventing sneakier, less obvious insider attacks.