Last month I wrote about the inside threat to your network and your company at large. In this column I'll offer two more examples of internal threats to your organization.

There are two types of employees that I like to call Dennis the Menace and Alice in Wonderland. They are bright, motivated, friendly and have only the best of intentions. They can also be your worst nightmare.

Dennis, for instance, sees some problem with the production code you use for your core business. He knows there’s an easy fix: it will only take five minutes, and everyone will be very glad at how much better the system runs once it’s fixed.

He rewrites the function and replaces it in the module where he first identified the problem. What he fails to realize is that several other modules depend on that function, and the change causes the production code to grind to a halt. Your network looks fine, everything should be working, but it’s not.

If you have change controls in place, and critical file monitoring run from a centralized location, you will already have determined that Dennis was mucking about in the code. You can also identify which files were changed, compare them to (or replace them with) backup code, and return to production with limited downtime.
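A minimal sketch of that kind of critical file monitoring, added here as an illustration and not taken from the column: it hashes the production files, compares them to a stored baseline, and flags any changed file that no approved change record covers. The file names, the change record ID and the idea of passing approved paths as a set are constructed assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

def snapshot(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def diff_snapshots(baseline, current):
    """Return paths that were modified, added or removed since the baseline."""
    return {
        "modified": sorted(f for f in baseline if f in current and baseline[f] != current[f]),
        "added": sorted(f for f in current if f not in baseline),
        "removed": sorted(f for f in baseline if f not in current),
    }

def unapproved(changes, approved_paths):
    """Changed paths that no approved change record covers."""
    touched = changes["modified"] + changes["added"] + changes["removed"]
    return sorted(set(touched) - set(approved_paths))

def demo():
    """Constructed scenario: one approved edit and one 'five-minute fix'."""
    with tempfile.TemporaryDirectory() as tmp:
        prod = Path(tmp)
        (prod / "billing.py").write_text("def total(x): return sum(x)\n")
        (prod / "report.py").write_text("def render(rows): return len(rows)\n")
        baseline = snapshot(prod)  # in practice, stored off-host by the central monitor

        # Approved change CHG-EXAMPLE-1 (constructed ID) covers report.py only.
        (prod / "report.py").write_text("def render(rows): return len(rows) + 1\n")
        # Unrecorded edit to a function that other modules depend on.
        (prod / "billing.py").write_text("def total(x): return max(x)\n")

        changes = diff_snapshots(baseline, snapshot(prod))
        return changes, unapproved(changes, approved_paths={"report.py"})

if __name__ == "__main__":
    changes, flagged = demo()
    print("changed:", changes)
    print("no change record:", flagged)
```

The baseline is only trustworthy if it is kept where the people who can edit production code cannot also rewrite it, which is why the monitoring is centralized.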

Certainly you don’t want to be the one explaining to the CEO, CIO, or CTO what happened and why it took so long to do something about it. You also don’t want to be the one responsible for informing customers about loss of data, downtime and loss of revenue.

A change control process sets the framework for protecting all the parties involved. It allows for the identification and timely resolution of a snag in your code, but it also clearly identifies who is responsible for the change, and what the back-out procedure should be in case of difficulties.

In Dennis’ case, it also means that every time there’s some difficulty, you won’t be camped on his desk asking what he did this time. He’ll be relieved to know that he isn’t a scapegoat in bad situations.

Educating the Trusting

Then there’s Alice. She will be the first to tell you she’s not very technically inclined. She loves her computer; it lets her do so many things. She’s working on a novel, and she thinks the World Wide Web is amazing for its ability to tell you everything you ever wanted to know about anything.

And she believes it all. If it comes to her in email from friends, then it’s obviously something she needs to see, sign, buy or try. After all, who on earth would know who she is and what her email address is?

We’ve talked about this situation before, and we’ll likely talk about it again. It is very difficult to educate the trusting to recognize the threats inherent in the virtual world. Teaching users to avoid suspicious sites sent to them in email, and to recognize attempts by unauthorized persons to gain privileged information via the web or email, will go a long way toward cutting down the number of compromises that result from malicious web content.