dcsimg

Unintentional (But Very Real) Internal Threats

Download our in-depth report: The Ultimate Guide to IT Security Vendors

SHARE
Share it on Twitter  
Share it on Facebook  
Share it on Google+
Share it on Linked in  
Email  
Last month I wrote about the inside threat to your network and your company at large. In this column I'll offer two more examples of internal threats to your organization.

There are two types of employees that I like to call Dennis the Menace and Alice in Wonderland. They are bright, motivated, friendly and have only the best of intentions. They can also be your worst nightmare.

Dennis, for instance, sees some problem with the production code you use for your core business. He knows there’s an easy fix, it will only take five minutes, and everyone will be very glad at how much better the system runs once it’s fixed.

He rewrites the function, and replaces it in the module where he first identified the problem. What he fails to realize is that several other modules have dependencies and the change causes the production code to grind to a halt. Your network looks fine, everything should be working, but it’s not.

If you have change controls in place, and critical file monitoring done by a centralized location, you would have already determined that Dennis was mucking about in the code. Additionally, you can identify which files were changed, and compare them to, or replace them with back-up code, and return to production with limited down time.

Certainly you don’t want to be the one explaining to the CEO, CIO, or CTO what happened and why it took so long to do something about it. You also don’t want to be the one responsible for informing customers about loss of data, down time and loss of revenue.

A change control process sets the framework for protecting all the parties involved. It allows for the identification and timely resolution of a snag in your code, but it also clearly identifies who is responsible for the change, and what the back out should be in case of difficulties.

In Dennis’ case, it also means that every time there’s some difficulty, you won’t be camped on his desk asking what he did this time. He’ll be relieved to know that he isn’t a scapegoat in bad situations.

Educating the Trusting

Then there’s Alice. She will be the first to tell you she’s not very technically inclined. She loves her computer, it lets her do so many things. She’s working on a novel, she thinks the world wide web is amazing for its ability to tell you everything you ever wanted to know about anything.

And she believes it all. If it comes to her in email from friends, then it’s obviously something she needs to see, sign, buy or try. After all, who on earth would know who she is and what her email address is?

We’ve talked about this situation before, and we’ll likely talk about it again. It is very difficult to educate the trusting to recognize the threats inherent in the virtual world. Teaching users to avoid suspicious sites sent in email and learning to recognize attempts to gain privileged information by unauthorized persons either via the web or email will go a long way to cutting down the number of compromises as the result of malicious web content.

Alice has another bad habit. She can never remember her password, so she’s written it down and put it in a safe place. How many safe places can you think of? Want to bet it’s one of the first three you can come up with? Let’s see: bottom of keyboard, behind monitor, under edge of desk (next to last week’s gum), or in Rolodex under “computer.” But they are such good hiding places!…(sigh)

The reason I bring this up is, if you’ll recall from last month, there are all these people who have access to you physical spaces that you have little or no control over. Cleaners, caterers, contractors. If Alice isn’t going to protect her password, do you think she’s left her user name lying around? What’s to prevent the “hired help” from taking advantage of the situation?

As we talked about before, in many situations, you have no ability to vet the employees of your contract labor. You also have limited ability to monitor work being done outside normal business hours.

You might be saying to yourself that Alice’s laxness with her password and user name aren’t really a major problem, since she doesn’t have access to critical systems or data. But what does she have access to? Memos between the CEO and the CFO about the next round of venture capitalization? Plans for going public? What would the loss of this information mean to the organization?

In many respects, policy implementation regarding the use of the Internet, password strength, and replacement, minimizes certain aspects of these threats. Eliminating unauthorized software or applications improves the ability to control unanticipated vulnerabilities.

I want you to be able to look at your organization with an eye for security hotspots. Anyone can identify the unsecured fire door, or the modem tied into the office server. What you need to be able to identify is the invisible threat of the stranger at your door (contractors), the well-intentioned, and the dearly departed.

You can do a lot of things to handle these threats. Policy implementation can force updates to operating systems, enforce strong passwords and prevent the installation of unauthorized software. Education brings a better understanding to your employees about the threats they confronted with on a daily basis. Finally, knowing your employees as people with families, hopes and dreams, and problems as well. You can identify potential problem areas when you know the people who work with and for you.

On Wednesday, Sept. 27, I will be participating in a webcast discussing this subject. You’ll hear about these employees and others in detail. Hopefully, you will gain better insight into identifying possible situations before problems arrive. I hope you’ll join me. For more information, check here.

Submit a Comment

Loading Comments...