
Internal IT Threat

by msecadm4921

Identifying the threats within: why your staff can be your biggest security risk, by Marcus Ranum, Chief Security Officer, Tenable Network Security.

It is instinctive to look outside the organisation when trying to identify potential security issues, but the harsh reality is that the biggest threat to most organisations is internal. Your staff are unlikely ever to compromise network security intentionally, but there are any number of ways in which their accidental behaviour can undermine the security controls that have cost so much time and money to put in place. As well as guarding against external attacks such as hackers and malware, it is therefore essential to understand how employees interact with the IT network and to invest in measures that stop them from putting it at risk.

One of the most recent internal threats to come to the fore has arisen from the increased amount of time people spend interacting online. Social engineers exploit the trust of employees by leveraging the technology they feel comfortable with. For example, they may use social networking sites such as Facebook, Twitter, LinkedIn and MySpace to gather information about a target, which they can then use to gain access to systems or to commit identity theft. Because many people still share too much information online, a Facebook page alone may reveal the name of a user's pet, which is frequently also the user's password or the answer to a password-reset question.
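The pet-name point above is easy to test mechanically. The following is an added example, not code from the article or from Tenable: it takes a handful of facts of the kind a quick look at someone's Facebook or LinkedIn page yields (the profile, the field names and the candidate passwords are all constructed for illustration) and checks whether a proposed password is just one of those facts with the usual padding and leet substitutions applied. The same check, fed from a user's HR record or a scraped profile, is what an attacker's mangling rules and a defender's password filter both do.

```python
"""Flag passwords that an attacker could derive from a target's public profile.

Added example for this article; the profile and passwords below are constructed
for illustration and are not taken from any real account."""
import re
from typing import Dict, Optional, Set

# Constructed profile of the kind a quick pass over a target's Facebook and
# LinkedIn pages yields: pet, partner, football team, home town, birth year.
PROFILE = {
    "pet": "Biscuit",
    "partner": "Sarah",
    "team": "Arsenal",
    "town": "Reading",
    "birth_year": "1984",
}

# Common leet substitutions attackers (and password-mangling rules) try.
LEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def normalise(candidate: str) -> str:
    """Reduce 'B!scu1t2012!' to 'biscuit': lower-case, drop the leading and
    trailing digit/symbol padding, then undo leet substitutions."""
    s = candidate.lower()
    s = re.sub(r"^[^a-z]+|[^a-z]+$", "", s)
    return s.translate(LEET)


def profile_tokens(profile: Dict[str, str]) -> Set[str]:
    """Every word (3+ characters) an attacker could lift from the profile."""
    tokens: Set[str] = set()
    for value in profile.values():
        value = value.lower()
        tokens.add(value)
        tokens.update(value.split())   # "Manchester United" -> both words
    return {t for t in tokens if len(t) >= 3}


def derived_from_profile(password: str, profile: Dict[str, str]) -> Optional[str]:
    """Return the profile token the password is built around, or None if the
    password shares nothing with the profile."""
    raw, core = password.lower(), normalise(password)
    # Longest tokens first so 'Sarah1984' is reported as 'sarah', not '1984'.
    for token in sorted(profile_tokens(profile), key=len, reverse=True):
        if token in core or token in raw:
            return token
    return None


if __name__ == "__main__":
    for pw in ["B!scu1t2012!", "Sarah1984", "19841984", "correct horse battery staple"]:
        hit = derived_from_profile(pw, PROFILE)
        print(f"{pw!r:32} -> {'derived from ' + repr(hit) if hit else 'no profile match'}")
```

Note that the check is deliberately generous: it strips padding and undoes leet substitutions before comparing, because that is exactly what an attacker's wordlist rules do to a harvested pet name. A secret answer cannot be mangled at all, so for password-reset questions the only defence is to stop using facts that appear on a profile page.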

Another problem caused by our increased familiarity with technology is the blurring of the boundary between work and personal devices and software. Applications and hardware used in the unsecured home environment, such as phones, iPads and laptops, are often brought into the office, and once they are connected to the network it can be difficult both to see and to control the security problems they bring with them. The rise of smart devices, combined with greater levels of mobile working, means that viruses, bots and other malware can bypass perimeter security measures entirely, riding into the corporate network on a device that was infected elsewhere and going unnoticed until the payload has been delivered.

Network visibility

Despite their best efforts, few IT managers could honestly say they have a totally accurate, 360 degree view of their IT systems at any given time, given today's complex networks and dispersed workforces. An unofficial application download or an unprotected iPad plugged into the network is likely to go unnoticed for long enough for its vulnerabilities to be exploited and corporate information to be compromised. Even where security policies and access restrictions are in place, there are always employees for whom exceptions are made, and while this may seem harmless it takes only one thoughtless click for such an employee to cause a significant breach.

So what an IT department needs is not just a set of rules and policies but true real-time visibility of its network: every key IT asset, where the potential vulnerabilities are, how each device is being used and whether it belongs to the company or is an external device. Real-time, unified vulnerability scanning is a key tool for an IT department because without it systems cannot be properly secured and the inventory of core assets cannot be kept accurate. In this changing threat landscape it is no longer good enough to apply patches on Patch Tuesday and run a weekly scan of the network; there must be systems in place to monitor the organisation's systems continuously and flag immediately when a compromise or a potential vulnerability is discovered, whether from internal or external sources.

Deploying a vulnerability scanner such as Nessus is a good start, but a scan is a snapshot. To keep the network under watch 24-7, scanning needs to be automated and managed as a continuous process, so that an organisation knows at any given moment which of the growing risks and threats it actually faces. It is the difference between using a still camera and a video camera to record a live event, and the choice is pretty clear.
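The two paragraphs above describe the visibility an IT department needs (is this device ours, and is it doing only what we approved?) and why a weekly snapshot is not enough. The following added example, which is not code from the article, from Tenable or from Nessus, shows the snapshot side of that: it diffs one discovery-scan result against an approved asset register and against the previous scan, and reports an unregistered device and a newly exposed service. The register, MAC addresses, hostnames and port lists are all constructed for illustration.

```python
"""Diff a discovery-scan snapshot against the approved asset register and the
previous snapshot, so that an unregistered device or a newly exposed service is
flagged rather than waiting for someone to notice it.

Added example for this article; the register and scan results are constructed
and do not come from any real network or scanner."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed approved-asset register: MAC -> (owning team, hostname, allowed TCP ports)
APPROVED: Dict[str, Tuple[str, str, Set[int]]] = {
    "00:1a:2b:3c:4d:01": ("IT", "fileserver01", {22, 445}),
    "00:1a:2b:3c:4d:02": ("Finance", "fin-laptop-07", {3389}),
}

# Constructed scan snapshots as a discovery scan would report them: MAC -> (IP, open TCP ports)
Snapshot = Dict[str, Tuple[str, Set[int]]]
SCAN_MONDAY: Snapshot = {
    "00:1a:2b:3c:4d:01": ("10.0.1.10", {22, 445}),
    "00:1a:2b:3c:4d:02": ("10.0.1.57", {3389}),
}
SCAN_TUESDAY: Snapshot = {
    "00:1a:2b:3c:4d:01": ("10.0.1.10", {22, 445, 8080}),  # service nobody approved
    "00:1a:2b:3c:4d:02": ("10.0.1.57", {3389}),
    "a4:5e:60:aa:bb:cc": ("10.0.1.203", {62078}),          # device not in the register
}


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" | "medium" | "low"
    mac: str
    ip: str
    detail: str


def assess(scan: Snapshot,
           approved: Dict[str, Tuple[str, str, Set[int]]],
           previous: Optional[Snapshot] = None) -> List[Finding]:
    """Return findings for a scan: unregistered devices, approved hosts exposing
    ports outside their baseline, and registered hosts that vanished since the
    previous snapshot (a laptop that left, or a host that was taken down)."""
    findings: List[Finding] = []
    for mac, (ip, ports) in scan.items():
        if mac not in approved:
            findings.append(Finding("high", mac, ip,
                            f"unregistered device, open ports {sorted(ports)}"))
            continue
        owner, host, allowed = approved[mac]
        unexpected = ports - allowed
        if unexpected:
            findings.append(Finding("medium", mac, ip,
                            f"{host} ({owner}) exposes unapproved ports {sorted(unexpected)}"))
    if previous is not None:
        for mac in previous.keys() - scan.keys():
            if mac in approved:
                findings.append(Finding("low", mac, previous[mac][0],
                                f"{approved[mac][1]} not seen since previous scan"))
    return findings


if __name__ == "__main__":
    for f in assess(SCAN_TUESDAY, APPROVED, previous=SCAN_MONDAY):
        print(f"[{f.severity:6}] {f.mac} {f.ip:12} {f.detail}")
```

The diff is only as good as the register: a device that is approved but never recorded shows up as "high", and an unrecorded port baseline makes every service look unapproved, so the register has to be maintained alongside the scans. It is also the still camera of the analogy. A personal tablet that joins the network on Wednesday afternoon and is gone before the next weekly scan never appears in any snapshot, which is the gap that continuous monitoring of DHCP, switch-port or authentication events is meant to close.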

This is not a problem that will resolve itself, since the complexity of the threats increases with developments in technology and in the sophistication of attackers. The best line of defence, however, is visibility: even if security issues cannot always be anticipated and avoided, it is critical that they are identified and dealt with before they have a negative impact on the business. Nor is this solely the responsibility of IT. Employees themselves, with the right education and training, can significantly reduce the frequency of security breaches. Effective training helps staff identify suspicious emails, understand how common attacks work and know what to do if they suspect they have been compromised. Limiting and monitoring employee internet access can help reduce the risk of social engineering, but it is only by teaching people about the threats that they may be persuaded to accept a more stringent internet usage policy.



© 2024 Professional Security Magazine. All rights reserved.
