A University of Texas student steals 55,000 Social Security numbers from the school's administrative databases. A UBS PaineWebber system administrator activates a logic bomb in the company's network, causing US$3 million in damage. A disgruntled Australian IT employee commandeers his company's sewage management software to dump hundreds of thousands of litres of raw sewage into local parks and rivers.
These real-life examples from the past three years show how devastating damage from malicious insider cyberattacks can be. And the threat is growing. Although companies are reluctant to report having been attacked from the inside, 64 percent of enterprises that responded to a 2002 survey conducted by the Computer Security Institute and the U.S. Federal Bureau of Investigation (FBI) reported experiencing at least one internal incident, up from 59 percent in 2001. From malicious DoS (denial of service) attacks to the theft of HR, financial, or medical records, there are many ways insiders can cause financial and physical damage and create legal liabilities for their employers.
"Insider attacks are where most of the money's lost, where most of the vulnerabilities are," says Frank Huerta, vice president of intrusion-detection product delivery at Cupertino, Calif.-based Symantec Corp. Huerta also notes that many of the increasing number of workers who have been laid off during the past two years have retained passwords to sensitive systems. Increased connectivity among enterprises has also given insiders greater access to the internal networks of partners, customers, and vendors.
"It's almost becoming a myth that there is an internal network," says Christopher William Klaus, CTO of Atlanta-based Internet Security Systems Inc. As e-business proliferates, "your firewalls become more and more porous," he adds.
In addition to keeping passwords after termination of their employment, malicious insiders often gain access to internal systems while on the payroll through social-engineering -- essentially sweet-talking IT personnel for passwords to restricted systems. "If you can get the passwords, you've got the keys to the kingdom," Symantec's Huerta says.
Insiders can also attack without passwords, ISS' Klaus says. For example, an insider can hack credit card data directly through a database using a tool such as Nmap, which scans the network to find default accounts. "You can go on the Internet and download scripts and exploits to break in," Klaus explains. "Anybody on the inside of your company can download this stuff."
To guard against insider attacks, experts generally recommend a layered approach, meaning that enterprises should use multiple technologies in tandem and should combine these technologies with tough security policies. Here's a rundown of some of the key technologies and policies enterprises can use to guard against inside attacks.
One key layer of protective technology is identity management: software that efficiently tracks, provisions, and deprovisions accounts and passwords across the enterprise. Many vulnerabilities stem from companies giving users, especially contractors, broader access than they really need to do their jobs -- access to the whole sales database versus a single region, for example -- or forgetting to deprovision accounts when a user is terminated.
"We typically find that about 40 percent of the valid users in the enterprise are people who no longer work there," says Jeff Drake, director of security strategy at IBM Corp./Tivoli in Austin, Texas. "Companies are very good at getting you out of the payroll system when you leave, but they're very poor at removing accesses to apps that you were granted."
Identity management systems -- from companies such as IBM Tivoli, Netegrity Inc., Oblix Inc., Novell Inc., and Sun Microsystems Inc. -- aim to solve this problem by providing a single mechanism for managing and provisioning account access and for linking that access to HR and payroll. These systems typically provide audit, logging, and policy enforcement to help prevent contractors from getting root access to sensitive systems.
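The two failures described above, accounts that outlive the employee and scopes broader than the job, are exactly what a reconciliation between the HR feed and the application's account list turns up. The following is an added example written for this article, not code from any of the vendors named; the HR roster, the account list, the "sales:REGION" scope naming and the hr-portal application are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class HrRecord:
    user: str
    status: str    # "active" or "terminated", as fed from HR/payroll
    region: str    # the one sales region this person actually covers


@dataclass(frozen=True)
class AppAccount:
    user: str
    app: str
    scopes: FrozenSet[str]   # entitlements, e.g. "sales:EMEA"; "sales:*" is the whole database


# Constructed sample data (not from the article).
HR_ROSTER: Dict[str, HrRecord] = {
    "alice": HrRecord("alice", "active", "EMEA"),
    "bob": HrRecord("bob", "terminated", "AMER"),
    "carol": HrRecord("carol", "active", "APAC"),
}

ACCOUNTS: List[AppAccount] = [
    AppAccount("alice", "salesdb", frozenset({"sales:EMEA"})),
    AppAccount("bob", "salesdb", frozenset({"sales:AMER"})),    # off the payroll, account still valid
    AppAccount("carol", "salesdb", frozenset({"sales:*"})),     # contractor granted the whole database
    AppAccount("dave", "salesdb", frozenset({"sales:AMER"})),   # no HR record at all
    AppAccount("alice", "hr-portal", frozenset({"hr:self"})),
]


def reconcile(accounts: List[AppAccount], roster: Dict[str, HrRecord]) -> dict:
    """Compare application accounts against HR and return the two kinds of findings:
    accounts to deprovision (owner not active in HR) and accounts whose scope
    exceeds what the owner's region requires."""
    deprovision = []
    narrow = []
    for acct in accounts:
        rec = roster.get(acct.user)
        # Nobody in HR, or no longer active there: the account should not exist.
        if rec is None or rec.status != "active":
            deprovision.append((acct.user, acct.app))
            continue
        # Least privilege for the sales database: one region per person.
        if acct.app == "salesdb":
            allowed = {f"sales:{rec.region}"}
            excess = acct.scopes - allowed
            if excess:
                narrow.append((acct.user, acct.app, sorted(excess), sorted(allowed)))
    return {"deprovision": deprovision, "narrow": narrow}


def orphan_ratio(accounts: List[AppAccount], roster: Dict[str, HrRecord]) -> float:
    """Share of accounts whose owner is no longer an active employee (Drake's metric)."""
    if not accounts:
        return 0.0
    return round(len(reconcile(accounts, roster)["deprovision"]) / len(accounts), 2)


if __name__ == "__main__":
    findings = reconcile(ACCOUNTS, HR_ROSTER)
    print("deprovision:", findings["deprovision"])
    print("narrow scope:", findings["narrow"])
    print("orphan ratio:", orphan_ratio(ACCOUNTS, HR_ROSTER))
```

Run periodically against every application, the deprovision list is what the identity management system would revoke automatically once the HR status flips, and the narrow list is the review queue for over-broad contractor access.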
Intrusion detection and security-event management
To identify insiders who may be exploring internal systems as a prelude to an attack, IDS (intrusion detection system) software provides passive scanning of network activity. These host- or network-based systems listen on the wire for suspect traffic and then use pattern recognition and various algorithms to find what looks like illegitimate activity. When such activity is detected, IDS software alerts security personnel or automatically shuts off access to the resource being probed.
Many vendors, including ISS, Symantec, Cisco Systems Inc., and a host of smaller companies, offer IDS systems. Some, such as Symantec, also offer so-called "honey pot" or decoy systems, designed to catch malicious attackers by luring them into a painstakingly prepared replica of the system they may be trying to penetrate (for example, finance or payroll) but with false data -- essentially catching them in the act.
In the past, IDS systems triggered too many false alarms, which often caused IT personnel to simply shut them off. To address this problem, many vendors are developing so-called security-event management platforms -- software that takes data inputs from a multitude of security devices on the network and correlates them in real time or after the fact to identify potential threats. According to Deepak Taneja, CTO of Waltham, Mass.-based Netegrity, the systems work similarly to the credit-card companies' antifraud algorithms by looking for atypical behavior.
"Say Jennifer gets a hold of my password and tries to access that application (by dialing) in from home on a VPN," Taneja says. "But that's not how I always do it -- from my desktop during business hours." This information might then be passed to the provisioning system to shut down the account Jennifer has hijacked. "Just knowing that those systems are in place is a good deterrent," Taneja adds.
Many of the security event management vendors -- including most major IDS vendors as well as smaller companies such as Guardent, Network Intelligence, Arcsight, and E-security -- incorporate vulnerability information about specific systems to prioritize protection for those systems that are the most vulnerable to attacks. "If the dead bolt is locked," ISS' Klaus says, "it doesn't matter if they wiggled a key in the door."
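Taneja's scenario (his password used over the VPN from home at night, when he only ever logs in from his desktop during business hours) and Klaus's point about ranking alerts by whether the target is actually vulnerable can be shown in one small correlation routine. This is an added example for this article, not code from Netegrity, ISS or any other vendor mentioned; the log line format, the user names, the host names and the list of unpatched hosts are all constructed, and the "disable" action stands in for the hand-off to a provisioning system.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication events (not from the article); the field layout is an assumption.
BASELINE_LOG = [
    "2002-10-01T09:05:00 user=taneja src=desktop host=finance-app result=success",
    "2002-10-02T08:47:00 user=taneja src=desktop host=finance-app result=success",
    "2002-10-03T10:12:00 user=taneja src=desktop host=finance-app result=success",
    "2002-10-04T13:30:00 user=taneja src=desktop host=finance-app result=success",
    "2002-10-07T09:58:00 user=taneja src=desktop host=finance-app result=success",
    "2002-10-01T11:20:00 user=jennifer src=desktop host=payroll-app result=success",
    "2002-10-02T14:05:00 user=jennifer src=vpn host=payroll-app result=success",
    "2002-10-03T22:40:00 user=jennifer src=vpn host=payroll-app result=success",
]

NEW_EVENTS = [
    # Taneja's scenario: his credentials used over the VPN late at night.
    "2002-10-15T23:15:00 user=taneja src=vpn host=finance-app result=success",
    # His normal pattern: desktop, business hours.
    "2002-10-15T09:30:00 user=taneja src=desktop host=finance-app result=success",
    # Jennifer already uses the VPN, but never this late.
    "2002-10-15T23:00:00 user=jennifer src=vpn host=payroll-app result=success",
]

# Hosts the vulnerability scanner reports as unpatched (constructed); alerts against them rank higher.
EXPOSED_HOSTS = frozenset({"finance-app"})

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) host=(?P<host>\S+) result=(?P<result>\S+)$"
)


def parse_event(line: str) -> dict:
    m = EVENT_RE.match(line)
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def build_baseline(lines) -> dict:
    """Per user: the access paths seen and the hours at which successful logins occurred."""
    base = defaultdict(lambda: {"sources": set(), "hours": set()})
    for ev in map(parse_event, lines):
        if ev["result"] != "success":
            continue
        base[ev["user"]]["sources"].add(ev["src"])
        base[ev["user"]]["hours"].add(ev["ts"].hour)
    return dict(base)


def score_event(ev: dict, baseline: dict, exposed_hosts=EXPOSED_HOSTS) -> dict:
    """Count deviations from the user's own history; two or more means the account
    is handed to provisioning for suspension, one means an analyst alert."""
    reasons = []
    profile = baseline.get(ev["user"])
    if profile is None:
        reasons.append("no baseline for user")
    else:
        if ev["src"] not in profile["sources"]:
            reasons.append(f"unusual access path {ev['src']}")
        lo, hi = min(profile["hours"]), max(profile["hours"])
        if not lo <= ev["ts"].hour <= hi:
            reasons.append(f"hour {ev['ts'].hour:02d} outside usual {lo:02d}-{hi:02d}")
    if len(reasons) >= 2:
        action = "disable"
    elif reasons:
        action = "alert"
    else:
        action = "allow"
    # Klaus's dead bolt: the same activity matters more against a host known to be exposed.
    priority = "high" if ev["host"] in exposed_hosts else "low"
    return {"user": ev["user"], "action": action, "priority": priority, "reasons": reasons}


def triage(lines, baseline: dict, exposed_hosts=EXPOSED_HOSTS) -> list:
    return [score_event(parse_event(line), baseline, exposed_hosts) for line in lines]


if __name__ == "__main__":
    base = build_baseline(BASELINE_LOG)
    for result in triage(NEW_EVENTS, base):
        print(result)
```

The baseline here is deliberately crude (a set of access paths and an hour window per user); a product would weight many more attributes and learn over a longer history, but the shape is the same: profile the legitimate owner, score each new login against that profile, and let the vulnerability data decide which of the resulting alerts is worth an analyst's time.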
Firewalls and VPNs
Hackers have been known to deride vulnerable enterprises as "crunchy on the outside, chewy on the inside," meaning that once they get past the firewall they can do anything they want. Partly in response to insider threats, enterprises are beefing up their internal use of firewalls and VPNs to provide more protection to key systems and data.
"Make your network as crunchy as possible; don't just have a hard line across your perimeter," advises Sweta Duseja, product marketing manager at Redwood City, Calif.-based Check Point Software Technologies Ltd. She sees enterprises deploying peer-to-peer VPNs even on their internal network and taking a more "concentric" approach to deploying firewalls. This can mean putting firewalls into gateways at key points in the network and directly in front of key applications.
Insider security policies
No amount of layered technology will stop insider attacks if an enterprise doesn't have good security policies and procedures in place. "You can put in as many firewalls and VPNs as you like," Duseja says. "The issue is still: Have you configured your security rules and policies?" She cites access to Web-based protocols such as Microsoft's CIFS (Common Internet File System) as a major policy issue. "They are one of the most vulnerable protocols that hacker employees get a hold of and know how to use."
Joel McFarland, manager of security appliances at San Jose, Calif.-based Cisco, thinks enterprises are generally too trusting of employees and wishes they would put more teeth in their policies to deter inside attacks.
"More often than not, customers are willing to passively police their internal threats," McFarland says, adding that enterprises will refuse to revoke privileges or shut off systems even when a threat has been detected, for fear of causing disruption to legitimate activity. He would like to see this change. "It's the collaboration between your IDS and identity service that allows you to police and enforce insider threat mitigation," he explains.
On an even more basic level, there are many straightforward policies that can help guard against insider attacks, according to Symantec's Huerta (see also top tips box). Have you had your IT employees' and contractors' backgrounds checked? Has your internal security plan been reviewed by a reputable third party? Are you limiting access to just those who need it? If an employee is caught looking at unauthorized material after hours, what are the consequences? "Are they just meandering around the network because they can?" Huerta asks. "You have to have policies."