Protecting your company from internal security attacks should be a high priority.
It's not hacking that results in the most damaging penetrations to an enterprise's security system. It is often the work of an employee within the enterprise that causes the most damage. And while many of those incidents are due to employee malice, a great number stem from the manipulation of employees - often without their knowledge - that results in the theft of crucial data.
This "social engineering", as defined in the IT security sector, uses the age-old art of human persuasion. First a relationship is developed with an employee and then that newly trusting person is convinced to hand over key information to the attacker.
The method is insidious but it can be stymied if employees are trained to be security-conscious, process controls are implemented, and strong authentication is built into the security system. Humans may well have tendencies that leave them vulnerable to persuasion, but these tendencies can be positively channelled with education and culture. These tendencies are also not hard-wired, and we can set up software that can back us up... just in case.
IT security breaches are growing. It is not a nice world out there. Statistics show an alarming rise in cyber-attacks. Since 1998, electronic crime has risen dramatically - tenfold - according to the latest incident statistics from the Carnegie Mellon Computer Emergency Response Team. In the 2001 Computer Crime and Security Survey, conducted jointly by the Computer Security Institute and the FBI, 85 per cent of respondents said they had detected breaches in their systems during the previous 12 months. Sixty-four per cent of them reported financial losses due to those security incidents.
Further, the nature of the crimes has changed. According to a study produced by the Computer Security Institute and the FBI, the Internet is a source of frequent attacks: 70 per cent in 2001 compared to 59 per cent in 2000, while at the same time internal attacks dropped from 38 per cent to 31 per cent. Reported average losses from viruses alone, an untargeted nuisance attack, were $US244 million in 2001, up from just $US45 million in 1999.
Attackers take advantage of employees. The malicious attackers who are making their way into IT systems are not working on their own. Their accomplices are often unsuspecting employees of the enterprises they are targeting. Malicious attackers know that the easiest way into any system is to exploit the people that use and administer it.
Gartner estimates that more than 70 per cent of unauthorised access to information systems is committed by employees, as are more than 95 per cent of intrusions that result in significant financial losses. The attacker can be a person inside or outside the enterprise who pretends to be someone else:
- In person.
- On the telephone.
- Via conventional mail or e-mail.
- Through a computer program disguised as an interesting message or a legitimate program.
And don't forget about the "hidden" employees in your organisation who may have completely unlimited access (often off-hours), yet not undergo nearly the scrutiny of a "regular" employee:
- Maintenance and external repairs/service (phone company, construction).
- Temporary workers.
Remember that one of the easiest ways to get past security is to work on the inside. Can you really be sure the midnight housekeeper cleaning the server room isn't breaking into your systems?
Employees are unwitting victims of social engineering. The employee targeted by a security system attacker is a victim of social engineering, the manipulation of a person through a combination of spying, theft and clever deception. This "art of human persuasion" takes advantage of a person's natural tendencies - such as seeking prestige, avoiding embarrassment or merely finding acceptance - and it usually follows a simple pattern:
- The attacker gathers information about his target that can be as simple as a phone number or as detailed as an organisation's structures and procedures. (For example, a user name can be gleaned from an e-mail address).
- A relationship is developed between the outsider and the employee that establishes a degree of trust. (With the user name in hand, the attacker takes advantage of a natural instinct to be trusting and successfully identifies himself as a tech support worker).
- The attacker manoeuvres his target into revealing information or performing an action that he would not normally do. (The innocent and "helpful" employee reveals his password).
- The attacker obtains his objective often leading him to successfully execute the cycle once more. (With user name and password in hand, access to one level of the enterprise's system is complete. From within that level, more information is easily gathered. This allows the attacker to approach another employee and establish a trusting relationship).
Creating and implementing policies and plans. The single strongest defence for an enterprise against social engineering attacks is an educated employee. But a well-educated employee must be armed with more than just information about what social engineering is. He or she must be part of a security-conscious enterprise. The employee must know what the enterprise is doing to maintain security and how to support those efforts. And while learning how to support these efforts, the employee must be motivated to do so.
- The first building block for developing a security-aware enterprise is to create simple, clear and enforceable policies and plans.
- The policies lay out the security goals set by or supported by executive management.
- The plans are the means to achieve those ends - the constantly updated guidelines, processes and procedures that go into complying with the policies.
Create and foster a security-conscious culture. Creating a culture of security is the single most critical factor in building a security-aware enterprise and defending you from nearly every type of attack. It is very difficult to impose this culture from the top down. It must be grown and developed so security can become a habit for employees, not an effort:
- Management must set an example by leading from the front and exceeding expectations.
- Employees need to understand why security is important to the enterprise and to the employees themselves.
- Everyone in the enterprise should understand that his or her personal efforts make a difference.
- Employees must be rewarded for positive behaviour through recognition or bonuses.
Create an organisational structure to manage IT security. Security needs a well-designed management structure just like any other operation in the enterprise. Many fail to realise that security is fundamentally different from the day-to-day maintenance and support of systems. Usually the employees running IT systems do not have the resources or the training for security, and at times concerns related to managing security can actually conflict with everyday IT management.
Although information security and physical security are traditionally separated, sometimes it makes sense to combine them under a single management structure, while other times just opening strong communications channels is more appropriate. Even individual business units need to assign responsibility for security. Treating security as an extra duty, without management or resources, will almost always result in failure.
Develop an IT security education plan for employees. The enterprise must create effective and concise education for employees. It's hard to be aware of security incidents if you don't even know what the issues are. Education should cover the following areas:
Corporate policies: Employees must understand policies to both limit the potential for them to commit personal violations and allow them to recognise when others violate policies.
Security issues: Employees need training on a variety of security issues, from physical access, to information misuse, to e-mail safety.
Impact on enterprise/employee: Awareness and proactive actions are more likely if employees understand the negative consequences on the enterprise and themselves.
How to report/respond: Employees should know to whom they should report and what actions they should take if they are confronted by security breaches.
Test security awareness. There are three questions to ask in determining if an enterprise has successfully made itself security-aware:
1. Would an employee actually know if a security violation has been committed? This would be key to avoiding an attack by social engineering.
2. Would the employee choose to report the violation? This addresses the issue of the culture. Policies will be viable only if employees feel they are pertinent, fair and consistent.
3. Would the employee know how to report the violation? Security policies become ineffective if well-meaning employees are stymied by reporting procedures that do not work.
Continue to monitor security effectiveness. Once the enterprise is prepared, its work is not done. It must monitor itself over time to make sure it sees a return on its investment. The increase in security expenses must result in sufficiently decreased security losses.
In judging the effectiveness of a security system over time, comprehensive penetration testing is one tool but it is not the only one at your disposal:
- Try calling the help desk to see if you can trick them into revealing a password - but give them a bonus if they follow procedures.
- Walk around and look for passwords or sensitive documents sitting on desks - and write an educational "ticket".
Watch how your business process changes over time. Do your security policies keep up with these changes? Monitoring doesn't have to be expensive; it needs to be consistent and constant.
Cyber-incidents are on the rise. The future of security in the IT world contains good news and bad news. On the downside, cyber-incidents and vulnerabilities doubled in 2001 and you can expect them to double again in 2002. These attacks are increasing as criminals learn how to take advantage of systems that depend on Internet connections.
At the same time, a transition to become a security-aware enterprise can be cost-effective. The reduction in losses experienced during the first widespread attack that penetrates an enterprise's outer defences will offset the cost of making that enterprise security-aware.
Internal threats will never be eliminated. It will not be possible to completely eliminate internal threats (for example, disgruntled or criminal employees); however, checks and balances can limit the effectiveness of an internal attack - intentional or as a result of social engineering manipulation.
Use business process to your advantage. Don't depend on awareness or technology alone. Many crimes are committed by people performing authorised tasks within their job duties. Make sure the damage any single individual can commit is limited.
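What "checks and balances" in the business process can look like when enforced in software, as an added example that is not part of this article or of Gartner's material: a privileged action (a payment, an access grant) cannot be approved by the person who requested it, high-value actions need two distinct approvers, and a per-person daily cap bounds the damage one manipulated or malicious insider can do. Every name, action, threshold and value below is constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed policy values (assumptions for this example, not from the article).
DUAL_APPROVAL_THRESHOLD = 10_000   # actions at or above this value need two approvers
PER_PERSON_DAILY_CAP = 25_000      # total value one requester may have executed per day


@dataclass
class PrivilegedRequest:
    """A request to perform a privileged action, e.g. a wire transfer or an access grant."""
    request_id: str
    action: str
    requester: str
    value: int
    approvers: List[str] = field(default_factory=list)


@dataclass
class ControlLedger:
    """Tracks what each requester has already been allowed to execute, plus an audit trail."""
    executed_by_requester: Dict[str, int] = field(default_factory=dict)
    audit_log: List[str] = field(default_factory=list)


def record_approval(req: PrivilegedRequest, approver: str) -> List[str]:
    """Attach an approval to a request. Returns the refusal reasons (empty list = accepted)."""
    reasons = []
    if approver == req.requester:
        reasons.append("separation of duties: requester may not approve own request")
    if approver in req.approvers:
        reasons.append("second approval must come from a different person")
    if not reasons:
        req.approvers.append(approver)
    return reasons


def required_approvals(req: PrivilegedRequest) -> int:
    """Dual control kicks in above the constructed threshold."""
    return 2 if req.value >= DUAL_APPROVAL_THRESHOLD else 1


def execute(req: PrivilegedRequest, ledger: ControlLedger) -> List[str]:
    """Check every control before executing. Returns refusal reasons (empty list = executed)."""
    reasons = []
    needed = required_approvals(req)
    if len(req.approvers) < needed:
        reasons.append(f"needs {needed} approval(s), has {len(req.approvers)}")
    already = ledger.executed_by_requester.get(req.requester, 0)
    if already + req.value > PER_PERSON_DAILY_CAP:
        reasons.append(f"daily cap of {PER_PERSON_DAILY_CAP} for {req.requester} would be exceeded")
    if reasons:
        ledger.audit_log.append(f"REFUSED {req.request_id}: " + "; ".join(reasons))
        return reasons
    ledger.executed_by_requester[req.requester] = already + req.value
    ledger.audit_log.append(
        f"EXECUTED {req.request_id} {req.action} by {req.requester} "
        f"value={req.value} approvers={req.approvers}"
    )
    return []


def demo() -> ControlLedger:
    """Walk a constructed scenario: an insider (or someone using her credentials) tries to move money."""
    ledger = ControlLedger()
    big = PrivilegedRequest("R1", "wire transfer", requester="alice", value=15_000)
    record_approval(big, "alice")    # refused: cannot approve own request
    record_approval(big, "bob")      # first approval
    execute(big, ledger)             # refused: a second approver is required
    record_approval(big, "bob")      # refused: same person twice does not count
    record_approval(big, "carol")    # second, independent approval
    execute(big, ledger)             # executed, logged with both approvers
    again = PrivilegedRequest("R2", "wire transfer", requester="alice", value=12_000)
    record_approval(again, "bob")
    record_approval(again, "carol")
    execute(again, ledger)           # refused: would exceed alice's daily cap
    return ledger


if __name__ == "__main__":
    for line in demo().audit_log:
        print(line)
```

The point of the cap is that even a fully approved, fully "legitimate" sequence of actions by one person stays bounded, which is the control that still holds after awareness training has failed and the requester's credentials are in an attacker's hands. The audit log is what lets monitoring (the next section) spot a pattern of refusals before the damage is done.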
Tension between employers and employees. Senior managers and their staffs may have radically differing views about how much personal privacy an employee should have. The tension can rapidly result in growing difficulties in retaining and recruiting employees.
The employees of financial service providers (FSPs) are among the most heavily monitored both on and off the job and "trained" in privacy lore. As a result, they are extremely sensitive to privacy issues. By 2007, most FSPs in the US will have experienced significant employee relations problems relating to privacy in the workplace.
If the relationship between FSPs and their employees can be viewed with a glimpse into the future, there may be some difficult times ahead as employers determine how much personal privacy their workers should have.
Non-FSP enterprises can learn some lessons from FSPs' strategies and tactics to reduce unnecessary employer/employee tension. For instance, if employee monitoring is fair, uniformly enforced and fully understood by all involved, tensions can be reduced.
Richard Mogull is a research director with Gartner (US) specialising in security issues