
One of the unfortunate by-products of the global economic downturn has been a dramatic increase in cyber crime. With companies consolidating, merging and downsizing in order to keep afloat, employees have had to endure salary freezes, retrenchment and even abrupt terminations.
With increasing numbers of staff becoming disgruntled, insider security threats and corporate data breaches are becoming more significant than traditional security risks such as viruses, Trojans and worms.
Most organisations, however, seem oblivious to this developing situation, preferring to remain focused on external threats. Few recognise the seriousness of the threat insiders pose despite the fact that many staff members have privileged access to sensitive information, systems and networks.
According to market researchers in the US, insider threats are now the root cause of most data breaches, whether by malicious acts or accidents.
Can the insider threat be thwarted? It can if organisations implement the appropriate technology to deal with these risks, rather than relying on conventional antivirus tools, firewalls and other regular solutions that present no real defence against insider attacks.
Unfortunately, companies looking to save money during the current economic crisis are exacerbating the problem by reducing their IT budgets and limiting their investments in security measures and new-generation technologies that could identify insider threats and resolve them.
At the same time, insider criminals are developing new ways to exploit the Internet for their own benefit using security loopholes in many commonly used applications. They do this by setting up hidden 'callback' channels between their corporate PCs and a command and control (C&C) infrastructure outside the company.
With these infrastructures in place, the criminals are able to override or bypass corporate security settings and those established by Internet service providers, redirecting and stealing data and other valuable corporate resources - without trace - even after the culprits have left the company.
Over time, and as the criminals grow in confidence, they will increase the levels of their activities, often introducing new, more ambitious schemes in order to realise greater rewards.
They take advantage of a common weakness in corporate security systems: once a communication has originated from inside the enterprise network, any number of incoming responses to it are allowed through.
In other words, once a corporate PC has been primed by the insider, all its malicious communications - inbound or outbound - will pass the network's security barriers. This applies equally to communications generated by the criminal and to those generated automatically by malware on the PC.
To address this situation, organisations need to establish a 'culture of security' and have employees understand the importance of correct policies and procedures.
More importantly, they also need to install tools - such as data loss protection (DLP) solutions - that can identify any irregular inbound or outbound traffic using signatures, pattern detection and other criteria.
A DLP solution will place the contents of all outbound communications under the microscope to ensure they do not carry malware that could infect other machines, or hold the building blocks for a callback channel. In placing outbound communications under scrutiny, the destinations of all traffic should be known and classified as 'approved' or 'unapproved'.
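The two checks described above - classifying every outbound destination as approved or unapproved, and spotting the regular inbound/outbound callback pattern that a primed PC produces - can be illustrated with a small script. The following is an added example written for this page, not code from the author or from Duxbury Networking; the log format, the allowlist and the log lines are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
import statistics

# Constructed sample of outbound-connection log lines (not from the article):
# one line per connection, "timestamp source-host destination:port".
SAMPLE_LOG = """\
2009-06-01T09:00:00 ws-17 mail.example.com:443
2009-06-01T09:00:05 ws-17 198.51.100.23:8080
2009-06-01T09:05:05 ws-17 198.51.100.23:8080
2009-06-01T09:10:05 ws-17 198.51.100.23:8080
2009-06-01T09:15:05 ws-17 198.51.100.23:8080
2009-06-01T09:12:00 ws-42 crm.example.com:443
2009-06-01T09:30:00 ws-42 updates.example.net:80
"""

# Hypothetical allowlist of known, approved destinations maintained by the organisation.
APPROVED = {"mail.example.com", "crm.example.com", "updates.example.net"}


def parse_log(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dest = line.split()
        dst_host, _, port = dest.rpartition(":")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "host": host,
            "dst": dst_host,
            "port": int(port),
        })
    return events


def classify(events, approved):
    """Label each outbound connection 'approved' or 'unapproved' by destination."""
    return [
        dict(e, status="approved" if e["dst"] in approved else "unapproved")
        for e in events
    ]


def find_beacons(events, min_hits=3, max_jitter=30.0):
    """Group unapproved connections per (host, destination, port) and report
    those that recur at a near-constant interval: the hallmark of a callback
    channel polling its outside command-and-control infrastructure."""
    groups = defaultdict(list)
    for e in events:
        if e["status"] == "unapproved":
            groups[(e["host"], e["dst"], e["port"])].append(e["ts"])

    beacons = []
    for (host, dst, port), times in groups.items():
        times.sort()
        if len(times) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Low spread between successive gaps means a regular, automated schedule.
        if statistics.pstdev(gaps) <= max_jitter:
            beacons.append({
                "host": host,
                "dst": dst,
                "port": port,
                "hits": len(times),
                "interval_s": statistics.mean(gaps),
            })
    return beacons


def report(text=SAMPLE_LOG, approved=APPROVED):
    """Run both checks over a log and return (classified events, beacons)."""
    events = classify(parse_log(text), approved)
    return events, find_beacons(events)


if __name__ == "__main__":
    events, beacons = report()
    for e in events:
        print(f'{e["ts"].isoformat()} {e["host"]} -> {e["dst"]}:{e["port"]} [{e["status"]}]')
    for b in beacons:
        print(f'possible callback channel: {b["host"]} -> {b["dst"]}:{b["port"]} '
              f'every {b["interval_s"]:.0f}s ({b["hits"]} hits)')
```

In the constructed sample, workstation ws-17 contacts an unlisted address every five minutes, so it is reported as a probable callback channel, while the one-off connections to approved destinations are not. A real deployment would feed the same logic from proxy or firewall logs and tune the minimum hit count and allowed jitter to the environment.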
Through the introduction of a DLP solution, organisations will come to understand how cyber criminals execute malware attacks and acquire the techniques needed to identify their secret extraction channels, thus gaining a stranglehold on data theft.
Backed by vigilant surveillance, DLP initiatives will monitor and protect data in use, data in motion and data in storage. These initiatives generally include the encryption of hard disks, strong authentication of users, protection for data on removable media and policy-based access controls for I/O ports and their associated devices.
A DLP strategy needs to be complemented by a centrally sited management framework and geared to accommodate controls such as policy management, user authentication, backup, recovery, monitoring and reporting.
Additionally, by coupling the implementation of DLP measures with data protection policies and existing domain management tools, privileges and practices, enterprises can more successfully map data policies to their organisational structures and business processes - as well as to the roles of key users and their computer systems.
* Andy Robb is CTO of Duxbury Networking.