
The enemy's at the water cooler

IT security and risk management have focused on building a solid defence against external attacks. The real threat, however, lies within a company.
By Peter van der Merwe
Johannesburg, 24 Jul 2006

Here's a piece of jargon to make even IT people shudder: deperimeterisation. This one is sending icy spikes into the hearts of IT organisations, because it means the end of old-style IT security.

In short, conventional security perimeters around the outside of an organisation are now woefully inadequate. Today, the perimeter has shrunk to the area around every access point to a company's data, whether that is a mobile access channel or a USB flash drive.

Make no mistake, there are still plenty of threats from the barbarians outside the walls - denial-of-service attacks, specially engineered viruses, Trojan horses, spyware and the like. However, most attacks are now coming from within the organisation.

"Eighty-five percent of fraudulent events in South African businesses are performed by insiders, 55% by management and 30% by employees," says Amir Lubashevsky, director of Magix Integration. "Without fraud detection or risk management systems in place, most companies only pick up that something has gone wrong months after the incident. By that time it may be too late."

The US National Reconnaissance Office found attacks from outsiders cost $56 000 to repair - compared to the $2 million it cost to clean up after a typical insider attack. Seventy-two percent of enterprises cite internal security threats as equally or more important than external threats. Research house IDC rates getting employees to follow security policies as the second-highest security challenge organisations will face over the next 12 months.

"The image of an employee accessing the corporate network and stealing confidential data using an iPod-type storage device is no longer simply a threat scenario - today, it has become a well-documented reality," says Martyn Healy, MD of local IT management company Blue Turtle Technologies.

In fact, says Healy, this focus on perimeter attacks such as viruses and spyware has detracted attention from the internal challenges, often causing insider threat policies to be loosely adhered to and routinely skirted. However, institutions are waking up to their internal enemies and understanding that threats from within are rapidly becoming more dangerous than those from the outside.

So who are these malcontents who can so easily damage reputation, customer perception and market position? The Insider Threat Study, carried out by Carnegie Mellon Software Engineering Institute in May 2005, suggests there is a recurring pattern in the majority of insider attacks. The study examined 49 incidents across critical infrastructure sectors between 1996 and 2002, in which the goal of the attack was sabotage or harm to the company or an individual.

Careful hiring practices

The study found almost two-thirds of the perpetrators were former employees, of which almost half had been fired. The study also found 86% of perpetrators were employed in technical positions (systems administrators, programmers, engineers), suggesting the greater the knowledge of the system, the greater the risk of a threat from a disgruntled employee. This is an overwhelming case for regular employee reviews and careful hiring policies.

Healy says the second and fastest-growing group are more measured individuals who join the organisation and intentionally limit their tenure - either with a view to moving on and up more rapidly, or to building a contact list, legitimately or otherwise, before moving on. "One thing is crystal-clear in this rather murky world - these people are almost impossible to spot."

Healy and Wolfgang Held, systems architect at 3Com, believe the most effective way to detect threats of this nature, and to reduce the potential risk to the institution, is to automate the process - just as it has been at the perimeter level.

"These new automated enterprise security management (ESM) or intrusion prevention systems work with existing best-practice codes to create a single, comprehensive view of the organisation's IT risk, employing advanced correlation and pattern discovery techniques to be able to match apparently unconnected events and blocking possible cases of non-compliance," says Held.

Doing this allows a company to control all the end-points in an organisation from which data can be copied, says Held. "Technology makes it easy to copy large amounts of data onto small devices that can be hidden in the back of a pen, for example."

"End-point monitoring, the ability to prevent USB and Firewire ports, for example, from being used by unauthorised users is, therefore, also a key aspect of an employee monitoring solution," says Magix Integration's Lubashevsky. "And contrary to popular opinion, this functionality is available and easily implemented - even across companies with thousands of users."

Effective security shield

Are companies taking IT security seriously enough? At a recent round-table discussion on IT security at ITWeb's Rivonia offices, several panellists agreed that most people still can't get their basic security issues solved.

Symantec's principal security consultant Pieter van Niekerk and Dimension Data's Pieter van der Merwe are among those who believe most companies don't do the basic disciplines right. They have policies, but don't check that they are complied with. They have tools, but don't use them. In other words, says Van Niekerk, they have make-believe systems.

Clifford Katz, CEO of Information Security Architects (ISA), says companies need to stop relegating security to a line item of the IT budget and take a real look at how they can best leverage all technology investments and use security as a positive tool. That involves security working more closely with business, and making sure their wants and needs are aligned. "The role of a security department is to enable a business to take the amount of risk it wants to take in the safest way possible," says Katz.

But few companies are even close to a new risk paradigm. Most, says SecureData's spokesman Andrew Ochse, are still struggling to create a single, co-ordinated security message. Until they do that, he says, it will be difficult for many companies to build any kind of effective security shield that can withstand modern business threats.

Importantly, says Panda Software's country manager Jeremy Matthews, the effort has to be built into business processes from the start, not bolted on as an afterthought that will slow productivity and stifle transparency. It will also require a new culture of control, and at some stage, require new limits on the workplace and how employees conduct their business and interact with customers, clients and each other, at work and at home.

Surveys show that compliance with security policies is a huge problem for most firms. A recent study says eight out of 10 times, passwords are written on the back of a person's business card. What's more, 43% of companies take more than two days before they cut off network access to people who have left the firm, while 15% take more than two weeks. Many IT security policies are not followed or even fully understood.
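The leaver figures above (access still live two days, or two weeks, after someone has left) are a reconciliation problem: the HR record of who has gone and the directory record of which accounts are enabled are rarely compared. The script below is an added illustration, not part of the article or any vendor's product. It assumes two CSV exports with the column names shown (`username`, `last_day`, `enabled`, `last_logon`); the data is constructed for the example, and the 2-day and 14-day severity cut-offs mirror the survey thresholds quoted in the text.

```python
"""Reconcile an HR leavers list against enabled directory accounts.

Added example, not from the article. Export formats, column names and the
2-day / 14-day thresholds are assumptions chosen to match the survey figures.
"""
import csv
import io
from datetime import date

# Constructed HR export: people whose employment has ended (invented data).
HR_LEAVERS_CSV = """\
username,last_day
jsmith,2006-07-03
tnaidoo,2006-07-19
rpillay,2006-07-21
"""

# Constructed directory export: account state on the audit date (invented data).
DIRECTORY_CSV = """\
username,enabled,last_logon
jsmith,true,2006-07-20
tnaidoo,true,2006-07-19
rpillay,false,2006-07-21
pmolefe,true,2006-07-21
"""


def load_csv(text):
    """Parse a CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def severity(days_overdue):
    """Map days since the leaver's last day onto the survey's thresholds."""
    if days_overdue > 14:
        return "critical"   # the 15% who take more than two weeks
    if days_overdue > 2:
        return "high"       # the 43% who take more than two days
    return "info"


def stale_accounts(hr_csv, dir_csv, audit_date):
    """Return enabled accounts that belong to people who have already left.

    Each finding records how long the account has outlived the employment and
    whether it was actually used after the leaver's last day.
    """
    leavers = {r["username"]: date.fromisoformat(r["last_day"])
               for r in load_csv(hr_csv)}
    findings = []
    for row in load_csv(dir_csv):
        user = row["username"]
        # Only enabled accounts of known leavers are a problem.
        if user not in leavers or row["enabled"].strip().lower() != "true":
            continue
        last_day = leavers[user]
        days_overdue = (audit_date - last_day).days
        findings.append({
            "username": user,
            "days_since_last_day": days_overdue,
            "severity": severity(days_overdue),
            "used_after_leaving": date.fromisoformat(row["last_logon"]) > last_day,
        })
    # Longest-outstanding accounts first.
    return sorted(findings, key=lambda f: -f["days_since_last_day"])


if __name__ == "__main__":
    for finding in stale_accounts(HR_LEAVERS_CSV, DIRECTORY_CSV, date(2006, 7, 22)):
        print(finding)
```

Run this daily against fresh exports and treat any `used_after_leaving` result as an incident rather than a hygiene item: a login after the last day is exactly the former-employee pattern the Carnegie Mellon study describes.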

Invisible employee monitoring

"A policy is often a complicated document," says Katz. "People either don't understand it, or haven't read it. A policy is a task as opposed to a culture - but that culture has to start with a policy."

McAfee's regional director Chris van Niekerk says if a culture where security is a priority does not exist, it's tough to build one. "Without a more deeply ingrained, holistic approach to security, the bad guys are going to keep winning.

"People are too smart and aren't going to do something just because they were ordered to by some corporate person," he says. "You've got to get their hearts and minds behind the new directions, behind the notion of control."

So how do you build the culture? Martin Walshaw, a systems engineer with Cisco Systems, is not a fan of generic security training. "A poster about security won't do anything if you don't properly structure your programme. So the first step is to get your governance in place. Then you can build your awareness and change your culture. You also train people on security issues. System administrators need a lot of different training as opposed to the training needed by a developer, line employee or someone in senior leadership."

Lubashevsky says employee monitoring is the way to go, as controversial as it may be. He says the only workable preventative solution is to implement invisible employee monitoring technology to guard against specific information anomalies in real-time. This will enable businesses to catch malicious activity before any damage is inflicted.

"Obviously, managers cannot afford to pay people to play Big Brother and observe every employee all the time; nor can they afford to hinder the business' functions by installing software on computers and servers and slowing the performance of the company's IT," adds Lubashevsky. "Installing independent monitors to keep tabs on network traffic and highlight anomalies without wasting management time or hampering productivity is the solution."
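Held's point about correlating "apparently unconnected events" and Lubashevsky's independent monitors that "highlight anomalies" come down to the same mechanism: collect events from several sources, group them by user, and only raise a finding when several weak signals coincide. The example below is added here to show that mechanism; it is not code from the article, from 3Com or from Magix Integration. The log format (timestamp, source, then `key=value` pairs), the sample lines, the 50 MB bulk-read threshold and the after-hours window are all constructed assumptions for the illustration.

```python
"""Correlate authentication, file-server and removable-media events per user.

Added example, not from the article or any product. Log format, thresholds and
the sample events are assumptions made for this illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample events (invented for this example). One line per event:
#   <ISO timestamp> <source> key=value ...
SAMPLE_LOG = """\
2006-07-21T02:14:05 auth user=jsmith event=login src=10.0.4.17
2006-07-21T02:16:40 file user=jsmith event=read path=/finance/q2_forecast.xls bytes=4200000
2006-07-21T02:17:02 file user=jsmith event=read path=/finance/customers.mdb bytes=88000000
2006-07-21T02:18:11 usb user=jsmith event=mount device=removable host=ws-0417
2006-07-21T02:19:30 file user=jsmith event=copy path=E:/customers.mdb bytes=88000000
2006-07-21T09:05:12 auth user=pmolefe event=login src=10.0.2.9
2006-07-21T09:30:44 file user=pmolefe event=read path=/finance/q2_forecast.xls bytes=4200000
"""

BULK_READ_BYTES = 50_000_000        # assumed: more than this in one day is "bulk"
AFTER_HOURS = (20, 6)               # assumed: 20:00 to 06:00 is outside business hours


def parse_line(line):
    """Split one log line into a dict of fields plus parsed timestamp and source."""
    ts, source, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    fields["ts"] = datetime.fromisoformat(ts)
    fields["source"] = source
    return fields


def correlate(log_text):
    """Return {user: [signal, ...]} built from events that are harmless on their own."""
    per_user = defaultdict(lambda: {
        "after_hours_login": False, "bytes_read": 0,
        "removable_mount": None, "copy_after_mount": False,
    })
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        state = per_user[ev["user"]]
        hour = ev["ts"].hour
        if ev["source"] == "auth" and ev["event"] == "login":
            if hour >= AFTER_HOURS[0] or hour < AFTER_HOURS[1]:
                state["after_hours_login"] = True
        elif ev["source"] == "file" and ev["event"] == "read":
            state["bytes_read"] += int(ev["bytes"])
        elif ev["source"] == "usb" and ev["event"] == "mount":
            state["removable_mount"] = ev["ts"]
        elif ev["source"] == "file" and ev["event"] == "copy":
            # A copy only counts as a signal if removable media was mounted first.
            if state["removable_mount"] and ev["ts"] >= state["removable_mount"]:
                state["copy_after_mount"] = True

    findings = {}
    for user, s in per_user.items():
        signals = []
        if s["after_hours_login"]:
            signals.append("after-hours login")
        if s["bytes_read"] >= BULK_READ_BYTES:
            signals.append(f"bulk read of {s['bytes_read']} bytes")
        if s["removable_mount"]:
            signals.append("removable media mounted")
        if s["copy_after_mount"]:
            signals.append("copy to removable media after mount")
        findings[user] = signals
    return findings


def flagged_users(log_text, min_signals=3):
    """Users with at least min_signals coinciding indicators, sorted by name."""
    return sorted(u for u, sig in correlate(log_text).items() if len(sig) >= min_signals)


if __name__ == "__main__":
    for user, signals in correlate(SAMPLE_LOG).items():
        print(user, "->", signals or "no signals")
    print("flagged:", flagged_users(SAMPLE_LOG))
```

The value of the correlation is in the `min_signals` gate: an after-hours login, a large read or a USB mount each happen legitimately every day, and alerting on any one of them is what buries an analyst. Requiring three of them from the same account in the same window is what turns the feed into something a small team can act on.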

What's important?

Van der Merwe puts his finger on the key flaw in many companies' approach to security, whether internal or external: they don't always know what they want to protect in the first place.

He finds an ally in Faritec's security sales manager, Logan Hill, who says few firms today are able to tie information security threats to a specific business vulnerability. "This is a critical piece of knowledge that's missing when companies are deciding how and where to make the most of their security buck.

"Your security strategy has got to be as much about management as the IT shop and the guy on the road with a company laptop. If we're not thinking this way about how we do business now, then security problems are going to rise up and bite us. You simply can't afford not to know what your most important security threats are and what your policies are for dealing with them, at every level of the corporation."

Mobile device security remains a hot button as companies adopt mobile technology for executives, sales and field forces and even blue-collar workers. Fact is, company information now resides on these devices, and when they get lost or stolen, confidential information is at risk of getting into the wrong hands.

However, says Sybase SA's iAnywhere manager, Gerard Sofianos, there are plenty of tools available to make this problem go away. One example is a "kill operation" - when the device is mislaid, a "kill" command is sent to the device to immediately wipe all data off the device.

Many of the problems relating to multiple channels of access can be sorted out using a good identity and access management strategy. "It is crucial that enterprise security monitors acknowledge and authorise each user's right to access specific platforms and applications," says Kelvin Adams, Global Security Solutions country manager of Computer Sciences Corporation.

Developers' revenge

Another risk lurking within the walls of many companies is that posed by applications and application developers. "Systems and software applications can be developed in such a way that features are built in to enable someone to steal millions of rand from company accounts or destroy applications without leaving a trace," says Catherine de Klerk, a software development consultant of Compuware.

"Fraudulent application developers can insert lines of code that remain dormant for several years. When or if they leave the company, the code may become active. Most businesses do not have the controls or processes in place to protect against criminals who have the technical knowledge to insert fraudulent code into IT systems," says De Klerk.
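The dormant code De Klerk describes usually has a recognisable shape: a branch that compares the clock against a hard-coded future date and does nothing until then. That shape can be looked for mechanically during code review. The scanner below is an added illustration, not code from the article or from Compuware; the two source snippets it inspects are constructed for the example, the account identifier in them is invented, and the scan deliberately covers only this one trigger shape (a literal `date(...)`/`datetime(...)` compared with `today()`, `now()`, `utcnow()` or `time()`).

```python
"""Flag date-triggered dormant branches in Python source with a small AST scan.

Added example, not from the article or Compuware. The inspected snippets are
constructed; the scanner recognises one trigger shape only and is a review
aid, not a complete defence against a developer who knows it is there.
"""
import ast

# Constructed snippet of the kind a reviewer should question: a settlement routine
# whose branch is inert until a hard-coded date, then reroutes the payee.
SUSPECT_SOURCE = '''
from datetime import date

def settle(invoice, accounts):
    if date.today() >= date(2008, 1, 1):
        accounts["payee"] = "ZA-PRIVATE-9931"   # invented identifier; silently rerouted after the trigger date
    accounts["amount"] = invoice["amount"]
    return accounts
'''

# Constructed routine with a legitimate date comparison (no literal trigger date).
CLEAN_SOURCE = '''
from datetime import date

def settle(invoice, accounts):
    if invoice["due"] < date.today():
        accounts["late_fee"] = 0.05 * invoice["amount"]
    accounts["amount"] = invoice["amount"]
    return accounts
'''


def _is_literal_date(node):
    """date(2008, 1, 1) / datetime(...) built entirely from constant arguments."""
    if not isinstance(node, ast.Call):
        return False
    if isinstance(node.func, ast.Name):
        name = node.func.id
    elif isinstance(node.func, ast.Attribute):
        name = node.func.attr
    else:
        return False
    return (name in ("date", "datetime")
            and bool(node.args)
            and all(isinstance(a, ast.Constant) for a in node.args))


def _is_clock_read(node):
    """date.today(), datetime.now(), datetime.utcnow(), time.time()."""
    return (isinstance(node, ast.Call)
            and isinstance(node.func, ast.Attribute)
            and node.func.attr in ("today", "now", "utcnow", "time"))


def find_time_triggers(source):
    """Line numbers of `if` statements that compare the clock with a literal date."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.If):
            continue
        # Walk the whole condition so `and`/`or` combinations are covered too.
        for sub in ast.walk(node.test):
            if isinstance(sub, ast.Compare):
                sides = [sub.left, *sub.comparators]
                if any(_is_literal_date(s) for s in sides) and any(_is_clock_read(s) for s in sides):
                    hits.append(node.lineno)
                    break
    return hits


if __name__ == "__main__":
    for label, src in (("suspect", SUSPECT_SOURCE), ("clean", CLEAN_SOURCE)):
        print(label, "->", find_time_triggers(src))
```

A hit is a question for the reviewer, not a verdict: licence expiry checks and scheduled cut-overs look identical. The control that actually closes the gap is the one De Klerk implies is missing, namely that no single developer can both write and release code touching payments; the scan only makes the review cheaper.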

Possibly the biggest security risk remains people - or, as the security gurus like to say, social engineering. It's all about the manipulation of people rather than electronic systems in a security attack - and can completely circumvent all existing security measures.

"The cleaning and maintenance staff has access to your entire organisation overnight. Receptionists give out names and extensions. It's still all too easy," says Symantec's Van Niekerk.

Ultimately, says Healy, the most effective way for organisations to protect themselves is to move their attention away from both the perimeter and internal threats.

While this sounds illogical, the simple truth is that an attack is an attack, regardless of where it originates. Organisations must start with protecting their IT assets from the ground up, from every threat - identified or potential. This is the theory of the disappearing perimeter - to start with the application and work outwards.

Optimising IT

Armand Smit, product manager at Sun Microsystems, says it is important that security is seen within the context of optimising the value of IT, Sarbanes-Oxley legislation and other business initiatives. "One has to map compliance and controls to a broader common framework, which views and measures IT`s alignment and contribution to the overall business strategy," he says.

So who's in charge of enforcing security policy at an organisation?

Elzette de Ridder, security product specialist at Drive Control Corporation, echoes the feelings of many commentators.

She says security policies should be driven from the top, as it is the MD or CEO who bears the ultimate responsibility for ensuring security policies are enforced. "But every single employee should be aware of security requirements and be held accountable for acting within the parameters of these policy requirements."

Unfortunately, says Healy, there is no silver bullet to put an end to insider threats. Human nature being what it is, there will always be dissatisfied or mercenary employees looking to take advantage of security gaps.

"The key is to plug as many of these gaps as possible - often before the gaps appear, and here, at the water cooler, is where ESM software, together with best practice policies, has a clear role to play," says Healy.
