Companies have expensive firewalls to protect their IT systems against external attack. But most damage comes from insiders - and they're already inside the firewall. Neil Campbell reports.
Firewalls are software devices that monitor all digital `traffic' at the entry and exit points of an organisation's information technology network. They sit between the company's IT system and the outside world. You can program firewalls to block certain types of traffic. That way, you are, you hope, protecting your system against attack. You can also use other techniques - encryption, digital signatures - to fend off outside attack. But the biggest threat to your system is likely to be someone sitting inside your offices - inside the firewall.
A well-placed insider is the simplest and most effective means of accessing information, or causing damage. Insiders render nearly all security safeguards redundant. The risk from uncontrolled insiders multiplies in an age where companies' reliance on information technology, global networks, e-mail and the Internet is increasing exponentially.
Companies have grown increasingly dependent on complex information systems, and on the individuals who design, maintain and operate them. More and more data of critical importance is being placed on corporate computers and global computer networks.
As a result, companies have become increasingly susceptible to computer crime and security attacks - the rise of the `rogue insider'.
Who are the rogue insiders?
Rogue insiders are typically computer operators, programmers, network engineers and system administrators. They will often have detailed knowledge of the company's IT system. They possess the necessary computing skills, and are charged with a significant level of `trust'. They can cause untold disruption:
Compromised companies tend to deal with insider issues with minimal fuss, in the hope that they can avoid adverse publicity.
How they escape detection ...
Until the recent dot.com lay-offs, there had been extreme pressure to recruit the top IT professionals. If you find the `ideal' candidate, you may override or ignore standard security processes. People recruited into the key `at-risk' roles need to be checked out thoroughly.
There's also the increasing unwillingness of companies to provide full and informative references - often because of legal concerns. And because the culture is to keep quiet about rogue insiders rather than prosecute them, repeat offenders can move - with an apparently clean record - from job to job.
... and what are they like?
Research into the psychological profile of rogue insiders highlights a number of risk factors
So before letting people loose on your IT system, it's sensible to see how many risk factors they carry, and, of course, you need tight and monitored internal controls.
Don't forget that rogue insiders can easily be casual or temporary workers: so don't limit precautions to people on the permanent staff.
Safeguards within the firewall
Large corporations can dedicate staff to develop internal security policies. The bulk of small to medium-sized companies, however, can only react to actual breaches of security.
Experts claim that companies are only spending 1-3 per cent of their information technology budgets to avert insider hacking. Many security software providers and consultants continue to over-emphasise defence against external intruders.
Technological safeguards
Companies have been slow to recognise the difference between access control, where a firewall limits access to legitimate users, and intrusion control, which protects your system against attacks from users inside the firewall.
However, there is now increasing interest in Intrusion Detection Systems.
These systems monitor and record what is occurring inside the network. They identify patterns of use, anomalies in usage, attempts to stray beyond normal limits of authority. When something out of the ordinary is detected, an automatic warning goes to security personnel.
Intrusion Detection Systems are the last line of defence. They enable you to observe an insider's actions, to scrutinize an insider's attempts to gather information about your network, to detect intrusion attempts and to terminate a user connection if necessary.
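To make the monitoring described above concrete, here is a small added example (not from the original article or any product) that learns each user's normal hours from earlier audit records, then flags later activity that falls outside those hours or outside the user's limits of authority. The log format, user names, paths, cutoff date and two-hour slack are all assumptions made for illustration.

```python
from datetime import datetime

# Constructed audit records (timestamp, user, action, resource); not real data.
SAMPLE_LOG = """\
2000-09-04T09:12:00 alice read /projects/billing/report.txt
2000-09-05T10:40:00 alice write /projects/billing/q3.xls
2000-09-05T14:05:00 bob read /ops/switch/config
2000-09-07T02:47:00 alice read /projects/billing/q3.xls
2000-09-07T11:20:00 alice read /hr/payroll/salaries.xls
2000-09-07T15:10:00 bob read /ops/switch/config
"""

# Assumed limits of authority: path prefixes each user's role may touch.
AUTHORISED = {"alice": ("/projects/billing/",), "bob": ("/ops/switch/",)}
CUTOFF = datetime(2000, 9, 7)  # earlier events train the baseline, later ones are checked

def parse(log):
    """Turn each non-empty line into (datetime, user, action, resource)."""
    events = []
    for line in log.splitlines():
        if line.strip():
            ts, user, action, resource = line.split(maxsplit=3)
            events.append((datetime.fromisoformat(ts), user, action, resource))
    return events

def hour_gap(hour, usual_hours):
    """Smallest distance on a 24-hour clock between hour and any usual hour."""
    return min(min(abs(hour - h), 24 - abs(hour - h)) for h in usual_hours)

def detect(log, authorised=AUTHORISED, cutoff=CUTOFF, slack=2):
    """Return (timestamp, user, reason, resource) alerts for events after cutoff."""
    events = parse(log)
    usual = {}  # user -> hours of day seen during the baseline period
    for ts, user, _, _ in events:
        if ts < cutoff:
            usual.setdefault(user, set()).add(ts.hour)
    alerts = []
    for ts, user, _, resource in events:
        if ts < cutoff:
            continue
        # Attempt to stray beyond the user's normal limits of authority.
        if not resource.startswith(authorised.get(user, ())):
            alerts.append((ts.isoformat(), user, "outside-authority", resource))
        # Anomaly in usage: activity far from the hours this user normally works.
        if user in usual and hour_gap(ts.hour, usual[user]) > slack:
            alerts.append((ts.isoformat(), user, "unusual-hour", resource))
    return alerts
```

Calling `detect(SAMPLE_LOG)` returns the list of alerts that would be passed to security personnel; a user with no entry in `AUTHORISED` is treated as having no authority at all.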
Other safeguards
In addition to Intrusion Detection Systems, what other technological safeguards should you be building into your protocols?
Merely addressing and putting in place technological safeguards cannot fully resolve the insider hacking issue. Insiders are also a human resource concern. Your company can be held liable for illegal acts committed by employees unless you have a well-defined and supported code of ethics. Your human resource department should consider incorporating the following procedures into everyday practice:
Only by adopting such an approach to computer systems security, applying both technological and human resource factors, can an organisation adequately protect itself from the threat of external hackers and the more serious threat posed by insiders.
Case study
Elite Web Hosting, Orlando, September 2000
The roof caved in for Elite Web Hosting in September 2000. A former employee is alleged to have entered the company's computer system without authorisation.
He is alleged to have sent an e-mail to all Elite's customers, containing offensive language, and saying that Elite was developing a Web porn business. Furthermore, the e-mail claimed that Elite's owner had been siphoning company funds for personal use.
Immediately, thirty steady customers took their business elsewhere, ripping a hole in Elite's cash flow. The company folded shortly afterwards.
Regional headquarters of an international energy company
A management information systems contractor shut down the UNIX-based telephonic switching system for the complex. Subsequent investigation uncovered that the contractor had been told of the termination of their contract the previous week. Furthermore, they had two previous felony convictions.