The threat within

Forget the hackers – the real worry for organisations is their own careless or malicious users. Christopher Reynolds looks at some of the critical issues for enterprises to consider on internal security.

Published November 30, 2006

The landscape of internal security has undergone a change over the last few years. The proliferation of consumer technology, and the mounting technological awareness of its users, has increased the damage potential of a security breach, both in terms of the frequency of its occurrence and the magnitude of its scale.

Recent data from New York-based investment firm CSFB suggests annual worldwide losses attributed to IT security breaches are in excess of US$100 million; a report by the FBI this year placed intellectual property theft as the fourth highest threat against organisations; and a 2004 Gartner survey claimed that 70% of security managers believe their biggest threat comes from their own employees.

“There is now widespread knowledge of network technologies around the world, which means there are more people who have enough knowledge to penetrate them. Five or 10 years ago the number of people who were IT aware was quite limited, mobile devices were not quite as widespread, and there were no resources like the internet. So the problem is getting more complex and the solution is getting more complex,” says Patrick Hayati, regional managing director of McAfee.

In recent years malicious software, or malware, has been on the rise. Spyware, adware, key loggers and Trojans are all capable of causing a great deal of damage to a corporation’s business, and most of these are launched internally, deriving from applications brought in from the outside or from inappropriate internet activity by employees.

Unified threat management (UTM) has evolved massively to keep up with the diversity of these types of attacks. Vendors have incorporated a series of solutions into UTM software. Intrusion detection, anti-virus facilities, content filtering and email filtering allow the user to monitor all types of harmful network traffic, which are not revealed by conventional firewalls. This includes network attacks against vulnerable services, data driven attacks on applications, and host based attacks such as privilege escalation, unauthorised logins and access to sensitive files.

Inappropriate internet access not only escalates the problem of malware, it can also limit the productivity of workers and increase the risk of employees downloading illegal material on company systems. Recently, security software vendor Elitecore launched its UTM Cyberoam solution that, among other things, addresses the problems cultivated by the spread of broadband internet within organisations. This type of solution can monitor and identify the traffic on a network and specify who is accessing what.

“Administrators can then take instant action, isolating threat-generating systems, managing access to users who are using up bandwidth with non-essential surfing and allocating bandwidth to critical applications and users,” says Hadish Chib, Middle Eastern VP of marketing for Elitecore.

Although such solutions cost enterprises a substantial amount, once they are in place and kept updated they do largely eliminate the threat from internet-based attacks. Most IT security experts, such as Steve Ritchie, managing director for global technology at Investcorp, no longer view malware as a serious threat. “Malware is an issue for us,” says Ritchie. “It is something we should be aware of but we have never had a problem with it. We have very good virus protection and we have anti-spyware. The biggest problem with this is the drain on resources – we have to keep these things up-to-date – so it does require physical administration,” he says.

Despite this, Shushma Kajaria, business unit manager for Online Distribution, still believes that there is sufficient room in the market for better security solutions, arguing that while there are many solutions in the market, vendors do not tend to think long term. “There’s still a lot to do in the market with products like authentication, smart cards, tokens and intrusion detection. Also encryption is not full blown in this market, encryption vendors are not doing enough. In Saudi there are even some banks that are not thinking about LAN encryption,” she says.

Encryption is something vendors are beginning to address, since managing data traffic becomes more problematic for enterprises when employees frequently operate outside of a network’s physical perimeter; laptops, flash drives, PDAs and email have enabled the proliferation of ‘mobile workers’. Individuals can now, effectively, take their office with them, allowing mission critical work to be performed on the move.

However, companies are coming to the realisation that the more mobile data becomes, the more susceptible it is to infringement. The loss or theft of sensitive data can be disastrous as, for many organisations, business relies on the security of the customer’s information. The largest arena in which mobile devices can be compromised is the internal one, whether it be the disgruntled employee who copies company information to his USB device to give to his friend, the careless worker who leaves his laptop in the back of a taxi, or the individual who has his laptop compromised through a Wi-Fi hotspot. This is the kind of security breach that is a prime concern for companies such as Investcorp.

“The level of customer we are dealing with and the type of business we are doing means that, if our data is stolen or lost, then that kind of loss of faith, in terms of privacy, would kill us. I can lock the firewalls, lock down the perimeter of the building, take away access to USB devices, but if I am giving people access from home or laptops to carry around, which are essential to business, then that is a huge risk,” Ritchie says.

Enterprises in America, Western Europe and, most recently, Eastern Europe have had serious problems with data theft, though the practice has not really taken root in the GCC. A great many corporations within the region have been built up fairly rapidly from small family businesses, which has led to a culture of trust between employer and employee.

However, with the increase of liberalisation, most experts agree that it is only a matter of time before individuals become aware of just how lucrative the trade in corporate data can be, as David Michaux, CEO of Scanit, explains. “Firstly, people are very trusting and employees don’t have the mentality here to steal data in the first place. You have to remember that the markets here are not completely de-monopolised, there is no one really to sell the information to. But when you start to see competition in the market then you will start to see real value for the data which is coming in,” says Michaux.

Justin Doo, managing director of Trend Micro Middle East and North Africa, argues that, while data theft is not as prolific here as it is in other regions, companies cannot afford to be complacent: “I know for a fact that people have left organisations here and taken information with them and used it for their advantage,” he says. “That is data theft. You have always got people in this region who are looking to move jobs for a few hundred more dollars a year, and if by selling data is one way of doing it, and if that data is open and available to them, then someone is going to try to better themselves.”

As well as spending record amounts on security solutions, companies are also beginning to adopt international standards in order to better facilitate the implementation of solutions. However, according to Doo, one of the biggest problems facing Middle Eastern organisations is the lack of public comment and public example. He believes that this reluctance to disclose information on security costs and violations is limiting the awareness and prevention of critical security risks.

“It is very rare that you hear of a successful phishing attack in this region, rare that you hear of somebody compromising data from within, rare that you hear of one of the leading national banks being hacked. But we do know that it happens and it will continue to happen until there is sufficient awareness,” comments Doo.

As well as spreading awareness, another way to minimise the threat of data theft is to implement technological solutions, which can prevent company data from being accessed without the proper authorisation. Data encryption solutions can allow IT managers to run secure and encrypted connections across all of their networks. Furthermore, hard drive encryption can prevent information from being removed from a mobile device by an unauthorised user. Systems can now be configured to a level that controls the actual data and the structure, so it does not permit rogue administrators to gain network admittance through a back door in the network.

“We run secure and encrypted connections across all of the network links; any external access from a home user or a traveling user comes in through an SSL gateway. We then have encrypted links between certain other external vendors or external companies that we exchange sensitive email with on a regular basis,” says Ritchie.

Las Kelly, IT security manager for Emirates Group, has been careful to avoid setting policies which no-one reads. He believes that if companies invest in, and utilise, a variety of channels in order to distribute educational policy then the returns are significant: “Technology can assist in getting the message across but you still need to get to the personal aspect of that, you can’t just leave it to a technology to do a policy compliance or awareness. We use tools, we use videos, we use e-learning, we also use intranet and email, we use all those tools in combination with a direct message,” Kelly says.

Although the security solutions are present and the educational policies can be effectively managed, employers still have to ensure that the technical expertise is available to keep networks secure and up-to-date.

David Michaux sees this as a massive problem for the GCC, and Scanit has established its own recruitment service, bringing in IT security specialists from Brazil and Eastern Europe in order to fill the gap: “We have the policies, all the procedures, everything is in place, but companies do not have the technical expertise in-house to keep their security up to date. We don’t actually have the technical people in the region.”

Ritchie sees it as vital for organisations to have at least one individual in place who is solely responsible for IT security but, with more and more organisations establishing themselves in the Middle East, these individuals are becoming increasingly rare.

“It amazed me a year or so ago, I was speaking at a conference in Bahrain on IT security. I could see people’s eyes opening with every slide I put up and I realised that the general level of understanding here is pretty low. I think there are very few organisations out there that have got real good consultants on board to help people understand this and put policies in place,” he says.

Las Kelly says: “It is not a case of just buying boxes from vendors; you can buy boxes but if you don’t configure them properly they’re no good. The responsibility of security should be applied to everybody in the organisation.”
