Dealing With Internal Security Threats
Q: How easily could a nontechnical internal employee hack my company's network?
A: With all the recent press regarding the sharp rise in Internet-based external threats, is it any wonder that internal threats continue to be overlooked? Many companies today continue to focus the majority of their budgets and effort on "external" penetration and denial of service (DOS) risks. Regardless of the source, you will consistently find that internal security breaches continue to lead to external breaches by a significant majority. In fact, the risk of internal attacks is very likely to rise in the coming year due to the growth, sophistication and ease of use of hacking tools available online.
For years, security professionals have commonly communicated the vulnerabilities of operating systems and network services--such as Web, e-mail, ftp and telnet--to the public in many forms. In order for would-be hackers or disgruntled employees to take advantage of these published vulnerabilities, they'd have to create application code or scripts after studying the notes of a select group of experts who originally discovered and documented the vulnerability. Taking advantage of these security holes would require a level of knowledge beyond that of many common IT administrators and the majority of nontechnical individuals. Hence, the most common threats from nontechnical internal employees have mostly been limited to a matter of improperly managed permissions, weak authentication and other administrative-level issues.
Over the past year, the number of precoded exploit applications has been on the rise. The more sophisticated hackers are now writing and publishing applications that nontechnical individuals can use on UNIX or Windows PCs. These exploit applications can scan internal networks for vulnerable servers and then perform a specific exploit against the selected target.
The most common type of attack used by these new applications is DOS attacks that crash production servers with little or no way to track the source of the problem. Crashing a server is a significant issue since it not only affects productivity, but can also corrupt data, causing integrity issues. The need is apparent for constant attention to security patches and fixes as well as internal auditing and/or intrusion detection systems.
Internal auditing is one critical aspect of a security plan that can reduce the risk associated with these new attack tools. However, many internal-auditing projects, if they are being done at all, focus on high-level policy issues like weak passwords, directory and file permissions, and disaster-recovery procedures. Often, it is only the external audits that commonly test for the actual operating system and network service vulnerabilities being exploited by this new age of hacking tools. It is vital that the IT managers evaluating security-auditing vendors be sure that internal-auditing vendors provide a comprehensive analysis of the operating system and application vulnerabilities. Without this analysis, these new risks to business continuance and data integrity may go undetected until they directly affect the bottom line.
Many managers assume that nontechnical employees do not pose a significant risk to business continuance from an information security standpoint. Unfortunately, because of the easy access to more sophisticated exploit tools, that assumption is costing business today in terms of service outages and lost revenue. Know your risks and remediation requirements by performing an internal audit before your company becomes the next victim.
Michael Bruck is the founding partner of BAI Security, an 8-year-old information security consulting firm. Bruck leads his security team with a successful 16-year background in IT management and senior engineering positions. He is also the developer and author of best practices that are becoming standards in the information security consulting business. He can be reached via www.baisecurity.netor by e-mail at email@example.com.
The opinions expressed in this column are those of the author, not of Entrepreneur.com. All answers are intended to be general in nature, without regard to specific geographical areas or circumstances, and should only be relied upon after consulting an appropriate expert, such as an attorney or accountant.