Guarding Against the Inside Job (Part 1 of 2)

“You are only as strong as your weakest link”

It is becoming clear that the weakest link in most companies’ information security defenses is the people who work inside the company. The company must identify the most likely risks those people face, train them to minimize those risks, develop policies to protect against those risks, and implement systems that monitor whether those people actually adhere to their training and policies, and that catch them when they are up to mischief.

In this, the year of the data breach, protecting the company against attack is more important than ever. Many think of this primarily as putting technological barriers around the company’s computer systems. But what many do not realize is that, no matter how effective the technology may be in theory, in practice it is only as good as the people in the organization who work within its confines.

Much of the commentary about information security discusses the integral role people play in company security breaches, not just internal breaches but external breaches as well. That is, the easiest way for a hacker to penetrate a company’s defenses is for an insider to invite him in, either knowingly or unknowingly, and that is exactly what happens in many cases. This means there are at least three types of security breaches:

Insider Intentional — “the inside job”

Insider Unintentional — “idiocy” inviting outsider

Outsider Direct Attack

So much attention has been paid to the third, the outsider direct attack, that I do not intend to address it here. In this post, Part 1 of 2, I focus on the first, the Inside Job. In my next post I will focus on the Idiocy Inviting Outsider type of breach.

The Inside Job

In a very insightful article entitled Understanding the Insider Threat, Omar Santos (@santosomar) gives a thorough explanation of the nature of, and the harm caused by, insiders who knowingly exploit their employers’ computer systems. The statistics are surprising and show that insider mischief is a substantial problem. While the number of outside attacks overwhelmingly exceeds the number of inside attacks, the damage done is far different, according to Santos:

If you count damages, insider attacks often are far worse. They are more extensive and go undetected longer. It is all about the attack surface and how well you understand the level of exposure (internally and externally). The problem sometimes is not technical, but organizational. In other words, sometimes people tend to focus on building a fort that protects them from outsider threats (using the best security technologies and processes in their Internet edge), but then fail to implement the same level of protection internally and develop processes and procedures to audit and assess their internal network.

Clearly, based upon the weak links that Santos describes, companies need to focus on beefing up their technology to detect these types of internal breaches — the inside jobs.

Published by Shawn E. Tuma

Shawn Tuma is an attorney who is internationally recognized in cybersecurity, computer fraud and data privacy law, areas in which he has practiced for nearly two decades. He is a Partner at Spencer Fane, LLP where he regularly serves as outside cybersecurity and privacy counsel to a wide range of companies from small to midsized businesses to Fortune 100 enterprises. You can reach Shawn by telephone at 972.324.0317 or email him at stuma@spencerfane.com.

3 Comments

  1. From my own experience, a rapid-growth company is most at risk. When I first started working for the credit card company that was a little branch of Sears, with a grand total of 80 workers, security was non-existent. We, as programmers, could directly access cardholder information, including updating credit limits and adding both account credits and debits. As the company grew, more security was added, but no one went back to “dis-allow” us support personnel from directly accessing data. Even when we had been bought by Citicorp, it took over a year to shut down the support team’s access. If any of us had wanted to sell cardholder data, it would have been simple, and we could have even sabotaged data.
    “Legacy systems” are always a pain, in far more ways than just security! 😀
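The post calls for systems that catch insiders acting outside their role, and the comment above describes the classic failure: support and development staff who kept the ability to update credit limits and post ledger entries long after their job no longer required it. The following is an added example, written for this page and not code from the post, from Omar Santos, or from the commenter's former employer. It shows the two checks an internal audit would run: a grant-level review that flags entitlements a user holds beyond what their role allows (the preventive check the commenter's company never ran), and an event-level check over an audit log that flags actions a user's role does not permit (the detective check that catches the inside job after the fact). The role matrix, staff directory, granted entitlements and tab-separated audit lines are all constructed for the example; the `account.read`, `credit_limit.update` and `ledger.post` action names are hypothetical.

```python
"""Role-based access review: excess entitlements and out-of-role actions.

All data below is constructed for illustration; the role matrix, staff
directory, grants and audit lines do not come from any real system.
"""

# What each job role is supposed to be able to do (hypothetical).
ROLE_PERMISSIONS = {
    "support": {"account.read"},
    "credit_ops": {"account.read", "credit_limit.update", "ledger.post"},
    "developer": {"deploy.release", "logs.read"},
}

# Who holds which role (constructed staff directory).
STAFF = {
    "alice": "support",
    "bob": "developer",
    "carol": "credit_ops",
}

# What the system actually lets each user do today (constructed). Bob's
# credit and ledger rights are the "legacy" grants nobody revoked.
GRANTS = {
    "alice": {"account.read"},
    "bob": {"deploy.release", "logs.read", "credit_limit.update", "ledger.post"},
    "carol": {"account.read", "credit_limit.update", "ledger.post"},
}

# Constructed audit log: timestamp, user, action, target, tab-separated.
AUDIT_LOG = """\
2024-05-01T09:01:12Z\talice\taccount.read\t4111-****-****-1234
2024-05-01T09:03:40Z\tbob\tdeploy.release\tbilling-service:1.4.2
2024-05-01T09:05:02Z\tbob\tcredit_limit.update\t4111-****-****-1234
2024-05-01T09:06:55Z\tcarol\tcredit_limit.update\t5500-****-****-9876
2024-05-01T22:14:07Z\tbob\tledger.post\t4111-****-****-1234
2024-05-01T22:15:30Z\talice\taccount.read\t5500-****-****-9876
"""


def parse_log(text):
    """Turn the tab-separated audit text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, target = line.split("\t")
        events.append({"ts": ts, "user": user, "action": action, "target": target})
    return events


def find_excess_grants(grants, staff=STAFF, roles=ROLE_PERMISSIONS):
    """Preventive check: entitlements a user holds that their role does not allow.

    Returns {user: set_of_extra_permissions} for every user with excess grants.
    A user not in the staff directory is treated as having no role, so every
    grant they hold is excess (an orphaned account is itself a finding).
    """
    excess = {}
    for user, held in grants.items():
        allowed = roles.get(staff.get(user), set())
        extra = set(held) - allowed
        if extra:
            excess[user] = extra
    return excess


def find_out_of_role_actions(events, staff=STAFF, roles=ROLE_PERMISSIONS):
    """Detective check: logged actions that the actor's role does not permit.

    This fires even when the system allowed the action, because it compares
    against the role matrix rather than against the grants the system holds.
    """
    findings = []
    for ev in events:
        allowed = roles.get(staff.get(ev["user"]), set())
        if ev["action"] not in allowed:
            findings.append(ev)
    return findings


if __name__ == "__main__":
    for user, extra in find_excess_grants(GRANTS).items():
        print(f"excess grants for {user}: {sorted(extra)}")
    for ev in find_out_of_role_actions(parse_log(AUDIT_LOG)):
        print(f"out-of-role action: {ev['ts']} {ev['user']} {ev['action']} {ev['target']}")
```

Run stand-alone, the grant review reports Bob's two legacy entitlements, and the log review flags the two events where he used them. The point of comparing both against the role matrix rather than against what the system currently permits is that the permission tables are exactly the thing the commenter describes as stale; a check that trusts them would have reported nothing.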
