Revealing Internal Threats to IT Security Processes


Virtually all security surveys indicate the greatest threat to the security of information assets comes from within the organization. Computer hardware engineers have developed technology that permits users and systems to transfer and save massive amounts of information quickly, easily, and cheaply. In many cases, there is no record (also called a logfile) that a copy or transfer has ever been made to the user's system or storage device, such as a flash memory device or CD-ROM. In just a few minutes, copies of an organization's payroll, customer or patient files, and core technology information assets can be made and taken out of the building. If an insider gains access to files through a network connection, the information could be downloaded to another computer 10,000 miles away.

How can potential internal threats be identified and nullified without implementing draconian access methods that reduce user productivity and decrease employee morale?

First, ensure a written policy is in place that details management expectations concerning the business and personal use of information systems and networks. One of the key points should prohibit the sharing of user passwords or authentication tokens between users. The policy should have formal penalties for misuse of the organization's systems and information assets.

Second, have all employees acknowledge they have received a copy of the policy; this can be done through e-mail or a Web-enabled data collection tool.

Third, for the most critical information assets and databases, have technical and security engineers activate system audit-logging capabilities so that the system itself records who logs onto critical information systems and databases, and for how long. This information should be compared against a list of users who absolutely must have access. All others should be removed from the access lists.

Fourth, as part of the network monitoring activities, security engineers should watch for unusually large file transfers inside the organization's firewalls. In many cases, large files are routinely transmitted on a standard schedule. Examples of these types of files include account records, financial files, supplier inventory records and digital images. The engineers can quickly identify the owners of most of these files and verify their legitimacy. All other files should be examined closely for transmission purpose, valid ownership and appropriate storage method. For example, a mainframe sending a 50-megabyte quarterly financial statement to the CFO's laptop computer on the last day of each quarter is a reasonable situation. However, a marketing computer sending a 100-megabyte file with customer account names and purchasing histories to a desktop computer at an employee's home office just one time in the past 10 years may warrant a second look.
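The third and fourth steps above, as an added example that is not from the book: constructed audit-log and file-transfer records (every host, user and size is made up) are run through the access-list comparison and the large-transfer review. The owner-verified routine list, the size threshold and the minimum number of sightings that make a transfer pair look scheduled are assumptions chosen for the example.

```python
from collections import Counter

# Constructed sample audit-log records: (user, system, minutes logged on)
LOGONS = [
    ("alice", "payroll-db", 45),
    ("bob", "payroll-db", 12),
    ("carol", "payroll-db", 300),
    ("alice", "patient-db", 20),
]
# Constructed list of users who absolutely must have access, per system
REQUIRED_ACCESS = {"payroll-db": {"alice", "bob"}, "patient-db": {"alice"}}

# Constructed transfer records: (source_host, destination_host, megabytes, date)
TRANSFERS = [
    ("mainframe", "cfo-laptop", 50, "2004-03-31"),
    ("mainframe", "cfo-laptop", 52, "2004-06-30"),
    ("erp", "warehouse-srv", 80, "2004-04-01"),
    ("erp", "warehouse-srv", 81, "2004-05-01"),
    ("erp", "warehouse-srv", 79, "2004-06-01"),
    ("marketing-ws", "home-desktop-17", 100, "2004-05-12"),
    ("marketing-ws", "home-desktop-17", 2, "2004-05-13"),
]
# (source, destination) pairs whose owners have already confirmed them as routine (constructed)
VERIFIED = {("mainframe", "cfo-laptop")}

def excess_access(logons, required):
    """Users seen in the audit log for a system but not on its must-have-access list."""
    extra = {}
    for user, system, _minutes in logons:
        if user not in required.get(system, set()):
            extra.setdefault(system, set()).add(user)
    return extra

def unusual_transfers(transfers, verified, threshold_mb=25, min_seen=3):
    """Large transfers whose (src, dst) pair is neither owner-verified nor recurring."""
    # Count only large transfers, so a handful of small ones cannot make a pair look routine
    seen = Counter((s, d) for s, d, mb, _date in transfers if mb >= threshold_mb)
    flagged = []
    for src, dst, mb, date in transfers:
        if mb < threshold_mb or (src, dst) in verified:
            continue  # small, or already verified as routine by its owner
        if seen[(src, dst)] < min_seen:  # one-off pair rather than a recurring schedule
            flagged.append((src, dst, mb, date))
    return flagged
```

The flagged list is the queue for the "second look"; once an owner confirms a pair, it moves into the verified set rather than being re-flagged every period.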

Although most information theft does occur internally, the vast majority of employees are honest and do their best to protect company information. Given the damage that just one security breach can have on an organization's reputation (such as TriWest Healthcare Alliance, Gehrke, 2003) and products (such as the posting of some of Microsoft's Windows 2000 and NT4.0 source code on the Internet in February 2004, Musgrove, 2004), it makes sense for senior managers and executives to limit the opportunity for theft to occur. Ensuring the right people have the correct access to the information they need to do their work, and then verifying unusual situations (which may be entirely legitimate), helps reduce the risk of unknown theft or misuse occurring.




Information Technology Security. Advice from Experts
ISBN: 1591402484
Year: 2004
Pages: 113