Wednesday, June 01, 2005
Companies Face System Attacks From Inside, Too
Each year, companies invest billions of dollars to protect their computer systems from virus intrusions and hackers from the outside.
But another problem can render many of those defenses useless: internal abuse from employees, contractors and others with legitimate system access. A January survey from Mazu Networks, a network security firm in Cambridge, Mass., found that 23% of 229 U.S. organizations with more than 1,000 employees had at least one internal security breach in 2004, while another 27% didn't know whether or not their networks had ever been compromised -- from inside or outside.
In February, a former Time Warner Inc. employee pleaded guilty to federal charges that he conspired to steal 92 million user names and passwords from its subscriber list and sold them to a spammer for $28,000.
Last month, eight former employees of Bank of America Corp., Wachovia Corp. and other major banks were arrested in New Jersey for illegally selling account information of an estimated 500,000 customers for $10 a name. The buyer subsequently sold the information to law firms and collection agencies, according to police in Hackensack, N.J., who are investigating the theft ring.
The bank scheme is believed to be the biggest security breach to hit the banking industry, although there is no evidence any of the information has been used for further criminal activity such as identity theft.
Experts say the breach could have been avoided if the banks had detected abnormal activities on their computer systems early on. The employees involved would typically have accessed 30 to 40 customer records in a normal business day, according to police. As the theft occurred, the employees were sometimes accessing 300 to 400 customer records a day -- an anomaly that could have been spotted had the right protections been in place.
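The volume anomaly described above can be checked per employee against that employee's own history. The following is an added example, not part of the original article or any bank's system; the log format, employee names, sample data and thresholds are all assumptions made for illustration.

```python
from collections import defaultdict
from statistics import median

def sample_log():
    """Constructed log lines ('date employee customer_id'), not real data."""
    volumes = {"teller_a": [32, 38, 35, 30, 40, 36, 33, 350],
               "teller_b": [31, 39, 34, 37, 30, 40, 35, 38]}
    lines = []
    for emp, per_day in volumes.items():
        for i, n in enumerate(per_day, start=1):
            day = f"2005-04-{i:02d}"
            lines += [f"{day} {emp} cust{i}_{c}" for c in range(n)]
            lines.append(f"{day} {emp} cust{i}_0")  # repeat view of one record
    return lines

def daily_counts(lines):
    """Distinct customer records per employee per day."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of crashing the job
        day, emp, cust = parts
        seen[emp][day].add(cust)
    return {e: {d: len(c) for d, c in days.items()} for e, days in seen.items()}

def flag_anomalies(counts, min_history=5, factor=3.0):
    """Flag days far above the employee's own trailing baseline.

    Thresholds are assumptions: more than factor x the median, and more
    than median + 6 x MAD (median absolute deviation)."""
    alerts = []
    for emp, days in sorted(counts.items()):
        history = []
        for day in sorted(days):  # ISO dates sort chronologically
            n = days[day]
            if len(history) >= min_history:
                base = median(history)
                mad = median(abs(x - base) for x in history)
                if n > max(factor * base, base + 6 * mad):
                    alerts.append((emp, day, n, base))
                    continue  # keep the outlier out of the baseline
            history.append(n)
    return alerts

if __name__ == "__main__":
    for emp, day, n, base in flag_anomalies(daily_counts(sample_log())):
        print(f"{day} {emp}: {n} records viewed, baseline {base}")
```

Counting distinct records rather than raw events keeps repeat views of one customer from inflating the total, and excluding flagged days from the history stops a sustained theft from gradually raising its own baseline.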
Spokespersons for both banks said employees are only given access to information they need to provide service to customers. Neither would verify the number of accounts the associates are authorized to access in a normal business day. They also declined to discuss specific security procedures, saying it would compromise their effectiveness.
The incidence of such internal snafus is rising. In a survey of 600 companies in North America and Western Europe, Yankee Group found that in 2004, 50% of security problems originated from internal sources, up from 30% in 2003. "The trend has been moving away from external threat to internal threat," says Yankee Group analyst James Slaby.
Yet awareness of internal threats -- and willingness to spend money to guard against them -- still is much lower than that for better-known external threats. Of the $12 billion spent on security products worldwide in 2003, $8 billion was spent on enhancing perimeter security -- such as firewalls and intrusion detection systems -- to keep outsiders at bay. Only about $1 billion was spent on enhancing network capability to monitor and prevent threats posed by insiders, according to Enterprise Strategy Group.
Corporate information and data are vulnerable to inside attacks in numerous ways. In addition to ill-intentioned employees, external contractors and outsourcing partners have access to information systems. Trouble can happen inside a company's walls, right under managers' noses, or remotely -- say, if an employee logs on from home or a coffee shop. Breaches can be deliberate or accidental. Some threats can come from authorized users who unwittingly spread viruses and worms via their infected laptop computers.
Take advertising company ADVO Inc., which in January had part of its computer system attacked when an external contractor plugged his laptop into its network. Half an hour later, the company's security monitoring system detected abnormal traffic patterns in the server system of a production branch in California and 40 PCs in its Connecticut headquarters.
The accidental attack didn't cause any real monetary damage, but it took three network security engineers a whole day to clean up and repair the infected server and PCs.
This happened after ADVO invested more than $1 million in its network security to guard against threats -- from outside as well as inside. "No one is immune to this once you are connected to the Internet," says Phil McMurray, information-technology security director of the company, based in Windsor, Conn. Bank of America says it invests about $250 million a year in information security technology, personnel and assessment.
Security glitches can cause huge losses not only because they can paralyze the entire computer system, halting business operations, but also because some hackers are creating them with the intent of stealing confidential information from a compromised computer. Once a computer is attacked, information such as email addresses, passwords, proprietary data and financial information may be accessed, disclosed or altered without authorization.
As more companies realize that high-risk, high-success-rate attacks often come from people who have inside knowledge of the system, they have started using security products to protect their systems from the inside. Often, they are surprised by what their employees are doing with corporate resources.
After deploying a product to detect abnormal computer behavior, a large public insurance company in the Midwest found a few employees running an illegal gambling Web site on computers hidden beneath the floor of its data center, says Paul Brady, chief executive of Mazu Networks in Cambridge, Mass.
A New Jersey utilities company with operations both in the U.S. and Canada found an employee siphoning confidential data from a corporate hard drive to a portable hard drive, says Tom Schuster, president of Arbor Networks in Lexington, Mass.
Analysts expect big security companies to make a big push into the internal security market through acquisitions in the next two years. Symantec invested $1 million in Mazu last November, while Cisco Systems Inc. was an original investor in Arbor Networks.
Company executives and analysts say the best defense may be as simple as training about the problem. "I do believe that an uneducated work force can create risks," says Kim Jones, director of information technology security at eFunds, a Scottsdale, Ariz., company that handles online funds transactions for financial institutions. "Even the most conscientious employees can bring in worms unintentionally." The company hasn't reported any internal security problems.
A new technology called endpoint security policy enforcement may be able to make security executives' lives a little bit easier.
The technology, being pioneered by such companies as Cisco Systems Inc. and Microsoft Corp., automatically enforces corporate security policies on both internal and external computers. Any laptop that doesn't have the most updated personal firewall software will have only limited access to the network and will be cleaned up and inoculated before it is granted access to the whole network.
It acts like a bouncer at a club, says Mr. Slaby of Yankee Group. "The idea is that sloppily dressed users will not be allowed into the club."
posted by Brian Moran @ 8:55 AM