How to unearth the IT moles
The computer security industry has often paid scant attention to so-called “insider threats”. But that is starting to change as companies vie to offer services that protect their corporate clients from the loss of sensitive data at the hands of company employees.
Most big companies direct a substantial proportion of their information technology security budgets towards addressing “perimeter threats” such as computer viruses or worms.
ADVERTISEMENT
Now, a growing number of security experts say that a bumbling employee with a laptop full of sensitive data or a disgruntled contractor hell-bent on revenge poses a far greater danger to a company’s well being than a few malicious hackers.
“Insider threats exist because security technologies do not protect information,” explains Dennis Hoffman, vice-president of security at EMC, the world’s biggest maker of data storage equipment and software. “The vast majority of security products today protect infrastructure. They fundamentally protect gear.”
Whether the result of incompetence or malice, recent data breaches, including the loss of Veterans Administration laptops containing personal information about thousands of US servicemen, have underlined the risks organisations run when they fail to protect sensitive data.
Kevin Brown, vice-president of marketing at Decru, a security group bought last year by Network Appliance, an EMC rival, says that until recently, many companies have been reluctant to acknowledge the extent of the insider threat.
“It’s a lot easier to talk about the bad guys on the outside,” he says. Falling storage costs and new regulations have exacerbated the problem by dramatically increasing the amount of data that companies are required to store about their customers and transactions.
Meanwhile, Mr Brown says methods for securing that data have lagged behind. “Now you have terabytes and petabytes [of data] in these big centralised systems,” he says. “You have got all your eggs in one big basket.”
At the same time, trends like telecommuting have created new ways for information to escape, making the idea of a perimeter defence appear outdated. “The traditional idea of firewalls and marking the boundaries of the network is fading away slowly but surely,” says Tony Redmond, who heads security strategy at Hewlett-Packard, the IT group.
To help their customers adjust to this new reality, companies such as HP, EMC and Network Appliance are racing to deploy new services that help customers determine who gets access to what data, as well as services that can help establish whether a remote user is bona fide before they are granted access to a company’s inner sanctum.
Yet even the most stringent technical safeguards may fail to stop a determined insider from making off with sensitive data.
An employee with an axe to grind may try to circumvent data protection measures by pasting a portion of a document into a chat window. Another may print a copy and walk out of the door.
Oakley Networks, a Utah-based start-up, is one of several companies that have sprung up to combat insider threats by addressing the human side of the equation. “[Human] behaviour is a bigger problem than simply monitoring content on your network,” says Tom Bennett, Oakley head of marketing. “If someone is doing something that’s malicious or hostile, they’re going to try to cover their tracks. They’re going to be clever about it.”
By cutting and pasting text from a sensitive document into a chat window or web-based e-mail program, insiders can circumvent many traditional security safeguards, Mr Bennett says.
To combat this, Oakley offers software that allows companies to monitor employees’ computer use in real time. It checks for keywords in employee’s e-mail, chat windows and elsewhere that may point to sabotage, theft or even sexual harassment. It allows administrators to record and play back suspicious incidents.
Tena Friery, director of research at the Privacy Rights Clearinghouse, a non-profit privacy rights organisation, says companies that use such surveillance systems must walk a careful line when it comes to privacy laws.
US courts have traditionally sided with employers when it comes to worker surveillance. But with increasing numbers of people choosing to work from home, Ms Friery says maintaining the appropriate balance between a company’s right to protect itself and an employee’s right to privacy has become “a balancing act”.
“Employees have a low expectation of privacy when they go to work, and companies are doing more and more monitoring.” However, she says, “Today people often work long hours. They work from home and may access the employer’s network with their home equipment. That really creates a blur between off-time and work time that does raise a big privacy issue.”
The issue of employee monitoring is especially contentious in Europe, where privacy laws tend to favour employees. “Germany and France are very strict in terms of employee privacy,” says Mr Redmond at HP. “Most of the Fortune 500 are going to be operating in areas where they are going to have to comply with privacy regulations. Employee unions and work councils would have a big problem with this stuff in Europe.”
George Dew, a consultant with the Ackerman Group, a risk consultancy, says companies have long lagged behind the US government in training employees to handle sensitive information. “A lot of people don’t really realise what data loss can mean or how damaging it can be,” he says.
In order to stop insider threats at the door, many companies have stepped up efforts to conduct background checks on potential recruits. Increasingly, they are extending the practice to contractors and temporary workers, who may pose a greater risk because they lack deeper loyalty felt by most employees.
But Bill Daley, a consultant at Control Risks Group, says background checks are of limited value in combating insider threats from workers who hate their jobs. “When you have people who are trusted it’s very difficult to determine who the disgruntled ones are, because they look like you or me from the outside,” says the former FBI agent. “These are the most difficult cases because these are people who are trusted.”
Mr Dew, who also owns his own computer security business, says the human touch often gets overlooked when it comes to fighting insider threats. “If you have managers who are good listeners, who have a good sense of how their employees feel, then you can quickly judge when an employee is not happy,” he says. But he adds that such activities are rarely a priority in the private sector, where the emphasis is on the bottom line.
Corporate IT chiefs would do well to marshal their defences against insider threats, he concludes, even if it does not result in kudos from above. “As an IT executive, you don’t get any pats on the back when you do the security thing but if something blows up in your face, you get hung.”
SEVEN STRAINS OF INSIDER THREAT
■Curiosity. A curious employee may try to hack into restricted areas to have a look around or to install spyware
■Protest. Insiders with an agenda may use their access to company networks to blow the whistle on bad practices or take their story to the media
■Lost productivity. Every minute workers spend watching porn or hunting for a new job on the company network costs shareholders money
■Hostile work environment. Unseemly characters can abuse computer systems by using them to intimidate or harass their fellow employees through racism or sexual harassment
■Revenge. Disgruntled workers may try to sabotage a corporate IT system from the inside
■Malfeasance. Employees can use company networks to commit crimes such as identity theft or industrial espionage or to collude with vendors
■Erroneous disclosure. Ignorance of proper procedures for handling data or technical errors may mean sensitive data is accidentally lost
黑客易挡 “家贼”难防
电
脑安全行业过去往往不太关注所谓“内部威胁”(insider threat),但这种情况已开始改变,一些公司开始竞相提供相关服务,帮助企业客户防止敏感数据在员工手上遭受损害。
过去,多数大公司都将大部分信息科技安全预算用在应对“外部威胁”(perimeter threat)方面,例如电脑蠕虫病毒等。
如今,越来越多的电脑安全专家表示,一位笨手笨脚的员工提着装满敏感数据的笔记本电脑,或是请来一个心怀不满、执意报复的承包人,它们对企业所构成的威胁要远远超过几个不怀好意的黑客。
“内部威胁之所以存在,原因是安全技术不能保护信息,” EMC副总裁丹尼斯?霍夫曼(Dennis Hoffman)解释道,“如今,绝大多数安全产品保护的是基础设施。从根本上来说,它们保护的是设备。”EMC是全球最大的数据存储设备和软件制造商。
最近发生了一系列数据丢失事件,比如美国退伍军人事务部(Veterans Administration)丢失了存有大量退伍军人个人信息的手提电脑。不管是当事人失职,还是有人蓄意制造,这些事件均突显出,公司若不能保护敏感数据,将会面临巨大风险。
安全集团Decru的营销副总裁凯文?布朗(Kevin Brown)表示,直到最近,许多公司还一直不愿承认内部威胁的严重程度。Decru去年被EMC 竞争对手Network Appliance收购。
他表示:“讨论外部的坏人要容易的多。”存储成本下降和新规定的出台,令公司需要存储的客户及交易信息、数据大幅增加,更是加剧了这一问题的严重性。
但在此期间,布朗表示,保护这些数据的方法却未能同步跟上。“如今,你把海量的数据都存放在那些大型中央数据系统中,就如同把所有的鸡蛋都放在了一个大篮子里。”
同时,远程办公等新兴趋势带来了新的信息泄露途径,这让“提防外贼”的观点显得有些过时。惠普公司(HP)安全战略部门主管托尼?雷德蒙(Tony Redmond)表示:“防火墙和划分网络界线的传统观点正在消失,虽然缓慢,但趋势很明显。”
为了帮助客户适应这种新情况,惠普、EMC和Network Appliance等公司正竞相开展新的服务,帮助客户确定何人可以获取何种数据,以及在远程用户进入一家公司的内部网络之前,帮助客户确定该用户是否怀有恶意。
然而,即使是最严格的技术保护,也可能无法阻止一个蓄意盗取数据的内部人士偷走敏感数据。
别有用心的员工可能会将文件的一部分粘贴到聊天窗口,以绕开数据保护措施。另一个员工则可能直接打印出一份文件,然后带出办公室。
总部位于美国犹他州的初创企业Oakley Networks等公司选择从人的方面入手,以求解决内部威胁问题。“相比于仅仅监控网络上的内容,(人的)行为是一个更大的问题,”Oakley的市场营销主管汤姆?班尼特(Tom Bennett)表示,“如果某人正在做一件不怀好意的事情,他们会努力掩盖其行为。他们会表现得很聪明。”
班尼特表示,通过把敏感文件内容剪切粘贴到聊天窗口或基于网页的电子邮件程序,内部人士能够绕过许多传统的安全防范措施。
为了解决这一问题,Oakley提供了能让企业实时监视雇员电脑使用情况的软件。这个软件可以检查雇员的电子邮件、聊天窗口和其它程序,检索可能与破坏、盗窃甚至性骚扰有关的关键字。有了它,管理者可以记录可疑事件并进行回放。
非赢利隐私权组织Privacy Rights Clearinghouse的研究主管特纳?弗列里(Tena Friery)表示,由于涉及隐私法,企业使用这种监控系统时必须非常小心。
在监控雇员的问题上,美国法庭通常会站在雇员一边。不过,弗列里表示,随着越来越多的人选择在家工作,在公司自我保护的权利与雇员的隐私权之间保持合理平衡,已经变成一件“平衡艺术”。
“雇员在上班时,对隐私权问题没有太高期望,而企业也正越来越多地进行监控。”然而,她表示,“如今,人们经常工作很长时间。他们会在家里工作,可能用他们的家用设备进入公司的网络。这确实模糊了休息时间和工作时间的界限,带来了严重的隐私权问题。”
雇员监视问题在欧洲特别富有争议,在那里,隐私法往往倾向于保护雇员。“德国和法国在雇员隐私方面的规定非常严格,”惠普公司的雷德蒙表示,“多数财富500强企业(Fortune 500)将面临一个问题,即必须遵守它们业务所在地区的隐私权法规。在欧洲,工会和职工监事委员会将会带来大麻烦。”
美国风险咨询机构Ackerman Group的顾问乔治?迪尤(George Dew)表示,在培训雇员如何处理敏感信息方面,企业一直落后于美国政府。他表示:“许多人并没有真正意识到数据丢失意味着什么、可能带来多大损失。”
为了防范内部威胁,许多企业已开始加大努力,对可能招募的新人进行背景调查。它们也逐渐将这种做法拓展至承包商和临时工。这些人可能会造成更大的风险,因为他们缺乏多数正式雇员所具有的高度忠诚感。
不过,前美国联邦调查局(FBI)探员、控制风险集团(Control Risks Group)顾问比尔?戴利(Bill Daley)表示,面对那些憎恨工作的员工所带来的内部威胁,背景调查作用有限。“如果你信任你的员工,就很难认定哪些人心怀不满,因为他们从外表看起来跟你我一样。”戴利表示,“这是最困难的情况,因为那是我们信任的人。”
迪尤表示,当谈到抗击内部威胁的时候,人际接触常常被忽视。他表示:“如果你有一些善于倾听的经理人,他们非常清楚自己的雇员感受如何,那么,当一名雇员感到不高兴的时候,你就能迅速判断出来。”不过,他补充指出,在私营领域,这种做法很少被优先考虑,因为那个领域强调的是业绩。
除了担任Ackerman的顾问,迪尤也拥有自己的计算机安全公司。他总结道,即便得不到上级的赞许,公司IT主管也愿意做好应对内部威胁的防范措施。“作为一名IT高管,你在加强安全防卫的时候不会得到称赞,但如果出了事,那你就死定了。”
