PREVENTING AN ATTACK FROM THE INSIDE
Wayne Epperson, correspondent | Web Hosting Monthly, June 2003

Even when they protect their networks with the latest anti-virus software, stalwart firewalls and hair-trigger intrusion detection systems, security officers still must grapple with their greatest risk – the insider threat. The vulnerability of networks to insider intrusion is so vast it warrants a security discipline all its own.

“It is always considered one of the hardest aspects in computer security to protect machines from users with physical access,” says Johannes Ullrich, chief technology officer of the Internet Storm Center at the SANS Institute (www.sans.org), a research and education cooperative in Bethesda, Md. The risks can range from vandalism to the compromise of hosted machines and networks.

The goal of information security is “not solely to keep those bad hackers out of the system; unfortunately, there are a lot of people who are authorized users committing unauthorized hacks,” says Sanford Sherizen, president of Data Security Systems, Inc. (www.computercrimestop.com) of Natick, Mass.

The insider threat shouldn’t be surprising, since authorized users have access to huge amounts of data about their company’s clients, including credit card information and other data that can be used for identity theft, says Sherizen, a criminologist who has consulted on computer crime prevention for more than 15 years. “It’s not clear whether people in IT are more honest than people outside of IT.”

The threat of vandalism can involve unplugging or sabotaging a hosting provider’s network or colocated customer equipment, Ullrich says. “Employees are usually able to connect equipment to free network jacks, or enable features like span ports on switches and routers to listen in on traffic to selected machines. In particular, private interconnects between customer-owned machines are frequently considered ‘secure’ by the customers and used for unencrypted data exchange,” Ullrich says.

Systems can be compromised because employees frequently have access to root or administrator passwords in order to assist customers. This kind of access can easily be abused, he says.

Martin Lindner, a team leader for security incident handling at the CERT Coordination Center (CERT/ Lindner says the problems faced by Web hosts are like those of any company: “You can’t always trust the people you hire, so you have to put the appropriate set of checks and balances in place to minimize your risks.” Checks and balances help defend against a disgruntled or malicious employee and the accidental mistake, and also maximize the likelihood of detection.

Prevention begins at the hiring process, which is itself a risk assessment, Lindner says. “You have to decide how much time and money you want to spend, and based on that, you can hire the cream of the crop or almost anybody; it depends on how far you want to go with the background checks.”

For daily operations he recommends hosts create an environment where no one individual has enough information to cause serious destructive harm. He gave an analogy: “You don’t see an armored car driving around with only one guard; they always have two. The driver is isolated from the guy in the back. So, the driver can steal the truck but he can’t get to the money. The other guy can get to the money, but he can’t drive the truck.” Such a system adds another level of complexity, because “if there are going to be disgruntled employees, they would have to be two and they would have to be a pair, a matched set” agreeing to a crime.

Ullrich of SANS says a layered, defense-in-depth approach is the best protection against an insider threat. The layers include: careful screening of employee candidates; limiting access to only the necessary components; accountability (access logs); monitoring, either technically via system or access logs or by supervisors; and separation of privileges – for example, if a host uses a key card system to monitor access to certain locations, the systems collecting the logs should not be accessible to the same group of people.

“Establishing a ‘buddy system’ may be helpful. There will be at least two employees on site at all times, and access to some key systems, such as monitoring, will require supervisor approval,” Ullrich says.

He also says security consultants can be helpful with periodic reviews. “Even an excellent security team tends to overlook certain vulnerabilities, and an outside consultant can bring new ideas to the table.”

A consultant should bring senior executives into discussions about computer crime prevention to review, among other things, whether an organization has adequate response capabilities to recover from any kind of attack, says Sherizen, who holds a Ph.D., is a certified information systems security professional (CISSP) and is a member of the International Association of Professional Security Consultants. He is also a former professor at Boston University, Northeastern University and the University of Illinois (Chicago). “Senior executives not only provide the resource decisions in terms of how much they are going to spend on information protection, but they also have legal and regulatory requirements to be responsible if problems do occur.”

“The consultant who comes in can often cost a lot less than what would be the financial penalties, and even more important in some cases, the negative aspects of public relations,” Sherizen says.

The potential damage from insider threats to data networks is so severe it is being addressed by the U.S. Secret Service. The service has joined with CERT/ The study will analyze the physical and on-line behavior of insiders prior to and during network compromises, according to the National Threat Assessment Center of the Secret Service. Periodic analysis updates of the survey will be published in future versions of the National Strategy to Secure Cyberspace (www.whitehouse.gov/).