Saturday, July 28, 2007

Insider Attacks, Trust but Verify

For those security ostriches out there who are convinced that internal networks are perfectly safe and that firewalls keep the bad guys out, this ComputerWorld article is yet another example of an insider stealing sensitive data. Worst of all, the culprit was a highly trusted individual (a database administrator). Time to turn to proper risk management.

The impact of this sort of attack can be huge, but I suspect the likelihood of this risk is low, or we wouldn’t be hearing about it in the news (to shamelessly quote Bruce Schneier: "I tell people that if it's in the news, don't worry about it. The very definition of 'news' is 'something that hardly ever happens.'"). Think too of the cost/benefit equation for the threat source. So the risk is probably low; there are almost certainly bigger fish to fry in corporate America than distrusting DBAs and system admins.

Low risk doesn’t justify much security spending if you look at this risk alone. But considering a number of related risks together, there's a business case for employing security controls in a layered fashion to reduce risk in aggregate across all of them. Controls might include background checks on employees, centralized logging with separation of duties and good monitoring, and blocking peer-to-peer network communications. For really sensitive data, more intrusive controls may make sense.
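As an added illustration of the "centralized logging with separation of duties and good monitoring" control (this is example code, not from the original post or the article it cites), here is a small monitor that runs over database audit log lines and flags the pattern at issue: a privileged account pulling unusually large volumes of sensitive data. The log format, account names, table names, thresholds and business-hours window are all constructed for this example; a real deployment would map them to its own audit source and policy.

```python
"""
Added example (not from the original post): a monitor for centralized
database audit logs that flags bulk reads of sensitive tables by privileged
(DBA) accounts. Everything below the docstring is constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed audit log lines in a hypothetical format:
# <timestamp> user=<account> role=<role> action=<verb> table=<name> rows=<n> src=<ip>
SAMPLE_LOG = """\
2007-07-27T09:12:04 user=alice role=dba action=ALTER table=orders rows=0 src=10.1.1.20
2007-07-27T09:40:11 user=alice role=dba action=SELECT table=customers rows=120 src=10.1.1.20
2007-07-27T22:03:55 user=alice role=dba action=SELECT table=customers rows=2500000 src=10.1.1.20
2007-07-27T22:05:10 user=alice role=dba action=SELECT table=credit_cards rows=900000 src=10.1.1.20
2007-07-27T10:15:00 user=bob role=app action=SELECT table=customers rows=3 src=10.2.0.5
2007-07-27T23:30:00 user=alice role=dba action=SELECT table=orders rows=50000 src=10.1.1.20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) action=(?P<action>\S+) "
    r"table=(?P<table>\S+) rows=(?P<rows>\d+) src=(?P<src>\S+)$"
)

# Policy knobs (constructed): which tables hold sensitive data, how many rows a
# single privileged read may touch before a human should look at it, and the
# business-hours window outside of which bulk reads are more suspicious.
SENSITIVE_TABLES = {"customers", "credit_cards"}
BULK_ROW_THRESHOLD = 100_000
BUSINESS_HOURS = range(8, 19)  # 08:00 to 18:59


def parse_line(line):
    """Parse one audit line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["rows"] = int(rec["rows"])
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S")
    return rec


def classify(rec):
    """Return the reasons this record deserves attention (empty list = fine)."""
    reasons = []
    # Only privileged reads are in scope here; schema changes by a DBA are normal work.
    if rec["role"] != "dba" or rec["action"] != "SELECT":
        return reasons
    bulk = rec["rows"] >= BULK_ROW_THRESHOLD
    if bulk and rec["table"] in SENSITIVE_TABLES:
        reasons.append("bulk read of sensitive table")
    if bulk and rec["ts"].hour not in BUSINESS_HOURS:
        reasons.append("bulk read outside business hours")
    return reasons


def find_alerts(log_text):
    """Classify every line; return (alerts, rows read per user)."""
    alerts = []
    totals = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed or unrelated line; a real monitor would count these too
        if rec["action"] == "SELECT":
            totals[rec["user"]] += rec["rows"]
        reasons = classify(rec)
        if reasons:
            alerts.append((rec["user"], rec["table"], rec["rows"], reasons))
    return alerts, dict(totals)


if __name__ == "__main__":
    found, per_user = find_alerts(SAMPLE_LOG)
    for user, table, rows, reasons in found:
        print(f"ALERT {user} {table} rows={rows}: {'; '.join(reasons)}")
    print("rows read per user:", per_user)
```

The separation-of-duties part of the control is not in the code but in where it runs: the audit lines must be shipped to a log store the DBA cannot modify, and the alerts must go to a reviewer other than the DBA, otherwise the person being monitored can simply delete the evidence.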

But information security professionals should consider the whole equation. An oppressive culture of distrust toward highly paid techies is intuitively going to be bad for productivity and personnel retention. Is that worth it (or even necessary) given the likelihood and risk?

Sunday, June 24, 2007

Changing the Firewall Paradigm

This article in eWeek got me to thinking a little about the venerable Firewall, staple of modern internet security. The technology was originally developed in the early days of the internet, a time when collaboration and communication between organizations was vastly different.

Back then, you were as liable to use BITNET as ftp or talk for file transfer or communications. At that time the internet was more open in its architecture. Systems within an organization were all accessible from the internet. The move to firewall technology sought to hide organizations’ computing assets behind a gateway.

But the talk of eroding network boundaries has been going on for years now. We have telecommuters, road warriors, B2B connectivity, and Service Oriented Architecture essentially creating dozens of backdoors into an organization’s networks, not to mention internet-facing applications with backend systems on internal networks. Enterprises benefit from more connectivity and collaboration. How do we get that without sacrificing security?

Firewalls aren’t going anywhere. It still makes sense to filter incoming and outgoing internet traffic. But the shift towards endpoint security is bound to continue, and I hope the result is that firewalls won’t always be perceived as the main mechanism for reducing risk. It’s not that simple anymore. It hasn’t been for years.

I’ve often wondered if firewalls, in some sense, create a false sense of security. Immature organizations make the mistake of ignoring host security and internal security threats because the firewall supposedly fixes everything.

A little thought experiment: if firewalls weren’t an available technology, wouldn’t organizations have to enact better endpoint security? That could include implementing better host security for desktops and servers, better application endpoint security such as agents that intercept and enforce security for web applications or web services, or improved development practices to reduce the vulnerabilities in deployed applications. Seems to me companies should already be doing these things.

It’s probably still safe to say a lot of attacks come from the big-I cloud, and so, for now, the internet firewall is still a key feature of enterprise security architectures. But even if fewer attacks come from other sources such as telecommuter workstations, business partner networks or intranet users, the damage potential, and thus the risk, may be far greater than that of generic internet-based attacks. Could it be that in some cases it makes sense to focus as much on those sources as on so-called perimeter (aka firewall) security, or even more? I think so.

If you’re already doing good, careful, intelligent risk analysis as part of a holistic, enterprise-level process of information security risk management, you already know this and you apply your controls where they’re most needed. Otherwise you’re probably spending too much security money in the wrong place and not getting much risk reduction out of it.

Tuesday, May 01, 2007

Contact Me

Would love to hear your opinions!
