News

Analysts: 'Inside Job' Among Top IT Security Concerns for '08

Browser-based attacks, bot vector incursions, targeted phishing, mobile hacking and insider espionage rank as top five security menaces for 2008.

Browser-based attacks, bot vector incursions, targeted phishing, mobile hacking and client-side or insider espionage are the top five security menaces for 2008, according to a report released this week by the SANS Institute.

But what's been raising eyebrows is the fifth item -- insider attacks -- which wasn't on last year's list and is becoming an increasing threat according to observers responding to the report's findings. SANS, the IT security training concern, arrived at the findings by studying emerging attack patterns on both enterprise systems and individual workstations nationwide.

"This year is definitely the year of the insider threat," said Steve Dispensa, chief technology officer at Kansas City-based security consulting firm Positive Networks. "Security organizations around the world are busy assessing and remediating insider threats, using concepts and tools such as least-privilege access, two-factor authentication, increased auditing and accounting, and mandatory policy application."

Two-factor authentication plays a critical role in securing remote-access environments, Dispensa said: "IT groups have a better shot at differentiating between insider attacks versus external intrusions."

Ellen Libenson, vice president of product management at Los Angeles security services firm Symark International Inc., agrees that the insider problem is clearly an issue something IT pros will see more of going forward.

"The insider threat is always there because people on the inside are aware of what steps a company has taken to secure the network and the various applications that sit on it," Libenson said.

Libenson cites what she calls "the law of averages" in IT security, saying that for many organizations it's not a question of "if, but when" a disgruntled or cash-motivated technologist will attempt to disrupt the system or steal proprietary data and sell it on the black market.

One such instance of a disgruntled IT pro came to light in 2006 when federal authorities arrested Yung-Hsun Lin, a 50-year-old systems administrator for Franklin Lakes, N.J.-based Medco Health Solutions. Prosecutors charged Lin with creating malicious code to take down a network containing vital medical data when he thought he would be laid off as a result of an impending restructuring in his firm's IT department. Lin wasn't laid off and it took one of his colleagues to find out what he'd done.

That episode came just a week after Roger Duronio, also of New Jersey, got eight years in prison for building, planting, releasing and distributing a so-called "logic bomb" at his former employer, UBS PaineWebber.

The End User and Application-Side Attacks
Increasingly, the application layer or inside-entry point is the staging ground for attacks of all kinds, especially since the inception of the firewall and accompanying security software and hardware has made it harder to break in through the network from the outside, security experts said.

One of the most recent examples of this kind of attack was an automated SQL injection onslaught that took hold of tens of thousands of workstations on Jan. 8. The attack also infected thousands of Web sites, although some sites with the domain suffixes of .gov and .edu were quickly cleared.

Rounding out the list were identity theft by bots; malicious spyware, which the institute thinks will get more malicious this year; Web 2.0 exploits; event phishing, which fools end users into thinking they're getting a special offer when they're really getting hacked; and chain attacks, in which a system could get hit if someone forwarded a funny joke via an extensive e-mail listserve.

Security practitioners are mixed on which of the threats is the most important because it depends on the processing architecture of a given enterprise. However, one common theme, said Lumension Security Vice President Dennis Szerszen, is that all the threats either affect or are executed through the end user.

"There are two reasons that hackers do what they do," Szerszen explained. "They do it for high interest or high value and that's when an end user either has personal or financial motivation, respectively, to hack into a system. That's why it comes back to the end user."

Indeed, whether through collusion or inadvertent invitation of malicious code, companies would do well to create "whitelists" of acceptable applications that can be loaded onto workstations, as well as monitor log-ins and system activity for accountability.

"When people think of monitoring, they think of Big Brother," said Symark's Libenson. "But it's really just creating an audit trail to track activity, enforce segregation of duties, take the power out of the hands of few and create an audit trail that's traceable so people don't get any funny ideas."

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.