Analysts: 'Inside Job' Among Top IT Security Concerns for '08
- By Jabulani Leffall
Browser-based attacks, bot vector incursions, targeted phishing, mobile hacking and client-side or insider espionage are the top five security menaces for 2008, according to a report released this week
by the SANS Institute.
But what's been raising eyebrows is the fifth item -- insider attacks -- which
wasn't on last year's list and is becoming an increasing threat according to
observers responding to the report's findings. SANS, the IT security training
concern, arrived at the findings by studying emerging attack patterns on both
enterprise systems and individual workstations nationwide.
"This year is definitely the year of the insider threat," said Steve Dispensa,
chief technology officer at Kansas City-based security consulting firm Positive
Networks. "Security organizations around the world are busy assessing and remediating
insider threats, using concepts and tools such as least-privilege access, two-factor
authentication, increased auditing and accounting, and mandatory policy application."
Two-factor authentication plays a critical role in securing remote-access
environments, Dispensa said: "IT groups have a better shot at differentiating
between insider attacks versus external intrusions."
Ellen Libenson, vice president of product management at Los Angeles-based security
services firm Symark International Inc., agrees that the insider problem is
clearly an issue and something that IT pros will see more of going forward.
"The insider threat is always there because people on the inside are aware
of what steps a company has taken to secure the network and the various applications
that sit on it," Libenson said.
Libenson cites what she calls "the law of averages" in IT security, saying that for many organizations, it's not a question of "if, but when" a disgruntled or cash-motivated technologist will attempt to disrupt the system or steal proprietary data and sell it on the black market.
One such instance of a disgruntled IT pro came to light in 2006 when federal
Yung-Hsun Lin, a 50-year-old systems administrator for Franklin Lakes, N.J.-based
Medco Health Solutions. Prosecutors charged Lin with creating malicious code
to take down a network containing vital medical data when he thought he would
be laid off as a result of an impending restructuring in his firm's IT department.
Lin wasn't laid off and it took one of his colleagues to find out what he'd
That episode came just a week after Roger Duronio, also of New Jersey, got
eight years in prison for building, planting, releasing and distributing a so-called
"logic bomb" at his former employer, UBS PaineWebber.
The End User and Application-Side Attacks
Increasingly, the application layer or inside-entry point is the staging ground for attacks of all kinds, especially since the inception of the firewall and accompanying security software and hardware has made it harder to break in through the network from the outside, security experts said.
One of the most recent examples of this kind of attack was an automated SQL
injection onslaught that took hold of tens of thousands of workstations on Jan.
8. The attack also infected thousands of Web sites, although some sites with
the domain suffixes of .gov and .edu were quickly cleared.
Rounding out the list were: identity theft by bots; malicious spyware, which
the institute thinks will get more malicious this year; Web 2.0 exploits; event
phishing, which fools end users into thinking they're getting a special offer
when they're really getting hacked; and chain attacks, in which a system could
get hit if someone forwarded a funny joke via an extensive e-mail listserve.
Security practitioners are mixed on which of the threats is the most important
because it depends on the processing architecture of a given enterprise. However,
one common theme, said Lumension Security Vice President Dennis Szerszen, is
that all the threats either affect or are executed through the end user.
"There are two reasons that hackers do what they do," Szerszen explained.
"They do it for high interest or high value and that's when an end user either
has personal or financial motivation, respectively, to hack into a system. That's
why it comes back to the end user."
Indeed, whether through collusion or inadvertent invitation of malicious code,
companies would do well to create "whitelists" of acceptable applications that
can be loaded onto workstations, as well as monitor log-ins and system activity
"When people think of monitoring, they think of Big Brother," said Symark's
Libenson. "But it's really just creating an audit trail to track activity, enforce
segregation of duties, take the power out of the hands of few and create an
audit trail that's traceable so people don't get any funny ideas."
Jabulani Leffall is a business consultant and an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others. He consulted for Deloitte & Touche LLP and was a business and world affairs commentator on ABC and CNN.