In this month's article we will talk about the "threat from within:" internal security dangers as opposed to threats from an an outside source.Incidents of both internal and external computer crimes appear to be on the rise. Recent surveys indicate that disgruntled employees may account for up to eighty-nine percent (89%) of attacks and security violations.
Threats that surface from the inside are:
- Acts of revenge, stemming from employee rivalry and/or jealousy.
- Employees providing access to company resources to friends and family, thus exposing other company resources to unacceptable risk.
- Theft of company intellectual property, (for instance, sharing with friends outside the company).
- Collecting or selling company trade secrets (corporate espionage).
- Hardware / Software theft.
- Lack of accountability.
Increasingly, companies are relying on outside contractors (not in itself a bad thing), and giving these contractors full employee privileges. However, considering the lack of accountability potentially implicit in short-term contracting, certain precautions should be taken.
The most powerful
person in your company
is the sysadmin...The best way to deal with this risk is to do background checks on all contractors, and weigh and evaluate all authorization they are given access to. Some of these privileges not always be obvious. For example, if a contractor has LAN access, you may be inadvertently granting him or her full access to all internal file shares and system resources on your Intranet. Does your Intranet WWW server contain propriety documentation for internal employee-programmers? If so, are there restrictions stopping non-programmers or employees from accessing these sensitive documents, if all that is required is internal LAN access?
It also must be said that the most powerful person in your company is not a manager or corporate officer, but the sysadmin. Since this person has full access to most systems, and in many cases designed the security system used to keep others out it is the sysadmin who knows the inside of the system, knows how the networks are configured, and what trust mechanisms exist between machines. Thus he or she has the best understanding of how to do damage.
Commonly, sysadmins are also the only people with superuser access passwords or the software authorization codes.
This situation poses another risk in that it presents itself as a single point of failure. To prevent such risks, I typically recommend to my clients that the establishment of alternative root or administrator accounts be created with a strong randomized password. This password should then be broken into three parts and given to officers of the company. Thus, when denial of access problems occur (eg: if the sysadmin is hit by a truck, or simply snowed in at an airport halfway across the contry), emergency access can be obtained with minimal difficulty.
Unfortunately the system administrators are often most underpaid and underappreciated, and frequently caught in a workplace Catch-22: employers often feel that if things are working flawlessly, the sysadmin obviously is not doing any work, and if problems arise, obviously he or she is not doing their job.
Programmers and integrators, on the other hand, are in the perfect situation to write and install backdoors into the product or support utilities. The reason for this behavior tipically stems from the programmer / integrator wanting full control of his or her environment while unjustly viewing the MIS department as a inhibitor to their work progress thus circumventing internal security for reason of sloth, lack of training or better judgment.
Programmers and engineers are notorious for installing administrative backdoors in to their workstations and development servers. Crackers or other employees frequently discover and use these backdoors for nefarious purposes.
The best protection against the above is having a independent third party, or at least a team of programmers from a different department/project, professionally review the integrity of your source code tree.
Other employee based security violations include dialing up to a ISP from work thus inadvertently becoming a back door on to the company LAN. In many other cases employees install backdoors to allow themselves to work remotely from home or satellite offices, thus creating alternate unrestricted access pathways that are vulnerable to attack.