Tribal thinking has existed for centuries within many different cultures in which members of a group, or tribe, were completely trusted to do what is right and good and those who were not members of the tribe were not trusted. There is a long history of organizations also trusting all their own members. Historically, organizations believed that trusting employees implicitly led to loyalty and better productivity. In fact, a study published by NFI in 2003
(http://www.nfiresearch.com/subpage/release/EmpLoyalty.html) stressed increasing trust, stating, "It isn't the monetary rewards that build loyalty—it is the feeling of adding value, making a contribution and being trusted that matter most in building an organization of loyal employees." This idea certainly reflects tribal thinking.
According to the United States Department of Labor (http://www.bls.gov/news.release/tenure.nr0.htm), the median number of years that wage and salary workers had been with their current employer was 4.0 years in January 2004, and in January 1983 it was 3.5 years. Thus, the retention of employees in all industries has changed little in two decades. However, if you look at the statistics of employees who are actively searching for a new employer while with their current employer, you get a different view. A May 1976 Bureau of Labor Statistics survey (http://www.bls.gov/opub/mlr/2000/09/art1full.pdf) showed that 4.2 percent of all workers who had been at their jobs at least 4 weeks were interested in changing jobs. A 2005 survey conducted by the Society for Human Resource Management and CareerJournal.com reported that 81 percent of today's employees are interested in changing jobs within the next 12 months. This statistic seems to indicate that your corporate tribal members are loyal only until something better comes along.
Trying to retain good employees certainly is necessary, but organizations must realize that the trust they impart upon their employees needs to have certain limits. Not only are security measures necessary to help protect against the malicious activities of those employees who cannot be trusted, such security measures are also necessary to help protect against the mistakes and lack of knowledge of well-meaning employees that could lead to business-closing incidents. This instinct of trusting everyone that is a part of your team, organization, or tribe, must be tempered with good business practice and establishment of due care processes.
Some of the most trusted positions within an organization are within the IT areas. Security administrators hold rein over your network. Making sure these folks are appropriately monitored, have appropriate controls applied, and receive adequate training is a demonstration of due care that your organization must take the time to implement. Although the vast majority of IT staff will do the right thing, there are still those that could be tempted to abuse their powerful capabilities and do wrong.
In August 2005 the Helsinki, Finland branch of global financing company GE Money had police investigate the theft in June of about €200,000 ($245,400). The police reported they believe the company's head of data security stole the money using banking software from the company along with passwords for its bank account. Accomplices then accessed the account from a laptop computer using an unprotected WiFi network at a nearby apartment building. Investigation revealed the laptop's MAC address (the unique identifier on the network card) belonged to GE Money, and the bank's security officer was soon implicated.
It is difficult for companies to guard against crimes in which internal staff is involved, making it even more important to implement security measures internally. There are few reported incidents of computer crimes committed by insiders, but that definitely does not mean that there are few crimes that are actually committed.
In July 2004, Scotland Yard's Computer Crime Unit reported UK businesses typically only report 5 to 7 percent of all computer-based crimes to the police. "Around 93 to 95 percent of all cybercrimes go unreported because companies rate unwanted publicity as potentially more damaging to their business than the incident itself."
It is likely many of these unreported crimes are committed inside the network. It is also likely that many crimes go undetected.
There has been an explosion in the creation of new technologies in the past decade that make it very easy to link networks. Staff members who do not realize the threats they present use new technologies widely inside the network, often without the knowledge of management. The availability of inexpensive technologies can be easily accessed by large numbers of people, employees, and outsiders alike. More and more employees are moving their business work to their home computers. Of course, this move can provide tremendous benefits to businesses. However, by increasingly putting powerful computing devices into the hands, and control of, employees, the businesses inevitably become more vulnerable to unauthorized network intrusion and abuse.
So how vulnerable are businesses to the activities of their own tribe members? Considering virtually any computer system is susceptible to unauthorized intrusion, very vulnerable. Just consider a few of the types of authorized activities an insider can typically perform:
Your internal tribal members can do any number activities by exploiting their authority to wreak havoc on your network:
It only takes one person to corrupt a corporation's information network. Are you comfortable believing that 100 percent of your tribe members will always do the right thing?
Employees, simply by virtue of their status as employees, enjoy wider access to a company's information assets and information equipment than outsiders do. Many, if not most, employees are now savvy computer users and, if they wanted, are better positioned to insert malicious code into a network than are hackers. They are also more able to steal passwords than any industrial spy. In fact, when it comes to leaking, copying, reading, stealing, altering or deleting information, employees participate in these activities far more than any external intruder.
Why do employees want to deliberately fiddle with their organization's information? For many reasons, including greed, anger, frustration, and revenge, just to name a few. There are also hundreds of unintentional security lapses committed by employees daily as a result of carelessness, gullibility, and ignorance. Employee access to information is the greatest threat and greatest challenge to securing an organization's information infrastructure.
Organizations must instill a security mentality into their tribe members. This goal can only be successfully accomplished through careful planning and implementation. Such an awareness and training program must encourage employees to identify the need for information security and to willingly accept and follow the security controls and procedures in place. Such a program must implement constant communication, consistent reinforcement, audits for compliance, and investigations into non-compliance.
Trust is vital for successful business; it is also vital as part of the security equation. Security technology, controls and procedures are definitely essential in protecting information.
Ultimately, however, the employees are critical to ensuring security.
If you explain clearly, consistently, and often to employees why security measures are established most will still feel trusted and understand the reasons why such measures are necessary. In fact, you must communicate that you trust your employees—this idea is a vital human factor in employee job satisfaction. However, letting employees know that they are trusted doesn't diminish the need to establish internal security controls—there are too many compelling reasons to do so, such as establishing accountability and to meet regulatory requirements.
In May 2005, the United States Secret Service in partnership with the CERT Coordination Center, located at Carnegie Mellon University's Software Engineering Institute, released their most recent Insider Threat Study (ITS—http://www.cert.org/insider_threat/insidercross.html). This study analyzed incidents from a behavioral and a technical viewpoint. The ITS examined incidents committed by insiders, defined as current or former employees or contractors, who intentionally misused their network access authorization in such a way that they impacted the organization's business operations, data, or networks. The 2005 ITS analyzed 49 insider incidents in which the insider's primary goal was to "sabotage some aspect of the organization (for example, business operations, information/data files, system/network, and/or reputation) or direct specific harm towards an individual."
The ITS revealed the majority of the insiders who committed acts of sabotage were former employees who had held technical positions with the targeted organizations. Almost all the insiders examined were charged with criminal offenses. Most of the charges were for violations of United States federal law.
The key findings of the ITS are the following:
These findings are corroborated by the findings of the 2004 Ernst & Young study (http://www.ey.com/global/download.nsf/International/2004_Global_Information_Security_Survey/$file/2004_Global_Information_Security_Survey_2004.pdf) that indicates the damage from insiders is much greater than from outside the network. Most damage is from misconduct, omissions, oversights, or violating policies and procedures. The study reported one in five employees reported "personal awareness of other individuals stealing from the employer."
Many insider incidents are never discovered by organizations, so they are unaware that they are even being victimized.
The 1997 President's Commission on Critical Infrastructure Protection report (http://www.cert.org/pres_comm/cert.rpcci.abstract.html) reveals some primary issues related to the insider threat:
The Association of Certified Fraud Examiners (ACFE—http://www.cfenet.com/pdfs/2004RttN.pdf) estimates that the typical United States organization loses 6 percent of its annual revenues to occupational fraud; in other words, fraud instigated by insiders. Using the United States Gross Domestic Product for 2003, this statistic amounts to roughly $660 billion in total losses.
Multiple other studies have examined various aspects of the impact of insider acts on businesses:
An explosion in outsourcing, mobile computing, wireless networking, business partner connections, and Web-based applications has created a spider web configuration of connections to virtually anyone, from anywhere, with any device. Perimeter-based security is no longer sufficient. It fails because there is no longer a clearly defined perimeter. With the large numbers of individuals with access to business networks who are not employees, it's difficult to determine who should have access to network resources and who needs to be blocked. Your "trusted" internal network environment is now likely connected directly to the Internet through a home or partner link or through an unapproved wireless connection.
The typical network perimeter is no longer like a steel fortress protecting against threats, instead it is like a stainless steel sieve.
Most organizations now have business to business (B2B) relationships with business partners in which the partners' networks are connected through a variety of methods. Such relationships certainly enable efficient business communications and processing (such as supply chain management, lead-time reduction, and other business process automation) by transmitting transactions through these connections. B2B can also automate transmissions to reduce the level of human interaction that used to be necessary to achieve these benefits and efficiencies.
Not long ago, organizations used Electronic Data Interchange (EDI) as the primary way to share information with their business partners. Of course, EDI is still used widely today. However, because of the complexity and costs involved with EDI systems and software, many companies used EDI only to share information with a small percentage of their partners. Most business partners do not need such complex systems to share information, so simpler, less-expensive solutions are implemented that leverages the ability to share information over the Internet, or to connect the trading partners directly to a company's network. A large amount of sensitive and competitive information is typically transmitted through B2B relationships, so security is a major concern. Not only the security of the transmissions but also the vulnerabilities that the multiple and varied connections present to the organization's network.
B2B connection implementations often fall through the cracks with regard to consistently having one group to manage and monitor the connection. Sometimes the IT group may be responsible for doing something minor for the connection, such as opening a port on the firewall to enable communication between the business partners. Sometimes the business partner handles the bulk of the connectivity. In yet other cases, the business unit takes it upon themselves to make the connection without the assistance, oversight, or authorization of the appropriate IT area. Support issues are often handled ad hoc. All these ambiguities can lead to unsecured pathways into your network. Regardless of how the connections are made, your company is still ultimately responsible for ensuring the security of the company network.
B2B connections can create an unbelievable number of holes into your network, providing compelling motivation to implement security at more than just the perimeter. The following sections explore some of these potential holes.
Often a good security policy does not exist to govern B2B connections. Without such a policy, personnel responsible for these relationships will not know the security requirements with which they must comply. There is also no accountability for personnel who create B2B connections if there is no policy. You need to have a security policy that outlines the minimum security requirements for each B2B relationship with your organization. The policy should outline security requirements related to architecture, transaction processing, monitoring, and the groups that must be involved from initial discussions to actual implementation and monitoring.
Due care activities need to occur to ensure B2B connections and information exchanges are secured. If information security is not involved in the due diligence process, the business partner might not have adequate measures to secure the B2B transactions. If the business partner will access your company's data or systems, significant security concerns exist related to confidentiality and integrity of information. To mitigate this risk, information security must participate in due diligence activities to validate and confirm security specifications and requirements prior to signing the final agreement.
Audits need to be performed on B2B connections to find vulnerabilities and prevent unauthorized access to your information. If internal audit is not involved when forming a B2B relationship, the final B2B infrastructure may not meet your organization's audit and control requirements, including regulatory requirements. Internal audit should be involved in the B2B process from start to finish to help ensure that your organization's audit and control requirements are met.
Connections may be made with business partners when they are not needed, or may be made in ways that do not support the corresponding business process. It is important to understand the business process any connection to your network is supporting, along with the criticality of the process. Is the purpose just to share information or to perform business transactions? Considering such issues will help determine the appropriate way in which to make and secure the connections.
If no one officially owns the B2B relationship management activities, it is likely such partnerships are not managed appropriately, and no accountability will exist to ensure contract requirements are met. Once your organization has signed a B2B agreement, someone needs the ownership of that relationship. This role needs to ensure that the requirements are met (including security requirements), act as a single point of contact with the partner, and work with appropriate groups within your organization to manage the relationship.
Without a Service Level Agreement (SLA), the partner may not be accountable for service levels required by your organization. Your organization's information may not receive an appropriate level of security, and may potentially be accessed on your network through the holes in the partner's network. An SLA obligates the partner to meet your security requirements. It should outline the scope of your organization's relationship with the partner, roles and responsibilities, performance metrics, and so on. Penalties should be incurred for being non-compliant with the SLA.
Some security-related issues to address within SLAs to help prevent incidents from occurring within the perimeter as a result of your relationship with the partner include:
If SLAs are not monitored, your organization's data may not be properly secured because the partner may not be meeting your SLA requirements. The person who owns the B2B relationship responsibility should also work with the appropriate areas in your organization to monitor the provisions of the SLAs.
If you are exchanging sensitive information that is not properly secured, it could be compromised and get into the wrong hands, and possibly result in detrimental impact not only to your organization, but also to your customers. Be sure to analyze and approve architectures for all planned partner connections. Important issues to address include, but are not limited to:
If you do not establish security measures to ensure information coming from the partner network is valid and authorized, there is great risk of unauthorized access to your organization information and network. When your partner sends information to your organization, your partner must communicate with at least one or more of your systems. Your security considerations for these transmissions will vary based upon your organization, your partner, and the purpose of the transmission.
There is a wide spectrum of risks related to your business partner not having adequate security. They can range from minor impacts due to operations all the way to huge fines and penalties resulting form non-compliance with applicable regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and many others. Incidents on your partner networks could have significant impact to your organization's reputation, availability, and financial success (or failure).
Risks related to inadequate access control measures can have significant impact on the confidentiality of your data, potentially resulting in financial and/or reputation damage. Your partners should provide access to data and applications based upon a business need and as it relates to the kind of relationship and contract you have with the partner. Be very careful about providing blanket access to everyone within the partner organization or by having identifiers for your system shared by multiple business partner personnel; this setup results in lost individual accountability.
Terminated partner employees could still have access to your organization's data and systems. They could wreak havoc on your network, making it inaccessible for business processing, surreptitiously take data from your network and give or sell to your competitors, or try to ransom it to your organization. When your partner employees are terminated, all their access to your organization should be removed. This is another good reason to not use group identifiers—it increases the likelihood terminated employees who used such an identifier will still have access to your systems.
If you do not purge identifiers, individuals who no longer need access, including terminated employees, may still have access to the B2B applications and your networks. You should establish a procedure to periodically purge all identifiers from your systems that have not been used for a specific period of time, in addition to reviewing identifiers to determine whether they are still necessary, even if they have been used recently.
Business to consumer (B2C) connections are those by which consumers purchase goods or services over the Internet, or some other public connection, from your company, or otherwise communicate or share information with you. Until recently, many organizations put up a Web site with information about their products and services so that consumers could learn about the company's offerings. However, organizations now overwhelmingly make services and products available for purchase, in addition to giving customers access to their account information, through public networks. Consumers use such connections extensively because of the convenience and often lower prices. However, many consumers still avoid making online purchases or accessing their account information through the Internet because of security concerns and the recent reports of identity theft, insufficient security on Web sites, reported attacker exploits, and concerns that Web sites are not legitimate. Such concerns are understandable.
If you have customers who look at your online catalogs, make purchases from your Web site, and supply information such as their name and address, they are participating in a B2C communication with your organization. B2C connections create entry paths to your organization's systems and data.
Security risks related to B2C connections include:
The risks created by B2C connections could significantly impact your organization. B2C connections create a variety of pathways into your systems. Some of the potential impacts to your organization from a B2C connection security incident include:
B2C connections can create huge risks and an unbelievable number of holes into your network. The following sections explore some of the ways these risks and unsecured connections occur, providing still more persuasive reason to secure inside the perimeter.
Without a policy to govern B2C processes, B2C architecture and applications will likely be developed with inadequate security. Trying to add security onto architecture and applications after deployment can be expensive and take much more time than if it was built in right from the start. Additionally, a policy provides a mechanism for enforcing effective B2C security practices.
If organizations do not know the financial and brand impact of B2C connections, they will likely not plan appropriately to ensure the connections have the appropriate level of availability. Organizations need to determine the percentage of overall revenues the B2C connections generate as well as whether the Web site providing the B2C connection has had a security breach that would impact the organization financially or its brand.
If you do not know about past security breaches through B2C systems and how they impacted your organization, you cannot know how to prevent the same breach from occurring again. Knowing about past security incidents and how they were handled will help to implement measures to prevent them from happening again.
If no one owns the B2C connections responsibilities, there is no accountability—a dangerous situation for a revenue-generating activity. Lost or corrupted B2C connections have a significant impact, including lost revenue and lost customers. Ownership of the B2C connections must be established so that all associated activities can be consistently managed. Such a role should ensure updates occur, the content is appropriate, the network architecture for the connections is appropriate, and that customer Web sites are available, functioning appropriately, and are secured.
If no one has documented ownership of the databases supporting the B2C operations, it's likely they will not be properly secured, resulting in unauthorized access and potential data integrity compromises. B2C databases are critical to the B2C infrastructure, and typically contain very sensitive and confidential information that falls under potentially multiple regulatory requirements for protection. This information must be adequately secured.
Without strict access controls on the B2C databases, unauthorized access to sensitive information in the database can occur or the integrity of the database could be damaged. Access to the database should be limited to only those who need it to perform their job responsibilities.
If due diligence is not performed to ensure proper security of B2C processes, the application may not have the necessary security features. As a result, there could be unauthorized access to the application transactions or integrity loss to the B2C data. When purchasing a Commercial Off the Shelf (COTS) application, security is often overlooked. It is important to review the application package and consider access control capabilities, information flow with other applications and systems, and other security-related issues unique to the application.
If security is not built in from the beginning, there is a risk the application will not adequately ensure the integrity and confidentiality of the data. The costs associated with additional development and re-engineering of the processes when trying to add security as an after-thought could be significant. Implement policies and procedures to require security as part of the systems development and modification process. Consider automated tools to help developers build security into applications during the development process.
If the Web server is not hardened or patched, vulnerabilities could be exploited to attack the B2C application. This attack could lead to Web site unavailability, defacement, access to internal systems, and so on, resulting in lost revenues, customers, reputation damage, confidential data breaches, and other significant business-impacting incidents. Best practices for hardening Web servers can be found on the corresponding vendor Web sites as well as on information security Web sites. Procedures should be implemented to perform hardening and patching activities on an ongoing basis.
Without an intrusion management system in place, potential attacks could go unnoticed until after significant and potentially irreversible damage occurs. This could lead to lost revenue, lost customers, and damaged reputation and brand. Procedures must be in place to detect when something inappropriate is happening at the B2C Web sites. Consider using intrusion management systems, which can help detect potential attacks on a 24×7 basis. Some such systems also have the ability to stop certain types of attacks.
If the B2C database and application sit on the same server, and the server is compromised or attacked, both the database and application could be compromised, resulting in customer and other sensitive information being exposed, permanently lost, or stolen. This risk is much greater if the application and database actually reside on the Web site server. To reduce risk, the application and database should not reside on the Web site server, but each on two separate servers behind your organization's firewall. Of course, the front end of the application will need to sit on the Web site server, but non-customer-facing functions of the application should sit in another network segment behind the firewall.
The lack of firewall, or an incorrectly placed or configured firewall, could result in unauthorized traffic into your organization's network. Oftentimes, the firewall is the only security feature of a B2C application. Implement policies and procedures to require firewalls to be used for every B2C application, and document the minimum requirements for establishing the firewall rules based upon the activities of the B2C application.
If sensitive B2C information is cached, another person could potentially log on to public computers or kiosks as the preceding person, leading to fraudulent activity. Client software should not allow authentication data, or other confidential data, to be cached. Additionally, cookies should not contain confidential information and should expire upon session termination.
If an application does not logout properly, individuals could obtain unauthorized access to each other's accounts. Such is especially a risk in public places such as at kiosks or on public computers such as in libraries or in Internet cafes. Each B2C application should have a logout function to allow users to logout out of the application completely and disallow others using the computer from using an active session.
When information is sent in clear text across the Internet, it can be intercepted and used to gain unauthorized access to other accounts without any trace that this activity even occurred, let alone who captured the information. All sensitive information should be sent using secure protocols that encrypt sensitive information.
If they are not masked, the B2C passwords could be seen by others nearby and used to subsequently logon as another person, leading to fraudulent activity, loss of customer trust, and brand damage, not to mention potential regulatory non-compliance and resulting fines, penalties, and potential civil suits. All passwords should be masked on the end user's screen whenever they are typed.
Weak passwords can easily be exploited to gain unauthorized access to the B2C application as well as to customer account information. The B2C application must force users to create strong passwords and provide ways for legitimate, identity-validated customers to obtain or change their passwords if they forget them.
Without a lockout feature, malicious users could use brute force methods to gain unauthorized access to B2C applications and customer information. A lockout feature will help to prevent this from happening. The account should be locked until the account user contacts your company to reset the account, or otherwise provides valid proof of identity to unlock the account.
If customer identity is not properly authenticated prior to resetting passwords and providing other account information, an unauthorized person could obtain this information then use it to gain access to the valid customer's account. Password resets should be performed only after following a consistent procedure to verify the customer's identity. Such procedures should also apply to responding to customers' requests for information about their accounts.
If you do not limit administrator or root access to only those few who need it to administer the Web server, accidental or malicious damage to the Web site is a possibility. This is a significant risk if disgruntled employees have access. Administrator access to the Web server allows full access rights; an administrator can make any change or see anything stored on the Web server. Ideally, only one person should have this access as a primary responsibility, with another person serving as a backup. The person performing administrator activities should have a different personal account they use for all other activities that are not related to Web server administration.
Applications built in-house must go through a formal change management process before being put into production. Without formal change management procedures, vulnerabilities can be introduced to the B2C application as a result of inadequate testing and quality assurance. Vulnerabilities can lead to unauthorized use of the application or other types of security breaches. Formally documented change management procedures must be followed for all B2C applications, including those built in-house.
Access to product and service information offered on the B2C Web site must be strictly controlled. If such access is not controlled, critical service and product offering information and pricing could be changed inappropriately, resulting in customers placing orders with the wrong prices or the wrong descriptions. Formal policies and procedures must be in place to ensure service and product information cannot be modified without proper authorization. All edits should be logged and reviewed by quality assurance and management personnel.
Vulnerability assessment of the B2C applications must take place. Without vulnerability assessment, significant vulnerabilities could be present and exploited when the application is moved to production. Tools are available that can be used to evaluate application code and security vulnerabilities. Code reviews can also be performed to identify faulty logic that creates vulnerabilities.
Someone must have assigned responsibility for reviewing the B2C Web server, database server, intrusion detection, and firewall logs. If logs are not reviewed, you will not know about potential security breaches in a timely manner, and will not be able to take proactive action. Periodic review of logs can help detect problems early while they are still manageable. Using automated tools for log analysis can help organizations that are short on human resources to perform the reviews. Another option is outsourcing log analysis.
An increasingly larger number of workers are becoming mobile. Personnel are carrying notebook computers, PDAs, smart phones, and Blackberries so that they can continue to work while they travel. More employees than ever are working from their homes. This increased mobility has enabled some individuals to be more effective in winning new business, transacting business on the spot, and delivering more timely and personal customer service.
An American Interactive Consumer report stated that there were 23.5 million teleworkers in the United States in 2003. The International Telework Association & Council (ITAC) and research partner Dieringer Research Group estimated there were 44 million United States teleworkers in 2004.
The nature of telecommuting inherently adds more work for an organization's IT and information security staff. According to Gartner, fewer than 30 percent of handheld computing devices are officially sanctioned or administered by IT. Support for such devices can take huge and unexpected amounts of time to address.
Large numbers of unauthorized personal computing devices are being used to perform business processing.
Securing the computing devices and storage media for mobile workers is dramatically more complex and difficult than securing a closed network. The more mobile workers an organization has, the more likely there are connections to their networks from external locations, and the more risks from each of these potential points of entry to the network. Recent studies from InfoBeads report most mobile workers work with information that is highly confidential and mission critical to the organization and has great impact on the business.
Mobile workers need to be well trained in the security requirements of computing while traveling and while working from their homes. They need to understand that they have ultimate control over the security of the business information while they are outside of organization facilities. Unfortunately, most mobile workers, especially those working primarily or exclusively from their homes, have notoriously lax security measures in place for their home-based business computers. A large majority now use cable and DSL modems for connections, effectively putting them online every hour of every day, subjecting them to the same types of attacks as the corporate networks but without the sophisticated firewalls and security tools in place to protect them.
ITAC and Dieringer Research Group reported the use of broadband by home teleworkers grew by 84 percent in 2004.
Think about how mobile workers actually work:
This type of insider threat within your virtual perimeter can have dire consequences. Consider an exercise performed by Pointsec Mobile Technologies in 2004 (Digital Secrets Up for Sale, The Birmingham Post. June 15, 2004.) Pointsec purchased 100 laptop computers for pennies on the dollar over a 2-month period from Internet and public auctions. The amount of unsecured confidential business information contained on these computers was staggering:
It is common practice at airports and mass transit facilities, such as Gatwick and Heathrow airports and on the Eurostar, for found items, including laptops, PDAs, and computer storage media, to be put up for auction if they are not reclaimed within 3 months.
Consider the damage not only to your organization's reputation, brand, and revenue, but also to your customers if your employees sold their computers containing business information. Consider also the potential serious legal ramifications of such an incident resulting in your company being charged with non-compliance with any number of regulations as well as potentially facing civil lawsuits.
It is critical for organizations to invest more time, attention, and resources in the security practices of their mobile workers and for the tools they use. Policies and procedures need to be implemented to effectively control the vast amount of business information processed outside of the network facilities.
Mobile Workers Create Holes and Entry Points into Your Network Perimeter Organizations must make sure mobile workers:
The very nature of mobile computing devices puts them at a greater risk of theft than other types of computing devices. Your network hardware is typically located within secured facilities, but your mobile devices, which have access through your network perimeter, are typically located outside your organization's physical security perimeter. As previously discussed, mobile workers rarely work in an environment as secure as your business offices. Mobile devices are used in cars, airplanes, trains, and buses; stuck in purses, bags, and jacket pockets; and many times are forgotten and left in overhead storage compartments, restaurants, bookstores, and libraries.
What if your CEO's or security administrator's mobile computing device fell into the hands of a competitor, a criminal, or the news media? Would they be able to read confidential email, customer information, or access your internal network using the device?
A mobile computing device is any device or medium that has computing capabilities, such as a PDA, laptop computer, or smart phone, or a device capable of storing electronic data, such as a CD, a USB thumb drive, a backup tape, and so on. Examples of mobile computing devices include:
According to a 2004 IDC report, virtually all enterprise employees own cell phones and/or handheld computing devices. More than 22 million smart phones capable of running enterprise applications shipped in 2004, and IDC projects this number will reach 100 million by 2008. As the numbers increase, such handheld devices will become attractive targets for theft.
Frost & Sullivan research reports mobile professionals represent 75 percent of data users in the United States. The value of the business data and credentials stored on these devices has increased along with their ability to run critical business applications, ranging from email and instant/text messaging to field support and sales force automation. The top-tier executives are among those most likely to make extensive business use of mobile computing devices; they are also the personnel with the most critical and confidential business information.
Handheld storage capabilities were originally very limited, typically to just a few kilobytes of RAM. However, these devices are now capable of storing megabytes of information. Small removable compact flash devices and multimedia cards have tremendously expanded storage capacities. If a mobile computing device or memory stick falls into the wrong hands, it is likely to expose huge amounts of business information, potentially including customer information, business email, corporate plans and strategies, and so on.
A handheld device belonging to a power company employee in Japan containing confidential personal information for 665 families was stolen in 2005. In 2003, a Blackberry that had belonged to a Morgan Stanley executive was sold on eBay that contained dozens of business emails and other confidential information.
The more advanced and feature-rich mobile computing devices become, the more ways there are to compromise them. With capabilities such as built-in cameras, text and media messaging, and always-connected Internet access, these devices are more versatile and usable than ever before, but they are also making it easier to download ring tones, images, games, malicious code, and shareware. When personnel use these advanced technology mobile devices without understanding the associated risks, it puts your business at increased risk to exploits from inside your perimeter.
Smart phones with Bluetooth connections can be victims of Bluesnarfing (remotely reading and writing the phone's address book, initiating calls, sending text messages, and so on.)
Because of their increasingly small sizes and diminishing prices, mobile computing devices are often not handled carefully and end up being lost. People typically view such inexpensive devices as being easy to replace, and some almost treat them as disposable or in nonchalant ways. More and more vendors give away USB drives and PDA devices at trade shows as marketing gimmicks. It's no wonder the perceived value of such devices can tend to be negligible without giving thought to the value of the information contained within them.
A 2005 FusionOne poll revealed 43 percent of mobile users had experienced theft, loss, or damage of their mobile computing devices. Gartner estimates that 90 percent of mobile computing devices containing business information do not have security implemented, such as power-on passwords or encryption to protect the information.
Mobile storage media is often overlooked as a source of concern by organizations, but it contains some of the most sensitive and confidential business information. The risks are great:
An organization must immediately deal with a variety of issues when a mobile device is stolen or lost. The cost of replacement hardware is often insignificant compared with the potential financial costs from the primary security considerations:
Your organization should have a documented policy for responding to the loss or theft of mobile computing devices. There should be a procedure to quickly report the loss, and device owners must be aware of this procedure. Information security must clearly and periodically communicate a clear message to the user community about the risks of mobile computing devices and stress the importance for users to report the theft or loss of a device immediately.
Mobile devices provide entry points to your internal network. Organizations must implement controls on mobile devices appropriate to the associated risks. When determining risks you need to review:
Most mobile computing devices provide a wide range of wireless communications capabilities, such as Infrared, Bluetooth, Wireless LAN, GPRS, and even dialup over analog cell technology. All of these capabilities provide routes into your organization and network systems. They all are also vulnerable to communications interception in varying degrees. When mobile devices are used to transmit sensitive information, there are risks that the information can be inadvertently disclosed or intercepted. Virtual private networks (VPNs) are often deployed to address and control these risks.
Wireless connections can easily, and are often, made to other outside untrusted networks. Such connections can be made from within your network or facilities. Mobile workers also often connect to untrusted networks using wireless in such locations as at an airport or using a broadband Internet connection within their own homes. Such devices are typically connected directly to the Internet without the protection of firewalls or intrusion detection systems (IDSs). This setup exposes the device, business information, and subsequently your organization, to a great range of threats, including direct attack from entities on the Internet, whether they are human or malicious code.
Businesses are jumping on the wireless network bandwagon in droves. However, there are a great number of risks inherent to wireless LANs for which business leaders are many times not aware. Some of these risks include unsecured default configurations, unsecured network architecture supporting the wireless LAN, encryption weaknesses, and physical security weaknesses.
An August 2005 CIO Insight survey reported that 83 percent of 357 IT executives indicated they use wireless networking.
Most wireless networks are configured by default to allow any wireless system to access the network without authentication. Individuals can easily drive around with a wireless computing device and pick up many network connections, a practice called war driving. War driving is widely used to locate free Internet access or—even worse news to your business—to access information on corporate networks. Wireless LAN administrators may not know just how vulnerable they really are. If you have a wireless network, you must protect it against war driving.
When someone gains access to your wireless network, the only things keeping the person from accessing unauthorized servers, applications, and information are strong internal security controls. If internal controls are weak or non-existent, an unauthorized individual could easily gain access to your corporate wireless LAN, then possibly take over control of your network by exploiting weaknesses.
DoS attacks are also a threat to wireless networks. If you have mission-critical systems running on your wireless network, an attacker doesn't even need to gain access to a system to cause damage or financial harm. All the attacker has to do is flood your network with transmissions to cause a DoS attack.
To help prevent the risk of inside attacks from occurring through wireless networks, you need to take two primary actions:
Regulations affecting the implementation of information security controls are becoming more common. For organizations in many sectors (such as healthcare, power generation, and financial services), there is specific legislation with which they must comply. These regulations do not focus on requirements for securing the perimeter of an organization's network. Indeed, they apply to all levels of an organization's information infrastructure. Relying upon securing the perimeter would likely lead to non-compliance with these regulatory requirements.
For example, consider the United States HIPAA regulation. The two sections within this regulation that impact information security professionals are the Privacy Rule and the Security Rule. Both require a variety of controls to be in place for ensuring the confidentiality and security of Protected Health Information (PHI). The Security Rule has very specific requirements for administrative safeguards, physical safeguards, and technical safeguards that must exist within all areas of the organization and network in which PHI is handled, accessed, or stored. Penalties and fines for non-compliance with these requirements can have huge impact upon an organization.
For noncriminal violation of the HIPAA rules, including disclosures made in error, civil penalties of $100 per violation up to $25,000 per year, per standard, may be issued. Additionally, criminal penalties may be applied for certain violations done knowingly as follows:
Also consider California's SB1386. This law requires any organization (state agency, person, or business) conducting business in California and processing personal information for California residents to disclose any information security breach to California residents whose unencrypted personal information was obtained by an unauthorized person. This legislation applies to information located anywhere, including inside the perimeter, on mobile computing and storage devices, and in any form. In 2005, 32 other states had proposed similar laws, with at least 19 states passing breach notification bills as of August 15, 2005. Different versions of the United States federal breach notification laws were also proposed. All these laws compel organizations to implement more security protection around personal information wherever it is stored.
Privacy Rights Clearinghouse has chronicled 82 different publicized personal information breaches that have occurred since February 15, 2005—starting with the ChoicePoint incident—through September 29, 2005. They estimate close to 51 million people had their personal information compromised within the accumulation of all these incidents.
Besides HIPAA and California SB1386, other regulations such as the Sarbanes-Oxley Act,
Gramm-Leach-Bliley Act, the European Union Data Protection Directive, and Japan's Personal Information Protection Act require many companies to protect personal information from unauthorized access, regardless of where the information is stored or handled on the network.
Companies are not compliant by merely taking actions to secure their network perimeters. Information must be secured and controlled throughout the entire enterprise, and access must be controlled within the workforce to only those who have a business responsibility for the information. Organizations often give little thought to the information stored on mobile computing devices, accessed by business partners, or through any of the numerous wireless, dialup, or third-party connections.
The number of regulatory requirements enacted to address the security of financial and consumer information continues to grow. This increasing number of laws makes it necessary for business leaders to reassess the security strategies and goals for what they have historically considered their trusted network components; those components exist within the perimeter defenses where information has until recently always been assumed to be safe. This places more responsibility upon IT security administrators to meet regulatory requirements by performing more activities with the same amount of resources. The resulting stress upon these personnel not only lead to regulatory non-compliance because of lack of resources and time but also to unhappy workers, who in turn themselves become insider risks to your internal network.
Oftentimes in exasperation of having no all-encompassing security solution available, organizations try to apply other technologies to address the internal network security challenges:
To be effective, security solutions must be appropriate to the risks, threats, and vulnerabilities being addressed. This security within the perimeter will be layered and will typically contain the following:
Data is more valuable than ever before—another significant reason for protecting data everywhere it is located. In the past few years, there has been a dramatic increase in the value of data, particularly personal data, that has led to an explosion in the number of incidents for unauthorized access to and use of information.
The United States Federal Trade Commission reports the dollar volume of identity theft crime was $52.6 billion in 2004. Approximately 10 million Americans had their personal information misused, costing consumers roughly $5 billion and businesses around $48 billion. In addition, the United States Secret Service reported actual losses to individuals and financial institutions involving identity fraud totaled $442 million in 1995. This is an increase of 12,615% in 9 years!
There are large numbers of unscrupulous individuals who are more motivated than ever to obtain personal information to sell for profit. The black market for personal information is quite lucrative. For example, the June 21, 2005 New York Times reported change of billing (cob) account information is particularly valuable for information thieves; Discover Card cobs with any balance go for around $50 for each account, and American Express, a more exclusive and potentially more profitable account, line the pockets of the information thieves for around $85 each. There are even multiple sites, such as the now defunct sites iaaca.com and carderportal.org, that even provide lengthy tutorials to their subscribers about how to steal personal information and make massive profits.
The potential to make millions of dollars is strong motivation for many people to take advantage of the weak controls and security a company has implemented for the personal information it collects and processes. When motivated information thieves find vulnerability anywhere within a company that allows access to personal information, they take action to obtain the information. Trying to protect information only at the perimeter of a network is inadequate for trying to keep information thieves from getting to your data anywhere, any time, and using any means.
Protecting information resources within the perimeter is a business necessity. It is no longer possible to establish a network perimeter that can be a bastion of solid, impenetrable security to protect all the data safe and snug within. The perimeter is porous—this idea is no longer a debatable opinion, it is a fact. Tribal thinking must change. Smart business leaders can no longer blindly trust all their personnel; not everyone within your organization wants, or plans, to be a permanent member of your team. Mobile computing has expanded your information universe— you now have highly valuable information boldly traveling and going far beyond your perimeter to locations and storage devices like never before and like you never expected.
The time is now for business leaders to take a holistic approach to securing the entire enterprise that complements and supports regulatory requirements as well as protects each internal component of the network. Doing so in harmony will minimize costs and improve productivity.
Multi-dimensional security provides a holistic approach to securing your enterprise data. Multidimensional security protects information assets and associated resources within all areas of your enterprise and in compliance with all regulatory, policy, and contractual requirements. It places protection at not only the perimeter but also wherever information is stored, processed, or transmitted. Multi-dimensional security employs not only technology solutions but also operational, administrative, and human forms of protection to help reduce the risks to information wherever information can be found.
Organizations must change their thinking from a secure-the-perimeter-only perspective to one that is a multi-dimensional enterprise-wide security strategy. They must start viewing their organizations as being comprised of numerous islands of information, each of which must be appropriately secured. We will explore this strategy in the next chapter.