Not very difficult at all is the answer.
Consider the following scenario. A good looking woman is wandering around your premises and approaches you asking to show her how to use some functions in Excel or any other application. Do you start quizzing her on who she is, from what department does she come from or do you invite her to your PC and show her what she needs to know? Let's say you choose the latter and then she asks you for a drink, would you leave her unattended at your PC or do you get her to accompany you?
If you leave her at your PC, how long would it take for her to insert a USB device and install a trojan horse, key logger, or any other application to steal information or gain access to the rest of your corporate network? By the time you return she may have installed all sorts of surveillance applications and have the ability to access classified information whenever she feels like it from her home computer. This is not such a far fetched scenario, especially in large organizations with no real physical security beyond the reception. According to this year's CSI/FBI survey on Computer Crime and Security more than $30 million worth of damage was caused by insiders stealing proprietary information. FBI and other security analysts still maintain that the majority of threats originate from insiders or people with insider privileges.
Kevin Mitnick, a notorious hacker from recent years explained in his testimony to a senate panel on computer security: "When I would try to get into these systems, the first line of attack would be what I call a social engineering attack, which really means trying to manipulate somebody over the phone through deception. I was so successful in that line of attack that I rarely had to go towards a technical attack. The human side of computer security is easily exploited and constantly overlooked. Companies spend millions of dollars on firewalls, encryption and secure access devices, and it's money wasted, because none of these measures address the weakest link in the security chain"
Even in more simplistic scenarios where a promotional CD is sent to a basic employee, for example a secretary or data entry clerk, would they think twice before running it on their PC? It may have a stealth application embedded that secretly installs itself onto that PC and may spread across the network enabling criminals access to your most sensitive information.
The above is a real example of an event that actually took place in Israel and was reported by the BBC of a Trojan horse that was planted into a number of organizations by competitive companies and by parent companies. In some cases an e-mail was sent to a secretary asking her to click on a few items that basically released the application and installed it onto her machine. Once installed it ran in the background for over a year before being detected. In another company a CD was sent to an employee with the same Trojan embedded in it and without a second thought the employee's curiosity caused him to run the CD and see what he had received. Of course without his knowledge the Trojan had installed itself onto his PC, gradually found its way around the network and transmitted data regularly to its target.
These are just a couple of examples where company networks have been easily infiltrated from within or by insiders and suffered major financial damage which in extreme cases have been difficult to recover from.
So far we have shown attacks that are premeditated where the intention is specifically to cause damage or steal information. However, there is the accidental damage by the ignorant or unaware employee or insider that does not realize he is causing any harm to the company. The example above is a combination of the two (accidental and intentional) where the attacker uses that employee's ignorance in the hope that whoever receives the CD will in fact run it on his PC and forget about the company policy which prohibits the use of unapproved media. This is the exact reason for the prohibition but these prohibitions are difficult to enforce.
In a purely accidental breach an employee may inadvertently disable the personal firewall on their PC allowing any number of malicious applications to enter unhindered. If a personal firewall or content inspection is disabled on a PC, employees can surf to virtually any site on the net and inevitably get infected with malicious applications or dialers which are predominantly found on the most popular recreational sites such as pornography and file shares. Another example may be a salesman who wants to synchronize his PDA, which has wireless connectivity, with is PC. During the same process the modem functionality has been activated on the PDA enabling unauthorized access to his PC, especially if there is no security enabled on the wireless connection. These are just a few examples of the multitude of internal security breaches that can bypass the gateway and access the corporate network.
So how does a company protect itself from its own users who intentionally or accidentally can cause serious damage? In light of the fact that most employees either do not read the company's security policy or forget its content as soon as they have read it and the fact that it is difficult to enforce this policy anyway other than the threat of terminating the contract with an employee. Companies have to invest in internal security systems that complement existing gateway security solutions and provide real time threat detection that minimizes the window of opportunity for threats to become major security breaches.
Most companies do not think twice when considering security solutions at the gateway to protect the perimeter and control all communications going in and out of the organization but for whatever reason do not place much importance on the threat from within. If we take the example above, of a salesman synchronizing his PDA with his PC we can see how easy it is to bypass the gateway and open an unsecured connection from within the organization rendering investment in the gateway as only a partial solution since too many holes still exist in the security apparatus that need plugging.
A recent study on Digital security claimed that 90 percent of companies surveyed reported 'Insider abuse of internet access' while 50 percent had experienced unauthorized access by insiders and 40 percent by outsiders. These figures are certainly not trivial and highlight a problem that is only increasing in its magnitude.
For many years now industry analysts have been saying that most threats originate within the network with estimates going as high as 80 percent of attacks originate internally. However, the perception of most organizations is that protecting the perimeter is paramount and that securing the internal network is only a secondary or even tertiary concern. This may be true since the most malicious attacks do come from the outside in many forms; DoS attacks, Viruses, Worms, SYN floods etc. and to make them even more difficult to detect many of the attacks are fragmented. All of this means that securing the perimeter with intelligent security applications is still of paramount importance but no less important is securing the internal network to complement the security devices at the gateway. Some companies have started shifting their security budgets to a more balanced investment between the perimeter and the internal network and this should increase as more and more companies realize the threat from within.
Simple, easy to use solutions that can run in the background and provide intelligent security threat alerts that can be acted on immediately either by individuals or by the solution itself is a step towards hermetically sealing networks both from within and at the perimeter. These types of solution are as necessary to have as a firewall or Anti Virus solution but they must be complimentary and have minimal financial overhead to an already tightly budgeted IT Security department to be cost effective.
The author is director of sales and marketing of Promisec Ltd
Promisec Limited is exhibiting at Infosecurity Europe 2006 which is Europe's number one information Security Event. Now in its 11th year, Infosecurity Europe continues to provide an unrivalled education programme, new products & services, over 300 exhibitors and 10,000 visitors from every segment of the industry. Held on the 25th – 27th April 2006 in the Grand Hall, Olympia, this is a must attend event for all IT professionals involved in Information Security.